Captive Portal Detection when using Cisco AnyConnect

Antairez alexsu1113 at
Tue Sep 8 14:43:17 PDT 2015

Server is running the latest server software 0.10.8, all certificates have been verified to be installed correctly, authentication method is radius.

On my Mac machine, both running AnyConnect 3.0 and 3.1 yield the same result in console after network interface has changed (restart WiFi switch or waking up laptop from sleep):

9/8/15 5:21:31.020 PM UserEventAgent[40]: Captive: CNPluginHandler en0: Inactive
9/8/15 5:21:36.576 PM UserEventAgent[40]: Captive: [CNInfoNetworkActive:1709] en0: SSID 'Cheng 5Ghz' making interface primary (cache indicates network not captive)
9/8/15 5:21:36.577 PM UserEventAgent[40]: Captive: CNPluginHandler en0: Evaluating
9/8/15 5:21:36.596 PM UserEventAgent[40]: Captive: en0: Not probing 'Cheng 5Ghz' (cache indicates not captive)
9/8/15 5:21:36.598 PM UserEventAgent[40]: Captive: CNPluginHandler en0: Authenticated
9/8/15 5:21:41.375 PM acvpnagent[42779]: Function: TestNetEnv File: NetEnvironment.cpp Line: 334 Captive portal detected. Retesting connectivity to the secure gateway in 10 seconds.
9/8/15 5:21:41.375 PM acvpnagent[42779]: Current network state: Captive portal detected

Have tried both including and excluding profile.xml on client connection to no avail. Playing with settings inside numerous times yield no results as well.

Both 3.0 and 3.1 clients produce the following message on GUI: “Web authentication required”, but 3.0 will continue the login process while 3.1 will reject user from any further login attempts.

As far as I can see ocserv seems to only support AnyConnect 3.0 at this moment, I guess this is Cisco’s way of stopping user from using their products if they are not licensed and ripped off? Will ocserv support the new clients anytime soon?

Same rules apply to Windows machine. 3.0 Ok 3.1 No go.

More information about the openconnect-devel mailing list