Problem
Users with the AnyConnect Secure Web Gateway (SWG) module may have trouble signing in at some public hotspot locations.
Solution
Hotspots often interact with newly-connected clients by directing their web traffic to a captive portal (sometimes called a walled garden). This is used for "click-through" acceptable-use splash pages, authentication codes, or payment, before granting full access to the hotspot.
If the SWG module becomes active before the user can interact with the captive portal, web traffic will be proxied directly to the Umbrella cloud, which prevents the local interaction. The user may be trapped in a state where they only have partial internet connectivity.
Modern operating systems will automatically probe for captive portals. To ensure these probes occur on the local network, and allow the user to locally interact, add these probing domains to the External Domains List in the Umbrella Dashboard:
www.msftncsi.com
www.msftconnecttest.com
captive.apple.com
More instructions on how to add domains to your bypass list can be found here: Manage Domains.
Some hotspots may trigger additional redirects. If those redirects do not resolve to a local IP address, further exceptions may need to be added. Make sure to collect diagnostic information and a list of all domains used by the hotspot when contacting Support.
Hotspot Administrators
Be sure to follow vendor best practices for your hotspot solution. Make sure clients are blocked from the Umbrella API endpoint at https://api.opendns.com until they've first authorized with the captive portal. Ensure that any destination that needs to be treated as local has an IP address in the RFC-1918 local range.
Comments
0 comments
Article is closed for comments.