RAS VPN Split tunneling

Jan 13th, 2009

I have an ASA integrated with ACS for VPN clients to be able to authenticate with their Active Directory accounts. I need to figure out how to enable split tunneling per VPN group on the ACS. I found a doc that shows that the setting is under GROUP SETUP where you can specify the ACL. But I am not sure if the ACL resides on the ASA or on the ACS?

Ivan Martinon Tue, 01/13/2009 - 13:24
Cisco Employee

The ACL needs to be on the ASA. What you need to do is pass the Class attribute string (attribute 25) from the ACS back to the ASA; this attribute string must be equal to the group policy that the user will be assigned. Within that group policy you can then have the split tunnel policy configured.

vantipov Tue, 01/13/2009 - 14:52

Thank you for your reply. I have never configured attribute strings on the ASA. How do you do that? Do you have any docs that would be useful?

Ivan Martinon Tue, 01/13/2009 - 15:01
Cisco Employee

The attribute strings have to be configured on the ACS; the ASA will just read that and place the user in the correct group policy.


On your ACS, you go to "Interface Configuration" and enable the RADIUS IETF Class value for either user or group.


Once this is applied, you go to the group where you want to configure this feature and edit it, then scroll to the RADIUS IETF values; once there, enable the option and enter the following syntax: 'OU=group_pol_name;' (no quotes), where group_pol_name is the group policy that the ASA has configured with the correct split tunnel list.


After a user that belongs to that group authenticates, ACS will send back to the ASA the Class attribute (25), which the ASA will interpret as the group policy that the user belongs to.

vantipov Wed, 01/14/2009 - 08:54

I am trying to set this up and what I am not clear on is the ASA side. I configured an ACL for the split tunneling on the ASA:

access-list RAS_SPLIT rem ** Split Tunnel ACL for RAS VPN **

access-list RAS_SPLIT stand permit 10.64.0.0 255.192.0.0

I enabled the RADIUS IETF Class value and set it up with the proper string in the Edit Group options: OU=VPN-GROUP-6;

The only confusing part is how do you associate the ACL RAS_SPLIT with the VPN-GROUP-6 policy on the ASA since the group type is external?

Ivan Martinon Wed, 01/14/2009 - 09:00
Cisco Employee

Mhhh, I think that's where we should have started. When the group is internal, you use the setup I advised; when it is external, you pretty much have to forget everything about the Class value and RADIUS attributes. In this case you would only use the Cisco VPN3000/ASA/PIX 7 RADIUS attributes: you enable the split tunneling policy and just define the list name that your ASA has configured. This is the way to tie the ACL to the external group. What will happen is that ACS will pass back to the ASA the split tunnel list string value, which should be defined on the ASA.


27 CVPN3000-IPSec-Split-Tunnel-List


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html#wp148379
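For anyone following this thread later, here is the ASA side of both approaches discussed above in one place. This is an added example, not configuration from the original posts or from Cisco documentation. It reuses the RAS_SPLIT ACL and the VPN-GROUP-6 policy name from the thread; the ACS address (192.0.2.10), the shared secret and the tunnel-group name RAS are placeholders.

```cisco
! Added example, not from the original thread.
! Placeholders: ACS at 192.0.2.10, shared secret, tunnel-group RAS.
! RAS_SPLIT and VPN-GROUP-6 are the names used in the posts above.

! Split-tunnel ACL: only 10.64.0.0/10 is sent through the tunnel,
! everything else leaves the client directly. This ACL must exist on
! the ASA in both the internal-group and the external-group case.
access-list RAS_SPLIT remark ** Split Tunnel ACL for RAS VPN **
access-list RAS_SPLIT standard permit 10.64.0.0 255.192.0.0

! RADIUS server group pointing at ACS (placeholder address and key)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET

! Internal ACS group case: the group-policy name must match the value
! ACS returns in IETF Class (25), i.e. OU=VPN-GROUP-6;
group-policy VPN-GROUP-6 internal
group-policy VPN-GROUP-6 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAS_SPLIT

! Tunnel group the VPN client connects to; users authenticate against ACS.
! (On 7.x code the type keyword is ipsec-ra instead of remote-access.)
tunnel-group RAS type remote-access
tunnel-group RAS general-attributes
 authentication-server-group ACS
 default-group-policy VPN-GROUP-6
```

In the external ACS group case, ACS instead returns CVPN3000-IPSec-Split-Tunnel-List (attribute 27) with the value RAS_SPLIT; the ASA applies that ACL to the user's session on top of whatever group policy the tunnel group assigns, so the ACL still has to be defined on the ASA exactly as above. To confirm which group policy and split-tunnel list a connected user actually received, use show vpn-sessiondb remote on the ASA; debug radius shows the attributes ACS returned in the Access-Accept if the mapping is not taking effect.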

