01-13-2009 11:18 AM - edited 03-11-2019 07:36 AM
I have an ASA integrated with ACS for VPN clients to be able to authenticate with their Active Directory accounts. I need to figure out how to enable split tunneling per VPN group on the ACS. I found a doc that shows that the setting is under GROUP SETUP where you can specify the ACL. But I am not sure if the ACL resides on the ASA or on the ACS?
01-13-2009 01:24 PM
The ACL needs to be on the ASA. What you need to do is to pass from the ACS the Class attribute string (attribute 25) back to the ASA; this attribute string must be equal to the group policy that the user will be assigned. Within that group policy you can then have the split tunnel policy configured.
01-13-2009 02:52 PM
Thank you for your reply. I have never configured attribute strings on the ASA. How do you do that? Do you have any docs that would be useful?
01-13-2009 03:01 PM
The attribute strings have to be configured on the ACS, ASA will just read that and place the user on the correct group policy.
On your ACS, you go to the "interface configuration" and enable Radius IETF Class value for either user or for group.
Once this is applied, you go to the group where you want to configure this feature and edit it, scroll to the Radius IETF values; once there, enable the option and put the next syntax: 'OU=group_pol_name;' (no quotes), where group_pol_name is the group policy that the ASA has configured with the correct split tunnel list.
After a user that belongs to that group authenticates, ACS will send back to the ASA the Class attribute (25), which the ASA will interpret as the group policy that the user belongs to.
01-14-2009 07:16 AM
Thanks. I am going to try this right now.
01-14-2009 08:54 AM
I am trying to set this up and what I am not clear on is the ASA side. I configured an ACL for the split tunneling on the ASA:
access-list RAS_SPLIT remark ** Split Tunnel ACL for RAS VPN **
access-list RAS_SPLIT standard permit 10.64.0.0 255.192.0.0
I enabled Radius IETF Class value and set it up with the proper string in the Edit Group options: OU=VPN-GROUP-6;
The only confusing part is how do you associate the ACL RAS_SPLIT with the VPN-GROUP-6 policy on the ASA since the group type is external?
01-14-2009 09:00 AM
Mhhh, I think that's where we should have started. When the group is internal, you use the setup I advised; when it is external, you pretty much have to forget everything about the Class value and RADIUS attributes. In this case you would only use the CiscoVPN3000/ASA/PIX 7 RADIUS attributes: you enable the split tunneling policy and you just define the list name that your ASA has configured. This is the way to tie the ACL to the external group. What will happen is that ACS will pass back to the ASA the split tunnel list string value, which should be defined on the ASA.
27 CVPN3000-IPSec-Split-Tunnel-List
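Both approaches from this thread, shown side by side as an added ASA configuration example (constructed for illustration, not the poster's running config or a Cisco document): the ACL lives on the ASA, and either the IETF Class attribute names an internal group policy, or an external group policy pulls the split tunnel list name from ACS. The server group name ACS-RADIUS, the tunnel group name RAS-VPN, the ACS address and the RADIUS key are placeholders; only RAS_SPLIT and VPN-GROUP-6 come from the thread.

```cisco
! Constructed example, not the poster's configuration. ASA remote-access VPN
! authenticating against ACS over RADIUS. Addresses, server group, tunnel
! group name and the shared secret are placeholders.

! Split-tunnel ACL: only this network is sent through the tunnel; everything
! else leaves the client in the clear.
access-list RAS_SPLIT remark ** Split Tunnel ACL for RAS VPN **
access-list RAS_SPLIT standard permit 10.64.0.0 255.192.0.0

! RADIUS server group pointing at ACS (address and key are placeholders).
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.64.1.10
 key RADIUS_SHARED_SECRET_PLACEHOLDER

! Option A - internal group policy. ACS returns IETF Class (25) with the
! value OU=VPN-GROUP-6; and the ASA matches it to this locally defined
! policy, which carries the split tunnel settings.
group-policy VPN-GROUP-6 internal
group-policy VPN-GROUP-6 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAS_SPLIT

! Option B - external group policy. The ASA fetches the policy attributes
! from ACS; ACS returns CVPN3000-IPSec-Split-Tunnel-List (attribute 27)
! with the value RAS_SPLIT, which must match an ACL name that exists here.
group-policy VPN-GROUP-6-EXT external server-group ACS-RADIUS password RADIUS_SHARED_SECRET_PLACEHOLDER

! Tunnel group: authenticate users against ACS. The default policy is what a
! user gets when ACS returns no usable Class value, so keep it restrictive.
tunnel-group RAS-VPN type remote-access
tunnel-group RAS-VPN general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy VPN-GROUP-6
```

The Class value must match the group-policy name on the ASA character for character; a mismatch silently drops the user into the tunnel group's default policy. After a test login, confirm which policy was actually applied with `show vpn-sessiondb remote`, and use `debug radius` during the test to see the exact attributes ACS returned.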