dynamic split tunnel

Answered Question
Oct 27th, 2009

Wondering if it's possible to send a VSA from my radius server to my ASA-5505 that will instruct the ASA to use one of several split tunnel lists I have created, based on the user name supplied in the Radius request.

For example, I can send a VSA of "ip:inacl#1=permit ..." and the ASA will dynamically create an access-list for that user.

Is there a similar VSA for split tunnel?

Thanks

mike

Jatin Katyal Tue, 10/27/2009 - 13:43

Hi,

I checked ACS 4.x version. As you want to push the Split Tunnel List from ACS to ASA. It can be done.

On ACS 4.x it is known as,

[026/3076/027] IPSec-Split-Tunnel-List

On 3.3 it is known as,

[026/3076/027] CVPN3000-IPSec-Split-Tunnel-List

Please make sure that the value you define in the Split Tunnel List is an access-list that exists in the ASA configuration.

For more info on radius VSA:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp342112

HTH

JK

Plz rate helpful posts-

ippolito Tue, 10/27/2009 - 14:38

Thanks for the reply -- not sure if I understand what [026/3076/027] means. I'm guessing that 026 means vendor-specific, and 027 is the type code for IPSec-Split-Tunnel-List, but what is 3076? Also, do you know what the packet format should be? For example, I know that the radius server can send an ACL to the ASA by using the format "ip:inacl#1=permit ip...", using radius type 26, vendor type 9 (Cisco), and subtype 1 (attribute-value pair). Is there something equivalent for IPSec-Split-Tunnel-List?

Thanks,

Mike

Correct Answer
Jatin Katyal Wed, 10/28/2009 - 10:24

Hi,

ACS supports Cisco VPN 3000/ASA/PIX 7.x+ RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076.

You have to use two attributes for ASA:

[3076\027] Ipsec-split-tunnel-list

[3076\055] Ipsec-split-tunneling-policy

Now on the ASA you have to create a network list as mentioned in the document listed below, and then you have to call the name of the

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpngrp.html#wpxref36314

In the attribute [3076\027]: you only need to define the name of the access-list that you created under network-list.

Attribute 55, IPSec-Split-Tunneling-Policy, will need to be set to Only Tunnel networks in list.

HTH

JK

Plz rate helpful posts-

ippolito Wed, 01/06/2010 - 14:28

Thank you very much for the help -- this worked very well for me.

Mike

ghogberg Mon, 04/12/2010 - 05:48

Hi,

We are testing the exact same thing. Using FreeRadius at the moment for the RADIUS server.

We are able to configure everything right, and the RADIUS packets look mostly like the ones we used with the Cisco VPN3000 box.

Vendor Attribute: 27, Length: 7, Value: SplitTest

But it seems this doesn't do the trick when I check the routing info in the VPN Client, so my question is:

- Do I have to use a specific group (like an external group) or can I use the "Default Group" in the ASA to get this up and running?

Any other specific ASA setup I have to do? We have tried some debugging too, without getting anything good out of that... :-/

Any hints to point me in the right direction would be most welcome :-)

-Geir

ippolito Wed, 04/14/2010 - 08:36

Hello Geir,

It shouldn't matter which group policy you use, as the radius attributes should override what is in the policy.  The things that tripped me up at first were the following:

- make sure you're using vpn vendor id 3076

- use attribute 55 (IPSec-Split-Tunneling-Policy) with value=1 (4-byte, big-endian value 0x00000000), which means "Only tunnel networks in list"

- use attribute 27 (IPSec-Split-Tunnel-List) with value = a string containing the name of the access list

- make sure the access-list is already defined on the ASA, and that it is a standard (rather than extended) access-list

I'm not familiar with FreeRadius (I'm using my own home-grown radius server), but this is what should be in the reply packet from the radius server back to the ASA (these are all expressed in decimal rather than hex):

first attribute for choosing to only tunnel the networks in an ACL:

26 (vendor-specific attribute)

12 (total length of attribute, including the "26", this length field, and the attribute payload)

(next four bytes are the big-endian vendor id = 3076; i.e. 0x00000C04)

0

0

12

4

55 (vendor-specific attribute = IPSec-Split-Tunneling-Policy)

6 (length of vsa including the "55", this length field, and the next four-byte value)

(next four bytes are the big-endian value of 1, which means "Only tunnel networks in list"; i.e. 0x00000001)

0

0

0

1

second attribute for choosing which pre-defined ACL to use for the split tunnel (in this case I chose ACL called "abc"):

26 (vendor-specific attribute)

11 (total length of attribute, including the "26", this length field, and the attribute payload)

(next four bytes are the big-endian vendor id = 3076; i.e. 0x00000C04)

0

0

12

4

27 (vendor-specific attribute = IPSec-Split-Tunnel-List)

5 (length of vsa including the "27", this length field, and the string value below)

97 (ascii "a")

98 (ascii "b")

99 (ascii "c")

Good luck with it.

Mike
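
The byte layout Mike lists above, as an added Python example (not code from the thread or from Cisco): it encodes the two vendor-3076 attributes for an ACL name and decodes them again, with the policy value 1 packed as 0x00000001 as in the listing. The function and constant names are hypothetical, and the decoder assumes one sub-attribute per type-26 attribute, as in the listing.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS attribute type for vendor-specific attributes
VENDOR_ID = 3076           # vendor id named in the thread (0x00000C04)
SPLIT_TUNNEL_LIST = 27     # IPSec-Split-Tunnel-List: string, name of the ACL
SPLIT_TUNNEL_POLICY = 55   # IPSec-Split-Tunneling-Policy: 4-byte integer
TUNNEL_ONLY_LISTED = 1     # "Only tunnel networks in list"


def encode_vsa(vendor_type: int, value: bytes) -> bytes:
    """Wrap one vendor sub-attribute in a RADIUS type-26 attribute."""
    sub = bytes([vendor_type, 2 + len(value)]) + value   # type, length, value
    body = struct.pack("!I", VENDOR_ID) + sub            # big-endian vendor id
    total = 2 + len(body)                                # counts the "26" and itself
    if total > 255:
        raise ValueError("value too long for a one-byte length field")
    return bytes([VENDOR_SPECIFIC, total]) + body


def split_tunnel_attributes(acl_name: str) -> bytes:
    """Return the policy attribute followed by the ACL-name attribute."""
    policy = encode_vsa(SPLIT_TUNNEL_POLICY,
                        struct.pack("!I", TUNNEL_ONLY_LISTED))
    acl = encode_vsa(SPLIT_TUNNEL_LIST, acl_name.encode("ascii"))
    return policy + acl


def decode_vsas(data: bytes) -> list:
    """Parse a run of attributes into (vendor_id, vendor_type, value) tuples."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        body = data[i + 2:i + attr_len]
        if attr_type == VENDOR_SPECIFIC:
            # body = 4-byte vendor id, sub-type, sub-length, value
            if len(body) < 6 or body[5] != len(body) - 4:
                raise ValueError("sub-attribute length mismatch at offset %d" % i)
            out.append((struct.unpack("!I", body[:4])[0], body[4], body[6:]))
        i += attr_len
    return out
```

Running `decode_vsas` over the attribute bytes taken from a packet capture of the server's reply is a quick way to confirm the vendor id and both length fields before debugging the ASA side.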

Mapnadev1 Mon, 08/22/2011 - 06:21

Hi guys,

I am wondering how I can implement dynamic split tunnel.

I have 2 access to my DMZ from inside and outside

and I want to have access to another server from inside, out of the tunnel,

but when I connect from outside I want to see the server from the VPN. Is it possible or not?

Best regards,

danailpetrov Sat, 02/19/2011 - 03:08

Hi guys,

I was wondering, is it somehow possible to refer to an access-list created on the AAA Server (Secure ACS) instead of referring to a locally created (on ASA) ACL?

My aim is to use ONLY Secure ACS in order to define Tunnel properties (Split tunneling and so on) as well as ACLs used for interesting traffic (split-tunneling). I don't want to have locally configured ACLs on ASA. Do I have to use the same attributes that jkatyal referred to?

[3076\027] Ipsec-split-tunnel-list

[3076\055] Ipsec-split-tunneling-policy

For instance - I've created a "Downloadable ACL" under the "Shared Profile Components -> Downloadable IP ACLs" menu on Secure ACS (v4.2). How can I refer to that list, which is downloaded to the ASA with the name "#ACSACL#-IP-MYOWNACLNAMEHERE-some_random_name"?


Kind regards!
