10-27-2009 01:37 PM - edited 03-10-2019 04:45 PM
Wondering if it's possible to send a VSA from my radius server to my ASA-5505 that will instruct the ASA to use one of several split tunnel lists I have created, based on the user name supplied in the Radius request.
For example, I can send a VSA of "ip:inacl#1=permit ..." and the ASA will dynamically create an access-list for that user.
Is there a similar VSA for split tunnel?
Thanks
mike
10-28-2009 10:24 AM
Hi,
ACS supports Cisco VPN 3000/ASA/PIX 7.x+ RADIUS VSAs. The vendor ID for this Cisco RADIUS Implementation is 3076.
You have to use two attributes for ASA:
[3076\027] Ipsec-split-tunnel-list
[3076\055] Ipsec-split-tunneling-policy
Now on the ASA you have to create a network list as mentioned in the below listed document and then you have to call the name of the
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/vpngrp.html#wpxref36314
In the attribute [3076\027]: you only need to define the name of the access-list that you created under network-list.
Attribute 55, IPSec-Split-Tunneling-Policy, will need to be set to Only Tunnel networks in list.
HTH
JK
Plz rate helpful posts-
10-27-2009 01:43 PM
Hi,
I checked ACS 4.x version. As you want to push the Split Tunnel List from ACS to ASA, it can be done.
On ACS 4.x it is known as,
[026/3076/027] IPSec-Split-Tunnel-List
On 3.3 it is known as,
[026/3076/027] CVPN3000-IPSec-Split-Tunnel-List
Please make sure that the value you define in the Split Tunnel List is an access-list that exists in the ASA configuration.
For more info on radius VSA:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp342112
HTH
JK
Plz rate helpful posts-
10-27-2009 02:38 PM
Thanks for the reply -- not sure if I understand what [026/3076/027] means. I'm guessing that 026 means vendor-specific, and 027 is the type code for IPSec-Split-Tunnel-List, but what is 3076? Also, do you know what the packet format should be? For example, I know that the radius server can send an ACL to the ASA by using the format "ip:inacl#1=permit ip...", using radius type 26, vendor type 9 (Cisco), and subtype 1 (attribute-value pair). Is there something equivalent for IPSec-Split-Tunnel-List?
Thanks,
Mike
01-06-2010 02:28 PM
Thank you very much for the help -- this worked very well for me.
Mike
04-12-2010 05:48 AM
Hi,
We are testing the exact same thing. Using FreeRadius at the moment for the RADIUS server.
We are able to configure everything right, and the RADIUS packets look mostly like the ones we used with the Cisco VPN3000 box.
Vendor Attribute: 27, Length: 7, Value: SplitTest
But it seems this doesn't do the trick when I check the routing info in the VPN Client, so my question is:
- Do I have to use a specific group (like an external group) or can I use the "Default Group" in the ASA to get this up and running?
Any other specific ASA setup I have to do? We have tried some debugging too, without getting anything good out of that... :-/
Any hints to point me in the right direction would be most welcome :-)
-Geir
04-14-2010 08:36 AM
Hello Geir,
It shouldn't matter which group policy you use, as the radius attributes should override what is in the policy. The things that tripped me up at first were the following:
- make sure you're using vpn vendor id 3076
- use attribute 55 (IPSec-Split-Tunneling-Policy) with value=1 (4-byte, big-endian value 0x00000000), which means "Only tunnel networks in list"
- use attribute 27 (IPSec-Split-Tunnel-List) with value = a string containing the name of the access list
- make sure the access-list is already defined on the ASA, and that it is a standard (rather than extended) access-list
I'm not familiar with FreeRadius (I'm using my own home-grown radius server), but this is what should be in the reply packet from the radius server back to the ASA (these are all expressed in decimal rather than hex):
first attribute for choosing to only tunnel the networks in an ACL:
26 (vendor-specific attribute)
12 (total length of attribute, including the "26", this length field, and the attribute payload)
(next four bytes are the big-endian vendor id = 3076; i.e. 0x00000C04)
0
0
12
4
55 (vendor-specific attribute = IPSec-Split-Tunneling-Policy)
6 (length of vsa including the "55", this length field, and the next four-byte value)
(next four bytes are the big-endian value of 1, which means "Only tunnel networks in list"; i.e. 0x00000001)
0
0
0
1
second attribute for choosing which pre-defined ACL to use for the split tunnel (in this case I chose ACL called "abc"):
26 (vendor-specific attribute)
11 (total length of attribute, including the "26", this length field, and the attribute payload)
(next four bytes are the big-endian vendor id = 3076; i.e. 0x00000C04)
0
0
12
4
27 (vendor-specific attribute = IPSec-Split-Tunnel-List)
5 (length of vsa including the "27", this length field, and the string value below)
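The accepted answer above (attributes 27 and 55 under vendor ID 3076) and Mike's byte-by-byte listing describe the same encoding. The following Python is an added example written for this thread, not Cisco's, ACS's or FreeRADIUS's code: it builds those two VSAs, plus the cisco-avpair form (vendor 9, sub-attribute 1) Mike mentioned for "ip:inacl#1=...", and decodes them back with length checks so a truncated or malformed reply is rejected rather than misparsed. The function names and the ACL name "abc" are this example's own; the vendor and attribute numbers and the value 1 for "Only tunnel networks in list" come from the thread. It covers only the attribute bytes, not the surrounding RADIUS packet header or authenticator.

```python
"""Encode/decode RADIUS Vendor-Specific Attributes (type 26) for the Cisco
VPN3000/ASA vendor (3076) split-tunnel attributes discussed in this thread.
Example code for the thread, not vendor code; only attribute bytes, not the
full RADIUS packet."""
import struct

RADIUS_VENDOR_SPECIFIC = 26
VENDOR_CISCO_VPN3000 = 3076        # ASA/PIX/VPN3000 VSAs (from the thread)
VENDOR_CISCO = 9                   # cisco-avpair VSAs ("ip:inacl#1=...")
IPSEC_SPLIT_TUNNEL_LIST = 27       # string: name of a standard ACL on the ASA
IPSEC_SPLIT_TUNNELING_POLICY = 55  # 4-byte big-endian integer
CISCO_AVPAIR = 1
SPLIT_POLICY_TUNNEL_ONLY_LISTED = 1  # "Only tunnel networks in list"


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """One RFC 2865 VSA: type 26, length, 4-byte vendor id, then the vendor
    sub-attribute (type, length, value). Both length fields count their own
    type and length bytes, matching the decimal listing in the post above."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 6 + len(sub) > 255:
        raise ValueError("VSA value too long for a single RADIUS attribute")
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub


def split_tunnel_attributes(acl_name: str,
                            policy: int = SPLIT_POLICY_TUNNEL_ONLY_LISTED) -> bytes:
    """The two attributes the accepted answer says the ASA needs. The ACL named
    here must already exist on the ASA as a standard access-list."""
    return (encode_vsa(VENDOR_CISCO_VPN3000, IPSEC_SPLIT_TUNNELING_POLICY,
                       struct.pack("!I", policy))
            + encode_vsa(VENDOR_CISCO_VPN3000, IPSEC_SPLIT_TUNNEL_LIST,
                         acl_name.encode("ascii")))


def cisco_avpair(text: str) -> bytes:
    """Cisco vendor 9, sub-attribute 1, e.g. 'ip:inacl#1=permit ip any any'."""
    return encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, text.encode("ascii"))


def decode_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list; return (vendor_id, type, value) tuples.
    Non-VSA attributes come back with vendor_id None. Every length field is
    validated against the remaining bytes, so truncation raises ValueError."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length exceeds remaining data")
        body = data[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("VSA too short for vendor id and sub-attribute")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if len(body) - j < 2:
                    raise ValueError("truncated vendor sub-attribute header")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("vendor sub-attribute length exceeds VSA")
                out.append((vendor_id, vtype, body[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((None, atype, body))
        i += alen
    return out


if __name__ == "__main__":
    # Same byte sequence Mike listed, printed in decimal with ACL "abc".
    reply = split_tunnel_attributes("abc")
    print(list(reply))
    print(decode_attributes(reply))
```

Running the block prints the decimal byte sequence 26, 12, 0, 0, 12, 4, 55, 6, 0, 0, 0, 1 followed by 26, 11, 0, 0, 12, 4, 27, 5, 97, 98, 99, which is the listing in the post with the "abc" string bytes filled in.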
08-22-2011 06:21 AM
Hi guys,
I am wondering how I can implement dynamic split tunnel.
I have 2 accesses to my DMZ, from inside and outside,
and I want to have access to another server from inside, out of the tunnel,
but when I connect from outside I want to see the server from the VPN. Is it possible or not?
Best regards,
02-19-2011 03:08 AM
Hi guys,
I was wondering, is it somehow possible to refer to an access-list created on the AAA Server (Secure ACS) instead of referring to a locally created (on ASA) ACL?
My aim is to use ONLY Secure ACS in order to define Tunnel properties (Split tunneling and so on) as well as ACLs used for interesting traffic (split-tunneling). I don't want to have locally configured ACLs on the ASA. Do I have to use the same attributes that jkatyal referred to?
[3076\027] Ipsec-split-tunnel-list
[3076\055] Ipsec-split-tunneling-policy
For instance - I've created a "Downloadable ACL" under the "Shared Profile Components -> Downloadable IP ACLs" menu on Secure ACS (v4.2). How can I refer to that list which is downloaded to the ASA with the name "#ACSACL#-IP-MYOWNACLNAMEHERE-some_random_name"?
Kind regards!