ANSWERED: IOS SSL VPN with Cisco RADIUS webvpn:split-include attribute not working.

Mar 27th, 2010

Hi

I've recently switched from using a static default IOS SSL vpn policy to (default-group-policy xxx) Cisco RADIUS (CSACS 4.x) pushed vpn components (determined by the group the user logging in belongs to). Everything seems to be working, url-lists, port-forwards, etc, except for the split tunnel config on the full tunnel client; it does not seem to be getting the split tunnel list from the RADIUS server and thus it ends up tunnelling everything, which cuts off local internet access. The av pair on my group config looks like this:

webvpn:split-include=10.192.0.0 255.255.0.0

webvpn:addr-pool=pool1

webvpn:svc-enabled=1

I've tried the normal mask and the inverse mask and it always shows 0.0.0.0 0.0.0.0 under the secured routes status of the SSL VPN dialer and no Internet access is available while connected.  This split tunnel works just fine when configured via a policy on the actual router via 'svc split-include 10.192.0.0 255.255.0.0', just not when pushed via RADIUS.

Any ideas?

Thanks

Jason

Jennifer Halim Sat, 03/27/2010 - 17:40

Hi Jason,

You would need to add radius attribute as a Vendor Specific value with the vendor being Cisco and the AV pair being "webvpn:split-include=10.192.0.0 255.255.0.0"

Hope that helps.

jasonhumes Sat, 03/27/2010 - 17:51

Hi

I'm not sure how what you've shown is any different from what I've configured on my RADIUS server...all the other webvpn:xxx attributes are working fine, url-lists, etc, just not the split-include one.

Thanks

Jason

Jennifer Halim Sat, 03/27/2010 - 18:08

You are right. Also assume that you don't have "split-exclude" by any chance.

What is your IOS version?

jasonhumes Mon, 03/29/2010 - 05:36

Hi

We are running an 1812 with 12.4(24)T2 ADVIPSERVICES-k9.

Thanks again for your time.

Jason

Jennifer Halim Tue, 03/30/2010 - 00:45

Can you also confirm if the following is all you have configured on the ACS for the attributes:

webvpn:split-include=10.192.0.0 255.255.0.0

webvpn:addr-pool=pool1

webvpn:svc-enabled=1

Or do you have a long list of webvpn:split-include or other attributes?

jasonhumes Tue, 03/30/2010 - 05:19

Hi

Here is the complete list of attributes under cisco-av-pair for the GROUP;

webvpn:split-include=10.192.0.0 255.255.0.0
webvpn:split-include=192.168.123.0 255.255.255.0
webvpn:split-include=192.168.47.0 255.255.255.0
webvpn:split-include=192.168.111.0 255.255.255.0
webvpn:urllist-name=telecom
webvpn:urllist-name=smb
webvpn:svc-enabled=1
webvpn:addr-pool=vpnPool
webvpn:default-domain="acs.local"
webvpn:keep-svc-installed=1
webvpn:primary-dns=10.192.5.10
webvpn:wins-server-primary=10.192.5.10

Thanks

J

Jennifer Halim Wed, 03/31/2010 - 04:38

Doesn't look like a long list at all. If the list is too long, the fragmented radius packet is not supported. But the attribute list that you have is normal.

Can you do me a favor and test with just 1 line of webvpn:split-include attribute, and see if that got pushed down? Thanks.

Just want to rule out the syntax. I am 100% sure the syntax is correct.

jasonhumes Wed, 03/31/2010 - 05:17

Hi

I just tried this again, but with only a single split-include line and it still failed to push this attribute.  When I check the VPN client it still shows 0.0.0.0 under secured routes and no local internet is available.

webvpn:split-include=10.192.0.0 255.255.0.0
webvpn:urllist-name=telecom
webvpn:urllist-name=smb
webvpn:svc-enabled=1
webvpn:addr-pool=vpnPool
webvpn:default-domain="acs.local"
webvpn:keep-svc-installed=1
webvpn:primary-dns=10.192.5.10
webvpn:wins-server-primary=10.192.5.10

I see there is a newer IOS by one minor revision, but the release notes do not say anything about this bug so I'm not thinking the upgrade would help any.

Thanks again for your help.

Jason

Jennifer Halim Wed, 03/31/2010 - 06:05

What if you try moving the "webvpn:split-include=10.192.0.0 255.255.0.0" to the bottom of the attribute list.

jasonhumes Thu, 04/01/2010 - 13:27

Hi

I've tried moving that attribute to the bottom of the list and it makes no difference.  I've attached the debug from my router and it shows it being processed ok, but never really accepted on the client;

===LOGS WITH ADDRESS GIVEN BY RADIUS SERVER===

007563: Apr  1 16:06:36.329 EDT: AAA/AUTHEN/LOGIN (00000000): Pick method list 'webvpnauth'
007564: Apr  1 16:06:36.329 EDT: WV-AAA: AAA authentication request sent for user: "testvpn"
007565: Apr  1 16:06:36.341 EDT: WV-AAA: svc-enabled: Processing AV
007566: Apr  1 16:06:36.341 EDT: WV-AAA: svc-enabled = true
007567: Apr  1 16:06:36.341 EDT: WV-AAA: default-domain: Processing AV
007568: Apr  1 16:06:36.341 EDT: WV-AAA: Default domain acs.local
007569: Apr  1 16:06:36.341 EDT: WV-AAA: keep-svc-installed: Processing AV
007570: Apr  1 16:06:36.341 EDT: WV-AAA: keep-svc-installed = true
007571: Apr  1 16:06:36.341 EDT: WV-AAA: primary-dns: Processing AV
007572: Apr  1 16:06:36.341 EDT: WV-AAA: Primary DNS server 10.192.5.10
007573: Apr  1 16:06:36.341 EDT: WV-AAA: wins-server-primary: Processing AV
007574: Apr  1 16:06:36.341 EDT: WV-AAA: Primary WINS server 10.192.5.10
007575: Apr  1 16:06:36.341 EDT: WV-AAA: split-include: Processing AV
007576: Apr  1 16:06:36.341 EDT: WV-AAA: Split Include 10.192.0.0 255.255.0.0
007577: Apr  1 16:06:36.341 EDT: WV-AAA: netmask: Processing AV
007578: Apr  1 16:06:36.341 EDT: WV-AAA: Framed user IP nmask 255.255.255.0
007579: Apr  1 16:06:36.341 EDT: WV-AAA: route: Skipping processing AV
007580: Apr  1 16:06:36.341 EDT: WV-AAA: addr: Processing AV
007581: Apr  1 16:06:36.341 EDT: WV-AAA: Framed user IP 10.192.98.180
007582: Apr  1 16:06:36.341 EDT: WV-AAA: AAA Authentication Passed!
007583: Apr  1 16:06:36.341 EDT: WV-AAA: User "testvpn" has logged in from "x.x.x.x" to gateway "ACS_SSL_GW1" context "SSL1"

===LOGS WITH ADDRESS GIVEN BY LOCAL POOL ON ROUTER===

007584: Apr  1 16:09:05.951 EDT: AAA/AUTHEN/LOGIN (00000000): Pick method list 'webvpnauth'
007585: Apr  1 16:09:05.951 EDT: WV-AAA: AAA authentication request sent for user: "testvpn"
007586: Apr  1 16:09:05.959 EDT: WV-AAA: svc-enabled: Processing AV
007587: Apr  1 16:09:05.959 EDT: WV-AAA: svc-enabled = true
007588: Apr  1 16:09:05.959 EDT: WV-AAA: addr-pool: Processing AV
007589: Apr  1 16:09:05.959 EDT: WV-AAA: Address pool vpnPool
007590: Apr  1 16:09:05.959 EDT: WV-AAA: split-include: Processing AV
007591: Apr  1 16:09:05.959 EDT: WV-AAA: Split Include 10.192.0.0 255.255.0.0
007592: Apr  1 16:09:05.959 EDT: WV-AAA: default-domain: Processing AV
007593: Apr  1 16:09:05.959 EDT: WV-AAA: Default domain acs.local
007594: Apr  1 16:09:05.959 EDT: WV-AAA: keep-svc-installed: Processing AV
007595: Apr  1 16:09:05.959 EDT: WV-AAA: keep-svc-installed = true
007596: Apr  1 16:09:05.959 EDT: WV-AAA: primary-dns: Processing AV
007597: Apr  1 16:09:05.959 EDT: WV-AAA: Primary DNS server 10.192.5.10
007598: Apr  1 16:09:05.959 EDT: WV-AAA: wins-server-primary: Processing AV
007599: Apr  1 16:09:05.959 EDT: WV-AAA: Primary WINS server 10.192.5.10
007600: Apr  1 16:09:05.959 EDT: WV-AAA: netmask: Processing AV
007601: Apr  1 16:09:05.959 EDT: WV-AAA: Framed user IP nmask 255.255.255.0
007602: Apr  1 16:09:05.959 EDT: WV-AAA: negotiated-route: Skipping processing AV
007603: Apr  1 16:09:05.959 EDT: WV-AAA: addr: Processing AV
007604: Apr  1 16:09:05.959 EDT: WV-AAA: Framed user IP 255.255.255.255
007605: Apr  1 16:09:05.959 EDT: WV-AAA: AAA Authentication Passed!
007606: Apr  1 16:09:05.963 EDT: WV-AAA: User "testvpn" has logged in from "x.x.x.x" to gateway "ACS_SSL_GW1" context "SSL1"
007607: Apr  1 16:09:08.583 EDT: WV-AAA: Invalid Framed IP address 255.255.255.255 from AAA

===AND ANOTHER FROM A DIFFERENT VPN GROUP===

007738: Apr  1 16:27:10.275 EDT: AAA/AUTHEN/LOGIN (00000000): Pick method list 'webvpnauth'
007739: Apr  1 16:27:10.275 EDT: WV-AAA: AAA authentication request sent for user: "jasonvpn"
007740: Apr  1 16:27:10.343 EDT: WV-AAA: urllist-name: Processing AV
007741: Apr  1 16:27:10.343 EDT: WV-AAA: Urllist name telecom
007742: Apr  1 16:27:10.343 EDT: WV-AAA: urllist-name: Processing AV
007743: Apr  1 16:27:10.343 EDT: WV-AAA: Urllist name smb
007744: Apr  1 16:27:10.343 EDT: WV-AAA: svc-enabled: Processing AV
007745: Apr  1 16:27:10.343 EDT: WV-AAA: svc-enabled = true
007746: Apr  1 16:27:10.343 EDT: WV-AAA: addr-pool: Processing AV
007747: Apr  1 16:27:10.343 EDT: WV-AAA: Address pool vpnPool
007748: Apr  1 16:27:10.343 EDT: WV-AAA: default-domain: Processing AV
007749: Apr  1 16:27:10.343 EDT: WV-AAA: Default domain acs.local
007750: Apr  1 16:27:10.343 EDT: WV-AAA: keep-svc-installed: Processing AV
007751: Apr  1 16:27:10.343 EDT: WV-AAA: keep-svc-installed = true
007752: Apr  1 16:27:10.343 EDT: WV-AAA: primary-dns: Processing AV
007753: Apr  1 16:27:10.343 EDT: WV-AAA: Primary DNS server 10.192.5.10
007754: Apr  1 16:27:10.343 EDT: WV-AAA: wins-server-primary: Processing AV
007755: Apr  1 16:27:10.343 EDT: WV-AAA: Primary WINS server 10.192.5.10
007756: Apr  1 16:27:10.343 EDT: WV-AAA: split-include: Processing AV
007757: Apr  1 16:27:10.343 EDT: WV-AAA: Split Include 10.192.0.0 255.255.0.0
007758: Apr  1 16:27:10.343 EDT: WV-AAA: split-include: Processing AV
007759: Apr  1 16:27:10.343 EDT: WV-AAA: Split Include 192.168.123.0 255.255.255.0
007760: Apr  1 16:27:10.343 EDT: WV-AAA: split-include: Processing AV
007761: Apr  1 16:27:10.343 EDT: WV-AAA: Split Include 192.168.47.0 255.255.255.0
007762: Apr  1 16:27:10.343 EDT: WV-AAA: split-include: Processing AV
007763: Apr  1 16:27:10.343 EDT: WV-AAA: Split Include 192.168.111.0 255.255.255.0
007764: Apr  1 16:27:10.343 EDT: WV-AAA: addr: Processing AV
007765: Apr  1 16:27:10.343 EDT: WV-AAA: Framed user IP 255.255.255.255
007766: Apr  1 16:27:10.343 EDT: WV-AAA: priv-lvl: Processing AV
007767: Apr  1 16:27:10.343 EDT: WV-AAA: AAA Authentication Passed!
007768: Apr  1 16:27:10.347 EDT: WV-AAA: User "jasonvpn" has logged in from "x.x.x.x" to gateway "ACS_SSL_GW1" context "SSL1"
007769: Apr  1 16:27:13.019 EDT: WV-AAA: Invalid Framed IP address 255.255.255.255 from AAA
WV-AAA: Switching to local IP pool

And here is my router config;

webvpn context SSL1
title "Applied Computer Solutions Inc."
login-photo file flash:/acslogo6.jpg
color #121212
secondary-color #121212
title-color #000000
text-color #ffffff
secondary-text-color #000000
ssl authenticate verify all
!
url-list "smb"
   heading "ACS - Internal"
   url-text "(ECMx" url-value "http://10.1x"
   url-text "ACS Wiki" url-value "http://10.19x"
!
url-list "telecom"
   heading "ACS - Telecom"
   url-text "Whx" url-value "http://10.x"
   url-text "Whatx" url-value "http://10.192.x

!
port-forward "pforward1"
   local-port 3002 remote-server "10.19x3" remote-port 3389 description "RDP - NetmonTS"
!
policy group vpn1
   svc split include 10.192.0.0 255.255.0.0
default-group-policy vpn1
aaa authentication list webvpnauth
gateway ACS_SSL_GW1
inservice
!
end

The default-group-policy shown above is what is making this work until I figure out the RADIUS attribute issue.  I remove this default-group-policy when testing the radius attribute push and it always shows all traffic tunnelled via 0.0.0.0.

Thanks

Jason
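The debug output above is the evidence the thread turns on: the router reports each AV it parses, and the interesting lines are "Split Include ..." (the AV was accepted by AAA), "Invalid Framed IP address 255.255.255.255 from AAA" and "Switching to local IP pool". The following parser is an added example, not code from the thread or from Cisco; it runs over a constructed sample of WV-AAA lines modelled on the ones posted here (sequence numbers, timestamps and the user name are made up) and summarises which AVs were processed, which were skipped, and whether the framed address was rejected. The format assumptions about the line layout are taken only from the lines quoted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample of "debug webvpn aaa" output, modelled on the lines quoted
# in the thread. Sequence numbers, timestamps and the user name are made up.
SAMPLE_DEBUG = """\
000100: Apr  1 16:09:05.951 EDT: AAA/AUTHEN/LOGIN (00000000): Pick method list 'webvpnauth'
000101: Apr  1 16:09:05.951 EDT: WV-AAA: AAA authentication request sent for user: "testvpn"
000102: Apr  1 16:09:05.959 EDT: WV-AAA: svc-enabled: Processing AV
000103: Apr  1 16:09:05.959 EDT: WV-AAA: svc-enabled = true
000104: Apr  1 16:09:05.959 EDT: WV-AAA: split-include: Processing AV
000105: Apr  1 16:09:05.959 EDT: WV-AAA: Split Include 10.192.0.0 255.255.0.0
000106: Apr  1 16:09:05.959 EDT: WV-AAA: negotiated-route: Skipping processing AV
000107: Apr  1 16:09:05.959 EDT: WV-AAA: addr: Processing AV
000108: Apr  1 16:09:05.959 EDT: WV-AAA: Framed user IP 255.255.255.255
000109: Apr  1 16:09:05.959 EDT: WV-AAA: AAA Authentication Passed!
000110: Apr  1 16:09:05.963 EDT: WV-AAA: User "testvpn" has logged in from "x.x.x.x" to gateway "ACS_SSL_GW1" context "SSL1"
000111: Apr  1 16:09:08.583 EDT: WV-AAA: Invalid Framed IP address 255.255.255.255 from AAA
WV-AAA: Switching to local IP pool
"""

# A debug line is "<seq>: <timestamp>: WV-AAA: <message>". The seq/timestamp
# prefix is optional because the last line of the thread's capture lacks it.
LINE_RE = re.compile(r"^(?:\d+: .*?: )?WV-AAA: (?P<msg>.*)$")
AV_RE = re.compile(r"^(?P<av>[\w-]+): (?P<action>Processing|Skipping processing) AV$")
SPLIT_RE = re.compile(r"^Split Include (?P<net>[\d.]+) (?P<mask>[\d.]+)$")
FRAMED_RE = re.compile(r"^Framed user IP (?P<ip>[\d.]+)$")
INVALID_RE = re.compile(r"^Invalid Framed IP address (?P<ip>\S+) from AAA$")
USER_RE = re.compile(r'^User "(?P<user>[^"]+)" has logged in')


def parse_wv_aaa(debug_text: str) -> Dict:
    """Summarise one SSL VPN login from WV-AAA debug output."""
    s: Dict = {"user": None, "processed": [], "skipped": [], "split_include": [],
               "framed_ip": None, "invalid_framed_ip": None,
               "local_pool_fallback": False, "auth_passed": False}
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # AAA/AUTHEN lines and anything not from WV-AAA are ignored
        msg = m.group("msg")
        if (av := AV_RE.match(msg)):
            bucket = "processed" if av["action"] == "Processing" else "skipped"
            s[bucket].append(av["av"])
        elif (sp := SPLIT_RE.match(msg)):
            s["split_include"].append((sp["net"], sp["mask"]))
        elif (fr := FRAMED_RE.match(msg)):
            s["framed_ip"] = fr["ip"]
        elif (inv := INVALID_RE.match(msg)):
            s["invalid_framed_ip"] = inv["ip"]
        elif (u := USER_RE.match(msg)):
            s["user"] = u["user"]
        elif msg == "AAA Authentication Passed!":
            s["auth_passed"] = True
        elif msg == "Switching to local IP pool":
            s["local_pool_fallback"] = True
    return s


def findings(s: Dict) -> List[str]:
    """Turn the summary into the points a troubleshooter would check next."""
    out: List[str] = []
    if s["split_include"]:
        nets = ", ".join(f"{n} {m}" for n, m in s["split_include"])
        out.append(f"router parsed {len(s['split_include'])} split-include AV(s): {nets}; "
                   "if the client still shows 0.0.0.0 0.0.0.0 as its secured route, the AV "
                   "was accepted by AAA but not applied (check that a policy group is in "
                   "use, via default-group-policy or webvpn:user-vpn-group)")
    elif "split-include" in s["processed"]:
        out.append("split-include AV seen but no 'Split Include' value parsed: check the syntax")
    if s["invalid_framed_ip"]:
        out.append(f"AAA returned framed IP {s['invalid_framed_ip']}, which the router rejected"
                   + ("; it fell back to the local pool" if s["local_pool_fallback"] else ""))
    if s["skipped"]:
        out.append("AVs skipped by the router: " + ", ".join(s["skipped"]))
    return out


if __name__ == "__main__":
    for line in findings(parse_wv_aaa(SAMPLE_DEBUG)):
        print("-", line)
```

The point of separating parsing from findings is that the debug shows the split-include AV being accepted by AAA in every capture, so the failure is downstream of RADIUS parsing; the tool says so rather than blaming the attribute syntax. The 255.255.255.255 framed address is a separate, unrelated signal: in RADIUS (RFC 2865) a Framed-IP-Address of 255.255.255.255 tells the NAS to let the user pick an address, which IOS here treats as invalid and answers by switching to the local pool.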

jasonhumes Mon, 04/05/2010 - 05:08

Hi

The Client ver is 2.4.1012 and the OS is winXP pro (fully updated).

Thanks

J

Jennifer Halim Mon, 04/05/2010 - 06:11

Looks more and more like a bug to me. You might want to open a TAC case to get the issue further investigated.

jasonhumes Mon, 04/05/2010 - 06:26

Yeah, that's pretty much the conclusion I came to as well...sadly TAC is not an option as this router is not under any contract as of last week. Thanks for your help.

Cheers

J

jasonhumes Wed, 04/14/2010 - 12:12

Hi

Finally got this issue resolved.  It turns out if you do not have a default policy group defined in the actual router config, or push one via the RADIUS user-vpn-group attribute, then it ignores the webvpn:split-include lines...even if the policy group is totally empty, just the creation and use of it is enough to get the webvpn:split-include working!

So now my RADIUS config looks like this;

webvpn:split-include=10.192.0.0 255.255.0.0
webvpn:netmask=255.255.255.0
webvpn:addr-pool=vpnPool
webvpn:svc-enabled=1
webvpn:keep-svc-installed=1
webvpn:user-vpn-group=emptyPolicy

and on the router itself;

webvpn context SSL1
...
...
...
policy group emptyPolicy
aaa authentication list webvpnauth
gateway ACS_SSL_GW1
inservice
!

And all works as expected!

Cheers

J
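A small pre-flight check for a cisco-av-pair list, written as an added example rather than anything from the thread, ACS or Cisco. It encodes what this thread established: each webvpn:split-include value must be "<network> <subnet mask>" (a wildcard mask is the mistake Jason first tried), and, per Jason's resolution, the split-include lines are ignored unless a policy group is actually in use, either as default-group-policy on the context or pushed with webvpn:user-vpn-group. The sample lists are constructed to mirror the working and failing configurations posted above; the set of policy group names and the default_group_policy flag are inputs you supply from your own router config.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the working av-pair list from the thread.
WORKING_AVPAIRS = [
    "webvpn:split-include=10.192.0.0 255.255.0.0",
    "webvpn:netmask=255.255.255.0",
    "webvpn:addr-pool=vpnPool",
    "webvpn:svc-enabled=1",
    "webvpn:keep-svc-installed=1",
    "webvpn:user-vpn-group=emptyPolicy",
]
# Constructed sample with the mistakes discussed: a wildcard mask, host bits
# in the network field, and no user-vpn-group (so no policy group in use).
BROKEN_AVPAIRS = [
    "webvpn:split-include=10.192.0.0 0.0.255.255",
    "webvpn:split-include=192.168.47.5 255.255.255.0",
    "webvpn:addr-pool=vpnPool",
    "webvpn:svc-enabled=1",
]


def parse_avpair(pair: str) -> Tuple[str, str]:
    """'webvpn:key=value' -> ('key', 'value'); surrounding quotes on the value are dropped."""
    if not pair.startswith("webvpn:") or "=" not in pair:
        raise ValueError(f"not a webvpn av-pair: {pair!r}")
    key, _, value = pair[len("webvpn:"):].partition("=")
    return key.strip(), value.strip().strip('"')


def check_split_include(value: str) -> Optional[str]:
    """Return a problem description for a split-include value, or None if it is well formed."""
    parts = value.split()
    if len(parts) != 2:
        return f"split-include needs '<network> <mask>', got {value!r}"
    try:
        net, mask = (int(ipaddress.IPv4Address(p)) for p in parts)
    except ValueError as exc:
        return f"split-include {value!r}: {exc}"
    inv = mask ^ 0xFFFFFFFF
    if inv & (inv + 1):               # complement is not 2^k - 1, so not a subnet mask
        if mask & (mask + 1) == 0:    # ...but the mask itself is: a wildcard mask
            return f"split-include {value!r}: wildcard mask given; use the subnet mask"
        return f"split-include {value!r}: non-contiguous mask"
    if net & inv:
        return f"split-include {value!r}: host bits set in network address"
    return None


def lint_avpairs(pairs: List[str], policy_groups: Set[str] = frozenset(),
                 default_group_policy: bool = False) -> List[str]:
    """Check a group's webvpn av-pairs against the conditions found in the thread."""
    problems: List[str] = []
    seen: Dict[str, List[str]] = {}
    for pair in pairs:
        key, value = parse_avpair(pair)
        seen.setdefault(key, []).append(value)
        if key == "split-include":
            err = check_split_include(value)
            if err:
                problems.append(err)
    if "split-include" in seen:
        if seen.get("svc-enabled") != ["1"]:
            problems.append("split-include without svc-enabled=1: only the full tunnel client uses it")
        if "user-vpn-group" not in seen and not default_group_policy:
            problems.append("no user-vpn-group and no default-group-policy on the context: "
                            "as found in this thread, IOS then ignores split-include")
    for group in seen.get("user-vpn-group", []):
        if group not in policy_groups:
            problems.append(f"user-vpn-group {group!r} is not a policy group in the context")
    return problems


if __name__ == "__main__":
    for name, pairs in (("working", WORKING_AVPAIRS), ("broken", BROKEN_AVPAIRS)):
        print(name, lint_avpairs(pairs, policy_groups={"emptyPolicy"}) or "OK")
```

Feed it the cisco-av-pair list for a group and the policy group names from `webvpn context` on the router. The mask test uses bit arithmetic instead of `ipaddress.ip_network` because that constructor happily accepts a wildcard (host) mask, which is exactly the form the debug in this thread shows IOS does not use for split-include.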
