I have an ASA integrated with ACS so that VPN clients can authenticate with their Active Directory accounts. I need to figure out how to enable split tunneling per VPN group on the ACS. I found a doc that shows the setting is under GROUP SETUP, where you can specify the ACL. But I am not sure whether the ACL resides on the ASA or on the ACS?
The ACL needs to be on the ASA. What you need to do is pass the Class attribute string (attribute 25) from the ACS back to the ASA; this attribute string must be equal to the group policy that the user will be assigned. Within that group policy you can then configure the split tunnel policy.
The attribute strings have to be configured on the ACS; the ASA will just read them and place the user in the correct group policy.
On your ACS, go to "Interface Configuration" and enable the RADIUS IETF Class value for either user or group.
Once this is applied, go to the group where you want to configure this feature and edit it; scroll to the RADIUS IETF values, enable the option, and enter the following syntax: 'OU=group_pol_name;' (no quotes), where group_pol_name is the group policy that the ASA has configured with the correct split tunnel list.
After a user that belongs to that group authenticates, ACS will send the Class attribute (25) back to the ASA, which the ASA will interpret as the group policy the user belongs to.
Mhhh, I think that's where we should have started. When the group is internal, you use the setup I advised; when it is external, you pretty much have to forget everything about the Class value and RADIUS attributes. In this case you would only use the Cisco VPN3000/ASA/PIX 7 RADIUS attributes: enable the split tunneling policy and define the list name that your ASA has configured; this is the way to tie the ACL to the external group. What will happen is that ACS will pass the split tunnel list string value back to the ASA, which should be defined on the ASA.
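An added example of the ASA-side configuration the answers above assume for the internal-group case (not from the thread; all names, addresses and the shared secret are constructed placeholders): the standard ACL that defines the tunneled networks, the group policy that references it, the RADIUS server group pointing at ACS, and the Class attribute value ACS returns to select that policy. It also includes a restrictive default group policy so that a session for which ACS returns no Class attribute does not silently land in a permissive policy.

```cisco
! Constructed example, not from the thread. Names and addresses are placeholders.
!
! 1. Standard ACL listing only the networks that should go through the tunnel;
!    traffic to everything else leaves the client directly (split tunneling).
access-list SPLIT_TUNNEL_SALES standard permit 10.10.0.0 255.255.0.0
access-list SPLIT_TUNNEL_SALES standard permit 10.20.0.0 255.255.0.0
!
! 2. Group policy that owns the split tunnel settings. Its name must match
!    exactly the value ACS sends in the Class attribute (step 5).
group-policy GP_SALES internal
group-policy GP_SALES attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_SALES
!
! 3. Fallback policy for sessions where ACS returns no matching Class value:
!    zero simultaneous logins means the session is refused rather than
!    being placed in an unintended policy.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 4. RADIUS server group pointing at ACS, used by the tunnel group.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key <shared-secret>
tunnel-group VPN_USERS type remote-access
tunnel-group VPN_USERS general-attributes
 authentication-server-group ACS
 default-group-policy GP_NOACCESS
!
! 5. On ACS (Group Setup > RADIUS IETF), the Class (25) attribute for the
!    group is set to:   OU=GP_SALES;
!    The ASA maps "GP_SALES" to the group-policy above, and the session gets
!    SPLIT_TUNNEL_SALES as its split tunnel list.
!
! Verify on the ASA with:  show vpn-sessiondb detail
! (the session output lists the Group Policy that was actually applied).
```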
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...