Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

VPN, Split-tunneling and RADIUS

Hello.

We know about the ipsec:inacl attribute for configuring split-tunneling for a VPN group, but AFAWK you must define the ACL in the local configuration of the router. Is it possible to define the ACL in the RADIUS server instead? How? By the way, is it possible to do the same for the IPsec pools?

Thank you beforehand.

2 REPLIES
Silver

Re: VPN, Split-tunneling and RADIUS

This feature introduces the radius-server attribute 11 direction default command, which allows you to change the default direction of filters for your access control lists (ACL) via RADIUS. (RADIUS attribute 11 (Filter-Id) indicates the name of the filter list for the user.) Enabling this command allows you to change the filter direction to inboundwhich stops traffic from entering a router, and reduces resource consumptionrather than keeping the outbound default direction, which waits until the traffic is about to leave the network before filtering occurs.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftacldir.htm

Community Member

Re: VPN, Split-tunneling and RADIUS

Thanks for your answer, but I don't see how to use this for the problem we are trying to solve.

As I understand it, the Filter-Id option specifies an ACL in the router's local config, but this is what we are trying to avoid.

We would like to define per group downloadable ACLs for split-tunneling in the ACS config, in order to push them into a IOS router. Any way to do this?

Thanks.

322
Views
0
Helpful
2
Replies
CreatePlease to create content