Mapping Split tunnel list value from Radius (ACS) to ASA for remote access VPN.

dtochilovsky
Level 1

Hello all, I am trying to replace a VPN3000 with an ASA (8.4) for remote access. We use Cisco ACS for authorization and accounting, and RSA for authorization.

On the VPN3000 we were able to pass the Split-Tunnel list to restrict users' access to only specified IPs.

I am trying to replicate the same on the ASA. I understand that I can create access-lists that will limit user access, and I am trying to understand how to assign an access list to the user based on the Radius attribute - [3076\027] IPSec-Split-Tunnel-List.

Is this done using the Dynamic Access Policy?

How do I assign the Radius Attribute of the IPSec-Split-Tunnel-List to the dynamic policy?

Any help will be greatly appreciated.

Dima.

1 Reply

dtochilovsky
Level 1

I found out that for Dynamic Access Policy the Radius attribute equals 4096 + RADIUS ID. So I configured DAP to look for Radius attribute of 4123 (4096+27 which is the value for IPSec Split Tunnel in Radius). But testing it with Remote Access VPN there is no split tunneling.

The question is how do I apply this Dynamic Access policy to the remote VPN users?

Again, any help will be appreciated.

Dima.