Cisco Support Community
Community Member

Wanted: Radius Cisco VSA for Split Tunneling on IOS Client

Hi there,

i'm currently configuring some Cisco 800 as EZVPN Clients, the server will be a 2821. We want to setup the server in a way that no client-specific configuration is needed there (because this is a service provider environment). So authentication (xauth) and isakmp authorization (preshared keys) are done agains a RADIUS server (freeradius).

This EZVPN setup works fine, however what we also want to achieve is split tunneling for the clients. That would mean configuring a split tunneling ACL and pushing it towards the client during mode config. As the clients will have different private address spaces we do not want to have client specific configuration on the gateway, instead we also want to get this information from the RADIUS server. Thus we need the appropriate cisco-avpairs.

Does anyone know which avpair to use for this purpose? Note it's not enough to push the ACL number and have the ACL configured on the server (i think thats possible for ASA/VPN3k), we need to get the ACL from the radius.

Thanks & best regards



Re: Wanted: Radius Cisco VSA for Split Tunneling on IOS Client

I don't think this is supported.

You can only specify the split tunnel list name via Cisco VSA.

Cisco ACS supports download ACL but it is for restricting access on the interface level and its name is generated  by ACS with a random number.

CreatePlease to create content