ANSWERED: IOS SSL VPN with Cisco RADIUS webvpn:split-include attribute not working.

jasonhumes
Level 1

Hi

I've recently switched from using a static default IOS SSL VPN policy (default-group-policy xxx) to Cisco RADIUS (CSACS 4.x)-pushed VPN components (determined by the group the user logging in belongs to). Everything seems to be working (url-lists, port-forwards, etc.) except for the split tunnel config on the full tunnel client: it does not seem to be getting the split tunnel list from the RADIUS server and thus it ends up tunnelling everything, which cuts off local Internet access. The av pairs on my group config look like this:

webvpn:split-include=10.192.0.0 255.255.0.0

webvpn:addr-pool=pool1

webvpn:svc-enabled=1

I've tried the normal mask and the inverse mask, and it always shows 0.0.0.0 0.0.0.0 under the secured routes status of the SSL VPN dialer, and no Internet access is available while connected. This split tunnel works just fine when configured via a policy on the actual router with 'svc split-include 10.192.0.0 255.255.0.0', just not when pushed via RADIUS.

Any ideas?

Thanks

Jason

16 Replies

jasonhumes
Level 1

Hi

Finally got this issue resolved. It turns out that if you do not have a default policy group defined in the actual router config, or push one via the RADIUS user-vpn-group attribute, then it ignores the webvpn:split-include lines. Even if the policy group is totally empty, just the creation and use of it is enough to get webvpn:split-include working!

So now my RADIUS config looks like this:

webvpn:split-include=10.192.0.0 255.255.0.0

webvpn:netmask=255.255.255.0

webvpn:addr-pool=vpnPool

webvpn:svc-enabled=1

webvpn:keep-svc-installed=1

webvpn:user-vpn-group=emptyPolicy

and on the router itself:

webvpn context SSL1
 ...
 ...
 ...
 policy group emptyPolicy
 aaa authentication list webvpnauth
 gateway ACS_SSL_GW1
 inservice
!

And all works as expected!

Cheers

J
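The pitfall in the answer above (webvpn:split-include silently ignored when no policy group is assigned, so the client tunnels everything) is easy to reintroduce the next time someone edits the ACS group. The following is an added example, not code from the original thread and not a Cisco tool: a small Python linter that parses a list of webvpn: av-pairs and flags a split-include without a user-vpn-group, a split-include whose mask is not a regular contiguous netmask (the router-side form 'svc split-include 10.192.0.0 255.255.0.0' uses a regular mask, not a wildcard), and a network/mask pair that does not line up. The function names, the two sample av-pair lists (constructed from the failing and working sets posted in this thread) and the "split-include needs user-vpn-group" rule are this example's own assumptions drawn from the thread; the script cannot see whether the webvpn context carries a default-group-policy, so a missing user-vpn-group is reported as something to verify rather than a definite error.

```python
"""Linter for Cisco IOS SSL VPN (webvpn) RADIUS av-pairs.

Added example based on the thread above, not an official Cisco tool.
Checks a list of 'webvpn:attr=value' strings for the split-include
pitfalls described in the answer.
"""
import ipaddress
from typing import Dict, List

PREFIX = "webvpn:"


def parse_av_pairs(pairs: List[str]) -> Dict[str, List[str]]:
    """Parse 'webvpn:attr=value' strings into attr -> [values].

    Values are kept as lists because an attribute such as split-include
    may legitimately appear more than once.
    """
    parsed: Dict[str, List[str]] = {}
    for raw in pairs:
        line = raw.strip()
        if not line:
            continue
        if not line.startswith(PREFIX) or "=" not in line:
            raise ValueError(f"not a webvpn av-pair: {raw!r}")
        attr, value = line[len(PREFIX):].split("=", 1)
        parsed.setdefault(attr.strip(), []).append(value.strip())
    return parsed


def is_contiguous_netmask(mask: str) -> bool:
    """True for a regular (non-inverse) netmask such as 255.255.0.0.

    A regular mask is a run of ones followed by zeros, so its bitwise
    complement is of the form 2**k - 1; that is what the test checks.
    """
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    inverted = (~bits) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def check_split_include(parsed: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings: List[str] = []
    includes = parsed.get("split-include", [])
    for entry in includes:
        parts = entry.split()
        if len(parts) != 2:
            findings.append(f"split-include {entry!r}: expected 'network mask'")
            continue
        net, mask = parts
        if not is_contiguous_netmask(mask):
            findings.append(
                f"split-include {entry!r}: mask is not a regular netmask "
                "(the router-side 'svc split-include' form takes a regular mask, "
                "not a wildcard)")
            continue
        try:
            # strict=True rejects a network address with host bits set
            ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
        except ValueError:
            findings.append(
                f"split-include {entry!r}: {net} is not the network address for mask {mask}")
    if includes and "user-vpn-group" not in parsed:
        # Assumption taken from the thread: IOS ignores split-include unless the
        # session is assigned a policy group, either via webvpn:user-vpn-group or
        # a default-group-policy on the context (which this script cannot see).
        findings.append(
            "split-include present but no webvpn:user-vpn-group: IOS ignores "
            "split-include unless a policy group is assigned; add user-vpn-group "
            "or confirm the context has a default-group-policy")
    return findings


def lint(pairs: List[str]) -> List[str]:
    """Parse and check one group's av-pairs in a single call."""
    return check_split_include(parse_av_pairs(pairs))


# Constructed sample: the failing av-pairs from the question
BROKEN_PAIRS = [
    "webvpn:split-include=10.192.0.0 255.255.0.0",
    "webvpn:addr-pool=pool1",
    "webvpn:svc-enabled=1",
]

# Constructed sample: the working av-pairs from the answer
FIXED_PAIRS = [
    "webvpn:split-include=10.192.0.0 255.255.0.0",
    "webvpn:netmask=255.255.255.0",
    "webvpn:addr-pool=vpnPool",
    "webvpn:svc-enabled=1",
    "webvpn:keep-svc-installed=1",
    "webvpn:user-vpn-group=emptyPolicy",
]

if __name__ == "__main__":
    for name, pairs in (("broken", BROKEN_PAIRS), ("fixed", FIXED_PAIRS)):
        print(name, lint(pairs) or "OK")
```

Run it against the av-pairs exported from each ACS group before you push a change; the "broken" set above produces exactly one finding (the missing user-vpn-group), the "fixed" set produces none.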

Good to know, and thanks for updating this topic.