03-27-2010 10:24 AM
Hi
I've recently switched from using a static default IOS SSL VPN policy (default-group-policy xxx) to Cisco RADIUS (CSACS 4.x) pushed VPN components (determined by the group the user logging in belongs to). Everything seems to be working, url-lists, port-forwards, etc., except for the split tunnel config on the full tunnel client. It does not seem to be getting the split tunnel list from the RADIUS server and thus it ends up tunnelling everything, which cuts off local internet access. The av pairs on my group config look like this:
webvpn:split-include=10.192.0.0 255.255.0.0
webvpn:addr-pool=pool1
webvpn:svc-enabled=1
I've tried the normal mask and the inverse mask and it always shows 0.0.0.0 0.0.0.0 under the secured routes status of the SSL VPN dialer and no Internet access is available while connected. This split tunnel works just fine when configured via a policy on the actual router via 'svc split-include 10.192.0.0 255.255.0.0', just not when pushed via RADIUS.
Any ideas?
Thanks
Jason
04-14-2010 12:12 PM
Hi
Finally got this issue resolved. It turns out if you do not have a default policy group defined in the actual router config, or push one via the RADIUS user-vpn-group attribute, then it ignores the webvpn:split-include lines...even if the policy group is totally empty, just the creation and use of it is enough to get the webvpn:split-include working!
So now my RADIUS config looks like this:
webvpn:split-include=10.192.0.0 255.255.0.0
webvpn:netmask=255.255.255.0
webvpn:addr-pool=vpnPool
webvpn:svc-enabled=1
webvpn:keep-svc-installed=1
webvpn:user-vpn-group=emptyPolicy
and on the router itself:
webvpn context SSL1
...
...
...
policy group emptyPolicy
aaa authentication list webvpnauth
gateway ACS_SSL_GW1
inservice
!
And all works as expected!
Cheers
J
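An added check, written here as my own Python and not part of the thread or any Cisco tool, that lints a set of webvpn AV pairs for the two things this thread turned on: a split-include value that is not "<network> <subnet mask>", and a split-include pushed without a user-vpn-group while the router has no default-group-policy. The sample AV pairs are constructed from the working config above; router_has_default_policy is an assumed flag, since the lint cannot see the router config.

```python
import ipaddress
# Constructed sample mirroring the AV pairs the thread ended up with (not a real ACS export).
WORKING_AVPAIRS = [
    "webvpn:split-include=10.192.0.0 255.255.0.0",
    "webvpn:netmask=255.255.255.0",
    "webvpn:addr-pool=vpnPool",
    "webvpn:svc-enabled=1",
    "webvpn:keep-svc-installed=1",
    "webvpn:user-vpn-group=emptyPolicy",
]

def parse_webvpn_avpairs(avpairs):
    """Collect 'webvpn:<attr>=<value>' pairs into {attr: [values]}; other AV pairs are skipped."""
    attrs = {}
    for pair in avpairs:
        if not pair.startswith("webvpn:") or "=" not in pair:
            continue
        key, value = pair[len("webvpn:"):].split("=", 1)
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def is_subnet_mask(mask):
    """True for a contiguous mask such as 255.255.0.0, False for a wildcard such as 0.0.255.255."""
    try:
        m = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return False
    inv = ~m & 0xFFFFFFFF  # a valid mask inverts to 2**k - 1, so inv & (inv + 1) is zero
    return inv & (inv + 1) == 0

def lint_split_tunnel(avpairs, router_has_default_policy=False):
    """Return the problems that would leave the client with 0.0.0.0 0.0.0.0 as its only secured route."""
    attrs = parse_webvpn_avpairs(avpairs)
    problems = []
    for entry in attrs.get("split-include", []):
        parts = entry.split()
        try:
            ipaddress.IPv4Address(parts[0])
            mask_ok = len(parts) == 2 and is_subnet_mask(parts[1])
        except (IndexError, ValueError):
            mask_ok = False
        if not mask_ok:
            problems.append(f"split-include '{entry}': expected '<network> <subnet mask>' "
                            "as in the working config (10.192.0.0 255.255.0.0), not a wildcard mask")
    # The gotcha from this thread: without a policy group in use, IOS ignores split-include entirely.
    if "split-include" in attrs and "user-vpn-group" not in attrs and not router_has_default_policy:
        problems.append("split-include is ignored unless a policy group is in use: push "
                        "webvpn:user-vpn-group or define default-group-policy on the router")
    return problems
```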
04-14-2010 09:38 PM
Good to know, and thanks for updating this topic.