Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
723
Views
0
Helpful
2
Replies

RADIUS-defined split-include on ASA

Go to solution
ghostinthenet
Level 7
Level 7

‎07-19-2015 09:05 AM

We're in the process of migrating from an IOS-based AnyConnect SSL access VPN architecture to an ASA-based one.

Everything appears to be working correctly except for one thing. We use a RADIUS-defined split-include setting to ensure that certain users have access to only their networks using the cisco-avpair "webvpn:split-include=#.#.#.# 255.255.255.0" which works well on the IOS installation, but not on the ASA. I can verify that the AV pair is being provided as part of the authentication process, the ASA (version 9.1(6), btw) ignores it and gives full access to the client using the ACL specified in the configuration.

Despite a few hours of googling and referencing Cisco ASA AnyConnect documentation, I cannot find a reference for accomplishing this. I suspect that the AV pair in question is IOS-specific, but can't find confirmation of this either.

Has anyone else run into this?

Jody

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Abaji Rawool
Level 3
Level 3

‎07-20-2015 10:36 PM

Hi Jody,

Looks like this av-pair is not available for ASA

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ref_extserver.html

You can try using

Cisco Attribute Value (AV) pair (ID# 26/9/1) as mentioned on the guide.

HTH

Abaji.

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Abaji Rawool
Level 3
Level 3

‎07-20-2015 10:36 PM

Hi Jody,

Looks like this av-pair is not available for ASA

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ref_extserver.html

You can try using

Cisco Attribute Value (AV) pair (ID# 26/9/1) as mentioned on the guide.

HTH

Abaji.

 

0 Helpful

Go to solution
ghostinthenet
Level 7
Level 7
In response to Abaji Rawool

‎07-21-2015 12:13 PM

That's what I thought as well. Looks like the IOS AnyConnect implementation is a bit more robust in some ways than the ASA's.

I've managed to work around the platform's deficiency by using downloadable ACLs and applying those to the configuration. This is a bit more ham-handed than I would like as it prevents users from accessing their own LAN addresses if there is an overlap, even if they're restricted from that portion of the network.

Thanks.

Jody

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca
0 Helpful
Customers Also Viewed These Support Documents