07-19-2015 09:05 AM
We're in the process of migrating from an IOS-based AnyConnect SSL access VPN architecture to an ASA-based one.
Everything appears to be working correctly except for one thing. We use a RADIUS-defined split-include setting to ensure that certain users have access to only their networks using the cisco-avpair "webvpn:split-include=#.#.#.# 255.255.255.0", which works well on the IOS installation, but not on the ASA. I can verify that the AV pair is being provided as part of the authentication process, but the ASA (version 9.1(6), btw) ignores it and gives full access to the client using the ACL specified in the configuration.
Despite a few hours of googling and referencing Cisco ASA AnyConnect documentation, I cannot find a reference for accomplishing this. I suspect that the AV pair in question is IOS-specific, but can't find confirmation of this either.
Has anyone else run into this?
Jody
07-20-2015 10:36 PM
Hi Jody,
Looks like this av-pair is not available for ASA:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ref_extserver.html
You can try using Cisco Attribute Value (AV) pair (ID# 26/9/1) as mentioned on the guide.
HTH
Abaji.
07-21-2015 12:13 PM
That's what I thought as well. Looks like the IOS AnyConnect implementation is a bit more robust in some ways than the ASA's.
I've managed to work around the platform's deficiency by using downloadable ACLs and applying those to the configuration. This is a bit more ham-handed than I would like as it prevents users from accessing their own LAN addresses if there is an overlap, even if they're restricted from that portion of the network.
Thanks.
Jody