RADIUS-defined split-include on ASA

ghostinthenet
Level 7

We're in the process of migrating from an IOS-based AnyConnect SSL access VPN architecture to an ASA-based one.

Everything appears to be working correctly except for one thing. We use a RADIUS-defined split-include setting to ensure that certain users have access to only their networks, using the cisco-avpair "webvpn:split-include=#.#.#.# 255.255.255.0", which works well on the IOS installation but not on the ASA. I can verify that the AV pair is being provided as part of the authentication process, but the ASA (version 9.1(6), btw) ignores it and gives full access to the client using the ACL specified in the configuration.

Despite a few hours of googling and referencing Cisco ASA AnyConnect documentation, I cannot find a reference for accomplishing this. I suspect that the AV pair in question is IOS-specific, but can't find confirmation of this either.

Has anyone else run into this?

Jody

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca
Accepted Solution

Abaji Rawool
Level 3

Hi Jody,

Looks like this av-pair is not available for the ASA:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ref_extserver.html

You can try using the Cisco Attribute Value (AV) pair (ID# 26/9/1) as mentioned in the guide.

HTH

Abaji.

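The accepted answer points at Cisco AV pair 26/9/1, that is, RADIUS Vendor-Specific Attribute type 26 carrying vendor ID 9 (Cisco) and vendor sub-type 1 (cisco-avpair). The Python script below is an added example, not code from this thread, from Cisco, or from any RADIUS server: it encodes a cisco-avpair string into that VSA layout as laid out in RFC 2865 section 5.26, decodes such pairs back out of a raw attribute list (skipping other attribute types and other vendors, and rejecting malformed lengths), and splits the protocol:attribute=value string. The sample values (the webvpn:split-include pair from the question and an ip:inacl#1 entry) are constructed for illustration; the script makes no claim about which pairs a given ASA or IOS release honours.

```python
from __future__ import annotations

import struct

# RFC 2865 section 5.26: Vendor-Specific attribute carrying Cisco's cisco-avpair.
RADIUS_VENDOR_SPECIFIC = 26   # attribute type
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR_SUBTYPE = 1      # vendor-type of cisco-avpair
MAX_ATTR_LEN = 255            # the RADIUS attribute Length field is one octet


def encode_cisco_avpair(pair: str) -> bytes:
    """Wrap one cisco-avpair string in a complete RADIUS VSA (26/9/1)."""
    data = pair.encode("ascii")
    sub_len = 2 + len(data)        # Vendor-Type + Vendor-Length + string
    attr_len = 2 + 4 + sub_len     # Type + Length + Vendor-Id + sub-attribute
    if attr_len > MAX_ATTR_LEN:
        raise ValueError(f"avpair too long for a single VSA ({len(data)} bytes)")
    header = struct.pack("!BBIBB", RADIUS_VENDOR_SPECIFIC, attr_len,
                         CISCO_VENDOR_ID, CISCO_AVPAIR_SUBTYPE, sub_len)
    return header + data


def _iter_tlvs(buf: bytes, what: str):
    """Yield (type, value) from a RADIUS-style TLV list; raise on bad lengths."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header at offset {pos}")
        t, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError(f"bad {what} length {length} at offset {pos}")
        yield t, buf[pos + 2:pos + length]
        pos += length


def decode_cisco_avpairs(attrs: bytes) -> list[str]:
    """Return every cisco-avpair string in an attribute list, in order.
    Other attribute types and other vendors' VSAs are ignored."""
    pairs: list[str] = []
    for atype, body in _iter_tlvs(attrs, "attribute"):
        if atype != RADIUS_VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != CISCO_VENDOR_ID:
            continue
        # One VSA may carry several vendor sub-attributes back to back.
        for stype, value in _iter_tlvs(body[4:], "sub-attribute"):
            if stype == CISCO_AVPAIR_SUBTYPE:
                pairs.append(value.decode("ascii"))
    return pairs


def parse_avpair(pair: str) -> tuple[str, str, str]:
    """Split "proto:attribute=value" into its parts; proto is "" when absent."""
    key, sep, value = pair.partition("=")
    if not sep:
        raise ValueError(f"not an attribute=value pair: {pair!r}")
    proto, psep, attr = key.partition(":")
    return (proto, attr, value) if psep else ("", key, value)


if __name__ == "__main__":
    # Constructed sample attribute list; not captured from any real RADIUS server.
    sample = (
        b"\x01\x06user"   # User-Name (type 1) is skipped by the decoder
        + encode_cisco_avpair("webvpn:split-include=10.1.1.0 255.255.255.0")
        + encode_cisco_avpair("ip:inacl#1=permit ip any 10.1.1.0 0.0.0.255")
    )
    for p in decode_cisco_avpairs(sample):
        print(parse_avpair(p))
```

Feeding `decode_cisco_avpairs` the attribute bytes of an Access-Accept taken from a capture is a quick way to confirm the "is the AV pair actually being sent" half of the problem described in the question before looking at what the VPN head-end does with it.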

2 Replies


That's what I thought as well. Looks like the IOS AnyConnect implementation is a bit more robust in some ways than the ASA's.

I've managed to work around the platform's deficiency by using downloadable ACLs and applying those to the configuration. This is a bit more ham-handed than I would like as it prevents users from accessing their own LAN addresses if there is an overlap, even if they're restricted from that portion of the network.

Thanks.

Jody

---
Jody Lemoine, Network Architect
CCIE 41436, MTCRE, MTCINE, MTCIPv6E
tishco networks, Virtually Everywhere
(905) 378-1134, jody.lemoine@tishco.ca