10-19-2005 05:19 AM - edited 02-21-2020 02:03 PM
Hello.
We know about the ipsec:inacl attribute for configuring split-tunneling for a VPN group, but AFAWK you must define the ACL in the local configuration of the router. Is it possible to define the ACL in the RADIUS server instead? How? By the way, is it possible to do the same for the IPsec pools?
Thank you beforehand.
10-26-2005 06:40 AM
This feature introduces the radius-server attribute 11 direction default command, which allows you to change the default direction of filters for your access control lists (ACL) via RADIUS. (RADIUS attribute 11 (Filter-Id) indicates the name of the filter list for the user.) Enabling this command allows you to change the filter direction to inbound, which stops traffic from entering a router and reduces resource consumption, rather than keeping the outbound default direction, which waits until the traffic is about to leave the network before filtering occurs.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftacldir.htm
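As an added illustration (not part of any post in this thread), the constructed IOS fragment below shows how the Filter-Id mechanism from the answer above fits together: the RADIUS server returns Filter-Id carrying only the name of an ACL, that ACL must still exist in the router's local configuration, and the radius-server attribute 11 direction default command sets which direction the named ACL is applied in. The ACL name, the user name, the prefixes and the FreeRADIUS users-file entry are all assumptions.

```text
! Constructed example, not from the thread. ACL name, user name and prefixes are assumptions.
!
! 1. The ACL that Filter-Id refers to is defined locally on the router.
!    Filter-Id carries the name only, not the access-list entries.
ip access-list extended SPLIT-TUNNEL-ACL
 permit ip 10.10.0.0 0.0.255.255 any
 deny   ip any any
!
! 2. Apply ACLs named by RADIUS attribute 11 inbound by default
!    (the feature described in the linked document).
radius-server attribute 11 direction default inbound
!
! 3. What the RADIUS server returns in its Access-Accept
!    (FreeRADIUS users-file syntax, assumed; ACS would be configured equivalently):
!    vpn-user   Cleartext-Password := "example-only"
!               Filter-Id = "SPLIT-TUNNEL-ACL"
```

The point to check on the router side is step 1: if the name returned in Filter-Id does not match an ACL present in the running configuration, there is nothing for the router to apply, so this approach still leaves the ACL contents in the local configuration rather than on the RADIUS server.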
10-27-2005 07:19 AM
Thanks for your answer, but I don't see how to use this for the problem we are trying to solve.
As I understand it, the Filter-Id option specifies an ACL in the router's local config, but this is what we are trying to avoid.
We would like to define per-group downloadable ACLs for split-tunneling in the ACS config, in order to push them into an IOS router. Any way to do this?
Thanks.