Wanted: Radius Cisco VSA for Split Tunneling on IOS Client

Frank Anstoetz
Level 1

Hi there,

I'm currently configuring some Cisco 800s as EZVPN clients; the server will be a 2821. We want to set up the server in a way that no client-specific configuration is needed there (because this is a service provider environment). So authentication (xauth) and ISAKMP authorization (preshared keys) are done against a RADIUS server (freeradius).

This EZVPN setup works fine; however, what we also want to achieve is split tunneling for the clients. That would mean configuring a split tunneling ACL and pushing it towards the client during mode config. As the clients will have different private address spaces, we do not want to have client-specific configuration on the gateway; instead we also want to get this information from the RADIUS server. Thus we need the appropriate cisco-avpairs.

Does anyone know which avpair to use for this purpose? Note it's not enough to push the ACL number and have the ACL configured on the server (I think that's possible for ASA/VPN3k); we need to get the ACL from the RADIUS server.

Thanks & best regards

Frank

1 Reply

Yudong Wu
Level 7

I don't think this is supported.

You can only specify the split tunnel list name via Cisco VSA.

Cisco ACS supports downloadable ACLs, but they are for restricting access at the interface level, and their name is generated by ACS with a random number.
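The thread turns on what a cisco-avpair can and cannot carry. Whatever attribute string the gateway accepts, it travels as a RADIUS Vendor-Specific attribute (type 26) with Cisco's vendor ID 9 and vendor-type 1 (cisco-avpair), and a single RADIUS attribute cannot exceed 255 octets (RFC 2865 section 5.26). The following is an added example, not code from the thread or from Cisco or FreeRADIUS: it encodes cisco-avpair strings into the on-the-wire VSA form, decodes them back from an Access-Accept attribute blob, and enforces the length limit that forces any per-entry ACL data to be split across several attributes rather than sent as one string. The attribute values in the sample (`ipsec:addr-pool=...`, `ipsec:inacl=...`) are constructed for illustration and are assumptions, not a statement of which avpairs the EZVPN server on IOS honours; the reply above says the server accepts only the name of a locally configured list.

```python
"""Encode/decode RADIUS Vendor-Specific attributes carrying Cisco cisco-avpair.

Added example for the thread above; it is not code from Cisco, FreeRADIUS or the
posters. Wire format per RFC 2865 s5.26:
  Type(26) | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | String
"""
import struct

RADIUS_VSA_TYPE = 26
CISCO_VENDOR_ID = 9              # IANA enterprise number for Cisco
CISCO_AVPAIR_VENDOR_TYPE = 1     # cisco-avpair
# Length field is one octet (<= 255). Header 2 + Vendor-Id 4 + Vendor-Type 1
# + Vendor-Length 1 = 8 octets, leaving 247 octets for the avpair string.
MAX_AVPAIR_LEN = 255 - 8


def encode_cisco_avpair(value: str) -> bytes:
    """Return one RADIUS VSA attribute carrying a single cisco-avpair string."""
    data = value.encode("ascii")
    if len(data) > MAX_AVPAIR_LEN:
        raise ValueError(f"cisco-avpair too long: {len(data)} > {MAX_AVPAIR_LEN}")
    vendor_len = 2 + len(data)          # Vendor-Type + Vendor-Length + String
    attr_len = 2 + 4 + vendor_len       # Type + Length + Vendor-Id + vendor part
    header = struct.pack("!BBIBB", RADIUS_VSA_TYPE, attr_len,
                         CISCO_VENDOR_ID, CISCO_AVPAIR_VENDOR_TYPE, vendor_len)
    return header + data


def encode_cisco_avpairs(values: list[str]) -> bytes:
    """Concatenate one VSA per avpair, as a RADIUS server would place them
    in the attribute section of an Access-Accept."""
    return b"".join(encode_cisco_avpair(v) for v in values)


def decode_cisco_avpairs(blob: bytes) -> list[str]:
    """Walk a RADIUS attribute blob and return every cisco-avpair string.

    Non-VSA attributes and VSAs from other vendors are skipped. Malformed
    lengths raise ValueError rather than being silently read past."""
    out: list[str] = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        payload = blob[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VSA_TYPE:
            continue
        if len(payload) < 4:
            raise ValueError("VSA shorter than Vendor-Id")
        (vendor_id,) = struct.unpack("!I", payload[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue
        vpos = 4
        # A single VSA may hold several vendor sub-attributes back to back.
        while vpos < len(payload):
            if len(payload) - vpos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = payload[vpos], payload[vpos + 1]
            if vlen < 2 or vpos + vlen > len(payload):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == CISCO_AVPAIR_VENDOR_TYPE:
                out.append(payload[vpos + 2:vpos + vlen].decode("ascii"))
            vpos += vlen
    return out


if __name__ == "__main__":
    # Constructed sample avpairs (assumed names, for illustration only).
    sample = ["ipsec:addr-pool=ezvpn-pool", "ipsec:inacl=101"]
    wire = encode_cisco_avpairs(sample)
    print(wire.hex())
    print(decode_cisco_avpairs(wire))
```

The decoder deliberately tolerates attributes it does not understand but refuses inconsistent length fields; a RADIUS client that trusts the Length octet without bounding it against the packet is the classic way VSA parsing goes wrong.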