AnyConnect Split tunnel for just particular user in group

raza555 · ‎02-14-2014

Scenario:

We are using AnyConnect via ASA(8.4) ASDM(7.1.5). ASA->Remote Access VPN AnyConnect profile is configured with 1 group and that group Authenticate the users against ACS (AAA).

Question1:

Group is configured with Split tunnel, please advice if we can enable Split tunnel for few users and not the others.

Question2:

Is split tunnel a security risk or not?

Marvin Rhoads · ‎02-14-2014

1. Yes. the ASA will evaluate user profile in front of connection and group profiles. You just need to change the policy for the user(s).

2. Yes. With split tunnel, attacks on the user's local LAN can potentially access the protected network.

Javier Portuguez · ‎02-14-2014

As Marvin mentioned it is possible.

Now, just to add some more details.

IF you use the local users database of the ASA, you can assign a specific group-policy to specific users. Such group-policy will overwrite the "default-group-policy" defined under the "tunnel-group xxx general-attributes" configuration.

username cisco attributes

vpn-group-policy split_tunneling

IF you use an external database like AD or an external server, you can assign:

1- Attribute 25 --> RADIUS.

2- LDAP attribute mapping with memberOf and Group-policy.

The above attributes let the ASA know which group-policy should be assigned to a specific user.

And btw, YES, split-tunneling is a risk, so use it carefully. You can use Cisco Host Scan for instance to make sure that the user system has, at least, the latest AV, AS among others.

HTH.