02-14-2014 02:43 AM - edited 02-21-2020 07:30 PM
Scenario:
We are using AnyConnect via ASA (8.4) and ASDM (7.1.5). The ASA -> Remote Access VPN AnyConnect profile is configured with one group, and that group authenticates the users against ACS (AAA).
Question1:
The group is configured with split tunnel; please advise whether we can enable split tunnel for a few users and not the others.
Question2:
Is split tunnel a security risk or not?
02-14-2014 06:22 AM
1. Yes. The ASA will evaluate the user profile ahead of the connection and group profiles. You just need to change the policy for the user(s).
2. Yes. With split tunnel, attacks on the user's local LAN can potentially access the protected network.
02-14-2014 07:50 AM
As Marvin mentioned, it is possible.
Now, just to add some more details.
If you use the local user database of the ASA, you can assign a specific group-policy to specific users. Such a group-policy will overwrite the "default-group-policy" defined under the "tunnel-group xxx general-attributes" configuration.
username cisco attributes
 vpn-group-policy split_tunneling
If you use an external database like AD or an external server, you can assign:
1- Attribute 25 --> RADIUS.
2- LDAP attribute mapping with memberOf and Group-policy.
The above attributes let the ASA know which group-policy should be assigned to a specific user.
And btw, YES, split-tunneling is a risk, so use it carefully. You can use Cisco Host Scan, for instance, to make sure that the user's system has, at least, the latest AV and AS, among others.
HTH.
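The following is an added, complete ASA configuration example illustrating the per-user group-policy assignment described in the two answers above; it is not configuration posted by either responder. The object names (GP_SPLIT, GP_FULL, SPLIT_TUNNEL_ACL, ANYCONNECT_TG, ACS_RADIUS, AD_LDAP, AD_GROUP_MAP), the user "cisco", the 10.10.0.0/16 internal range, the 192.0.2.10 server address and the example.com AD domain are all assumed placeholders. The tunnel-group defaults every user to a full-tunnel policy, so only users explicitly mapped to GP_SPLIT get split tunnelling.

```text
! --- Internal networks reachable over the tunnel when split tunnelling (assumed range)
access-list SPLIT_TUNNEL_ACL standard permit 10.10.0.0 255.255.0.0
!
! --- Group-policy for the few users who are allowed split tunnelling
group-policy GP_SPLIT internal
group-policy GP_SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
!
! --- Default group-policy: everything goes through the tunnel (the safe default)
group-policy GP_FULL internal
group-policy GP_FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
!
! --- The single AnyConnect tunnel-group; users authenticate against ACS via RADIUS
tunnel-group ANYCONNECT_TG type remote-access
tunnel-group ANYCONNECT_TG general-attributes
 authentication-server-group ACS_RADIUS
 default-group-policy GP_FULL
!
! --- Option 1: local user database. The user-level vpn-group-policy takes
!     precedence over the tunnel-group's default-group-policy.
username cisco password <redacted>
username cisco attributes
 vpn-group-policy GP_SPLIT
!
! --- Option 2 (ACS/RADIUS): configure ACS to return IETF attribute 25 (Class)
!     with the value  OU=GP_SPLIT;  for the authorized users. No extra ASA
!     configuration is needed; the ASA applies the named group-policy.
!
! --- Option 3 (LDAP/AD): map an AD group in memberOf to a group-policy.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Split,OU=Groups,DC=example,DC=com" GP_SPLIT
!
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <redacted>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP
```

To confirm which policy a connected user actually received, check the "Group Policy" field in the output of "show vpn-sessiondb anyconnect"; a user who is not in the mapped AD group, not assigned attribute 25 and not overridden locally should show GP_FULL. Keeping the tunnel-group default at tunnelall means a mapping mistake fails closed (full tunnel) rather than silently granting split tunnelling.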