(RADIATOR) cisco 3000 VPN external group attrs

Andrew D. Clark andrew.clark at ucsb.edu
Tue Feb 8 13:55:32 CST 2005


I need to rephrase my question.  After more fiddling, I find that I 
should indeed use the network lists as they are named on the 
concentrator as reply attributes for group authentication using 
Radiator, and that works fine.  However, what isn't working is setting 
the split-tunnelling policy.  The values in my dictionary are:

VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Tunnel-Everything       0
VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Split-Tunnel-Net-List   1
VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Local-Net-Bypass        2

I've tried both numeric and named parameters, neither seems to do the 
right thing.  Here's an example group defined in a flat file:

some_group  User-Password = "foo"
    PoolHint = 169.231.64.1,
    Idle-Timeout = 60,
    # trailing comma added: every reply line except the last must end with one
    Class = "OU=some_group;",
    Altiga-IPSec-Authentication-G = RADIUS,
    Altiga-Tunneling-Protocols-G/U = IPSec,
    # valid HYBRID SA
    Altiga-IPSec-Sec-Association-G/U = ESP-AES256-HYBRID,
    # full tunneling with local net bypass (default in base group)
    Altiga-IPSec-Split-Tunnel-Policy-G = 2,
    Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"

Local-Net-Bypass is my default policy in the VPN base group.  If I 
don't set the Altiga-IPSec-Split-Tunnel-Policy-G reply attribute, it 
works fine.  If I do, it doesn't.  Anyone bonk into this one before?

--
Andrew Clark
Campus Network Programmer
Office of Information Technology
University of California, Santa Barbara
andrew.clark at ucsb.edu (805) 893-5311

--On Monday, February 07, 2005 05:22:29 PM -0800 "Andrew D. Clark" 
<andrew.clark at ucsb.edu> wrote:

> Hi all,
>
> I've got a Cisco 3060 VPN doing external group auth to radiator.  All
> is working fine (though I really wish there was a good way to
> distinguish VPN groups from users, but Cisco apparently isn't making
> that easy - any suggestions?).  However, if I want to pass up
> different split tunneling policies to the VPN, I have a problem with
> specifying the particular network list to use.  The VPN has some
> network lists defined on it, like the default "VPN Client Local LAN
> (Default)" list, as well as one I added called "UCSB Nets".  Do I
> reference them by those names on the VPN?
>
> I thought something like this might work:
>
># full tunneling with local net bypass
> Altiga-IPSec-Split-Tunnel-Policy-G = Local-Net-Bypass,
> Altiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
>
> but it doesn't.  Neither does something like:
>
># split tunneling, campus space only
> Altiga-IPSec-Split-Tunnel-Policy-G = Split-Tunnel-Net-List,
> Altiga-IPSec-Split-Tunnel-List-G = "UCSB Nets"
>
> Doing a network list numerically like "0.0.0.0/0.0.0.0" (for local
> LAN split tunneling, for instance) doesn't seem to work either.
> Anyone out there have any wisdom to spare?
>
> --
> Andrew Clark
> Campus Network Programmer
> Office of Information Technology
> University of California, Santa Barbara
> andrew.clark at ucsb.edu (805) 893-5311
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
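An added example, not code from the original post or from Radiator itself: a small Python parser for the flat users-file format shown above, plus a resolver that maps named enumerated reply values (such as Local-Net-Bypass) to the numbers defined by the dictionary's VALUE lines, and refuses names the dictionary does not define for that attribute. The dictionary fragment and the users-file entries are constructed from the values quoted in the thread; the continuation rule (a reply line ends the list unless it ends with a comma, and later indented lines are reported as orphans) is this parser's own simplified reading of the format, not a statement of Radiator's exact behaviour.

```python
"""Parse Radiator-style flat users-file entries and resolve named VALUEs.

Added example, not Radiator code.  DICTIONARY and USERS_FILE below are
constructed from the values in the thread; the continuation rule is a
simplification (assumption), not a description of Radiator's parser.
"""
import re

# Constructed dictionary fragment: the three VALUE lines from the thread.
DICTIONARY = """\
VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Tunnel-Everything       0
VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Split-Tunnel-Net-List   1
VALUE Altiga-IPSec-Split-Tunnel-Policy-G     Local-Net-Bypass        2
"""

# Constructed users-file entries, one using a VALUE name, one a number.
USERS_FILE = """\
some_group\tUser-Password = "foo"
\tAltiga-IPSec-Authentication-G = RADIUS,
\t# full tunneling with local net bypass
\tAltiga-IPSec-Split-Tunnel-Policy-G = Local-Net-Bypass,
\tAltiga-IPSec-Split-Tunnel-List-G = "VPN Client Local LAN (Default)"
other_group\tUser-Password = "bar"
\tAltiga-IPSec-Split-Tunnel-Policy-G = 2,
\tAltiga-IPSec-Split-Tunnel-List-G = "UCSB Nets"
"""

# 'Attr = value' items; a quoted value may contain commas, '=' and spaces.
_ITEM_RE = re.compile(r'([\w\-/]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_dictionary(text):
    """Return {attribute: {value-name: number}} from the VALUE lines."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "VALUE":
            values.setdefault(parts[1], {})[parts[2]] = int(parts[3])
    return values


def _items(line):
    """Split 'A = x, B = "y, z"' into [("A", "x"), ("B", "y, z")]."""
    out = []
    for m in _ITEM_RE.finditer(line):
        val = m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out.append((m.group(1), val))
    return out


def parse_users(text):
    """Parse entries into {name, check, reply, orphan} dicts.

    An unindented line starts an entry (name, then check items).  Indented
    lines are reply items while the previous reply line ended in a comma;
    indented lines after the list has closed go to 'orphan' (assumption:
    a simplified reading of the format used to expose a dropped comma).
    """
    entries, cur, open_reply = [], None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            m = re.match(r"(\S+)\s*(.*)", raw)
            cur = {"name": m.group(1), "check": _items(m.group(2)),
                   "reply": [], "orphan": []}
            entries.append(cur)
            open_reply = True
            continue
        if cur is None:
            raise ValueError("reply line before any entry: %r" % raw)
        line = raw.strip()
        (cur["reply"] if open_reply else cur["orphan"]).extend(_items(line))
        open_reply = open_reply and line.endswith(",")
    return entries


def resolve_reply(reply, values):
    """Map reply items to wire values, turning VALUE names into numbers.

    Attributes without a VALUE table pass through unchanged.  For those
    with one, a defined name or a defined number is accepted; anything
    else is rejected instead of being sent as an opaque string.
    """
    resolved = []
    for attr, val in reply:
        table = values.get(attr)
        if table is None:
            resolved.append((attr, val))
        elif val in table:
            resolved.append((attr, table[val]))
        elif val.isdigit() and int(val) in table.values():
            resolved.append((attr, int(val)))
        else:
            raise ValueError("%s: %r is not a defined VALUE" % (attr, val))
    return resolved


def resolve_file(users_text=USERS_FILE, dict_text=DICTIONARY):
    """Resolve every entry's reply list; returns {entry-name: items}."""
    values = parse_dictionary(dict_text)
    return {e["name"]: resolve_reply(e["reply"], values)
            for e in parse_users(users_text)}


if __name__ == "__main__":
    for name, items in resolve_file().items():
        print(name, items)
```

Both entries resolve Altiga-IPSec-Split-Tunnel-Policy-G to 2, whether written as Local-Net-Bypass or as the number, so a mismatch between the name and the number can be ruled out before looking at the concentrator side; a misspelled name raises instead of being sent as a string.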

