I am trying to configure SSLVPN on an IOS router, with RADIUS
authorization. Everything works fine, but the router seems to simply
ignore the attributes it receives from the RADIUS server.
The debug messages on the router show the attributes it receives
(and the fact that it parses them correctly). However, in the end the
client doesn't receive the split tunnel list.
*Feb 12 22:45:01.751: AAA/AUTHEN/LOGIN (00000000): Pick method list 'SSLVPN'
*Feb 12 22:45:01.755: WV-AAA: AAA authentication request sent for user: "USER"
*Feb 12 22:45:01.779: AAA/AUTHOR (0x0): Pick method list 'SSLVPN'
*Feb 12 22:45:01.827: WV-AAA: addr: Processing AV
*Feb 12 22:45:01.827: WV-AAA: Framed user IP 255.255.255.255
*Feb 12 22:45:01.827: WV-AAA: addr-pool: Processing AV
*Feb 12 22:45:01.827: WV-AAA: Address pool SVC_POOL
*Feb 12 22:45:01.827: WV-AAA: svc-required: Processing AV
*Feb 12 22:45:01.827: WV-AAA: svc-required = true
*Feb 12 22:45:01.827: WV-AAA: split-include: Processing AV
*Feb 12 22:45:01.827: WV-AAA: Split Include "6.6.6.0 255.255.255.0"
*Feb 12 22:45:01.827: WV-AAA: AAA Authentication Passed!
*Feb 12 22:45:01.827: WV-AAA: User "USER" has logged in from "136.1.120.200" to gateway "SSL_GW" context "SSLVPN"
*Feb 12 23:08:38.683: RADIUS/ENCODE(00000000):Orig. component type = INVALID
*Feb 12 23:08:38.683: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Feb 12 23:08:38.683: RADIUS(00000000): Config NAS IP: 150.1.6.6
*Feb 12 23:08:38.683: RADIUS(00000000): sending
*Feb 12 23:08:38.683: RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/15, len 57
*Feb 12 23:08:38.683: RADIUS: authenticator 2D E7 65 13 1F E9 E1 B6 - FC AE 56 9D B0 F5 BC 44
*Feb 12 23:08:38.683: RADIUS: User-Name [1] 13 "USER_at_SSLVPN"
*Feb 12 23:08:38.683: RADIUS: User-Password [2] 18 *
*Feb 12 23:08:38.687: RADIUS: NAS-IP-Address [4] 6 150.1.6.6
*Feb 12 23:08:38.719: RADIUS: Received from id 1645/15 10.0.0.100:1645, Access-Accept, len 175
*Feb 12 23:08:38.719: RADIUS: authenticator 71 6A AA EE 27 01 73 55 - A0 C3 E4 28 5A D6 F8 41
*Feb 12 23:08:38.719: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Feb 12 23:08:38.719: RADIUS: Vendor, Cisco [26] 33
*Feb 12 23:08:38.719: RADIUS: Cisco AVpair [1] 27 "webvpn:addr-pool=SVC_POOL"
*Feb 12 23:08:38.719: RADIUS: Vendor, Cisco [26] 29
*Feb 12 23:08:38.719: RADIUS: Cisco AVpair [1] 23 "webvpn:svc-required=1"
*Feb 12 23:08:38.719: RADIUS: Vendor, Cisco [26] 52
*Feb 12 23:08:38.719: RADIUS: Cisco AVpair [1] 46 "webvpn:split-include="6.6.6.0 255.255.255.0""
*Feb 12 23:08:38.719: RADIUS: Class [25] 35
*Feb 12 23:08:38.719: RADIUS: 43 41 43 53 3A 30 2F 31 35 36 30 36 2F 39 36 30 [CACS:0/15606/960]
*Feb 12 23:08:38.719: RADIUS: 31 30 36 30 36 2F 55 53 45 52 40 53 53 4C 56 50 [10606/USER_at_SSLVP]
*Feb 12 23:08:38.719: RADIUS: 4E [N]
*Feb 12 23:08:38.723: RADIUS(00000000): Received from id 1645/15
*Feb 12 23:08:38.723: RADIUS(00000000): Unique id not in use
*Feb 12 23:08:38.723: RADIUS/DECODE(00000000): There is no RADIUS DB
Some Radius attributes may not be stored
The config is below:
webvpn gateway SSL_GW
 ip address 150.1.6.6 port 443
 http-redirect port 80
 ssl encryption rc4-md5
 ssl trustpoint TP-self-signed-2227377596
 inservice
!
webvpn install svc flash:/webvpn/svc.pkg sequence 1
!
webvpn context SSLVPN
 title "R6 SSL VPN"
 ssl encryption rc4-md5
 ssl authenticate verify all
 !
 !
 policy group POL1
   functions svc-required
   svc address-pool "SVC_POOL"
   svc keep-client-installed
   svc split include 6.6.6.0 255.255.255.0
 !
 policy group EMPTY_POL
 default-group-policy EMPTY_POL
 aaa authentication list SSLVPN
 aaa authentication domain @SSLVPN
 aaa authorization list SSLVPN
 gateway SSL_GW domain SSLVPN
 inservice
I am testing this on a 2811 router, running IOS 12.4(20)T4 (I have
also tested some previous versions, but they were missing the "aaa
authorization list" command under webvpn context).
Can anyone tell me what I am missing here? Or at least point me in
the right direction?
Thank you,
-- Bogdan Sass CCSP, LPIC-1, VCP5, CCIE #22221 (RS) Information Systems Security Professional "Curiosity was framed - ignorance killed the cat" Blogs and organic groups at http://www.ccie.net
Received on Mon Feb 13 2012 - 01:05:13 ART
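As an added example (not part of the original post), a small Python script that parses the RADIUS and WV-AAA debug lines quoted above, checks each Cisco AVpair's declared length against the decoded string, and lists any delivered webvpn: attribute that has no matching "Processing AV" line, so that attribute delivery can be ruled in or out before the policy-group side is examined. The sample lines are copied from the post with the mail wrapping rejoined; the expected result for this capture is that every attribute was both delivered and processed.

```python
import re

# Constructed sample: the Access-Accept AVpairs and the WV-AAA lines from the
# post above, with the mail-client line wrapping rejoined.
DEBUG_OUTPUT = """\
*Feb 12 23:08:38.719: RADIUS: Cisco AVpair [1] 27 "webvpn:addr-pool=SVC_POOL"
*Feb 12 23:08:38.719: RADIUS: Cisco AVpair [1] 23 "webvpn:svc-required=1"
*Feb 12 23:08:38.719: RADIUS: Cisco AVpair [1] 46 "webvpn:split-include="6.6.6.0 255.255.255.0""
*Feb 12 22:45:01.827: WV-AAA: addr-pool: Processing AV
*Feb 12 22:45:01.827: WV-AAA: svc-required: Processing AV
*Feb 12 22:45:01.827: WV-AAA: split-include: Processing AV
"""

# Decode line: declared sub-attribute length, then the AVpair string. The value
# may itself be quoted (split-include), so the greedy (.*) runs to the last quote.
AVPAIR_RE = re.compile(r'Cisco AVpair \[1\] (\d+) "(webvpn:([^=]+)=(.*))"\s*$')
PROCESSED_RE = re.compile(r'WV-AAA: ([\w-]+): Processing AV')


def parse_avpairs(text):
    """Return ({name: value}, [(name, declared, actual)]) for every webvpn: AVpair.

    A VSA sub-attribute length is 2 header bytes plus the string, so a truncated
    or mis-decoded line shows up as a length mismatch instead of being trusted.
    """
    pairs, problems = {}, []
    for line in text.splitlines():
        m = AVPAIR_RE.search(line)
        if not m:
            continue
        declared, full, name, value = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if declared != len(full) + 2:
            problems.append((name, declared, len(full) + 2))
        pairs[name] = value.strip('"')  # '"6.6.6.0 255.255.255.0"' -> bare network list
    return pairs, problems


def audit(text):
    """Cross-check what RADIUS delivered against what WV-AAA reports processing."""
    received, problems = parse_avpairs(text)
    processed = set(PROCESSED_RE.findall(text))
    return {
        "received": received,
        "processed": processed,
        "not_processed": set(received) - processed,  # delivered but never handled
        "length_mismatch": problems,
    }


if __name__ == "__main__":
    for key, val in audit(DEBUG_OUTPUT).items():
        print(f"{key}: {val}")
```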