On Tue, Jun 28, 2005 at 03:10:51PM -0700, Niall Browne wrote:
> Apart from this is there any other way to increase the number of
> Cisco-Avpair's within freeradius to be pushed to a firewall or is this the
> maximum?

You already seem to know the way for creating acl via radius:

inacl#X
    An input access list definition. For IP, standard or extended access
    list syntax can be used, though you cannot mix them within a single
    list. For IPX, only extended syntax is recognized. The value of this
    attribute is the text that comprises the body of a named access list
    definition.

outacl#X
    An output access list definition. For IP, standard or extended access
    list syntax can be used. For IPX, only extended syntax is recognized.
    The value of this attribute is the text that comprises the body of a
    named access list definition.

But you might also use the ip:inacl/outacl without a rule number to
assign a named ip access-list which is defined on the router:

router:

    ip access-list extended No-EIGRP
     remark Filters EIGRP Traffic
     remark used with dynamic ADSL
     deny eigrp any any
     permit ip any any

radius:

    Cisco-AVPair += "ip:inacl=No-EIGRP",
    Cisco-AVPair += "ip:outacl=No-EIGRP"

If you have a CCO (I think you need one for that) you could take a look
at Cisco's Dial Solutions Configuration Guide, which helps you with such
stuff.

Oliver.
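
The following is an added example, not part of the original post and not FreeRADIUS or Cisco code. It turns a reply that carries every rule as its own `ip:inacl#X` / `ip:outacl#X` attribute into the router-side named access list plus the two reply items that reference it by name. The function names and the sample reply items are constructed for illustration. It assumes extended IP syntax and that the number after `#` gives the rule order.

```python
import re

# Matches per-rule attributes such as:
#   Cisco-AVPair += "ip:inacl#10=deny eigrp any any"
AVPAIR_RE = re.compile(r'Cisco-AVPair\s*\+?=\s*"ip:(inacl|outacl)#(\d+)=([^"]+)"')

def parse_rules(users_entry):
    """Return {'inacl': [(num, rule), ...], 'outacl': [...]}, sorted by rule number."""
    rules = {"inacl": [], "outacl": []}
    for direction, num, body in AVPAIR_RE.findall(users_entry):
        rules[direction].append((int(num), body.strip()))
    for direction in rules:
        rules[direction].sort()
    return rules

def to_named_acl(name, numbered_rules):
    """Render the router-side definition of an extended named access list."""
    lines = ["ip access-list extended " + name]
    lines += [" " + body for _, body in numbered_rules]
    return "\n".join(lines)

def to_radius_reply(in_name=None, out_name=None):
    """Render reply items that reference named lists instead of carrying rules."""
    items = []
    if in_name:
        items.append('Cisco-AVPair += "ip:inacl=%s"' % in_name)
    if out_name:
        items.append('Cisco-AVPair += "ip:outacl=%s"' % out_name)
    return ",\n".join(items)

# Constructed sample: four per-rule attributes, deliberately out of order.
SAMPLE = '''
    Cisco-AVPair += "ip:inacl#20=permit ip any any",
    Cisco-AVPair += "ip:inacl#10=deny eigrp any any",
    Cisco-AVPair += "ip:outacl#10=deny eigrp any any",
    Cisco-AVPair += "ip:outacl#20=permit ip any any"
'''

if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    # Input and output rules are identical here, so one named list serves both.
    print(to_named_acl("No-EIGRP", rules["inacl"]))
    print(to_radius_reply("No-EIGRP", "No-EIGRP"))
```

However long the list grows, the RADIUS reply stays at two attributes, and the rules become router configuration that has to be deployed and reviewed on every device that receives the reply.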