Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Dynamics ACL with Radius


My question is regarding a Cisco Radius server with Dynamcic ACL.

I have one router and one Radius Security server. How a router can received a Dynamic ACL from the Radius Server in order to let the user to go in specific host or subnet ??

Any help would be appreciated.

Thanks, Dany

New Member

Re: Dynamics ACL with Radius


I've done this as an ISP once. You need to use the

Cisco-AV-Pair attribute in which you may specify any router command you want to be executed for a specific user.

You'll need to use

virtual-profile aaa.

The problem is that the commands are not exactly the way you would write them in the CLI. They are from TACACS, run a search on CCO for Cisco-AV-Pair and I'm sure you'll find something usefull.

Best regards,

Cristian Caramida

New Member

Re: Dynamics ACL with Radius

Hello Dany,

To implement dynamic acl, your radius server should return an attribute to the router:

cisco-avpair = "ip:inacl=my_user_access_list"

this is for selecting an extended access list, already defined in the router, named "my_user_access_list"

or you could return several :

cisco-avpair = "ip:inacl#1="deny"

cisco-avpair = "ip:inacl#1="permit any any"

Those line build a dynamic access list 1.

cisco-avpair = "ip:inacl#1="deny"