Chris sent me an interesting challenge a few days ago: he wanted to set inbound access lists on virtual access interfaces with RADIUS but somehow couldn’t get this feature to work.
Uncle Google quickly provided two documents on Cisco.com: an older one (explaining the IETF attributes, vendor-specific attributes and AV-pairs) and the most recent one (with more attributes and less useful information) covering every Cisco IOS software release up to 12.2 (yeah, it looks like the RADIUS attributes haven’t been touched in a long time). According to the documentation, attribute #11 as well as AV-pairs ip:inacl/ip:outacl and lcp:interface-config should work, but the access list did not appear in the interface configuration.
A few e-mails later, we’ve discovered a number of semi-documented facts:
- Most changes to interface configuration done with the lcp:interface-config AV-pair appear in the show running-config printout; the access lists don’t (regardless of how you set them). You have to use the show ip interface command to verify the ip access-group configured on the interface.
- Although the documentation states you can only use a numbered ACL with attribute #11, named ACLs work as well.
- You have to specify the .in or .out suffix in attribute #11, otherwise the same ACL is applied in both directions.
- You can have multiple instances of attribute #11 in the RADIUS reply and the router will simply apply them sequentially, sometimes overwriting the previous settings (for example, you could specify a bidirectional ACL in one instance and an inbound ACL in the next one).
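The following Python script is an added illustration, not code from the original post or from Cisco: it models the attribute #11 rules listed above (a value without a .in/.out suffix lands on both directions, later instances overwrite earlier ones) so you can predict what a RADIUS reply will do to the interface before you test it, and it parses the inbound/outgoing lines of show ip interface output to confirm the result, since that is the only place the binding shows up. The RADIUS reply values and the show ip interface output are constructed samples; the exact wording of the ACL lines in that output is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

DIRECTIONS: Tuple[str, ...] = ("in", "out")
Binding = Dict[str, Optional[str]]


def parse_filter_id(value: str) -> Tuple[str, Tuple[str, ...]]:
    """Split an attribute #11 value into (ACL name, directions).

    '101.in' -> ('101', ('in',)); 'myacl.out' -> ('myacl', ('out',)).
    A value without a .in/.out suffix is applied in both directions."""
    base, sep, suffix = value.rpartition(".")
    if sep and suffix in DIRECTIONS:
        return base, (suffix,)
    return value, DIRECTIONS


def apply_filter_ids(values: List[str]) -> Tuple[Binding, List[str]]:
    """Apply every attribute #11 instance in order, as the router does.

    Returns the resulting per-direction ACL binding plus warnings for the
    two things that usually surprise people: suffix-less values (applied
    both ways) and later instances overwriting earlier ones."""
    binding: Binding = {"in": None, "out": None}
    warnings: List[str] = []
    for value in values:
        acl, directions = parse_filter_id(value)
        if directions == DIRECTIONS:
            warnings.append(f"{value!r} has no .in/.out suffix, applied in both directions")
        for direction in directions:
            previous = binding[direction]
            if previous is not None and previous != acl:
                warnings.append(f"{value!r} overwrites ACL {previous} on the {direction} side")
            binding[direction] = acl
    return binding, warnings


# Constructed sample of 'show ip interface' output for the virtual access
# interface; the two ACL lines are the ones that never appear in the running config.
SHOW_IP_INTERFACE = """\
Virtual-Access1 is up, line protocol is up
  Internet address is 10.1.1.1/32
  Outgoing access list is not set
  Inbound  access list is 101
"""

# Assumed line format: "Inbound  access list is 101" / "Outgoing access list is not set"
_ACL_LINE = re.compile(r"^\s*(Inbound|Outgoing)\s+access list is (.+?)\s*$", re.MULTILINE)


def parse_show_ip_interface(output: str) -> Binding:
    """Read the inbound/outgoing ACL lines out of 'show ip interface' output."""
    binding: Binding = {"in": None, "out": None}
    for match in _ACL_LINE.finditer(output):
        direction = "in" if match.group(1) == "Inbound" else "out"
        acl = match.group(2)
        binding[direction] = None if acl == "not set" else acl
    return binding


def verify(values: List[str], output: str) -> Tuple[bool, Binding, Binding]:
    """Compare what the RADIUS reply should produce with what the router reports."""
    expected, _ = apply_filter_ids(values)
    actual = parse_show_ip_interface(output)
    return expected == actual, expected, actual


if __name__ == "__main__":
    # Constructed RADIUS reply: a bidirectional ACL followed by an inbound one.
    reply = ["101", "102.in"]
    binding, warnings = apply_filter_ids(reply)
    print(binding)  # {'in': '102', 'out': '101'}
    for warning in warnings:
        print("warning:", warning)
    print(verify(["101.in"], SHOW_IP_INTERFACE))
```

Feed apply_filter_ids the Filter-Id values in the order your RADIUS server sends them; any warning about an overwrite or a suffix-less value is worth fixing in the user profile before you start chasing the "missing" ACL in show running-config.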