Controlling Client Parameters via RADIUS

When using RADIUS as an authentication source for a VPN, pfSense® software supports receiving certain client configuration parameters from the RADIUS server as reply attributes.

Inbound firewall rules

Inbound firewall rules to govern traffic from the client to the server.

Cisco-AVPair = <IP_PROTO>:inacl#<NUM>=<rule>
  • <IP_PROTO> is the address family / IP protocol (ip or ipv6)

  • <NUM> is a rule number

  • <rule> is a rule string in Cisco-style ACL format.


    Subnet masks must be wildcard style, not CIDR or traditional netmasks.

    The firewall replaces the template strings {clientip} and {clientipv6} in rules with the Tunnel IP addresses of the connecting client.

FreeRADIUS example:

Cisco-AVPair = "ip:inacl#1=permit tcp host host eq 80",
Cisco-AVPair += "ip:inacl#2=permit udp host {clientip} host eq 53",
Cisco-AVPair += "ip:inacl#3=permit ip host",
Cisco-AVPair += "ipv6:inacl#1=permit icmp host {clientipv6} host 2001:DB8::10",
Cisco-AVPair += "ipv6:inacl#2=permit udp host 2001:DB8::4444 host 2001:DB8::7 range 1024 65535"

Outbound Firewall Rules

Outbound firewall rules to govern traffic from the server to the client.

Cisco-AVPair = <IP_PROTO>:outacl#<NUM>=<rule>

Aside from the outacl keyword, the format is the same as inbound rules.

DNS Servers

DNS servers that OpenVPN will push to this client.

Cisco-AVPair = dns-servers=x.x.x.x y.y.y.y

Separate multiple servers with spaces.


Additional route statements OpenVPN will push to the client.

Cisco-AVPair = route=x.x.x.x y.y.y.y

Specified as x.x.x.x y.y.y.y where the first parameter is a network address and the second is a subnet mask.

Static IP Address

A specific IP address OpenVPN will assign to the client.


If the OpenVPN server uses a subnet style Topology the RADIUS server must also send back an appropriate Framed-IP-Netmask value matching the VPN Tunnel Network.

When using a net30 style Topology, the client receives this IP address and the server side is set as one IP address lower than the address given to the client.


This currently only works for IPv4. The firewall does not support the Framed-IPv6-Address reply attribute at this time.