Controlling Client Parameters via RADIUS

When using RADIUS as an authentication source for a VPN, pfSense® software supports receiving some client configuration parameters from the RADIUS server as reply attributes. The following values may be specified:

Cisco-AVPair = <IP_PROTO>:inacl#<NUM>=

Inbound firewall rules to govern traffic from the client to the server, where <IP_PROTO> is the IP protocol (ip or ipv6) and <NUM> is a rule number. Rules are given in Cisco-style ACL format, so subnet masks are specified wildcard style. The client variables {clientip} and {clientipv6} may be used in a rule and are replaced with the connecting client's tunnel IP addresses. FreeRADIUS example:

Cisco-AVPair = "ip:inacl#1=permit tcp host host eq 80",
Cisco-AVPair += "ip:inacl#2=permit udp host {clientip} host eq 53",
Cisco-AVPair += "ipv6:inacl#1=permit icmp host {clientipv6} host 2001:DB8::10",
Cisco-AVPair += "ipv6:inacl#2=permit udp host 2001:DB8::4444 host 2001:DB8::7 range 1024 65535"

Cisco-AVPair = <IP_PROTO>:outacl#<NUM>=

Outbound firewall rules to govern traffic from the server to the client. Formatted the same as the inacl parameter.

Cisco-AVPair dns-servers=

DNS servers to push to the client. Multiple servers may be specified, separated by spaces.

Cisco-AVPair route=

Additional route statements to push to the client, specified as x.x.x.x y.y.y.y, where the first parameter is a network address and the second is a subnet mask.

Framed-IP-Address

The IP address to assign to the client. When using a subnet style Topology, the RADIUS server must also send back a Framed-Mask set appropriately for the Tunnel Network of the VPN. When using a net30 style Topology, the client receives this IP address and the server side is set to the address one lower than the address given to the client.
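The parser below is an added example, not code from the pfSense project: it folds a RADIUS reply into the per-client settings described above, substituting {clientip}/{clientipv6}, converting Cisco wildcard masks to prefix lengths, and keying inacl/outacl rules by protocol family and rule number. The function names, the sample reply and the documentation-range addresses are constructed for this example; Framed-IP-Address is the standard RADIUS attribute for the client address.

```python
import ipaddress
import re

# Key of a Cisco-AVPair firewall rule: <ip|ipv6>:<inacl|outacl>#<NUM>=<ACL text>
ACL_KEY = re.compile(r"^(ip|ipv6):(inacl|outacl)#(\d+)=(.+)$")

def wildcard_to_prefixlen(wildcard):  # Cisco wildcard (0 bit = must match) -> prefix length
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((0, str(netmask))).prefixlen  # non-contiguous mask raises

def take_endpoint(tokens, client_vars):  # consume 'any', 'host X' or 'NET WILDCARD' -> (cidr, rest)
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":  # {clientip}/{clientipv6} are substituted with the tunnel addresses
        return str(ipaddress.ip_network(tokens[1].format(**client_vars))), tokens[2:]
    net = ipaddress.ip_network((tokens[0], wildcard_to_prefixlen(tokens[1])), strict=False)
    return str(net), tokens[2:]

def parse_acl(acl, client_vars):  # 'permit tcp host A host B eq 80' -> normalised dict
    t = acl.split()
    src, rest = take_endpoint(t[2:], client_vars)
    dst, rest = take_endpoint(rest, client_vars)
    ports = tuple(int(p) for p in rest[1:]) or None  # rest is [], ['eq', p] or ['range', lo, hi]
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "ports": ports}

def apply_reply(attributes, client_vars):  # fold (attribute, value) pairs into client settings
    cfg = {"inacl": {}, "outacl": {}, "dns_servers": [], "routes": [], "framed_ip": None}
    cfg["framed_ip"] = next((v for n, v in attributes if n == "Framed-IP-Address"), None)
    for value in (v for n, v in attributes if n == "Cisco-AVPair"):
        m = ACL_KEY.match(value)
        if m:
            fam, direction, num, acl = m.groups()
            cfg[direction].setdefault(fam, {})[int(num)] = parse_acl(acl, client_vars)
        elif value.startswith("dns-servers="):
            cfg["dns_servers"] += value.split("=", 1)[1].split()
        elif value.startswith("route="):  # 'route=x.x.x.x y.y.y.y' with a dotted netmask
            net, mask = value.split("=", 1)[1].split()
            cfg["routes"].append(str(ipaddress.ip_network((net, mask), strict=False)))
    return cfg

# Constructed sample reply using documentation addresses, not output of a real server
SAMPLE_REPLY = [
    ("Cisco-AVPair", "ip:inacl#2=permit udp host {clientip} host 192.0.2.53 eq 53"),
    ("Cisco-AVPair", "ip:inacl#1=permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.80 range 1024 65535"),
    ("Cisco-AVPair", "ipv6:inacl#1=permit icmp host {clientipv6} host 2001:DB8::10"),
    ("Cisco-AVPair", "dns-servers=192.0.2.1 192.0.2.2"),
    ("Cisco-AVPair", "route=10.0.0.0 255.255.255.0"),
    ("Framed-IP-Address", "10.8.0.6"),
]
```

Call `apply_reply(SAMPLE_REPLY, {"clientip": "10.8.0.6", "clientipv6": "2001:db8:1::6"})` to see the rules keyed by number with the client's addresses filled in; a wildcard such as 0.0.1.0 that does not invert to a contiguous netmask raises a ValueError rather than silently producing a rule.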