Netgate is offering COVID-19 aid for pfSense software users, learn more.
Controlling Client Parameters via RADIUS¶
When using RADIUS as an authentication source for a VPN, pfSense® software supports receiving some client configuration parameters from the RADIUS server as reply attributes. The following values may be specified:
- Cisco-AVPair inacl=
Inbound firewall rules to govern traffic from the client to the server. Given in Cisco-style ACL format (e.g.
permit tcp any any) subnet masks are specified wildcard style.
- Cisco-AVPair outacl=
Outbound firewall rules to govern traffic from the server to the client. Formatted the same as the inacl parameter.
- Cisco-AVPair dns-servers=
DNS servers to push to the client. Multiple servers may be specified, separated by spaces.
- Cisco-AVPair route=
Additional route statements to push to the client. Specified as
x.x.x.x y.y.y.ywhere the first parameter is a network address and the second is a subnet mask.
The IP address to assign to the client. When using a subnet style Topology the RADIUS server must also send back a Framed-Mask set appropriately for the Tunnel Network of the VPN. When using a net30 style Topology, the client receives this IP address and the server side is set as one IP address lower than the address given to the client.