RADIUS filter-id

IP traffic filter rules, also known as IP ACLs, provide a user access policy that defines what IP traffic from the user is permitted. IP ACLs can be specified in two ways:

  • By using the filter-id attribute that gives the ID of a pre-defined ACL. A filter-id is an alphabetic-string identifier, or name, corresponding to an IP ACL that is pre-configured on the access-control device.

  • By using the NAS-Filter-Rule attribute, which explicitly defines a set of filter rules.

Filter-id attributes and NAS-Filter-Rule attributes may be intermixed in the RADIUS user entry. Filter-id attributes are expanded as they are read, so their rules are added to the ACL in the correct order.

NOTE:

This feature does not modify any existing commands. CLI show commands currently display the applied RADIUS-defined ACL rules. ACL rules specified by a filter-id attribute are expanded and displayed as if they were NAS-Filter-Rule entries. The list of rules is a snapshot of the CLI ACL at the time of authentication. Updates to the ACL are not applied until the client reauthenticates.

A filter-id name may refer to an IPv4 ACL, an IPv6 ACL, or both. ACLs for both families are checked and expanded if found. All other ACL types, including MAC and router ACLs, are ignored when processing filter-id attributes. Any number of filter-id attributes may be specified, subject to the length limitations of a RADIUS packet. The limit for all platforms is 100 ACEs per client ACL.

NOTE:

RADIUS ACL rules do not support source IP or source L4 port qualifiers. If any source IP or source L4 port qualifiers are found in the CLI ACL, the client will fail authentication and an error will be logged.

CLI ACLs include an optional log keyword that captures rule hits for debugging. No logging is available for ACL rules applied via filter-id. However, all rules from ACLs have an implicit cnt keyword, which allows the administrator to see the hit count for each rule.

RADIUS user entry

NAS-Filter-Rule += "permit in 10 from any to any cnt",
Filter-ID += "104",
NAS-Filter-Rule += "permit in 30 from any to any cnt",
Filter-ID += "106",
NAS-Filter-Rule += "permit in 55 from any to any cnt",
Filter-ID += "146",
NAS-Filter-Rule += "permit in 70 from any to any cnt",
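The following added example (not the switch's own code) simulates how an entry like the one above is expanded into a client ACL: Filter-ID attributes are replaced in place by the rules of the pre-configured ACL of that name (IPv4 and IPv6 families both checked), a rule carrying a source IP or source L4 port qualifier fails the client, and the 100-ACE limit is enforced. The CLI_ACLS table and the unknown-name behaviour are assumptions constructed for the illustration.

```python
# Simulated expansion of a RADIUS user entry into a client ACL (added
# illustration, not the switch's code). Rules use the NAS-Filter-Rule form
# "<action> <dir> <proto> from <src> to <dst> [port] [cnt]".
import re

MAX_ACES = 100  # per-client limit the text states for all platforms

# Constructed stand-in for the ACLs pre-configured on the device, keyed by
# filter-id name; each name may carry an IPv4 ACL, an IPv6 ACL, or both.
CLI_ACLS = {
    "104": {"ipv4": ["permit in tcp from any to any 80 cnt"],
            "ipv6": ["permit in tcp from any to any 443 cnt"]},
    "106": {"ipv4": ["deny in ip from any to 10.0.0.0/8 cnt"]},
    # carries a source IP qualifier, so expanding it must fail the client
    "146": {"ipv4": ["permit in tcp from 192.0.2.0/24 to any 22 cnt"]},
}

class RadiusAclError(Exception):
    """Raised where the text says authentication fails and an error is logged."""

def source_qualifier(rule):
    """Return the source clause if it is anything other than 'any', else None."""
    m = re.search(r"\bfrom\s+(.+?)\s+to\b", rule)
    src = m.group(1).strip() if m else ""
    return None if src == "any" else src  # a source address and/or L4 port

def expand_user_entry(entry, cli_acls=CLI_ACLS, max_aces=MAX_ACES):
    """entry: (attribute, value) pairs in RADIUS order -> ordered list of ACEs."""
    aces = []
    for attr, value in entry:
        name = attr.lower()  # accept "Filter-Id" and "Filter-ID" spellings
        if name == "nas-filter-rule":
            rules = [value]
        elif name == "filter-id":
            acl = cli_acls.get(value, {})  # unknown name expands to nothing (assumed)
            # both families are checked; expand IPv4 rules, then IPv6 rules
            rules = acl.get("ipv4", []) + acl.get("ipv6", [])
        else:
            continue  # other RADIUS attributes are not part of the ACL
        for rule in rules:  # expanded in place, so ordering is preserved
            bad = source_qualifier(rule)
            if bad is not None:
                raise RadiusAclError(f"{rule!r}: unsupported source qualifier {bad!r}")
            aces.append(rule)
    if len(aces) > max_aces:
        raise RadiusAclError(f"{len(aces)} ACEs exceed the {max_aces}-ACE limit")
    return aces
```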