
tac_plus-ng: RADIUS Downloadable ACLs for Cisco Devices

Marc Huber edited this page May 15, 2025 · 6 revisions

Downloadable RADIUS ACLs are now supported, as a fresh-and-not-so-well-tested feature.

Downloadable ACL sample definition:

    dacl demoacl {
        data = "
            deny ip host 10.0.0.0 any
            permit ip any any
        "
    }

In user context, you can then set

    set radius[Cisco:Cisco-AVPair] = "ACS:CiscoSecure-Defined-ACL=${dacl:demoacl}"

which instructs the (Cisco) device to request that ACL via RADIUS.

The device will see the demoacl portion expanded to something like #ACSACL#demoacl-12345678, where 12345678 is a hexadecimal version or checksum of the ACL contents.
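As an added illustration (not code from tac_plus-ng), this Python sketch models the exchange described above: the server side expands ${dacl:demoacl} into the #ACSACL#name-version tag inside the Cisco-AVPair, and the device side parses that tag and decides whether it must fetch the ACL body. The page does not state how the version suffix is computed; CRC32 over the normalized ACL text is an assumed stand-in, and the store below is constructed from the sample definition above.

```python
import re
import zlib

# Constructed sample store, mirroring the "dacl demoacl" block on this page.
DACL_STORE = {
    "demoacl": "\n            deny ip host 10.0.0.0 any\n            permit ip any any\n        ",
}

AVPAIR_PREFIX = "ACS:CiscoSecure-Defined-ACL="
# Name is greedy; the 8-hex-digit version is anchored at the end so hyphens in names are fine.
TAG_RE = re.compile(r"^#ACSACL#(?P<name>.+)-(?P<version>[0-9a-f]{8})$")


def normalize_acl(data: str) -> list[str]:
    """Drop indentation and blank lines so whitespace edits do not change the version."""
    return [line.strip() for line in data.splitlines() if line.strip()]


def dacl_version(data: str) -> str:
    """8-hex-digit version tag. ASSUMPTION: algorithm unspecified on the page; CRC32 stands in."""
    text = "\n".join(normalize_acl(data)).encode()
    return format(zlib.crc32(text), "08x")


def render_avpair(name: str, store: dict = DACL_STORE) -> str:
    """Server side: the Cisco-AVPair value after ${dacl:name} has been expanded."""
    return f"{AVPAIR_PREFIX}#ACSACL#{name}-{dacl_version(store[name])}"


def parse_avpair(value: str) -> tuple[str, str]:
    """Device side: extract (name, version) from the AV pair, rejecting anything malformed."""
    if not value.startswith(AVPAIR_PREFIX):
        raise ValueError("not a downloadable-ACL AV pair")
    m = TAG_RE.match(value[len(AVPAIR_PREFIX):])
    if m is None:
        raise ValueError("malformed #ACSACL# reference")
    return m.group("name"), m.group("version")


def needs_download(value: str, cache: dict) -> bool:
    """True when the device holds no copy of this ACL or its cached version differs."""
    name, version = parse_avpair(value)
    return cache.get(name) != version


def fetch_dacl(name: str, store: dict = DACL_STORE) -> list[str]:
    """Server side answer to the device's follow-up request: the ACL lines themselves."""
    return normalize_acl(store[name])
```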

MAVIS support is there, too. One of the demo scripts (mavis_tacplus-ng-demo-database.pl) shows how to handle that.
