Thursday, July 10, 2014

How to assign ACLs to Cisco VPN user via RADIUS

While setting up per-user ACLs in RADIUS for my VPN users I noticed some issues with the current online documentation. I am using a Cisco ASA 9.2(2) as the VPN concentrator and FreeRADIUS 3.0.2 as the RADIUS server. In the RADIUS users file you need to add your ACLs in this manner:

testuser1  Cleartext-Password := "testme"
   Cisco-AVPair = "ip:inacl#101=permit ip any any",
   Cisco-AVPair += "ip:inacl#102=deny ip any any",
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Reply-Message = "This is a test message"

You should notice the use of "ip:inacl" (a colon) not "ip.inacl" as most current online documentation suggests: the ASA expects the attribute in the form ip:inacl#<number>=<ACE> (ipv6:inacl# for IPv6), and each ACE is written in ASA extended ACL syntax, so it needs both a source and a destination ("permit ip any any", not "permit ip any"). The number after "#" orders the ACEs inside the downloaded ACL, so number them in the order you want them evaluated. Also, make sure you use "+=" for every Cisco-AVPair line other than the first. In the FreeRADIUS users file "=" only adds a reply attribute when it is not already present, so a second Cisco-AVPair written with "=" is silently dropped and only the first ACE ever reaches the ASA; "+=" always appends another instance. If you also want to push a fixed address, add Framed-IP-Address and Framed-IP-Netmask with real values; a blank value is a syntax error in the users file, and without them the ASA assigns an address from its pool.
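To catch these mistakes before an entry goes live, here is a small Python lint (an added example, not part of the original post) that parses a users-file entry, flags "ip.inacl", a repeated Cisco-AVPair written with "=" and ACEs that lack a destination, and applies the users-file operator rules ("=" set if absent, ":=" replace, "+=" append) to show the reply list FreeRADIUS would actually send. The two entries inside it are constructed samples; the GOOD_ENTRY/BAD_ENTRY names and the four-token minimum for a complete ACE are my own simplification, not anything from FreeRADIUS or Cisco.

```python
"""Lint a FreeRADIUS ``users`` entry for the Cisco-AVPair pitfalls described
above and show which reply attributes FreeRADIUS would actually send.

Added example, not part of the original post. Operator semantics follow the
FreeRADIUS users(5) rules for reply items: "=" sets an attribute only if it is
absent, ":=" replaces any existing instance, "+=" always appends.
"""
import re
from collections import Counter

# Constructed sample entries. GOOD_ENTRY is the corrected form from the post;
# BAD_ENTRY carries three deliberate mistakes: a dot instead of a colon in
# "ip.inacl", a second Cisco-AVPair written with "=" and an ACE with no
# destination.
GOOD_ENTRY = '''testuser1  Cleartext-Password := "testme"
   Cisco-AVPair = "ip:inacl#101=permit ip any any",
   Cisco-AVPair += "ip:inacl#102=deny ip any any",
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Reply-Message = "This is a test message"
'''

BAD_ENTRY = '''testuser1  Cleartext-Password := "testme"
   Cisco-AVPair = "ip.inacl#101=permit ip any any",
   Cisco-AVPair = "ip:inacl#102=deny ip any any",
   Cisco-AVPair += "ip:inacl#103=permit ip any",
   Service-Type = Framed-User,
   Reply-Message = "This is a test message"
'''

# attribute, operator, value (quoted string or bare token); trailing commas ignored
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|\+=|==|=)\s*("[^"]*"|[^,\s]+)')
INACL_RE = re.compile(r'^ip(?:v6)?:inacl#(\d+)=(.*)$')


def parse_entry(text):
    """Return (username, check_items, reply_items); items are
    (attribute, operator, value) tuples with surrounding quotes removed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    head, *continuation = lines
    username, _, check_text = head.strip().partition(' ')

    def items(s):
        return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(s)]

    reply = [item for ln in continuation for item in items(ln)]
    return username, items(check_text), reply


def lint(text):
    """Return human-readable problems that would stop the ACL reaching the ASA."""
    _, _, reply = parse_entry(text)
    problems, seen, seqs = [], Counter(), set()
    for attr, op, val in reply:
        seen[attr] += 1
        if seen[attr] > 1 and op != '+=':
            problems.append(f'{attr}: repeated instance uses "{op}", not "+="; "=" is '
                            'ignored when the attribute already exists and ":=" replaces '
                            'it, so an ACE is dropped either way')
        if attr != 'Cisco-AVPair':
            continue
        m = INACL_RE.match(val)
        if not m:
            problems.append(f'Cisco-AVPair {val!r}: expected "ip:inacl#<n>=<ACE>" '
                            '(colon after "ip", not a dot)')
            continue
        seq, ace = int(m.group(1)), m.group(2)
        if seq in seqs:
            problems.append(f'inacl#{seq}: duplicate sequence number')
        seqs.add(seq)
        tokens = ace.split()
        # Minimal extended ACE: action, protocol, source, destination (4 tokens).
        if len(tokens) < 4 or tokens[0] not in ('permit', 'deny'):
            problems.append(f'inacl#{seq}: ACE {ace!r} is incomplete; ASA extended '
                            'syntax needs action, protocol, source and destination')
    return problems


def effective_reply(text):
    """Apply the users-file operator rules to the reply items and return the
    (attribute, value) pairs that would actually go into the Access-Accept."""
    _, _, reply = parse_entry(text)
    out = []
    for attr, op, val in reply:
        present = any(a == attr for a, _ in out)
        if op == '=':
            if not present:
                out.append((attr, val))
        elif op == ':=':
            out = [(a, v) for a, v in out if a != attr] + [(attr, val)]
        elif op == '+=':
            out.append((attr, val))
        # "==" is a check-item operator and has no meaning in a reply list
    return out


if __name__ == '__main__':
    for name, entry in (('GOOD_ENTRY', GOOD_ENTRY), ('BAD_ENTRY', BAD_ENTRY)):
        print(name, 'problems:', lint(entry) or 'none')
        print(name, 'reply:', effective_reply(entry))
```

On the live server the same check is radtest testuser1 testme 127.0.0.1 0 testing123 (testing123 being the default localhost secret in clients.conf): the Access-Accept that radtest prints must list both Cisco-AVPair values, and running radiusd -X shows the reply list being built line by line, which is where a dropped "=" attribute becomes visible.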


  1. You can configure downloadable access lists on Cisco Secure ACS 5.x as a Named Permissions Object and then assign it to an Authorization Profile, which is chosen in the result section of the Rule in the Access-Service.
    Meanwhile, if you know how to configure vpn express on a Cisco router, then please do let me know.

  2. Does Windows Server (2000 and 2003) have its own RADIUS bolt-on, Windows IAS? I want to configure IPVanish VPN.