OpenVPN/Freeradius issue
-
Hello, I've had a ticket opened in Redmine. This issue was regarding the number of radreply entries that pfSense can handle. Mainly the issue was, according to your engineer,
"The radius client library used in pfSense doesn't support RFC7499 (https://www.rfc-editor.org/rfc/rfc7499.html) and so RADIUS request/response payloads have an upper limit of 4096 bytes. Thus, there is a limit to the maximum number of attributes one can receive"
Anyway, my question is this: the reason I use pfSense in combination with OpenVPN/FreeRADIUS is to enable user login to our network, and using the Cisco AV-Pair I can have very granular control where I can only allow a certain user to access certain IPs. Meaning that if user "A" logs in, he can only access the 10.5.0.10 device, whereas user "B" can only access 10.5.0.12. And both are NOT ALLOWED to see each other's device (or IP).
This could be done using entries in the radreply table such as the following (for example):
ip:inacl#71=permit any host 10.7.0.65 host 10.100.4.198
ip:inacl#70=permit any host 10.7.0.65 host 10.100.4.137
ip:inacl#7=permit any host 10.7.0.65 host 10.100.11.102
ip:inacl#69=permit any host 10.7.0.65 host 10.100.4.109
ip:inacl#68=permit any host 10.7.0.65 host 10.100.32.22

Now, the question is: did pfSense customize this feature so that it ONLY works on pfSense, or can I do this by building my own OpenVPN with FreeRADIUS, where OpenVPN also has the same ability to "block" (or route) according to this Cisco-AVPair? Since pfSense cannot offer a solution currently, I need to look elsewhere for one.
Because I am in the middle of building an OpenVPN/FreeRADIUS server, but if this is a pfSense-ONLY feature (meaning you guys wrote a custom script to make this work), then I will need to look for another solution.
Thank you very much!
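The Cisco-AVPair entries above travel in the Access-Accept as RADIUS Vendor-Specific attributes (type 26, RFC 2865, Cisco enterprise number 9, vendor sub-type 1), and without RFC 7499 fragmentation the whole packet is capped at 4096 bytes, which is the limit the engineer's reply refers to. The Python below is an added example written for this page, not code from pfSense, OpenVPN or FreeRADIUS. It encodes each radreply entry as a Cisco VSA, sums the resulting packet size, works out how many entries of that size fit in one reply, and sorts the ip:inacl# entries by their sequence number (the ones quoted in the post arrive out of order). The sample entries are the five quoted above; the `other_attr_bytes` allowance for the rest of the reply (Message-Authenticator, Framed-IP-Address and so on) is an assumed parameter the caller supplies.

```python
import re
import struct

# Constructed sample: the five radreply entries quoted in the post.
RADREPLY_ENTRIES = [
    "ip:inacl#71=permit any host 10.7.0.65 host 10.100.4.198",
    "ip:inacl#70=permit any host 10.7.0.65 host 10.100.4.137",
    "ip:inacl#7=permit any host 10.7.0.65 host 10.100.11.102",
    "ip:inacl#69=permit any host 10.7.0.65 host 10.100.4.109",
    "ip:inacl#68=permit any host 10.7.0.65 host 10.100.32.22",
]

RADIUS_HEADER_LEN = 20       # Code, Identifier, Length, Authenticator (RFC 2865 section 3)
RADIUS_MAX_PACKET = 4096     # maximum packet length without RFC 7499 fragmentation
ATTR_VENDOR_SPECIFIC = 26    # Vendor-Specific attribute type (RFC 2865 section 5.26)
VENDOR_CISCO = 9             # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # Cisco vendor sub-type carrying "Cisco-AVPair" strings
# Attribute Length is one byte (max 255): 2 (type, length) + 4 (vendor id)
# + 2 (vendor type, vendor length) leaves 247 bytes for the string itself.
MAX_AVPAIR_STRING = 255 - 2 - 4 - 2

INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    if len(data) > MAX_AVPAIR_STRING:
        raise ValueError(f"Cisco-AVPair string too long ({len(data)} > {MAX_AVPAIR_STRING})")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", VENDOR_CISCO) + vendor_part
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def reply_packet_size(entries, other_attr_bytes: int = 0) -> int:
    """Size of an Access-Accept carrying these entries plus an assumed
    allowance for whatever other attributes the server adds."""
    return RADIUS_HEADER_LEN + other_attr_bytes + sum(
        len(encode_cisco_avpair(e)) for e in entries
    )


def fits_in_one_packet(entries, other_attr_bytes: int = 0) -> bool:
    return reply_packet_size(entries, other_attr_bytes) <= RADIUS_MAX_PACKET


def max_entries_that_fit(sample_entry: str, other_attr_bytes: int = 0) -> int:
    """How many entries the size of sample_entry fit under the 4096-byte cap."""
    per_entry = len(encode_cisco_avpair(sample_entry))
    return (RADIUS_MAX_PACKET - RADIUS_HEADER_LEN - other_attr_bytes) // per_entry


def ordered_acl(entries):
    """Parse ip:inacl#<seq>=<rule> entries and return the rules in sequence
    order, the way a device would apply them. Rejects anything else."""
    parsed = []
    for entry in entries:
        m = INACL_RE.match(entry)
        if not m:
            raise ValueError(f"not an ip:inacl entry: {entry!r}")
        parsed.append((int(m.group(1)), m.group(2)))
    parsed.sort()
    return [rule for _, rule in parsed]


if __name__ == "__main__":
    for rule in ordered_acl(RADREPLY_ENTRIES):
        print(rule)
    print("packet size with these entries:", reply_packet_size(RADREPLY_ENTRIES))
    print("entries of this size per reply:", max_entries_that_fit(RADREPLY_ENTRIES[0]))
```

Each 55-character entry costs 63 bytes on the wire, so a reply with nothing but these ACL lines holds 64 of them; every extra attribute the server adds lowers that number, and a user whose ACL is longer simply cannot be expressed in a single 4096-byte Access-Accept without RFC 7499 support on the client side.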