Hi
After looking through the source code on v 1.148.2.3 I can see that the reason that cisco-avpair += within the users file is not being sent to the firewall for ACL's above a certain number is due to the fact that the maximum Radius Packet size is 4k.
This is coded under radius.c for max_packet_len 4096
I can modify the entry to increase the packets size and recompile, which may work in that further cisco-avpair += may be pushed to the firewall, but this will probably cause a number of other problems.
Apart from this is there any other way to increase the number of Cisco-Avpair's within freeradius to be pushed to a firewall or is this the maximum ?
Thanks,
Niall
_____________________________________________
From: Niall Browne
Sent: Tuesday, June 28, 2005 10:20 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: RE: Issue with increasing the number of ACL's in users file
I sent this week and did not receive a response.
Since then I have again gone through all files in detail, viewed countless debugs, and searched all past posts re freeradius, with no success.
Anyone have any idea what may be causing this or have seen a similar problem in the past ?
Thanks,
Niall
_____________________________________________
From: Niall Browne
Sent: Wednesday, June 22, 2005 8:49 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Issue with increasing the number of ACL's in users file
Hi
I am having a problem with an apparent limit on ACL's on my freeradius servers. I have been running this servers for a number of years, and have always had the number of ACL's on the users file below 52, and have never had any problems.
I noticed as soon as I increased the ACL's above 52 it appeared to authenticate in the logs, however the auth connection through Cisco VPN simply continued to try to authenticate and nothing happened. As soon as I removed the ACL's below 52 and restarted it works fine.
I dumped the logs
/usr/local/freeradius/sbin/radiusd -p 1647 -sfxxyz -l stdout
When I then auth'd and viewed the stdout logs, they are identical for <52 and then >52 (when compared). The only difference is that the ACL's after the magic 52 mark do not show in the stout, and this causes my timeout to fail. When I revert to <52 I can see the last ACL's and all works fine.
I have checked through the configs including radiusd.conf however I cannot find a hard coded limitation on ACL's anywhere.
Is anyone aware of how to resolve this ?
Thanks in advance,
Niall