MAX_PACKET_LEN setting limiting number of Cisco- Avpair's

Alan DeKok aland at ox.org
Wed Jun 29 01:47:12 CEST 2005


Niall Browne <nbrowne at Yodlee.com> wrote:
> After looking through the source code on v 1.148.2.3 I can see that the
> reason that cisco-avpair += within the users file is not being sent to the
> firewall for ACL's above a certain number is due to the fact that the
> maximum Radius Packet size is 4k.

  That would happen for a large number of ACL's.

>  This is coded under radius.c for max_packet_len 4096

  That's what the RFC's say it should be.

>  I can modify the entry to increase the packets size and recompile, which
> may work in that further cisco-avpair +=  may be pushed to the firewall, but
> this will probably cause a number of other problems.

  I don't think so.  It's only one place in the source tree, so the
rest of the server won't care.  And if the client accepts the packet,
and applies all of the ACL's, then that's all that matters.

>  Apart from this is there any other way to increase the number of
> Cisco-Avpair's within freeradius to be pushed to a firewall or is this the
> maximum ?

  You may be able to set up pools of ACL's, and say "this user is in
pool X", but you'd have to consult Cisco docs for more information.

  Alan DeKok.
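An added example, not code from the thread or from FreeRADIUS: it encodes Cisco-AVPair values the way a RADIUS Vendor-Specific attribute (type 26, vendor 9) is laid out and sizes the reply against the 4096-byte limit discussed above, so you can see in advance how many ACL lines one Access-Accept can carry. The ACL lines and the `other_attrs_len` figure are constructed sample values.

```python
import struct

RADIUS_HEADER_LEN = 20        # code(1) + id(1) + length(2) + authenticator(16)
MAX_PACKET_LEN = 4096         # max_packet_len in radius.c, as discussed in the thread
ATTR_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_VENDOR_TYPE = 1


def encode_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair as a Vendor-Specific attribute.

    Layout: type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) data.
    The attribute length octet caps one attribute at 255 bytes, so the
    AV-pair text itself can be at most 247 bytes.
    """
    data = value.encode("ascii")
    vendor_len = 2 + len(data)          # vendor-type + vendor-length + data
    attr_len = 6 + vendor_len           # + type + length + vendor-id
    if attr_len > 255:
        raise ValueError(f"Cisco-AVPair too long for one attribute: {len(data)} bytes")
    header = struct.pack("!BBIBB", ATTR_VENDOR_SPECIFIC, attr_len,
                         CISCO_VENDOR_ID, CISCO_AVPAIR_VENDOR_TYPE, vendor_len)
    return header + data


def reply_length(avpairs, other_attrs_len: int = 0) -> int:
    """Total on-the-wire length of a reply carrying these AV-pairs."""
    return RADIUS_HEADER_LEN + other_attrs_len + sum(
        len(encode_cisco_avpair(v)) for v in avpairs)


def max_avpairs_that_fit(avpairs, max_len: int = MAX_PACKET_LEN,
                         other_attrs_len: int = 0) -> int:
    """How many of the AV-pairs (in order) fit before the packet exceeds max_len."""
    total = RADIUS_HEADER_LEN + other_attrs_len
    for i, v in enumerate(avpairs):
        total += len(encode_cisco_avpair(v))
        if total > max_len:
            return i
    return len(avpairs)


if __name__ == "__main__":
    # Constructed sample: one ACL line per AV-pair, as a users-file entry would push.
    acl = [f"ip:inacl#{n}=permit tcp any host 10.0.0.{n} eq 443" for n in range(1, 121)]
    print("reply length:", reply_length(acl), "bytes")
    print("lines that fit in", MAX_PACKET_LEN, "bytes:", max_avpairs_that_fit(acl))
```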
