[PacketFence-users] how to deploy acl via radius attribute 26?

[平嘉伟 <jia...@le...>]

Hi folks!
         I have a pf 13.2 installation for wired 802.1x authentication with Huawei 57xx switches.
         Test-pc: win10
         Test-switch-model: Huawei S5720
         Test-switch-vrp-verion: V200R011C10SPC600
         802.1x authentication and role based vlan assignment working perfectly.

         Now here is the thing:
         I define an acl in [switch-group]-[roles]-[OA-MACHINE]-[access-list] for testing.
         The acl is pretty simple and has been tested with Huawei switch:
         acl 10001 deny dst-port 3389
         meaning: deny if tcp destination port is 3389
         after test-machine passed authentication , got correct role[OA-MACHINE] , the radius reply is:
[cid:image001.jpg@01DAF95A.B2251B00]
         BUT, there is no ACL info in reply!
         After digging, I found radius-filter which is capable to send acl by using radius attribute 26-82 [Huawei data-filter], but it is hard to use.
         On the other hand, [access-list] of [switch-group]-[roles] is much more user-friendly.
         So, my question is:
how to make pf send acl which is predefined in [switch-group]-[roles]-[SOME ROLE]-[access-list] to Huawei switch using radius attribute 26-82[Huawei data-filter]?

         Any advice is appreciated.

         Joel.