Hello Dany,

To implement dynamic acl, your radius server should return an attribute to the router:

cisco-avpair = "ip:inacl=my_user_access_list"

this is for selecting an extended access list, already defined in the router, named "my_user_access_list"

or you could return several :

cisco-avpair = "ip:inacl#1="deny 10.10.10.10 0.0.0.0"

cisco-avpair = "ip:inacl#1="permit any any"

Those line build a dynamic access list 1.

cisco-avpair = "ip:inacl#1="deny 10.10.10.10 0.0.0.0"