Vendor-Specific Attributes

Updated: October 21, 2008

Applies To: Windows Server 2008, Windows Server 2008 R2

Network Policy Server (NPS) allows you to add vendor-specific attributes (VSAs) to individual network policies, providing you with the ability to deploy new Remote Authentication Dial-In User Service (RADIUS) client products that have proprietary functionality that are not defined in Request for Comments (RFC) 2865.

NPS includes VSAs from a number of vendors in its multivendor dictionary. However, over time vendors create new products that use VSAs, and the multivendor dictionary cannot be updated frequently in an efficient manner.

You can add attributes that are not in the NPS multivendor dictionary as Vendor-Specific attributes (RADIUS standard attribute type 26) on the Settings tab of a network policy. To use attribute type 26 to create a custom attribute, an administrator must know the VSA format and the exact information to enter. The VSA formats are documented in the following section. For information about what values to enter, see your network access server (NAS) documentation. The following figure shows the VSA structure.

Vendor-Specific Attribute Structure

The Type value is one byte long and is set to 26 (0x1A) to indicate a VSA.

The Length value is one byte long and is set to the number of bytes in the VSA.

Vendor-ID is 4 octets long. The high-order octet is 0, and the low-order is 3 octets. Together, they make up the Structure and Identification of Management Information (SMI) Network Management Private Enterprise Code of the vendor.

The String field in the VSA consists of one or more octets. To conform to the recommendation of RFC 2865, the String field should consist of the fields as shown in the following figure.

Structure of the String Field

The Vendor Type value is used to indicate a specific VSA for the vendor.

The Vendor Length value is set to the number of bytes in the string.

The Attribute-Specific field contains the data for the specific vendor attribute.

Vendors who do not conform to RFC 2865 use attribute type 26 to identify a VSA, but do not use the Vendor Type, Vendor Length, and Attribute-Specific fields within the String field.

When adding a VSA for a particular NAS, you must know whether the attribute conforms to RFC 2865. For information about whether your NAS uses the VSA format documented in the figure earlier in this section, see your NAS documentation.

While you configure a custom VSA, if the VSA format conforms to RFC 2865, use the Yes. It conforms option and then configure the attribute with the vendor-assigned attribute number, attribute format, and attribute value as defined in NAS documentation. If the VSA format does not conform to RFC 2865, choose No. It does not conform, and then configure the attribute with the hexadecimal attribute value, which includes the string of the VSA format (everything after Vendor-ID) as defined in NAS documentation.

For a complete list of Microsoft VSAs that you can use with NPS, see sections through of Microsoft Vendor-Specific Attributes (VSAs) in the Microsoft Developer Network Library at

Community Additions