Vendor-specific attribute overview

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Vendor-specific attribute overview

IAS provides the ability to specify RADIUS attributes that are returned with a RADIUS response message. These RADIUS attributes can be specified for each remote access policy and are configured on the Advanced tab in the properties of a profile for a remote access policy. For more information, see Configure Attributes for a Profile.

In addition to the standard RADIUS attributes, which are described in RFCs 2865 and 2866, you might also need to configure vendor-specific attributes (VSAs). VSAs allow vendors to support their own proprietary RADIUS attributes that are not included in RFCs 2865 and 2866. IAS includes VSAs from a number of vendors in its dictionary; however, the VSAs provided with IAS in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition do not include VSAs for all vendors. There is no process for centrally updating and distributing new versions of the IAS dictionary. Instead, you can manually create new VSAs for each remote access policy profile.

Some network access server (NAS) manufacturers use vendor-specific attributes (VSAs) to provide functionality that is not supported in standard attributes. IAS enables you to create or edit VSAs to take advantage of proprietary functionality supported by some NAS vendors. For more information about vendor-specific functionality and the VSAs that you can configure, see your access server documentation.

Before adding a VSA, check the list of attributes in the IAS dictionary. If the required VSA is present, use it. If not, you must add a VSA to the profile. VSAs are added by specifying the Vendor-Specific attribute on the Advanced tab in the properties of a profile for a remote access policy. For more information, see Configure vendor-specific attributes for a remote access policy.

If you want to add VSAs to the remote access policy profile to support proprietary functionality for your access point, you must determine whether the VSA conforms to the format recommended in RFC 2865.

  • If it does, you must specify:

    • A network access vendor by either name or vendor code.

    • A vendor-assigned attribute number.

    • The attribute format (that is, the type of data, such as string or hexadecimal).

    • The attribute value.

  • If it does not, you must specify:

    • A network access vendor by either name or vendor code.

    • A hexadecimal attribute value that represents the attribute data.

Ordering of multiple VSAs

If you need to configure more than one VSA, you should arrange them in the appropriate order in the Multivalued Attribute Information dialog box. For example, if you are using a filtering VSA that automatically disconnects users who do not meet specific criteria, you should ensure that the attribute appears at the top of the list. Use the Move Up and Move Down buttons in the Multivalued Attribute Information dialog box to arrange the attributes in the correct order.