
How To Define Vendor Specific Attributes

RADIUS Attribute-Value-Pairs (AVPs) are the building blocks of RADIUS. They identify users, specify network elements, configure services and report session details. The RADIUS RFCs define a set of standard attributes such as User-Name, User-Password, NAS-Identifier, Session-Timeout and Acct-Output-Octets. In addition to the standard RADIUS attributes, RADIUS can be extended with Vendor Specific Attributes (VSAs). These are frequently defined by hardware and software vendors to support their proprietary features and distinguish their products. Conversely, they are also defined by various alliances and consortiums in order to promote interoperability. What may not be as commonly recognized is that VSA definition can be a powerful tool used by enterprises in defining their authorization policies based upon such things as groups, roles and privilege levels.

This article focuses on helping the enterprise which is interested in exploring this application of VSAs in defining authorization policies. If you are a hardware or software supplier whose VSAs are used by customers and others outside of your own organization then please contact Interlink Networks Product Management to get your VSAs published in a RAD-Series RADIUS dictionary.

Once you have determined your organization’s need for VSAs, here are the basic steps to define them in the RAD-Series RADIUS Server.

    1. Get Your Organization’s Private Enterprise Number

In order to prevent conflicts among different vendors’ VSAs, each VSA includes the vendor’s Private Enterprise Number (PEN). These numbers are assigned and administered by IANA.
Check IANA’s list of Private Enterprise Numbers. If your organization does not already have a PEN then apply online for a PEN.

    2. Configure a New Vendor

Add an entry to the end of the vendors configuration file of the form

#   Vendor Description
VendorName.Attr     VendorName.Value    PEN     VendorName

VendorName.Attr is the macro name used to define this vendor’s VSAs
VendorName.Value is the macro name used to define named values for this vendor’s VSAs
PEN is your organization’s Private Enterprise Number
VendorName is the label used to reference this vendor and its VSAs in configurations

As an example, here is the configuration for Interlink Networks

#   Interlink Networks
Interlink.Attr  Interlink.Value     6728    Interlink


    3. Configure VSA Definitions

Using the VendorName.Attr macro previously defined, add VSAs to the dictionary.custom configuration file of the form

#   Vendor Description
VendorName.Attr     VSA-Name    VSA-Code    VSA-Type    Pruning-Rules

VendorName.Attr is the macro name used to define VSAs in dictionary.custom
VSA-Name is the label used to identify the VSA in configurations and logfiles
VSA-Code is the integer code used to identify the VSA in RADIUS packets
VSA-Type is the data type for the VSA, most often string or integer
Pruning-Rules are the rules indicating how many instances are allowed in a RADIUS response

It is a good practice to prefix VSA-Names with the vendor’s name or acronym so as to avoid conflicts with other vendors’ VSA-Names.

As an example, to define a VSA that identifies a user’s department inside Interlink Networks (ILN)

Interlink.Attr  ILN-Department  55  integer     (0,0,0,INTERNAL,NOLOG)

Note that the first three positions of the pruning rules give the number of instances allowed in the response to the NAS for Access-Accepts, Access-Rejects and Access-Challenges respectively, with the following values defined

0 for no instances allowed
1 for a single instance allowed
* for multiple instances allowed

Flags can be configured optionally following the three pruning rules. The flags most commonly used by enterprises are

INTERNAL indicates that the VSA is used internally and is never inserted in a RADIUS request or response packet. This is most likely the case for any VSA defined by an enterprise for the purpose of defining policies.
NOLOG indicates that the VSA is never written in any logfiles. This is a matter of the administrator’s preferences.

    4. Configure Named Values for Integer VSAs

Integer type VSAs can optionally have names associated with particular values using the form

VendorName.Value    VSA-Name    Value-Name  Integer-Value

VendorName.Value is the macro name used to define named values for this vendor’s VSAs
VSA-Name is the VSA which can be assigned the value
Value-Name is the name assigned to the integer value for this VSA
Integer-Value is the value assigned to the label

As an example, here are some values for the ILN-Department VSA defined in the previous step

Interlink.Value     ILN-Department  ILN-Administration  1
Interlink.Value     ILN-Department  ILN-Sales           2
Interlink.Value     ILN-Department  ILN-Marketing       3
Interlink.Value     ILN-Department  ILN-Engineering     4
Interlink.Value     ILN-Department  ILN-Support         5
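Because the vendors file, dictionary.custom and the named-value entries must agree with each other, a small consistency check is useful before reloading the server. The following Python validator is an added example, not code from Interlink Networks or the RAD-Series product; it assumes the column layout described in steps 2 to 4 and, for the VSA-Code range, the standard RFC 2865 vendor-specific layout in which the vendor type is a single octet. The sample lines it checks are constructed and include one deliberate error (named values attached to a string VSA).

```python
import re
# Constructed sample lines in the shape the tutorial describes (vendors file,
# dictionary.custom, named values); not the product's own files.
VENDORS = """
#   Interlink Networks
Interlink.Attr  Interlink.Value     6728    Interlink
"""
DICTIONARY = """
Interlink.Attr  ILN-Department  55  integer  (0,0,0,INTERNAL,NOLOG)
Interlink.Attr  ILN-Role        56  string   (1,0,0)
"""
VALUES = """
Interlink.Value  ILN-Department  ILN-Administration  1
Interlink.Value  ILN-Department  ILN-Sales           2
Interlink.Value  ILN-Role        ILN-Bogus           9
"""
# Three pruning positions (Accept, Reject, Challenge), each 0/1/*, then optional flags.
PRUNE_RE = re.compile(r"^\([01*],[01*],[01*](,[A-Z]+)*\)$")

def fields(text):   # whitespace-separated fields of each non-blank, non-comment line
    return [l.split() for l in (r.split("#", 1)[0].strip() for r in text.splitlines()) if l]

def validate(vendors_text, dict_text, values_text):
    """Cross-check the three files; returns a list of problems (empty means consistent)."""
    problems, vendors, vsa_types = [], {}, {}   # Attr macro -> Value macro; (Value macro, VSA) -> type
    for f in fields(vendors_text):
        if len(f) != 4 or not f[2].isdigit():      # VendorName.Attr VendorName.Value PEN VendorName
            problems.append(f"vendors: bad entry {' '.join(f)}")
            continue
        vendors[f[0]] = f[1]
    for f in fields(dict_text):
        if len(f) != 5 or f[0] not in vendors:     # Attr VSA-Name VSA-Code VSA-Type Pruning-Rules
            problems.append(f"dictionary: bad entry {' '.join(f)}")
            continue
        attr, name, code, vtype, prune = f
        # Assumption: standard RFC 2865 VSA layout, so the Vendor-Type code is one octet.
        if not (code.isdigit() and 1 <= int(code) <= 255):
            problems.append(f"{name}: VSA-Code {code} is not in 1..255")
        if not PRUNE_RE.match(prune):
            problems.append(f"{name}: malformed pruning rules {prune}")
        vsa_types[(vendors[attr], name)] = vtype
    for f in fields(values_text):
        if len(f) != 4 or not f[3].isdigit():      # Value VSA-Name Value-Name Integer-Value
            problems.append(f"values: bad entry {' '.join(f)}")
            continue
        vtype = vsa_types.get((f[0], f[1]))
        if vtype != "integer":
            problems.append(f"{f[2]}: named values need an integer VSA, {f[1]} is {vtype}")
    return problems
```

Running `validate(VENDORS, DICTIONARY, VALUES)` reports only the ILN-Bogus entry, since ILN-Role is a string VSA and cannot carry named values.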


    5. Add the Vendor to any Client Needing to Receive the VSAs

If a vendor’s VSAs are to be returned to a particular NAS then the NAS must be configured in the clients file as supporting that vendor. Unless your enterprise is developing hardware or software which acts as a RADIUS client, you are unlikely to need to perform this step. The format is

NAS-IPorFQDN	SharedSecret	type=VendorName:NAS	V1

NAS-IPorFQDN is the IP address or FQDN of the NAS
SharedSecret is the shared secret configured in both the NAS and here
type= is a clients file configuration keyword
VendorName is the label used to reference this vendor and its VSAs in configurations
:NAS is a clients file configuration keyword
V1 is a clients file configuration keyword

As an example, many RADIUS clients support various Microsoft VSAs and Cisco VSAs. Here is a NAS which is configured to support both Microsoft and Cisco VSAs

192.168.9.27  05h@r3d53cr3T   type=Microsoft+Cisco:NAS    V1

This tutorial demonstrates the basics of configuring vendors and VSAs in the RAD-Series Server. Other configuration options can be found in the Administrator’s Guide.
