RADIUS Attribute-Value-Pairs (AVPs) are the building blocks of RADIUS. They identify users, specify network elements, configure services and report session details. The RADIUS RFCs define a set of standard attributes such as User-Name, User-Password, NAS-Identifier, Session-Timeout and Acct-Output-Octets. In addition to the standard RADIUS attributes, RADIUS can be extended with Vendor Specific Attributes (VSAs). These are frequently defined by hardware and software vendors to support their proprietary features and distinguish their products. Conversely, they are also defined by various alliances and consortiums in order to promote interoperability. What may not be as commonly recognized is that VSA definition can be a powerful tool used by enterprises in defining their authorization policies based upon such things as groups, roles and privilege levels.
This article focuses on helping the enterprise which is interested in exploring this application of VSAs in defining authorization policies. If you are a hardware or software supplier whose VSAs are used by customers and others outside of your own organization then please contact Interlink Networks Product Management to get your VSAs published in a RAD-Series RADIUS dictionary.
Once you have determined your organization’s need for VSAs, here are the basic steps to define them in the RAD-Series RADIUS Server.
- Get Your Organization’s Private Enterprise Number
In order to prevent conflicts among different vendors’ VSAs, each VSA includes the vendor’s Private Enterprise Number (PEN). These numbers are assigned and administered by IANA.
Check IANA’s list of Private Enterprise Numbers. If your organization does not already have a PEN then apply online for a PEN.
- Configure a New Vendor
Add an entry to the end of the vendors configuration file of the form
# Vendor Description VendorName.Attr VendorName.Value PEN VendorName
VendorName.Attr is the macro name used to define this vendor’s VSAs
VendorName.Value is the macro name used to define named values for this vendor’s VSAs
PEN is your organization’s Private Enterprise Number
VendorName is the label used to reference this vendor and its VSAs in configurations
As an example, here is the configuration for Interlink Networks
# Interlink Networks Interlink.Attr Interlink.Value 6728 Interlink
- Configure VSA Definitions
Using the VendorName.Attr macro previously defined, add VSAs to the dictionary.custom configuration file of the form
# Vendor Description VendorName.Attr VSA-Name VSA-Code VSA-Type Pruning-Rules
VendorName.Attr is the macro name used to define VSAs in dictionary.custom
VSA-Name is the label used to identify the VSA in configurations and logfiles
VSA-Code is the integer code used to identify the VSA in RADIUS packets
VSA-Type is the data type for the VSA, most often string or integer
Pruning-Rules are the rules indicating how many instances are allowed in a RADIUS response
It is a good practice to prefix VSA-Names with the vendor’s name or acronym so as to avoid conflicts with other vendors’ VSA-Names.
As an example, to define a VSA to identify a user’s department inside Interlink Networks (ILN):
Interlink.Attr ILN-Department 55 integer (0,0,0,INTERNAL,NOLOG)
Note that the first three positions of the pruning rules give the number of instances allowed in the response to the NAS for Access-Accepts, Access-Rejects and Access-Challenges respectively, with the following values defined:
0 for 0 instances allowed
1 for 1 instance allowed
* for multiple instances allowed
Flags can be configured optionally following the three pruning rules. The flags most commonly used by enterprises are
INTERNAL indicates that the VSA is used internally and is never inserted in a RADIUS request or response packet. This is most likely the case for any VSA defined by an enterprise for the purpose of defining policies.
NOLOG indicates that the VSA is never written in any logfiles. This is a matter of the administrator’s preferences.
- Configure Named Values for Integer VSAs
Integer type VSAs can optionally have names associated with particular values using the form
VendorName.Value VSA-Name Value-Name Integer-Value
VendorName.Value is the macro name used to define named values for this vendor’s VSAs
VSA-Name is the VSA which can be assigned the value
Value-Name is the name assigned to the integer value for this VSA
Integer-Value is the value assigned to the label
As an example, here are some values for the ILN-Department VSA defined in the previous step:
Interlink.Value ILN-Department ILN-Administration 1
Interlink.Value ILN-Department ILN-Sales 2
Interlink.Value ILN-Department ILN-Marketing 3
Interlink.Value ILN-Department ILN-Engineering 4
Interlink.Value ILN-Department ILN-Support 5
- Add the Vendor to any Client Needing to Receive the VSAs
If a vendor’s VSAs are to be returned to a particular NAS then the NAS must be configured in the clients file as supporting that vendor. Unless your enterprise is developing hardware or software which acts as a RADIUS client, you are unlikely to need to perform this step. The format is
NAS-IPorFQDN SharedSecret type=VendorName:NAS V1
NAS-IPorFQDN is the IP address or FQDN of the NAS
SharedSecret is the shared secret configured in both the NAS and here
type= is a clients file configuration keyword
VendorName is the label used to reference this vendor and its VSAs in configurations
:NAS is a clients file configuration keyword
V1 is a clients file configuration keyword
As an example, many RADIUS clients support various Microsoft VSAs and Cisco VSAs. Here is a NAS which is configured to support both Microsoft and Cisco VSAs
192.168.9.27 05h@r3d53cr3T type=Microsoft+Cisco:NAS V1
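As an added illustration of steps 2 to 4 (this is example code written for this article, not part of the RAD-Series Server), the following Python parses vendor, VSA and named-value lines in the format shown above, applies the (Accept,Reject,Challenge) pruning rules and the INTERNAL flag to a candidate response, and encodes a VSA that is allowed on the wire as an RFC 2865 Vendor-Specific attribute (type 26). The Interlink vendor line and ILN-Department are the page’s own; ILN-Role (code 56) is a hypothetical attribute added so that one VSA is not INTERNAL.

```python
import struct

# Constructed input in the RAD-Series format described above; Interlink/ILN-Department
# are the page's own, ILN-Role (56) is hypothetical (ILN-Department is INTERNAL).
VENDORS = "# Interlink Networks Interlink.Attr Interlink.Value 6728 Interlink"
DICTIONARY = """
Interlink.Attr ILN-Department 55 integer (0,0,0,INTERNAL,NOLOG)
Interlink.Attr ILN-Role 56 string (1,0,0)
Interlink.Value ILN-Department ILN-Engineering 4
"""
RESPONSE_INDEX = {"Access-Accept": 0, "Access-Reject": 1, "Access-Challenge": 2}

def parse_vendor(line):
    # Only the trailing four fields matter: attr macro, value macro, PEN, label.
    attr_macro, value_macro, pen, name = line.split()[-4:]
    return {"attr": attr_macro, "value": value_macro, "pen": int(pen), "name": name}

def parse_dictionary(text, vendor):
    attrs, values = {}, {}  # {vsa-name: definition}, {vsa-name: {value-name: int}}
    for raw in text.strip().splitlines():
        f = raw.split()
        if f[0] == vendor["attr"]:
            rules = f[4].strip("()").split(",")  # (Accept,Reject,Challenge,FLAGS...)
            attrs[f[1]] = {"code": int(f[2]), "type": f[3],
                           "counts": rules[:3], "flags": set(rules[3:])}
        elif f[0] == vendor["value"]:
            values.setdefault(f[1], {})[f[2]] = int(f[3])
    return attrs, values

def prune(attrs, avps, response):
    # Keep only the instances the pruning rules allow for this response type.
    idx, kept = RESPONSE_INDEX[response], []
    for name, value in avps:
        a, already = attrs[name], sum(n == name for n, _ in kept)
        allowed = a["counts"][idx]
        if "INTERNAL" in a["flags"] or allowed == "0" or (allowed == "1" and already):
            continue  # INTERNAL VSAs never leave the server; 0 and 1 cap the count
        kept.append((name, value))
    return kept

def encode_vsa(vendor, attrs, values, name, value):
    # RFC 2865 attribute 26: Type, Length, Vendor-Id, then vendor type/length/value.
    a = attrs[name]
    if a["type"] == "integer":  # a named value is resolved through the Value table
        data = struct.pack("!I", values[name][value] if isinstance(value, str) else value)
    else:
        data = value.encode()
    body = struct.pack("!I", vendor["pen"]) + struct.pack("!BB", a["code"], 2 + len(data)) + data
    return struct.pack("!BB", 26, 2 + len(body)) + body
```

Running prune over a candidate Access-Accept containing ILN-Department and two ILN-Role instances yields a single ILN-Role, and the same list for an Access-Reject yields nothing, which is exactly what the (1,0,0) and INTERNAL settings prescribe.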
This tutorial demonstrates the basics of configuring vendors and VSAs in the RAD-Series Server. Other configuration options can be found in the Administrator’s Guide.