Beginning with Version 8.2, the RAD-Series RADIUS Server has greatly expanded dictionary support. The benefits of the new feature include:
- The ability to define VSAs in a greater variety of formats
- Ease of defining and managing an organization’s own VSAs
- Ease of upgrading to new versions without having to merge previous dictionary changes
RADIUS Attribute-Value-Pairs (AVPs) are the building blocks of RADIUS. They identify users, specify network elements, configure services and report session details. The RADIUS RFCs define a set of standard attributes such as User-Name, User-Password, NAS-Identifier, Session-Timeout and Acct-Output-Octets. In addition to the standard RADIUS attributes, RADIUS can be extended with Vendor Specific Attributes (VSAs). These are frequently defined by hardware and software vendors to support their proprietary features and distinguish their products. Conversely, they are also defined by various alliances and consortiums in order to promote interoperability. What may not be as commonly recognized is that VSA definition can be a powerful tool used by enterprises in defining their authorization policies based upon such things as groups, roles and privilege levels.
RFC 2865 specifies that VSAs SHOULD have the following format:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |           Vendor-Id
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
         Vendor-Id (cont)           |  Vendor type  | Vendor length |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |    Attribute-Specific...
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Where:
- Type (26) indicates that the attribute is vendor specific
- Length is the length of the entire VSA in number of octets
- Vendor-Id is the vendor’s Private Enterprise Number registered with IANA
- Vendor Type identifies the vendor’s attribute
- Vendor Length is the length in octets of Vendor Type, Vendor Length and Attribute Specific
- Attribute Specific is the value of the vendor’s attribute
The RAD-Series vendors file now supports optional parameters for configuring the sizes of the Vendor Type and Vendor Length fields, in order to support vendors that have chosen a format different from the one recommended in RFC 2865. If the parameters are omitted, the field sizes default to one octet.
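The following Python sketch is an added example, not RAD-Series code: it parses a Type 26 attribute with configurable Vendor Type and Vendor Length widths and rejects inconsistent lengths. The parameter names `type_size` and `len_size` are assumptions, as is the rule that wider formats still count the type, length and value fields in Vendor Length; it also goes slightly beyond the text by accepting several vendor attributes packed into one VSA.

```python
class VSAError(ValueError):
    """Malformed Vendor-Specific attribute."""

def parse_vsa(attr: bytes, type_size: int = 1, len_size: int = 1):
    """Parse one Type 26 attribute into (vendor_id, [(vendor_type, value), ...]).

    type_size and len_size (names assumed for this example) are the widths in
    octets of the Vendor Type and Vendor Length fields; both default to 1.
    """
    hdr = type_size + len_size
    if len(attr) < 6 + hdr:
        raise VSAError("too short for Type, Length, Vendor-Id and vendor header")
    if attr[0] != 26:
        raise VSAError("Type is not 26 (Vendor-Specific)")
    if attr[1] != len(attr):
        raise VSAError("Length does not match the octets supplied")
    vendor_id = int.from_bytes(attr[2:6], "big")
    subs, pos = [], 6
    while pos < len(attr):
        if pos + hdr > len(attr):
            raise VSAError("truncated vendor header")
        vtype = int.from_bytes(attr[pos:pos + type_size], "big")
        vlen = int.from_bytes(attr[pos + type_size:pos + hdr], "big")
        # Assumed for all widths: Vendor Length covers Vendor Type, Vendor Length
        # and Attribute Specific, so it cannot be below hdr or pass the end.
        if vlen < hdr or pos + vlen > len(attr):
            raise VSAError("Vendor Length out of bounds")
        subs.append((vtype, attr[pos + hdr:pos + vlen]))
        pos += vlen
    return vendor_id, subs

def rejects(attr: bytes, **sizes) -> bool:
    """True when parse_vsa refuses the attribute."""
    try:
        parse_vsa(attr, **sizes)
    except VSAError:
        return True
    return False

# Constructed samples. 32473 is the enterprise number reserved for documentation.
PEN = (32473).to_bytes(4, "big")
STANDARD = bytes([26, 13]) + PEN + bytes([1, 7]) + b"admin"          # 1-octet fields
WIDE = bytes([26, 15]) + PEN + b"\x01\x02" + b"\x00\x09" + b"admin"  # 2-octet fields
BAD_LEN = bytes([26, 13]) + PEN + bytes([1, 200]) + b"admin"         # overstated length

if __name__ == "__main__":
    print(parse_vsa(STANDARD))
    print(parse_vsa(WIDE, type_size=2, len_size=2))
    print(rejects(BAD_LEN), rejects(WIDE))
```

Parsing `WIDE` with the default one-octet sizes fails the bounds check, which is how a mismatch between the configured field sizes and the format a vendor actually sends shows up.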
The RAD-Series Server now supports the loading of multiple dictionaries and the previous dictionary has been reorganized so that each vendor has its own dictionary. The server loads the standard dictionary from the configuration directory and any additional dictionaries as specified by the %INCLUDE directive. The %INCLUDE directive can be invoked in any dictionary being loaded. The standard dictionary includes:

    %INCLUDE dictionary.Interlink
    %INCLUDE dictionary.Merit
    %INCLUDE dictionary.Microsoft
    %INCLUDE dictionary.VSAs
    %INCLUDE dictionary.custom

and dictionary.VSAs has %INCLUDE directives for numerous vendors’ dictionaries. This new architecture has several advantages:
- VSAs for new vendors can be easily added by adding their dictionary file and adding a %INCLUDE directive to dictionary.VSAs
- A vendor’s dictionary can be updated without impacting other definitions by updating or replacing just one file
- If for any reason an administrator wants to limit his application to only those vendors used in his network then the run-time dictionary can be easily reduced by removing %INCLUDE directives from dictionary.VSAs
The RAD-Series Server includes an empty dictionary.custom reserved for the system administrator’s use. By defining enterprise-specific VSAs in dictionary.custom, the system administrator will be able to upgrade RAD-Series versions, including new dictionaries, without ever having to re-merge his definitions into the new release’s dictionary again.
Interlink Networks, LLC will continue to add new vendor dictionaries in upcoming releases. Please contact us to let us know which vendors’ VSAs you need added.