https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543541#M535582 <HTML><HEAD></HEAD><BODY><P>I tried this with my local NPS. Tunnel-Tag is listed under standard attributes, not under Microsoft.</P><P>When I use it in the policy, it does not make it into the RADIUS response at all. Perhaps it's used for some other NPS function beside RADIUS.</P></BODY></HTML> Fri, 16 Jun 2017 22:27:48 GMT vibobrov 2017-06-16T22:27:48Z https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543538#M535577 <HTML><HEAD></HEAD><BODY><P>This is a weird one. </P><P>But concerns me because I am migrating a customer's ACS 5.2 to ISE 2.2 and in one of their ACS Policy Results they include a VSA called MS-Tunnel-Tag inside the Microsoft VSA dictionary.&nbsp; Customer performs a lot of dynamic VLAN assignments using 802.1X.&nbsp; Microsoft mentions this VSA in this <A href="https://technet.microsoft.com/en-us/library/cc754422(v=ws.10).aspx">TechNet</A> posting as being possibly required by some vendors, and I also see reference to 4170 in <A href="http://www.deepsoftware.com/iasviewer/attributeslist.html">this posting</A> about IAS (predecessor to NPS). </P><P></P><P>The weird part is that the Vendor-Type is 4170 (decimal) and this is (to my knowledge) illegal since the Vendor-Type may only be 0-255 since it's an 8bit field (see <A href="https://tools.ietf.org/html/rfc2548">RFC2548</A>).&nbsp; Both ISE 2.2 and latest Wireshark conform to the RFC.&nbsp; But our friend ACS 5.2 below allows &gt;32bit values, including 4170!</P><P></P><P>The customer also uses a large fleet of Microsoft NPS servers (Radius platform) alongside ACS, and Tunnel-Tag is also there!</P><P>There is also an <A href="https://supportforums.cisco.com/discussion/9552051/yet-another-ias-8021x-dynamic-vlan-question">old Cisco Support posting </A>where IAS is mentioned in context of this Vendor-Type.&nbsp; I makes me think that it's not a complete fiction...</P><P><IMG alt="ACS-MS-tunnel-tag.PNG" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/108356_ACS-MS-tunnel-tag.PNG" style="width: 620px; height: 344px;" /></P><P>And used multiple with different VLAN values throughout their deployment</P><P><IMG class="jive-image image-4" src="https://community.cisco.com/legacyfs/online/fusion/108359_pastedImage_7.png" style="max-height: 900px; max-width: 1200px;" /></P><P></P><P></P><P>When I started migrating ACS to ISE I tried this and ISE doesn't allow this value.</P><P><IMG alt="ISE-outofrange.PNG" class="jive-image image-2" src="https://community.cisco.com/legacyfs/online/fusion/108357_ISE-outofrange.PNG" style="width: 620px; height: 406px;" /></P><P></P><P>When I did a Wireshark trace of the ACS Access-Accept packet I see that the 4170 is not found.&nbsp; 4170 is 0x104a (hex) and&nbsp; it appears that even though it's configured as 0x104a, only the lower portion of the 32bit word is sent on the wire.</P><P><IMG class="jive-image image-3" src="https://community.cisco.com/legacyfs/online/fusion/108358_pastedImage_3.png" style="max-height: 900px; max-width: 1200px;" /></P><P>So it seems that ACS wrongly accepts values greater than 255?</P><P></P><P>I did a test by removing the MS-Tunnel-Tag from their lab ACS and there was no detrimental impact (the NAD is a WX5004 from H3C).</P><P>The other attributes that one commonly finds in these return policies took care of the VLAN assignment.</P><P></P><P><STRONG>I am just wondering whether anyone knows if the <SPAN style="text-decoration: underline;">MS-Tunnel-Tag</SPAN> was something historical?</STRONG></P><P><STRONG>And how is it possible that ACS and NPS allowed that Vendor-Type to be configured in a Radius Access-Accept policy?</STRONG></P><P></P><P></P></BODY></HTML> Thu, 15 Jun 2017 23:13:38 GMT https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543538#M535577 Arne Bier 2017-06-15T23:13:38Z https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543539#M535578 <HTML><HEAD></HEAD><BODY><P>4170 is an internal ID that NPS/IAS use to catalogue attributes. You can find in c:\windows\system32\ias\dnary.xml:</P><P>&lt;Attribute&gt;</P><P>&lt;ID&gt;4170&lt;/ID&gt;</P><P>&lt;Name&gt;Tunnel-Tag&lt;/Name&gt;</P><P>&lt;Syntax&gt;Integer&lt;/Syntax&gt;</P><P>&lt;MultiValued&gt;0&lt;/MultiValued&gt;</P><P>&lt;VendorID&gt;311&lt;/VendorID&gt;</P><P>&lt;Is-Security-Sensitive&gt;0&lt;/Is-Security-Sensitive&gt;</P><P>&lt;IsAllowedInProfile&gt;1&lt;/IsAllowedInProfile&gt;</P><P>&lt;IsAllowedInCondition&gt;0&lt;/IsAllowedInCondition&gt;</P><P>&lt;IsAllowedInProxyProfile&gt;1&lt;/IsAllowedInProxyProfile&gt;</P><P>&lt;IsAllowedInProxyCondition&gt;0&lt;/IsAllowedInProxyCondition&gt;</P><P>&lt;LDAPName&gt;msTunnelTag&lt;/LDAPName&gt;</P><P>&lt;IsTunnelAttribute&gt;0&lt;/IsTunnelAttribute&gt;</P><P>&lt;/Attribute&gt;</P><P></P><P>Based on the packet capture in your screenshot, you're looking at VSA attribute (26/0x1a), Vendor Microsoft (311/0x137), Attribute 74 (0x4a). 6 is the length of the attribute, including ID, 00 00 00 02 is the value.</P><P>I can't find this attribute 74 in any Microsoft dictionaries i looked at.</P><P>ISE allows you to create custom attributes in the dictionary. Based on the length the type of the attribute should be UINT32.</P></BODY></HTML> Fri, 16 Jun 2017 00:46:54 GMT https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543539#M535578 vibobrov 2017-06-16T00:46:54Z https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543540#M535580 <HTML><HEAD></HEAD><BODY><P>Hi Viktor</P><P></P><P>Thanks for the IAS c:\windows\system32\ias\dnary.xml reference.</P><P>Are you able to check</P><P>- whether <STRONG>IAS can return</STRONG> this value in a radius Access-Accept message to a NAS? </P><P>- what the radius packet looks like when it does so?</P><P></P><P>Yes - attribute 74 (0x4a) is not valid at all, and it's a result of chopping the WORD 0x104a in half! </P><P></P><P>I guess my point was that ACS GUI allows the user to enter some <EM>bogus</EM> value, and then the ACS UDP/Radius stack takes only the 8bits of that user-entered value (no bounds checking). </P><P>The Wireshark that I shared was taken from the ACS that sent the Access-Accept.</P><P></P><P>So my conclusion is that even if the customer's intention was to send MS-Tunnel-Tag (x104a) to a NAS, and ACS GUI allows the value to be entered, the resulting VSA that ACS puts in the Radius packet is garbage (0x4a).</P><P></P><P>Garbage in, garbage out?</P><P></P><P>cheers</P></BODY></HTML> Fri, 16 Jun 2017 03:52:11 GMT https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543540#M535580 Arne Bier 2017-06-16T03:52:11Z https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543541#M535582 <HTML><HEAD></HEAD><BODY><P>I tried this with my local NPS. Tunnel-Tag is listed under standard attributes, not under Microsoft.</P><P>When I use it in the policy, it does not make it into the RADIUS response at all. Perhaps it's used for some other NPS function beside RADIUS.</P></BODY></HTML> Fri, 16 Jun 2017 22:27:48 GMT https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543541#M535582 vibobrov 2017-06-16T22:27:48Z https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543542#M535584 <HTML><HEAD></HEAD><BODY><P>Hi Victor</P><P></P><P>thanks for verifying the effects of this in NPS.&nbsp; It helped me greatly.</P><P></P><P>cheers</P></BODY></HTML> Tue, 20 Jun 2017 23:53:41 GMT https://community.cisco.com/t5/network-access-control/microsoft-vendor-specific-attribute-vendor-type-4170/m-p/3543542#M535584 Arne Bier 2017-06-20T23:53:41Z