https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149933#M562809 <P>yes, they are not RFC compliance.</P> <P>&nbsp;</P> Fri, 11 Sep 2020 20:26:19 GMT balaji.bandi 2020-09-11T20:26:19Z https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149827#M562801 <P>Hi all,</P><P>What is the role VSA (vendor specific attribute) in Radius and why it is important?</P><P>When we configure Switch to integrate with ISE, we need to send vsa information to ISE. What will happen if we don't add vsa config in switch?</P><P>Sorry for my question but I still can't understand the important of VSA even after I've tried reading some documents.</P> Fri, 11 Sep 2020 17:06:31 GMT https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149827#M562801 SaintEvn 2020-09-11T17:06:31Z https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149885#M562804 <P>High level :</P> <P>&nbsp;</P> <P><SPAN>Whenever a vendor chooses non-standard formats or data types for their attributes, it becomes nearly impossible for any RADIUS server to understand those attributes.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The VSA format should be the format defined in RFC 2865, Section 5.26. This type is automatically used by the server when a new vendor dictionary is defined.</SPAN></P> <P>&nbsp;</P> <DIV class="paragraph"> <P>The data types for each attribute should be one of the well-known data types defined above. Any other data type will not be understood by most RADIUS servers.</P> </DIV> <DIV class="paragraph"> <P>The attribute names should be prefixed with the name of the vendor in order to avoid global naming conflicts. For example, an attribute</P> <P>name such as<SPAN>&nbsp;</SPAN><CODE>Cisco-AVPair</CODE><SPAN>&nbsp;</SPAN>is a good name, whereas<SPAN>&nbsp;</SPAN><CODE>AV-Pair</CODE><SPAN>&nbsp;</SPAN>would not be a good name.</P> <P>&nbsp;</P> <P>here is the example: ISE point of view.</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253" target="_blank">https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253</A></P> <P>&nbsp;</P> <P>You do not have any issue with Cisco Switch they are standard and ISE understands AV information, only issue if you configuring 3rd party device ISE . the device needs to be defined as the correct AV pair to understand the value.</P> <P>&nbsp;</P> <P>If the RADIUS does not understand the value you get unexpected outcome.</P> </DIV> Fri, 11 Sep 2020 19:16:15 GMT https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149885#M562804 balaji.bandi 2020-09-11T19:16:15Z https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149912#M562807 <P>Thank you so much!<BR />So with third-party device that is not using standard RADIUS attribute, then the device should be configured to send its vsa to ISE.<BR />Otherwise, the ISE will not recongnize the device vendor and RADIUS AAA Process may not work correctly .<BR />Is my understanding correct ?</P> Fri, 11 Sep 2020 19:45:45 GMT https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149912#M562807 SaintEvn 2020-09-11T19:45:45Z https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149933#M562809 <P>yes, they are not RFC compliance.</P> <P>&nbsp;</P> Fri, 11 Sep 2020 20:26:19 GMT https://community.cisco.com/t5/network-access-control/radius-vendor-specific-attributes-vsas/m-p/4149933#M562809 balaji.bandi 2020-09-11T20:26:19Z