This is a weird one.

But concerns me because I am migrating a customer's ACS 5.2 to ISE 2.2 and in one of their ACS Policy Results they include a VSA called MS-Tunnel-Tag inside the Microsoft VSA dictionary.  Customer performs a lot of dynamic VLAN assignments using 802.1X.  Microsoft mentions this VSA in this TechNet posting as being possibly required by some vendors, and I also see reference to 4170 in this posting about IAS (predecessor to NPS).

The weird part is that the Vendor-Type is 4170 (decimal) and this is (to my knowledge) illegal since the Vendor-Type may only be 0-255 since it's an 8bit field (see RFC2548).  Both ISE 2.2 and latest Wireshark conform to the RFC.  But our friend ACS 5.2 below allows >32bit values, including 4170!

The customer also uses a large fleet of Microsoft NPS servers (Radius platform) alongside ACS, and Tunnel-Tag is also there!

There is also an old Cisco Support posting where IAS is mentioned in context of this Vendor-Type.  I makes me think that it's not a complete fiction...

And used multiple with different VLAN values throughout their deployment

When I started migrating ACS to ISE I tried this and ISE doesn't allow this value.

When I did a Wireshark trace of the ACS Access-Accept packet I see that the 4170 is not found.  4170 is 0x104a (hex) and  it appears that even though it's configured as 0x104a, only the lower portion of the 32bit word is sent on the wire.

So it seems that ACS wrongly accepts values greater than 255?

I did a test by removing the MS-Tunnel-Tag from their lab ACS and there was no detrimental impact (the NAD is a WX5004 from H3C).

The other attributes that one commonly finds in these return policies took care of the VLAN assignment.

I am just wondering whether anyone knows if the MS-Tunnel-Tag was something historical?

And how is it possible that ACS and NPS allowed that Vendor-Type to be configured in a Radius Access-Accept policy?