368 Views · 5 Helpful · 3 Replies
Beginner

RADIUS Vendor Specific Attributes (VSAs)

Hi all,

What is the role of a VSA (vendor specific attribute) in RADIUS, and why is it important?

When we configure a switch to integrate with ISE, we need to send VSA information to ISE. What will happen if we don't add the VSA config on the switch?

Sorry for my question, but I still can't understand the importance of VSAs even after I've tried reading some documents.

ACCEPTED SOLUTION
VIP Mentor

High level:

Whenever a vendor chooses non-standard formats or data types for their attributes, it becomes nearly impossible for any RADIUS server to understand those attributes.

The VSA format should be the format defined in RFC 2865, Section 5.26. This type is automatically used by the server when a new vendor dictionary is defined.

The data types for each attribute should be one of the well-known data types defined above. Any other data type will not be understood by most RADIUS servers.

The attribute names should be prefixed with the name of the vendor in order to avoid global naming conflicts. For example, an attribute name such as Cisco-AVPair is a good name, whereas AV-Pair would not be a good name.

Here is an example from the ISE point of view:

https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253

You do not have any issue with Cisco switches; they are standard and ISE understands the AV information. The only issue is if you are configuring a 3rd-party device with ISE: the device needs to be defined with the correct AV pairs for ISE to understand the values.

If the RADIUS server does not understand the value, you get an unexpected outcome.

BB
*** Rate All Helpful Responses ***

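To make the accepted answer concrete, here is an added worked example (editor's code, not part of the original post or any Cisco or ISE code). It encodes and decodes the RFC 2865 Section 5.26 layout (Type 26 | Length | 4-octet Vendor-Id with the high octet zero | vendor-type | vendor-length | value), looks attributes up in a small vendor dictionary, and shows both failure modes the thread discusses: a VSA from a vendor the server has no dictionary for is returned opaque rather than by name, and a NAS that does not send VSAs at all gives the server nothing to match on. Assumptions are marked in comments: the Vendor-Id 9 / vendor-type 1 = Cisco-AVPair mapping is real, but the dictionary itself, the `audit-session-id` value and the placeholder Vendor-Id 4242 are constructed for the demonstration, and `nas_access_request` is a simulation of a switch, not switch code.

```python
"""Encode/decode RADIUS Vendor-Specific attributes (RFC 2865 section 5.26).

Wire layout of attribute type 26:
  Type(1)=26 | Length(1) | Vendor-Id(4, high octet 0) | String
  String = one or more of: Vendor-type(1) | Vendor-length(1) | Attribute-Specific
"""
import struct

VENDOR_SPECIFIC = 26

# Constructed vendor dictionary for this example.  Vendor-Id 9 is Cisco's
# enterprise number and vendor-type 1 is Cisco-AVPair (a string).  A server
# with no entry for a Vendor-Id cannot name its attributes; see decode_vsa().
VENDOR_DICT = {
    9: ("Cisco", {1: "Cisco-AVPair"}),
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Return a standard (non-vendor) attribute: Type | Length | Value."""
    if 2 + len(value) > 255:
        raise ValueError("attribute exceeds 255 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Return one type-26 attribute carrying a single vendor sub-attribute."""
    if not 0 <= vendor_id <= 0xFFFFFF:
        raise ValueError("Vendor-Id must fit in 3 octets (high octet is 0)")
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor-type is one octet")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    total = 2 + 4 + len(sub)                      # Type + Length + Vendor-Id + sub
    if total > 255:
        raise ValueError("attribute exceeds 255 octets")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, vendor_id) + sub


def parse_attrs(data: bytes):
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def decode_vsa(value: bytes):
    """Decode the body of a type-26 attribute into (vendor, name, value) triples.

    Sub-attributes whose Vendor-Id or vendor-type is not in VENDOR_DICT are
    returned opaque (raw bytes), which is all a server without a dictionary
    for that vendor can do with them."""
    if len(value) < 6:
        raise ValueError("VSA shorter than Vendor-Id + one sub-attribute")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24:
        raise ValueError("high octet of Vendor-Id must be 0")
    vendor_name, attr_names = VENDOR_DICT.get(vendor_id, (None, {}))
    rest, i, triples = value[4:], 0, []
    while i < len(rest):
        if i + 2 > len(rest):
            raise ValueError("truncated vendor sub-attribute")
        vt, vl = rest[i], rest[i + 1]
        if vl < 2 or i + vl > len(rest):
            raise ValueError("bad vendor-length")
        body = rest[i + 2:i + vl]
        if vendor_name and vt in attr_names:
            triples.append((vendor_name, attr_names[vt], body.decode("ascii")))
        else:
            triples.append((f"Vendor-Id {vendor_id}", f"vendor-type {vt}", body))
        i += vl
    return triples


def find_avpair(attrs: bytes, key: str):
    """Return the value of the Cisco-AVPair 'key=value' in an attribute list, or None."""
    for t, v in parse_attrs(attrs):
        if t != VENDOR_SPECIFIC:
            continue
        for _vendor, name, val in decode_vsa(v):
            if name == "Cisco-AVPair" and isinstance(val, str) and val.startswith(key + "="):
                return val.split("=", 1)[1]
    return None


def nas_access_request(vsa_send: bool) -> bytes:
    """Simulated attribute list a Cisco switch puts in an Access-Request.

    With vsa_send=False only standard attributes are sent, which is what the
    server sees when the switch is not configured to send VSAs.  The
    audit-session-id value is constructed."""
    attrs = encode_attr(1, b"alice")                       # User-Name
    attrs += encode_attr(61, struct.pack("!I", 15))        # NAS-Port-Type = Ethernet
    if vsa_send:
        attrs += encode_vsa(9, 1, b"audit-session-id=0A0A0A0A00000001")  # Cisco-AVPair
    return attrs


if __name__ == "__main__":
    print(find_avpair(nas_access_request(True), "audit-session-id"))   # named, matchable
    print(find_avpair(nas_access_request(False), "audit-session-id"))  # None: nothing to match
    print(decode_vsa(encode_vsa(4242, 7, b"\x01\x02")[2:]))            # opaque: no dictionary
```

The `Vendor-Id 4242` case is the third-party situation from the thread: the bytes parse fine, but without a dictionary entry the server can only hand back `vendor-type 7` with raw bytes, so any policy written against an attribute name never matches. The `vsa_send=False` case is the other half of the original question: if the switch never sends the VSA, the attribute is simply absent and `find_avpair` returns `None`.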
3 REPLIES
Beginner

Thank you so much!
So with third-party device that is not using standard RADIUS attribute, then the device should be configured to send its vsa to ISE.
Otherwise, ISE will not recognize the device vendor and the RADIUS AAA process may not work correctly.
Is my understanding correct ?

VIP Mentor

Yes, they are not RFC compliant.

 

BB
*** Rate All Helpful Responses ***