Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4723
Views
5
Helpful
3
Replies

RADIUS Vendor Specific Attributes (VSAs)

Go to solution
SaintEvn
Level 1
Level 1

‎09-11-2020 10:06 AM

Hi all,

What is the role VSA (vendor specific attribute) in Radius and why it is important?

When we configure Switch to integrate with ISE, we need to send vsa information to ISE. What will happen if we don't add vsa config in switch?

Sorry for my question but I still can't understand the important of VSA even after I've tried reading some documents.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-11-2020 12:16 PM

High level :

 

Whenever a vendor chooses non-standard formats or data types for their attributes, it becomes nearly impossible for any RADIUS server to understand those attributes.

 

The VSA format should be the format defined in RFC 2865, Section 5.26. This type is automatically used by the server when a new vendor dictionary is defined.

 

The data types for each attribute should be one of the well-known data types defined above. Any other data type will not be understood by most RADIUS servers.

The attribute names should be prefixed with the name of the vendor in order to avoid global naming conflicts. For example, an attribute

name such as Cisco-AVPair is a good name, whereas AV-Pair would not be a good name.

 

here is the example: ISE point of view.

 

https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253

 

You do not have any issue with Cisco Switch they are standard and ISE understands AV information, only issue if you configuring 3rd party device ISE . the device needs to be defined as the correct AV pair to understand the value.

 

If the RADIUS does not understand the value you get unexpected outcome.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

3 Replies 3

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-11-2020 12:16 PM

High level :

 

Whenever a vendor chooses non-standard formats or data types for their attributes, it becomes nearly impossible for any RADIUS server to understand those attributes.

 

The VSA format should be the format defined in RFC 2865, Section 5.26. This type is automatically used by the server when a new vendor dictionary is defined.

 

The data types for each attribute should be one of the well-known data types defined above. Any other data type will not be understood by most RADIUS servers.

The attribute names should be prefixed with the name of the vendor in order to avoid global naming conflicts. For example, an attribute

name such as Cisco-AVPair is a good name, whereas AV-Pair would not be a good name.

 

here is the example: ISE point of view.

 

https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253

 

You do not have any issue with Cisco Switch they are standard and ISE understands AV information, only issue if you configuring 3rd party device ISE . the device needs to be defined as the correct AV pair to understand the value.

 

If the RADIUS does not understand the value you get unexpected outcome.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
SaintEvn
Level 1
Level 1

‎09-11-2020 12:45 PM - edited ‎09-11-2020 12:45 PM

Thank you so much!
So with third-party device that is not using standard RADIUS attribute, then the device should be configured to send its vsa to ISE.
Otherwise, the ISE will not recongnize the device vendor and RADIUS AAA Process may not work correctly .
Is my understanding correct ?

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-11-2020 01:26 PM

yes, they are not RFC compliance.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents