5473 Views | 5 Helpful | 3 Replies

RADIUS Vendor Specific Attributes (VSAs)

SaintEvn
Level 1

Hi all,

What is the role of a VSA (vendor-specific attribute) in RADIUS, and why is it important?

When we configure a switch to integrate with ISE, we need to send VSA information to ISE. What will happen if we don't add the VSA config on the switch?

Sorry for my question, but I still can't understand the importance of VSAs even after I've tried reading some documents.

1 Accepted Solution

Accepted Solutions

balaji.bandi
Hall of Fame

High level:

Whenever a vendor chooses non-standard formats or data types for their attributes, it becomes nearly impossible for any RADIUS server to understand those attributes.

The VSA format should be the format defined in RFC 2865, Section 5.26. This type is automatically used by the server when a new vendor dictionary is defined.

The data types for each attribute should be one of the well-known data types defined above. Any other data type will not be understood by most RADIUS servers.

The attribute names should be prefixed with the name of the vendor in order to avoid global naming conflicts. For example, an attribute name such as Cisco-AVPair is a good name, whereas AV-Pair would not be a good name.

Here is an example from the ISE point of view:

https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253

You do not have any issue with Cisco switches; they are standard and ISE understands the AV information. The only issue is if you are configuring a 3rd-party device in ISE: the device needs to be defined with the correct AV pair for ISE to understand the value.

If the RADIUS server does not understand the value, you get an unexpected outcome.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

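As an added illustration of the RFC 2865 Section 5.26 layout the accepted answer refers to (example code written for this page, not Cisco's, ISE's or any RADIUS server's own code): the block packs a Vendor-Specific attribute (Type 26: Length, 4-octet Vendor-Id, then vendor-type, vendor-length, value), parses it back through a small vendor dictionary, and shows what a server can do when the vendor is missing from that dictionary, which is the "unexpected outcome" the answer warns about. Cisco's IANA enterprise number 9 and Cisco-AVPair as vendor-type 1 are the standard values; the dictionary structure, the sample AV-pair string and the enterprise number 65535 used for the "unknown vendor" are constructed for this example.

```python
import struct

# RFC 2865 section 5.26: attribute type code for Vendor-Specific
VENDOR_SPECIFIC = 26

# Constructed vendor dictionary (assumption: a minimal stand-in for the
# per-vendor dictionary the answer mentions). Cisco's IANA enterprise number
# is 9 and Cisco-AVPair is vendor-type 1 in Cisco's VSA dictionary.
VENDOR_DICTIONARY = {
    9: ("Cisco", {1: "Cisco-AVPair"}),
}


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute in the RFC 2865 5.26 layout:
    Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length Value."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-octet RADIUS attribute limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(data):
    """Walk the attribute TLVs of a RADIUS packet body, rejecting bad lengths
    instead of reading past the buffer."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def decode_vsa(body, dictionary=VENDOR_DICTIONARY):
    """Resolve a Vendor-Specific body to (name, value).

    Known vendor and sub-attribute -> dictionary name and decoded string.
    Unknown vendor or sub-attribute -> a generic name and the raw bytes, which
    is all a server without that vendor's dictionary can do with the value."""
    if len(body) < 6:
        raise ValueError("Vendor-Specific body shorter than Vendor-Id plus sub-header")
    vendor_id = struct.unpack("!I", body[:4])[0]
    vendor_type, vendor_len = body[4], body[5]
    if vendor_len < 2 or 4 + vendor_len > len(body):
        raise ValueError("bad vendor-length %d" % vendor_len)
    value = body[6:4 + vendor_len]
    vendor = dictionary.get(vendor_id)
    if vendor is None:
        return "Unknown-Vendor-%d-Attr-%d" % (vendor_id, vendor_type), value
    name, attrs = vendor
    attr_name = attrs.get(vendor_type)
    if attr_name is None:
        return "%s-Unknown-Attr-%d" % (name, vendor_type), value
    return attr_name, value.decode("utf-8", errors="replace")


def decode_packet_attributes(data, dictionary=VENDOR_DICTIONARY):
    """Return [(name, value), ...] for every attribute, expanding VSAs."""
    out = []
    for attr_type, value in iter_attributes(data):
        if attr_type == VENDOR_SPECIFIC:
            out.append(decode_vsa(value, dictionary))
        else:
            out.append(("Attr-%d" % attr_type, value))
    return out


if __name__ == "__main__":
    # Constructed sample: a Cisco-AVPair as a switch would send it, followed by
    # a VSA from a vendor (65535 is a placeholder enterprise number) whose
    # dictionary this "server" does not have.
    sample = (encode_vsa(9, 1, "device-traffic-class=voice")
              + encode_vsa(65535, 7, b"\x01\x02"))
    for name, value in decode_packet_attributes(sample):
        print(name, "=", value)
```

Run stand-alone it prints `Cisco-AVPair = device-traffic-class=voice` for the Cisco attribute and `Unknown-Vendor-65535-Attr-7 = b'\x01\x02'` for the second one: the bytes are syntactically valid RFC 2865 VSAs either way, but without the vendor dictionary the server has a name and a string it cannot act on, so any policy written against that attribute silently never matches.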

3 Replies


SaintEvn
Level 1

Thank you so much!
So with a third-party device that is not using standard RADIUS attributes, the device should be configured to send its VSAs to ISE.
Otherwise, ISE will not recognize the device vendor and the RADIUS AAA process may not work correctly.
Is my understanding correct?

balaji.bandi
Hall of Fame

Yes, they are not RFC compliant.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help