locked
Configuring Vendor Specific Attributes (VSA) with Network Policy Server (NPS) for Windows 2008 (RADIUS Accounting) RRS feed

  • Question

  • Hello all,

    I'm having difficulty configuring the NPS to understand Vendor Specific Attributes (VSAs). We have a Session Border Controller (SBC) from the vendor Ingate. The Ingate SBC uses RADIUS accounting to send Call Detail Records (CDRs) as well as Media statistics of each call. We are receiving the data just fine, it's just that I don't know how to configure the VSAs and get the NPS to understand them. 

    I checked the Ingate documentation, and it says it is RFC 2866 compliant. The documentation also contains the info needed to configure the attributes. I have attached an image to show you all a sample. (Note: In the image, the last 2 rows are VSAs, the other's are commonly known). I've also attached a sample of the dictionary file that is located in the user guide which displays the VSAs.

    Now I followed the steps outlined here: http://technet.microsoft.com/en-us/library/cc731611(v=ws.10)

    But if you look at my attachment, there's no place in NPS to configure the Attribute Name, and then configure the value type. For instance, when I put VSA 128 as integer, NPS gives me an error saying that I need to input a value of some type.

    Please help!

    Thanks,

    John

    Monday, July 30, 2012 3:55 PM

Answers

  • Hi John,

    Thank you for the post.

    You miss operater "click Vendor Specific. In the details pane, click Add" in steps 2.

    2.In policy properties, click Settings, and then click Vendor Specific. In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.

    I have not found your vendor (SBC/Ingate) in vendor list, I assume the vendor code is 50. Here is the VSA screenshot for you.
    https://skydrive.live.com/?cid=89aee176339ad2f9#cid=89AEE176339AD2F9&id=89AEE176339AD2F9%21206

    If there are more inquiries on this issue, please feel free to let us know.
     
    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan Thursday, August 9, 2012 5:21 AM
    Tuesday, July 31, 2012 8:53 AM

All replies

  • Hi John,

    Thank you for the post.

    You miss operater "click Vendor Specific. In the details pane, click Add" in steps 2.

    2.In policy properties, click Settings, and then click Vendor Specific. In the details pane, click Add. The Add Vendor Specific Attribute dialog box opens.

    I have not found your vendor (SBC/Ingate) in vendor list, I assume the vendor code is 50. Here is the VSA screenshot for you.
    https://skydrive.live.com/?cid=89aee176339ad2f9#cid=89AEE176339AD2F9&id=89AEE176339AD2F9%21206

    If there are more inquiries on this issue, please feel free to let us know.
     
    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Rick Tan Thursday, August 9, 2012 5:21 AM
    Tuesday, July 31, 2012 8:53 AM
  • Hey Rick,

    Thanks for the reply. The screenshot really helps. The vendor ID according to the Ingate documentation is 13465. 

    I have a couple more questions:

    1) In your screenshot, why did you assign an attribute value of 1 for the Integer? 
    2) How would you configure a String Attribute? What Attribute Value would you put in there? (if you could attach a screenshot, that would be fantastic!)

    Appreciate the help Rick.

    Thanks,

    John

    Tuesday, July 31, 2012 2:01 PM
  • Hi John,

    1) In your screenshot, why did you assign an attribute value of 1 for the Integer?
    I assigned value to 1 is based on your original post sample.

    IG-Acct-Input-Jitter    128  Four octets(32 bit unsigned value)-Integer   1

    2) How would you configure a String Attribute? What Attribute Value would you put in there?
    Just change the Attribute format to string in Configure VSA window. The value is controlled by the configurtions of your Ingate device.

    Regards


    Rick Tan

    TechNet Community Support

    Wednesday, August 1, 2012 9:05 AM
  • Hey Rick,

    I believe the "Sample" column of that document just indicates a sample of the data that is received. Are you saying that in the NPS under "Attribute Value", we have to just put a sample of the data that is being received? I just assumed something else was being expected.

    Please confirm.

    Thanks,

    John


    • Edited by John Ceci Wednesday, August 1, 2012 4:59 PM
    Wednesday, August 1, 2012 4:57 PM
  • Hi John,

    You just need to add VSA with "Attribute Value" if you want to change/configure the attribute. No need to add other default value VSA.
    http://technet.microsoft.com/en-us/library/cc725979(WS.10).aspx

    Regards


    Rick Tan

    TechNet Community Support

    • Proposed as answer by James McIllece Monday, August 6, 2012 8:06 PM
    • Marked as answer by Rick Tan Thursday, August 9, 2012 5:21 AM
    • Unmarked as answer by John Ceci Friday, August 17, 2012 5:44 PM
    Friday, August 3, 2012 4:02 AM
  • Hey Rick,

    I have added all of the VSAs in the way you described above, but now I have another problem.  When they are being received by the NPS, there is no distinction between the VSAs. First, take a look at a sample packet capture I took on the NPS (I've highlighted a few in red):


    Notice in the Packet Capture above that the Vendor Attribute number is located next to the t=Unknown-Attribute field (Example: t=Unknown-Attribute(128)). Below is a sample of what is being received and logged by NPS (I pulled this sample from the text log). I highlighted the VSAs in Bold:

    <Event>
    --Omitted Content-----
    <Acct-Input-Octets data_type="0">121600</Acct-Input-Octets>
    <Acct-Output-Octets data_type="0">800</Acct-Output-Octets>
    <Acct-Input-Packets data_type="0">608</Acct-Input-Packets>
    <Acct-Output-Packets data_type="0">4</Acct-Output-Packets>
    <Vendor-Specific data_type="2">00003499800600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499810600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">0000349990060000000C</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499910600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499820600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499830600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499840600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499850600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499860600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499870600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499880600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499890600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">000034998A0600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">000034998B0600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">000034998C044E6F</Vendor-Specific>
    <Vendor-Specific data_type="2">000034998D044E6F</Vendor-Specific>
    <Vendor-Specific data_type="2">000034998E0650434D55</Vendor-Specific>
    <Vendor-Specific data_type="2">000034998F0650434D55</Vendor-Specific>
    <Vendor-Specific data_type="2">000034999505302E30</Vendor-Specific>
    <Vendor-Specific data_type="2">000034999605302E31</Vendor-Specific>
    <Vendor-Specific data_type="2">00003499970600000000</Vendor-Specific>
    <Vendor-Specific data_type="2">000034999805302E30</Vendor-Specific>
    <Vendor-Specific data_type="2">000034999905302E30</Vendor-Specific>
    <Vendor-Specific data_type="2">000034999A0600000000</Vendor-Specific>
    <Client-Vendor data_type="0">0</Client-Vendor>
    <Client-Friendly-Name data_type="1">Ingate SBC</Client-Friendly-Name>
    <Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name>
    <Packet-Type data_type="0">4</Packet-Type>
    <Reason-Code data_type="0">0</Reason-Code>
    </Event>

    ----------------------------------------------------------------------

    My question is: Why isn't NPS taking that vendor specific data that is being received and distinguishing them by their attribute numbers which I have defined in the Network Policy? 

    Thanks,

    John

    Friday, August 17, 2012 5:43 PM
  • Hi John,

    NPS log output format is hard-coded by design. Here is similar thread. Hope it helps you.
    http://social.technet.microsoft.com/Forums/en-US/winserverNAP/thread/658686de-d1ee-42f3-b307-14ac08941376

    Regards


    Rick Tan

    TechNet Community Support

    Monday, August 20, 2012 2:55 AM
  • Hey Rick,

    That link you sent seems more like a band-aid solution which doesn't get to the heart of the problem which is: NPS does not recognize Vendor Specific Attributes properly. If it did, NPS would be able to distinguish each attribute based on their Attribute ID. 

    I downloaded a 3rd party RADIUS server called TekRadius, and it was not only able to distinguish each VSA, but I was also able to attach an Attribute name along with the Attribute ID. 

    I think if Microsoft is serious about making this a viable service, they should include this feature in future releases.

    Thanks,

    John

    Friday, August 24, 2012 6:41 PM