
6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs:

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 2.2.1.1: Windows endpoints always use the format MS-RAS-x-<RAS Client Computer Name> (for example, MS-RAS-0-Laptop, where "Laptop" is the name of the computer). The value of x is either 0 or 1, where 0 indicates that the messenger service is not running on the endpoint machine and 1 indicates that the messenger service is running. This information is useful to decide whether the Microsoft RRAS Administrator can send messages to the user by using the messenger service. (This is a UI/API option to "Send Messages to User" in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.) Also note that this service is deprecated in Windows Server 2008 and Windows Vista, and PPP always sends "MSRAS-0<>" on a Windows Vista client. For Windows Messenger Service, see [MS-MSRP].

<2> Section 2.2.1.2: For Windows XP, the Attribute-Specific Value is "MSRASV5.10" and for Windows Vista, Windows 8 and Windows 8.1, this value is "MSRASV5.20".

<3> Section 2.2.1.15: When Windows is operating as a NAS in a RAS server or VPN server role, it uses the late bound flag in the following way:

  1. An endpoint initiates a connection to a NAS.

  2. The NAS forwards the connection request to the RADIUS server using an access-request message.

  3. The RADIUS server processes the request and returns an access-accept message that contains the MS-IPv6-Filter attribute with a list of filters.

  4. The NAS implements the filter list for the endpoint connection and begins filtering traffic.

  5. The NAS and endpoint complete the connection request and the endpoint receives IP address information for the RAS connection.

  6. The NAS uses the IP addresses to alter the implemented filter list for the client connection. How the filter list is modified, if at all, depends on the Late Bound flag as follows:

    • 0x00000001: The source address is replaced with the address assigned to the endpoint.

    • 0x00000004: This is not implemented in Windows.

    • 0x00000010: The source prefix is replaced with 64.
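The late-binding rewrite in step 6, as an added example that is not part of the specification or of any Microsoft code. The `Filter` class, its field names, the placeholder source `::/0` and the sample addresses are assumptions made for illustration; the class does not reproduce the MS-IPv6-Filter wire format.

```python
import ipaddress
from dataclasses import dataclass, replace

# Late Bound flag values listed in note <3> above.
LB_SRC_ADDR = 0x00000001         # source address <- address assigned to endpoint
LB_NOT_IMPLEMENTED = 0x00000004  # note <3>: not implemented in Windows
LB_SRC_PREFIX = 0x00000010       # source prefix <- 64


@dataclass(frozen=True)
class Filter:
    """Hypothetical, simplified model of one filter; not the wire format."""
    src_addr: ipaddress.IPv6Address
    src_prefix: int
    late_bound: int


def bind_late(flt, assigned):
    """Step 6: rewrite a filter once the endpoint's address is known."""
    changes = {}
    if flt.late_bound & LB_SRC_ADDR:
        changes["src_addr"] = assigned
    if flt.late_bound & LB_SRC_PREFIX:
        changes["src_prefix"] = 64
    return replace(flt, **changes)  # 0x4 changes nothing, as note <3> states


def unbound_flags(flt):
    """Flag bits outside the two that note <3> says Windows applies."""
    return flt.late_bound & ~(LB_SRC_ADDR | LB_SRC_PREFIX)


def source_matches(flt, packet_src):
    """True if packet_src falls inside the filter's source network."""
    net = ipaddress.IPv6Network((flt.src_addr, flt.src_prefix), strict=False)
    return packet_src in net


# Constructed sample: documentation-prefix addresses, placeholder source "::/0".
ENDPOINT = ipaddress.IPv6Address("2001:db8:aaaa:1::25")
AS_RECEIVED = Filter(ipaddress.IPv6Address("::"), 0, LB_SRC_ADDR | LB_SRC_PREFIX)
BOUND = bind_late(AS_RECEIVED, ENDPOINT)

if __name__ == "__main__":
    other = ipaddress.IPv6Address("2001:db8:bbbb:2::9")
    print("before binding, other source matches:", source_matches(AS_RECEIVED, other))
    print("after binding, other source matches: ", source_matches(BOUND, other))
    print("after binding, endpoint matches:     ", source_matches(BOUND, ENDPOINT))
    print("unbound flag bits for 0x5:", hex(unbound_flags(Filter(ENDPOINT, 128, 0x5))))
```

When reviewing a RADIUS policy for a Windows NAS, a non-zero `unbound_flags` result marks a filter whose intended rewrite will not happen, so the filter stays as it was delivered in the access-accept message.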

<4> Section 2.2.2.1: Only Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 RADIUS servers support this vendor-specific value for the RADIUS Tunnel-Type attribute.

<5> Section 3.1.5.1: The Remote Authentication Dial-In User Service (RADIUS) Protocol standard, as specified in [RFC2865], defines RADIUS attributes. One of the attributes in [RFC2865] section 5.26 defines a VSA for use by implementers to extend the attribute set. Microsoft has created a number of VSAs for use with RADIUS to support authenticated network access. Some of these VSAs are as specified in [RFC2548]. The remaining VSAs will be documented in section 2.2.1 of this document. The following table shows which RADIUS VSAs are implemented in the various versions of Windows.

| Microsoft VSA | Reference | Section | Windows Server 2000 | Windows Server 2003 | Windows Server 2008 | Windows Server 2008 R2 | Windows Server 2012 | Windows Server 2012 R2 |
|---|---|---|---|---|---|---|---|---|
| MS-CHAP-Response | [RFC2548] | 2.1.3 | X | X | X | X | X | X |
| MS-CHAP-Domain | [RFC2548] | 2.1.4 | X | X | X | X | X | X |
| MS-CHAP-Error | [RFC2548] | 2.1.5 | X | X | X | X | X | X |
| MS-CHAP-CPW-1 | [RFC2548] | 2.1.6 | X | X | X | X | X | X |
| MS-CHAP-CPW-2 | [RFC2548] | 2.1.7 | X | X | X | X | X | X |
| MS-CHAP-LM-Enc-PW | [RFC2548] | 2.1.8 | X | X | X | X | X | X |
| MS-CHAP-NT-Enc-PW | [RFC2548] | 2.2 | X | X | X | X | X | X |
| MS-CHAP2-Response | [RFC2548] | 2.3.2 | X | X | X | X | X | X |
| MS-CHAP2-Success | [RFC2548] | 2.3.3 | X | X | X | X | X | X |
| MS-CHAP2-CPW | [RFC2548] | 2.3.4 | X | X | X | X | X | X |
| MS-CHAP-MPPE-Keys | [RFC2548] | 2.4.1 | X | X | X | X | X | X |
| MS-MPPE-Send-Key | [RFC2548] | 2.4.2 | X | X | X | X | X | X |
| MS-MPPE-Recv-Key | [RFC2548] | 2.4.3 | X | X | X | X | X | X |
| MS-MPPE-Encryption-Types | [RFC2548] | 2.4.4 | X | X | X | X | X | X |
| MS-MPPE-Encryption-Policy | [RFC2548] | 2.4.5 | X | X | X | X | X | X |
| MS-BAP-Usage | [RFC2548] | 2.5.1 | X | X | X | X | X | X |
| MS-Link-Utilization-Threshold | [RFC2548] | 2.5.2 | X | X | X | X | X | X |
| MS-Link-Drop-Time-Limit | [RFC2548] | 2.5.3 | X | X | X | X | X | X |
| MS-Old-ARAP-Password | [RFC2548] | 2.6.1 | X | | | | | |
| MS-New-ARAP-Password | [RFC2548] | 2.6.2 | X | | | | | |
| MS-ARAP-PW-Change-Reason | [RFC2548] | 2.6.3 | X | | | | | |
| MS-ARAP-Challenge | [RFC2548] | 2.6.4 | X | | | | | |
| MS-RAS-Vendor | [RFC2548] | 2.7.1 | X | X | X | X | X | X |
| MS-RAS-Version | [RFC2548] | 2.7.2 | X | X | X | X | X | X |
| MS-Filter | [RFC2548] | 2.7.3 | X | X | X | X | X | X |
| MS-Acct-Auth-Type | [RFC2548] | 2.7.4 | X | X | X | X | X | X |
| MS-Acct-EAP-Type | [RFC2548] | 2.7.5 | X | X | X | X | X | X |
| MS-Primary-DNS-Server | [RFC2548] | 2.7.6 | X | X | X | X | X | X |
| MS-Secondary-DNS-Server | [RFC2548] | 2.7.7 | X | X | X | X | X | X |
| MS-Primary-NBNS-Server | [RFC2548] | 2.7.8 | X | X | X | X | X | X |
| MS-Secondary-NBNS-Server | [RFC2548] | 2.7.9 | X | X | X | X | X | X |
| MS-RAS-Client-Name | This document | 2.2.1.1 | | X | X | X | X | X |
| MS-RAS-Client-Version | This document | 2.2.1.2 | | X | X | X | X | X |
| MS-Quarantine-IPFilter | This document | 2.2.1.3 | | X | X | X | X | X |
| MS-Quarantine-Session-Timeout | This document | 2.2.1.4 | | X | X | X | X | X |
| MS-Identity-Type | This document | 2.2.1.6 | | | X | X | X | X |
| MS-Service-Class | This document | 2.2.1.7 | | | X | X | X | X |
| MS-Quarantine-User-Class | This document | 2.2.1.8 | | | X | X | X | X |
| MS-Quarantine-State | This document | 2.2.1.9 | | | X | X | X | X |
| MS-Quarantine-Grace-Time | This document | 2.2.1.10 | | | X | X | X | X |
| MS-Network-Access-Server-Type | This document | 2.2.1.11 | | | X | X | X | X |
| MS-AFW-Zone | This document | 2.2.1.12 | | | X | X | X | X |
| MS-AFW-Protection-Level | This document | 2.2.1.13 | | | X | X | X | X |
| MS-Machine-Name | This document | 2.2.1.14 | | | X | X | X | X |
| MS-IPv6-Filter | This document | 2.2.1.15 | | | X | X | X | X |
| MS-IPv4-Remediation-Servers | This document | 2.2.1.16 | | | X | X | X | X |
| MS-IPv6-Remediation-Servers | This document | 2.2.1.17 | | | X | X | X | X |
| Not-Quarantine-Capable | This document | 2.2.1.18 | | | X | X | X | X |
| MS-Quarantine-SoH | This document | 2.2.1.19 | | | X | X | X | X |
| MS-RAS-Correlation-ID | This document | 2.2.1.20 | | | X | X | X | X |
| MS-Extended-Quarantine-State | This document | 2.2.1.21 | | | X | X | X | X |
| HCAP-User-Groups | This document | 2.2.1.22 | | | X | X | X | X |
| HCAP-Location-Group-Name | This document | 2.2.1.23 | | | X | X | X | X |
| HCAP-User-Name | This document | 2.2.1.24 | | | X | X | X | X |
| MS-User-IPv4-Address | This document | 2.2.1.25 | | | X | X | X | X |
| MS-User-IPv6-Address | This document | 2.2.1.26 | | | X | X | X | X |
| MS-RDG-Device-Redirection | This document | 2.2.1.27 | | | X | X | X | X |
| MS-Tunnel-Type | This document | 2.2.2.1 | | | | X | X | X |

<6> Section 3.1.5.3: Microsoft RADIUS clients and RADIUS servers ignore VSAs in the following conditions:

<7> Section 3.2.5.1.9: The Microsoft RRAS server sends this attribute in Access-Request and Accounting-Request messages to the RADIUS server. This attribute can be sent by any RADIUS client, not just RRAS.

<8> Section 3.2.5.1.15: Only Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 RADIUS servers support this vendor-specific value for the RADIUS Tunnel-Type attribute.

<9> Section 3.2.5.2: When sending a response to a client configured as not compatible with NAP, in Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, RADIUS servers will exclude from the response the following attributes, described in section 3.2.5: MS-Quarantine-User-Class, MS-Quarantine-State, MS-Quarantine-Grace-Time, MS-Machine-Name, MS-IPv4-Remediation-Servers, MS-IPv6-Remediation-Servers, Not-Quarantine-Capable, and MS-Extended-Quarantine-State.

<10> Section 3.3.4.1: Windows endpoints always use the format MS-RAS-x-<RAS Client Computer Name> (for example, MS-RAS-0-Laptop, where "Laptop" is the name of the computer in a string format). The value of x is either 0 or 1, where 0 indicates that the messenger service is not running on the endpoint machine and 1 indicates that the messenger service is running. This information is useful to decide whether the Microsoft RRAS Administrator can send messages to the user by using the messenger service. (This is a UI/API option to "Send Messages to User" in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.) Also note that this service is deprecated in Windows Server 2008 and Windows Vista and PPP always sends "MSRAS-0<>" on a Windows Vista client. For Windows Messenger Service, see [MS-MSRP].

<11> Section 3.3.4.1: For Windows XP, the Attribute-Specific Value is "MSRASV5.10"; for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, this value is "MSRASV5.20".

<12> Section 3.3.4.1: When configured to support NAP, the Microsoft RRAS, DHCP, and HRA RADIUS clients send this attribute in an Access-Request message to a RADIUS server.

<13> Section 3.3.4.1: When configured to support NAP, the Microsoft RRAS server sends this attribute in an Access-Request message to the RADIUS server.

<14> Section 3.3.4.1: The Microsoft HCAP server sends this attribute in Access-Request messages to the RADIUS server.

Microsoft HCAP allows a user to integrate a Microsoft NAP solution with Cisco Network Admission Control, and the endpoint's IPv6 address obtained from Cisco Network Admission Control is put into this attribute by Microsoft HCAP.

<15> Section 3.3.5.1.15: Only Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 VPN servers support this vendor-specific value for the RADIUS Tunnel-Type Attribute.

<16> Section 3.3.5.2.1: Only the Microsoft RRAS RADIUS client supports this attribute when configured to support RQS/RQC; if received by an HRA or a DHCP server acting as a RADIUS client, it is silently discarded.

<17> Section 3.3.5.2.2: Only the Microsoft RRAS server RADIUS client supports this attribute when configured to support RQS/RQC; if received by an HRA or a DHCP RADIUS client, it is silently discarded.

For RQS/RQC, see VPN Connection with RQC / RQS quarantine (section 4.1).

<18> Section 3.3.5.2.9: Only the Microsoft RRAS server and DHCP servers acting as RADIUS clients support this attribute when configured to support NAP; if received by an HRA RADIUS client, it is silently discarded.

<19> Section 3.3.5.2.13: No existing Microsoft product acting as a RADIUS client uses this VSA.

<20> Section 5.1: Windows does not support such a mode. However, IPsec can be configured on Windows to ensure equivalent behavior.

© 2014 Microsoft