4.1 VPN Connection with RQC/RQS Quarantine
Figure 2: VPN Connection with RQC/RQS Quarantine example
In this example, a RAS server is configured as a RADIUS client to use RADIUS as the authentication, authorization, and accounting protocol to a RADIUS server. Based on the data known to RAS, the RAS server formulates an Access-Request packet as follows:
Attribute 0: NAS-Identifier = NAS Computer Name
Attribute 1: MS-RAS-Client-Name = MSRAS-0-<NAS Client ComputerName>
Attribute 2: MS-RAS-Client-Version = MSRASV5.20
Attribute 3: NAS-IP-Address = IP address of the RAS server
Attribute 4: Service-Type = Framed OR Callback Framed
Attribute 5: Framed-Protocol = PPP
Attribute 6: NAS-Port = Port number
Attribute 7: NAS-Port-Type = Virtual
Attribute 8: Calling-Station-Id = NAS client IP address
Attribute 9: Tunnel-Type = PPTP/L2TP/SSTP
Attribute 10: Tunnel-Medium-Type = IP
Attribute 11: Tunnel-Client-Endpoint = NAS client IP address
Attribute 12: MS-RAS-Version = MSRASV5.20
This is forwarded to the RADIUS server. The RADIUS server authenticates and authorizes the request. Based on the RADIUS server configuration, it responds with an Access-Accept packet with the following attributes:
Attribute 0: MS-Quarantine-State = 0 [Full access]
Attribute 1: MS-Quarantine-Session-Timeout = Time in seconds
Attribute 2: MS-Quarantine-IPFilter = List of IPv4 traffic filters
Attribute 3: MS-Filter = List of IPv4 traffic filters
Attribute 4: MS-IPv6-Filter = List of IPv6 traffic filters
Attribute 5: Tunnel-Type = List of tunnel types (PPTP/L2TP)
Note: Attribute 5 would be in the Access-Accept packet, provided it is set in the Settings placeholder rather than the Conditions placeholder for the relevant Network Policy configured on a RADIUS server.
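The following added example (not part of the original specification text) shows how an auditing or monitoring tool could extract MS-Quarantine-State and MS-Quarantine-Session-Timeout from an Access-Accept like the one above, rejecting malformed attribute lengths. The vendor ID 311, the vendor types 45 and 37, and the state names other than 0 are assumptions taken from the public Microsoft RADIUS dictionary; the helper names and the sample packet are constructed for illustration.

```python
import struct

MS_VENDOR_ID = 311  # Microsoft's SMI enterprise number
# Vendor types and state names assumed from the public Microsoft RADIUS dictionary.
MS_INT_ATTRS = {45: "MS-Quarantine-State", 37: "MS-Quarantine-Session-Timeout"}
STATE_NAMES = {0: "Full access", 1: "Quarantine", 2: "Probation"}

def tlvs(buf, what):
    """Yield (type, value) pairs; reject lengths that are too small or overrun buf."""
    i = 0
    while i < len(buf):
        if len(buf) - i < 2 or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError(f"malformed {what} at offset {i}")
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def parse_access_accept(pkt):
    """Return the Microsoft quarantine integers carried in an Access-Accept."""
    if len(pkt) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 2 or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    found = {}
    for atype, value in tlvs(pkt[20:length], "attribute"):
        if atype != 26:                      # only Vendor-Specific is of interest
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific attribute without a vendor id")
        if int.from_bytes(value[:4], "big") != MS_VENDOR_ID:
            continue
        for vtype, vdata in tlvs(value[4:], "vendor attribute"):
            if vtype in MS_INT_ATTRS:
                if len(vdata) != 4:
                    raise ValueError("quarantine integer is not 4 bytes")
                found[MS_INT_ATTRS[vtype]] = int.from_bytes(vdata, "big")
    return found

def ms_vsa(vtype, data):
    """Encode one Microsoft vendor attribute inside a Vendor-Specific (26) attribute."""
    inner = struct.pack("!IBB", MS_VENDOR_ID, vtype, 2 + len(data)) + data
    return bytes([26, 2 + len(inner)]) + inner

def sample_accept(state, timeout):
    """Constructed packet; the authenticator is zeroed and is not verified here."""
    attrs = ms_vsa(45, struct.pack("!I", state)) + ms_vsa(37, struct.pack("!I", timeout))
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    result = parse_access_accept(sample_accept(0, 120))
    print(result, STATE_NAMES[result["MS-Quarantine-State"]])
```

The parser does not check the Response Authenticator, so a tool that must trust the packet's origin needs the shared secret and that check as well.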
For more information on RQC/RQS Quarantine, see [MSFT-NAQC].