4.1 VPN Connection with RQC/RQS Quarantine


Figure 2: VPN Connection with RQC/RQS Quarantine example

In this example, a RAS server is configured as a RADIUS client and uses RADIUS as the authentication, authorization, and accounting protocol toward a RADIUS server. Based on the data known to it, the RAS server formulates an Access-Request packet as follows:

  • Attribute 0: NAS-Identifier = NAS Computer Name

  • Attribute 1: MS-RAS-Client-Name = MSRAS-0-<NAS Client ComputerName>

  • Attribute 2: MS-RAS-Client-Version = MSRASV5.20

  • Attribute 3: NAS-IP-Address = IP address of the RAS server

  • Attribute 4: Service-Type = Framed OR Callback Framed

  • Attribute 5: Framed-Protocol = PPP

  • Attribute 6: NAS-Port = Port number

  • Attribute 7: NAS-Port-Type = Virtual

  • Attribute 8: Calling-Station-ID = NAS client IP address

  • Attribute 9: Tunnel-Type = PPTP/L2TP/SSTP

  • Attribute 10: Tunnel-Medium-Type = IP

  • Attribute 11: Tunnel-Client-Endpoint = NAS client IP address

  • Attribute 12: MS-RAS-Version = MSRASV5.20

This is forwarded to the RADIUS server. The RADIUS server authenticates and authorizes the request. Based on the RADIUS server configuration, it responds with an Access-Accept packet with the following attributes:

  • Attribute 0: MS-Quarantine-State = 0 [Full access]

  • Attribute 1: MS-Quarantine-Session-Timeout = Time in seconds

  • Attribute 2: MS-Quarantine-IPFilter = List of IPv4 traffic filters

  • Attribute 3: MS-Filter = List of IPv4 traffic filters

  • Attribute 4: MS-IPv6-Filter = List of IPv6 traffic filters

  • Attribute 5: Tunnel-Type = List of tunnel types (PPTP/L2TP)

Note: Attribute 5 is present in the Access-Accept packet only if it is configured in the Settings section (rather than the Conditions section) of the relevant Network Policy on the RADIUS server.
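The exchange above, encoded and decoded at the byte level, as an added example that is not part of this specification or of any Microsoft implementation. It builds the Access-Request with the attributes listed in this example, builds the Access-Accept carrying MS-Quarantine-State and MS-Quarantine-Session-Timeout, and shows the check a RADIUS client performs before acting on the quarantine state: recomputing the Response Authenticator (MD5 over Code, Identifier, Length, Request Authenticator, attributes and the shared secret) so that a forged or altered Access-Accept is rejected. The standard attribute codes are taken from RFC 2865/2868 and the Microsoft vendor ID and vendor-specific sub-types from MS-RNAP as the author of this example understands them; treat those numbers as assumptions to verify against the cited specifications. Host names, addresses, the shared secret and the filter blob are constructed sample values, and no packet is sent on the network.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 2868) and Microsoft vendor-specific
# sub-types (MS-RNAP). ASSUMPTION: these numbers come from those specs, not from this
# page; verify them against MS-RNAP before relying on them.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311
STD = {"NAS-IP-Address": 4, "NAS-Port": 5, "Service-Type": 6, "Framed-Protocol": 7,
       "Calling-Station-Id": 31, "NAS-Identifier": 32, "NAS-Port-Type": 61,
       "Tunnel-Type": 64, "Tunnel-Medium-Type": 65, "Tunnel-Client-Endpoint": 66}
MS = {"MS-RAS-Version": 18, "MS-Filter": 22, "MS-RAS-Client-Name": 34,
      "MS-RAS-Client-Version": 35, "MS-Quarantine-IPFilter": 36,
      "MS-Quarantine-Session-Timeout": 37, "MS-Quarantine-State": 45, "MS-IPv6-Filter": 48}
MS_BY_TYPE = {v: k for k, v in MS.items()}


def _val(value):
    # Integer values are 32-bit big-endian; everything else is sent as raw bytes.
    return struct.pack("!I", value) if isinstance(value, int) else value


def attr(code, value):
    """Encode one attribute as Type(1) Length(1) Value, Length covering all three."""
    value = _val(value)
    return bytes([code, 2 + len(value)]) + value


def vsa(vendor_type, value):
    """Wrap a Microsoft sub-attribute in a Vendor-Specific (26) attribute."""
    value = _val(value)
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT_VENDOR_ID) + inner)


def packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, request_auth, nas_ip, client_ip, port):
    """Access-Request carrying the attributes the RAS server sends in this example."""
    return packet(ACCESS_REQUEST, ident, request_auth, [
        attr(STD["NAS-Identifier"], b"RAS-SERVER-1"),            # constructed name
        vsa(MS["MS-RAS-Client-Name"], b"MSRAS-0-VPNCLIENT1"),    # constructed name
        vsa(MS["MS-RAS-Client-Version"], b"MSRASV5.20"),
        attr(STD["NAS-IP-Address"], socket.inet_aton(nas_ip)),
        attr(STD["Service-Type"], 2),                             # 2 = Framed
        attr(STD["Framed-Protocol"], 1),                          # 1 = PPP
        attr(STD["NAS-Port"], port),
        attr(STD["NAS-Port-Type"], 5),                            # 5 = Virtual
        attr(STD["Calling-Station-Id"], client_ip.encode()),
        attr(STD["Tunnel-Type"], 1),                              # tag 0 + 1 = PPTP
        attr(STD["Tunnel-Medium-Type"], 1),                       # tag 0 + 1 = IPv4
        attr(STD["Tunnel-Client-Endpoint"], client_ip.encode()),
        vsa(MS["MS-RAS-Version"], b"MSRASV5.20"),
    ])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_accept(ident, request_auth, secret, state, timeout):
    """Access-Accept as the RADIUS server would answer; state 0 means full access."""
    attrs = [vsa(MS["MS-Quarantine-State"], state),
             vsa(MS["MS-Quarantine-Session-Timeout"], timeout),
             vsa(MS["MS-Quarantine-IPFilter"], b"<constructed filter placeholder>")]
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret)
    return packet(ACCESS_ACCEPT, ident, auth, attrs)


def verify_response(pkt, request_auth, secret):
    """RADIUS client check before honouring any quarantine attribute in the reply."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def parse_ms_attrs(pkt):
    """Walk the attribute list and decode Microsoft VSAs into a name -> value dict."""
    out, pos = {}, 20
    while pos + 2 <= len(pkt):
        code, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        value = pkt[pos + 2:pos + length]
        if (code == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == MICROSOFT_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            vval = value[6:4 + vlen]
            name = MS_BY_TYPE.get(vtype, f"MS-Vendor-{vtype}")
            out[name] = struct.unpack("!I", vval)[0] if len(vval) == 4 else vval
        pos += length
    return out


def demo():
    """Round trip: request, accept, authenticator check, and a tampered reply."""
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)
    req = build_access_request(1, request_auth, "192.0.2.10", "198.51.100.25", 7)
    acc = build_access_accept(1, request_auth, secret, state=0, timeout=300)
    tampered = acc[:-1] + bytes([acc[-1] ^ 1])   # flip one byte of the filter value
    return (verify_response(acc, request_auth, secret),
            verify_response(tampered, request_auth, secret),
            parse_ms_attrs(acc), parse_ms_attrs(req))
```

Tunnel-Type and Tunnel-Medium-Type are tagged attributes (RFC 2868): the first value byte is the tag and the remaining three carry the number, which is why packing the enumeration as a plain 32-bit integer yields tag 0. The Response Authenticator only binds the reply to the original request and the shared secret; a deployment that also wants the request itself integrity-protected sends Message-Authenticator (RFC 2869), which this example omits.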

For more information on RQC/RQS Quarantine, see [MSFT-NAQC].