6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.2.1.1: Windows endpoints always use the format MS-RAS-x-<RAS Client Computer Name> (for example, MS-RAS-0-Laptop where "Laptop" is the name of the computer). The value of x is either 0 or 1, where 0 indicates that the messenger service is not running on the endpoint machine and 1 indicates that the messenger service is running. This information is useful to decide whether the Microsoft RRAS Administrator can send messages to the user by using messenger service. (This is a UI/API option to "Send Messages to User" in Windows NT operating system, Windows 2000, Windows XP, and Windows Server 2003.) Also, note that this service is deprecated in Windows Vista and Windows Server 2008 and PPP always sends "MSRAS-0<>" on a Windows Vista client. For Windows Messenger Service, see [MS-MSRP].

<2> Section 2.2.1.2: For Windows XP, the Attribute-Specific Value is "MSRASV5.10" and for Windows Vista, Windows 8 and Windows 8.1, this value is "MSRASV5.20".

<3> Section 2.2.1.15: When Windows is operating as a NAS in a RAS server or VPN server role, the late bound flag uses the late bound flag in the following way:

  1. An endpoint initiates a connection to a NAS.

  2. The NAS forwards the connection request to the RADIUS server using an access-request message.

  3. The RADIUS server processes the request and returns an access-accept message that contains the MS-IPv6-Filter attribute with a list of filters.

  4. The NAS implements the filter list for the endpoint connection and begins filtering traffic.

  5. The NAS and endpoint complete the connection request and the endpoint receives IP address information for the RAS connection.

  6. The NAS uses the IP addresses to alter the implemented filter list for the client connection. The filter list, if modified, based on the Late Bound flag is as follows:

    • 0x00000001: The source address is replaced with the address assigned to the endpoint.

    • 0x00000004: This is not implemented in Windows.

    • 0x00000010: The source prefix is replaced with 64.

<4> Section 2.2.2.1: Only Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 RADIUS servers support this vendor-specific value for the RADIUS Tunnel-Type attribute.

<5> Section 3.1.5.1: The Remote Authentication Dial-In User Service (RADIUS) Protocol standard, as specified in [RFC2865], defines RADIUS attributes. One of the attributes in [RFC2865] section 5.26 defines a VSA for use by implementers to extend the attribute set. Microsoft has created a number of VSAs for use with RADIUS to support authenticated network access. Some of these VSAs are as specified in [RFC2548]. The remaining VSAs will be documented in section 2.2.1 of this document. The following table shows which RADIUS VSAs are implemented in the various versions of Windows.

Windows Server

Microsoft VSA

Reference

Section

Windows Server 2000

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

MS-CHAP-Response

[RFC2548]

2.1.3

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP-Domain

[RFC2548]

2.1.4

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP-Error

[RFC2548]

2.1.5

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP-CPW-1

[RFC2548]

2.1.6

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP-CPW-2

[RFC2548]

2.1.7

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP-LM-Enc-PW

[RFC2548]

2.1.8

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP-NT-Enc-PW

[RFC2548]

2.2

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP2-Response

[RFC2548]

2.3.2

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP2-Success

[RFC2548]

2.3.3

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP2-CPW

[RFC2548]

2.3.4

Yes

Yes

Yes

Yes

Yes

Yes

MS-CHAP-MPPE-Keys

[RFC2548]

2.4.1

Yes

Yes

Yes

Yes

Yes

Yes

MS-MPPE-Send-Key

[RFC2548]

2.4.2

Yes

Yes

Yes

Yes

Yes

Yes

MS-MPPE-Recv-Key

[RFC2548]

2.4.3

Yes

Yes

Yes

Yes

Yes

Yes

MS-MPPE-Encryption-Types

[RFC2548]

2.4.4

Yes

Yes

Yes

Yes

Yes

Yes

MS-MPPE-Encryption-Policy

[RFC2548]

2.4.5

Yes

Yes

Yes

Yes

Yes

Yes

MS-BAP-Usage

[RFC2548]

2.5.1

Yes

Yes

Yes

Yes

Yes

Yes

MS-Link-Utilization-Threshold

[RFC2548]

2.5.2

Yes

Yes

Yes

Yes

Yes

Yes

MS-Link-Drop-Time-Limit

[RFC2548]

2.5.3

Yes

Yes

Yes

Yes

Yes

Yes

MS-Old-ARAP-Password

[RFC2548]

2.6.1

Yes

MS-New-ARAP-Password

[RFC2548]

2.6.2

Yes

MS-ARAP-PW-Change-Reason

[RFC2548]

2.6.3

Yes

MS-ARAP-Challenge

[RFC2548]

2.6.4

Yes

MS-RAS-Vendor

[RFC2548]

2.7.1

Yes

Yes

Yes

Yes

Yes

Yes

MS-RAS-Version

[RFC2548]

2.7.2

Yes

Yes

Yes

Yes

Yes

Yes

MS-Filter

[RFC2548]

2.7.3

Yes

Yes

Yes

Yes

Yes

Yes

MS-Acct-Auth-Type

[RFC2548]

2.7.4

Yes

Yes

Yes

Yes

Yes

Yes

MS-Acct-EAP-Type

[RFC2548]

2.7.5

Yes

Yes

Yes

Yes

Yes

Yes

MS-Primary-DNS-Server

[RFC2548]

2.7.6

Yes

Yes

Yes

Yes

Yes

Yes

MS-Secondary-DNS-Server

[RFC2548]

2.7.7

Yes

Yes

Yes

Yes

Yes

Yes

MS-Primary-NBNS-Server

[RFC2548]

2.7.8

Yes

Yes

Yes

Yes

Yes

Yes

MS-Secondary-NBNS-Server

[RFC2548]

2.7.9

Yes

Yes

Yes

Yes

Yes

Yes

MS-RAS-Client-Name

This document

MS-RAS-Client-Name (section 2.2.1.1)

Yes

Yes

Yes

Yes

Yes

MS-RAS-Client-Version

This document

MS-RAS-Client-Version (section 2.2.1.2)

Yes

Yes

Yes

Yes

Yes

MS-Quarantine-IPFilter

This document

MS-Quarantine-IPFilter (section 2.2.1.3)

Yes

Yes

Yes

Yes

Yes

MS-Quarantine-Session-Timeout

This document

MS-Quarantine-Session-Timeout (section 2.2.1.4)

Yes

Yes

Yes

Yes

Yes

MS-Identity-Type

This document

MS-Identity-Type (section 2.2.1.6)

Yes

Yes

Yes

Yes

MS-Service-Class

This document

MS-Service-Class (section 2.2.1.7)

Yes

Yes

Yes

Yes

MS-Quarantine-User-Class

This document

MS-Quarantine-User-Class (section 2.2.1.8)

Yes

Yes

Yes

Yes

MS-Quarantine-State

This document

MS-Quarantine-State (section 2.2.1.9)

Yes

Yes

Yes

Yes

MS-Quarantine-Grace-Time

This document

MS-Quarantine-Grace-Time (section 2.2.1.10)

Yes

Yes

Yes

Yes

MS-Network-Access-Server-Type

This document

MS-Network-Access-Server-Type (section 2.2.1.11)

Yes

Yes

Yes

Yes

MS-AFW-Zone

This document

MS-AFW-Zone (section 2.2.1.12)

Yes

Yes

Yes

Yes

MS-AFW-Protection-Level

This document

MS-AFW-Protection-Level (section 2.2.1.13)

Yes

Yes

Yes

Yes

MS-Machine-Name

This document

MS-Machine-Name (section 2.2.1.14)

Yes

Yes

Yes

Yes

MS-IPv6-Filter

This document

MS-IPv6-Filter (section 2.2.1.15)

Yes

Yes

Yes

Yes

MS-IPv4-Remediation-Servers

This document

MS-IPv4-Remediation-Servers (section 2.2.1.16)

Yes

Yes

Yes

Yes

MS-IPv6-Remediation-Servers

This document

MS-IPv6-Remediation-Servers (section 2.2.1.17)

Yes

Yes

Yes

Yes

Not-Quarantine-Capable

This document

Not-Quarantine-Capable (section 2.2.1.18)

Yes

Yes

Yes

Yes

MS-Quarantine-SoH

This document

MS-Quarantine-SOH (section 2.2.1.19)

Yes

Yes

Yes

Yes

MS-RAS-Correlation-ID

This document

MS-RAS-Correlation-ID (section 2.2.1.20)

Yes

Yes

Yes

Yes

MS-EYestended-Quarantine-State

This document

MS-Extended-Quarantine-State (section 2.2.1.21)

Yes

Yes

Yes

Yes

HCAP-User-Groups

This document

HCAP-User-Groups (section 2.2.1.22)

Yes

Yes

Yes

Yes

HCAP-Location-Group-Name

This document

HCAP-Location-Group-Name (section 2.2.1.23)

Yes

Yes

Yes

Yes

HCAP-User-Name

This document

HCAP-User-Name (section 2.2.1.24)

Yes

Yes

Yes

Yes

MS-User-IPv4-Address

This document

MS-User-IPv4-Address (section 2.2.1.25)

Yes

Yes

Yes

Yes

MS-User-IPv6-Address

This document

MS-User-IPv6-Address (section 2.2.1.26)

Yes

Yes

Yes

Yes

MS-RDG-Device-Redirection

This document

MS-RDG-Device-Redirection (section 2.2.1.27)

Yes

Yes

Yes

Yes

MS-Tunnel-Type

This document

MS-Tunnel-Type (section 2.2.2.1)

Yes

Yes

Yes

<6> Section 3.1.5.3: Microsoft RADIUS clients and RADIUS servers ignore VSAs in the following conditions:

  • A VSA is received in a RADIUS message by a RADIUS client or RADIUS server that it is not supported per the preceding table. For example, do not send a Not-Quarantine-Capable VSA to a RADIUS server in an Access-Request message. If a RADIUS server receives such an attribute in an Access-Request message, it ignores it.

  • A VSA is received by a RADIUS client or RADIUS server with invalid data (for example, a RADIUS client receives a Not-Quarantine-Capable VSA with a length of 2).

  • A VSA is received with an unknown vendor ID/vendor type combination (for example, a RADIUS client receives a VSA with the vendor ID set to 0x00000137 and the vendor type set to 0xAA).

<7> Section 3.2.5.1.9: The Microsoft RRAS server sends this attribute in Access-Request and Accounting-Request messages to the RADIUS server. This attribute can be sent by any RADIUS client, not just RRAS.

<8> Section 3.2.5.1.15: Only Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 RADIUS servers support this vendor-specific value for the RADIUS Tunnel-Type attribute.

<9> Section 3.2.5.2: When sending a response to a client configured as not compatible with NAP, in Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, RADIUS servers will exclude from the response the following attributes, described in section 3.2.5: MS-Quarantine-User-Class, MS-Quarantine-State, MS-Quarantine-Grace-Time, MS-Machine-Name, MS-IPv4-Remediation-Servers, MS-IPv6-Remediation-Servers, Not-Quarantine-Capable, and MS-Extended-Quarantine-State.

<10> Section 3.3.4.1: Windows endpoints always use the format MS-RAS-x-<RAS Client Computer Name> (for example, MS-RAS-0-Laptop, where "Laptop" is the name of the computer in a string format). The value of x is either 0 or 1, where 0 indicates that the messenger service is not running on the endpoint machine and 1 indicates that the messenger service is running. This information is useful to decide whether the Microsoft RRAS Administrator can send messages to the user by using the messenger service. (This is a UI/API option to "Send Messages to User" in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.) Also note that this service is deprecated in Windows Server 2008 and Windows Vista and PPP always sends "MSRAS-0<>" on a Windows Vista client. For Windows Messenger Service, see [MS-MSRP].

<11> Section 3.3.4.1: For Windows XP, the Attribute-Specific Value is "MSRASV5.10"; for Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2, this value is "MSRASV5.20".

<12> Section 3.3.4.1: When configured to support NAP, the Microsoft RRAS, DHCP, and HRA RADIUS client send this attribute in an Access-Request message to a RADIUS server.

<13> Section 3.3.4.1: When configured to support NAP, the Microsoft RRAS server sends this attribute in an Access-Request message to the RADIUS server.

<14> Section 3.3.4.1: The Microsoft HCAP server sends this attribute in Access-Request messages to the RADIUS server.

Microsoft HCAP allows a user to integrate a Microsoft NAP solution with Cisco Network Admission Control, and the endpoint's IPv6 address obtained from Cisco Network Admission Control is put into this attribute by Microsoft HCAP.

<15> Section 3.3.5.1.15: Only Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 VPN servers support this vendor-specific value for the RADIUS Tunnel-Type Attribute.

<16> Section 3.3.5.2.1: Only the Microsoft RRAS RADIUS client supports this attribute when configured to support RQS/RQC; if received by an HRA or a DHCP server acting as a RADIUS client, it is silently discarded.

<17> Section 3.3.5.2.2: Only the Microsoft RRAS server RADIUS client supports this attribute when configured to support RQS/RQC; if received by an HRA or a DHCP RADIUS client, it is silently discarded.

For RQS/RQC, see VPN Connection with RQC / RQS quarantine (section 4.1).

<18> Section 3.3.5.2.9: Only the Microsoft RRAS server and DHCP servers acting as RADIUS clients support this attribute when configured to support NAP; if received by an HRA RADIUS client, it is silently discarded.

<19> Section 3.3.5.2.13: No existing Microsoft product acting as a RADIUS client uses this VSA.

<20> Section 5.1: Windows does not support such a mode. However, IPsec can be configured on Windows to ensure equivalent behavior.

Show: