RADIUS attributes carry data values that are used in the authentication, authorization, and accounting functions carried out by RADIUS clients, servers, and proxies. These attributes can appear in network access and accounting requests and in response messages. An attribute represents a specific data item, such as a user name or the tunneling protocol in use, sent between the RADIUS client and server. Some attributes can be included more than once, and the effect of doing so depends on the specific attribute. When used as a RADIUS proxy, NPS preserves the order of the attributes received from the client in messages transmitted to a RADIUS server.

There are two types of RADIUS attributes: standard attributes and vendor-specific attributes (VSAs). Standard attributes are defined in RFCs 2865 through 2869 and are used by all RADIUS clients and servers. VSAs are proprietary. Not all RADIUS clients and servers implement all VSAs. For more information, see the section “Vendor-Specific Attributes” later in this chapter.
RADIUS messages have a common structure consisting of a fixed-size portion and a variable-size portion. The fixed-size portion contains fields common to all RADIUS messages. The variable-size portion contains RADIUS attributes, which can be standard attributes or VSAs. RADIUS attributes carry data values that are used in authentication, authorization, and accounting of network access. An authentication exchange is one of the following: Access-Request/Access-Accept for a successful authentication and authorization, Access-Request/Access-Reject for an unsuccessful authentication or authorization, or Access-Request/Access-Challenge when the RADIUS server needs more information to evaluate authentication and authorization. An accounting exchange consists of an Accounting-Request and an Accounting-Response. When RADIUS proxies are between RADIUS clients and RADIUS servers, they modify RADIUS messages by adding or removing a Proxy-State attribute.
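The message layout described above, as an added example that is not part of the original text: a parser that splits a message into its fixed-size header and its ordered attribute list, rejecting inconsistent lengths before reading any value. Field sizes and type numbers follow RFC 2865; the function names and the sample message are constructed for illustration.

```python
import struct

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16), RFC 2865
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
USER_NAME, VENDOR_SPECIFIC, PROXY_STATE = 1, 26, 33

def parse_radius(data: bytes) -> dict:
    """Split a message into its fixed-size header and ordered attribute list."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the fixed-size portion")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not HEADER_LEN <= length <= 4096:
        raise ValueError("Length field outside 20..4096")
    if length > len(data):
        raise ValueError("Length field exceeds bytes received")
    attrs, pos = [], HEADER_LEN
    while pos < length:  # octets past Length are padding and are ignored
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        # a_len counts the Type and Length octets; < 2 would stall the loop
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute type {a_type}")
        attr = {"type": a_type, "value": data[pos + 2:pos + a_len]}
        if a_type == VENDOR_SPECIFIC:  # value = 4-octet Vendor-Id + vendor data
            if len(attr["value"]) < 4:
                raise ValueError("VSA too short for a Vendor-Id")
            attr["vendor_id"] = struct.unpack("!I", attr["value"][:4])[0]
            attr["value"] = attr["value"][4:]
        attrs.append(attr)  # a list keeps wire order and repeated attributes
        pos += a_len
    return {"code": CODES.get(code, f"Unknown({code})"), "id": ident,
            "authenticator": data[4:HEADER_LEN], "attributes": attrs}

def build_sample(attrs, code=1, ident=7) -> bytes:
    """Constructed test message: zeroed authenticator, caller-supplied TLVs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body

# Constructed sample: one User-Name, a VSA (Vendor-Id 311), two Proxy-State values.
SAMPLE = build_sample([(USER_NAME, b"alice"),
                       (VENDOR_SPECIFIC, struct.pack("!I", 311) + b"\x01\x03x"),
                       (PROXY_STATE, b"hop-1"), (PROXY_STATE, b"hop-2")])

if __name__ == "__main__":
    for a in parse_radius(SAMPLE)["attributes"]:
        print(a)
```

Attributes are returned as a list rather than a dictionary so that repeated attributes such as Proxy-State and their order on the wire survive parsing.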