Creating Vendor-Specific Attributes

Many vendors use the server for interoperability testing when writing new NAS software or defining new VSAs. While giving advice to NAS vendors is slightly outside the scope of a FreeRADIUS book, this advice is included in the hope that it will help vendors create simple and interoperable specifications. Whenever a vendor chooses non-standard formats or data types for their attributes, it becomes nearly impossible for any RADIUS server to understand those attributes.

The VSA format should be the format defined in RFC 2865, Section 5.26. This format is used automatically by the server when a new vendor dictionary is defined.

The data types for each attribute should be one of the well-known data types defined above. Any other data type will not be understood by most RADIUS servers.

The attribute names should be prefixed with the name of the vendor in order to avoid global naming conflicts. For example, an attribute name such as Cisco-AVPair is a good name, whereas AV-Pair would not be a good name.

Vendor dictionaries should also avoid any attribute options. That is, tagged and/or encrypted VSAs are not recommended.

The attribute numbers should be assigned at the discretion of the vendor, starting from one and going to 255. Taking care when assigning numbers is recommended, as the space is limited. Some vendors have chosen to pack new attributes into strings, such as with Cisco-AVPair. This practice is useful, but alternatives that do not pack integers or IP addresses in ASCII form are preferable.
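The RFC 2865, Section 5.26 layout and the cost of packing an integer into an ASCII string can be seen on the wire in the following added example, which is not FreeRADIUS code. It assumes the documentation enterprise number 32473 (RFC 5612) as the vendor ID and hypothetical attribute numbers 1 and 2; the function names are also hypothetical.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26  # attribute type of a VSA (RFC 2865, Section 5.26)

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    if not 1 <= vendor_type <= 255:
        raise ValueError("vendor attribute number must be 1..255")
    if isinstance(value, int):                      # integer: 32 bits, network order
        data = struct.pack("!I", value)
    elif isinstance(value, ipaddress.IPv4Address):  # ipaddr: 4 octets
        data = value.packed
    elif isinstance(value, str):                    # string
        data = value.encode("utf-8")
    else:                                           # octets
        data = bytes(value)
    # Type + Length + Vendor-Id (6) plus the sub-attribute header (2) share one length octet.
    if len(data) > 255 - 8:
        raise ValueError("value too long for a single VSA")
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner

def decode_vsa(attr):
    """Return (vendor_id, [(vendor_type, raw_value), ...]); reject bad lengths."""
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subs, pos = [], 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            raise ValueError("sub-attribute length out of bounds")
        subs.append((vtype, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subs

if __name__ == "__main__":
    # Constructed sample: PEN 32473 is reserved for documentation (RFC 5612);
    # attribute numbers 1 and 2 are hypothetical.
    native = encode_vsa(32473, 1, 3600)                   # integer on the wire
    packed = encode_vsa(32473, 2, "session-limit=3600")   # integer packed in ASCII
    print(native.hex(), len(native))
    print(packed.hex(), len(packed))
    print(decode_vsa(native))
```

The native integer decodes with a fixed 4-octet read, while the packed form leaves the server to parse and validate vendor-defined text inside the string.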