Microsoft Vendor-specific RADIUS Attributes
RFC 2548

Document Type RFC - Informational (March 1999; Errata)
Last updated 2013-03-02
Stream IETF
Formats plain text pdf html bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 2548 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                            G. Zorn
Request for Comments: 2548                         Microsoft Corporation
Category: Informational                                       March 1999

              Microsoft Vendor-specific RADIUS Attributes

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   This document describes the set of Microsoft vendor-specific RADIUS
   attributes.  These attributes are designed to support Microsoft
   proprietary dial-up protocols and/or provide support for features
   which is not provided by the standard RADIUS attribute set [3].  It
   is expected that this memo will be updated whenever Microsoft defines
   a new vendor-specific attribute, since its primary purpose is to
   provide an open, easily accessible reference for third-parties
   wishing to interoperate with Microsoft products.

1.  Specification of Requirements

   In this document, the key words "MAY", "MUST, "MUST NOT", "optional",
   "recommended", "SHOULD", and "SHOULD NOT" are to be interpreted as
   described in [2].

2.  Attributes

   The following sections describe sub-attributes which may be
   transmitted in one or more RADIUS attributes of type Vendor-Specific
   [3].  More than one sub-attribute MAY be transmitted in a single
   Vendor-Specific Attribute; if this is done, the sub-attributes SHOULD
   be packed as a sequence of Vendor-Type/Vendor-Length/Value triples
   following the inital Type, Length and Vendor-ID fields.  The Length
   field of the Vendor-Specific Attribute MUST be set equal to the sum
   of the Vendor-Length fields of the sub-attributes contained in the
   Vendor-Specific Attribute, plus six.  The Vendor-ID field of the
   Vendor-Specific Attribute(s) MUST be set to decimal 311 (Microsoft).

Zorn                         Informational                      [Page 1]
RFC 2548      Microsoft Vendor-specific RADIUS Attributes     March 1999

2.1.  Attributes for Support of MS-CHAP Version 1

2.1.1.  Introduction

   Microsoft created Microsoft Challenge-Handshake Authentication
   Protocol (MS-CHAP) [4] to authenticate remote Windows workstations,
   providing the functionality to which LAN-based users are accustomed.
   Where possible, MS-CHAP is consistent with standard CHAP [5], and the
   differences are easily modularized.  Briefly, the differences between
   MS-CHAP and standard CHAP are:

      * MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP
        option 3, Authentication Protocol.

      * The MS-CHAP Response packet is in a format designed for
        compatibility with Microsoft Windows NT 3.5, 3.51 and 4.0,
        Microsoft Windows95, and Microsoft LAN Manager 2.x networking
        products.  The MS-CHAP format does not require the authenticator
        to store a clear-text or reversibly encrypted password.

      * MS-CHAP provides an authenticator-controlled authentication
        retry mechanism.

      * MS-CHAP provides an authenticator-controlled password changing
        mechanism.

      * MS-CHAP defines an extended  set of reason-for-failure codes,
        returned in the Failure packet Message field.

   The attributes defined in this section reflect these differences.

2.1.2.  MS-CHAP-Challenge

   Description

      This Attribute contains the challenge sent by a NAS to a Microsoft
      Challenge-Handshake Authentication Protocol (MS-CHAP) user.  It
      MAY be used in both Access-Request and Access-Challenge packets.

   A summary of the MS-CHAP-Challenge Attribute format is shown below.
   The fields are transmitted from left to right.

Zorn                         Informational                      [Page 2]
RFC 2548      Microsoft Vendor-specific RADIUS Attributes     March 1999

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Vendor-Type  | Vendor-Length |           String...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Vendor-Type
      11 for MS-CHAP-Challenge.

   Vendor-Length
      > 2

   String
      The String field contains the MS-CHAP challenge.

2.1.3.  MS-CHAP-Response

   Description

      This Attribute contains the response value provided by a PPP
      Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)
      user in response to the challenge.  It is only used in Access-
      Request packets.

   A summary of the MS-CHAP-Response Attribute format is shown below.
   The fields are transmitted from left to right.

Zorn                         Informational                      [Page 3]
RFC 2548      Microsoft Vendor-specific RADIUS Attributes     March 1999
Show full document text