Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.
Windows 2000 operating system
Windows XP operating system
Windows Server 2003 operating system
Windows Vista operating system
Windows Server 2008 operating system
Windows 7 operating system
Windows Server 2008 R2 operating system
Windows 8 operating system
Windows Server 2012 operating system
Windows 8.1 operating system
Windows Server 2012 R2 operating system
Windows 10 operating system
Windows Server 2016 operating system
Windows Server operating system
Windows Server 2019 operating system
Windows Server 2022 operating system
Windows 11 operating system
Windows Server 2025 operating system
Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.
Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.
<1> Section 2.2.1.1: Windows endpoints always use the format MS-RAS-x-<RAS Client Computer Name>, for example, MS-RAS-0-Laptop where "Laptop" is the name of the computer in a string format. The value of x is either 0 or 1, where 0 indicates that the messenger service is not running on the endpoint machine and 1 indicates that the messenger service is running. This information is useful to decide whether the Microsoft RRAS Administrator can send messages to the user by using messenger service. To "Send Messages to User" is a UI/API option in Windows NT operating system, Windows 2000, Windows XP, and Windows Server 2003. Also, note that this service is deprecated in Windows except in Windows NT, Windows 2000, Windows XP, and Windows Server 2003. PPP always sends "MSRAS-0<>" on Windows-based clients except on Windows 2000 and Windows XP. For Windows Messenger Service, see [MS-MSRP].
<2> Section 2.2.1.2: For Windows XP, the Attribute-Specific Value is "MSRASV5.10". Otherwise for Windows-based clients, this value is "MSRASV5.20" except for Windows 2000 and Windows XP.
<3> Section 2.2.1.6: When Windows is operating as a NAS in a RAS server or VPN server role, the Late Bound flag is used in the following way:
An endpoint initiates a connection to a NAS.
The NAS forwards the connection request to the RADIUS server using an Access-Request message.
The RADIUS server processes the request and returns an Access-Accept message that contains the MS-IPv6-Filter attribute with a list of filters.
The NAS implements the filter list for the endpoint connection and begins filtering traffic.
The NAS and endpoint complete the connection request, and the endpoint receives IP address information for the RAS connection.
The NAS uses the IP addresses to alter the implemented filter list for the client connection. The filter list, if modified, based on the Late Bound flag is as follows:
0x00000001: The source address is replaced with the address assigned to the endpoint.
0x00000004: This is not implemented in Windows.
0x00000010: The source prefix is replaced with 64.
<4> Section 3.1.5.1: The Remote Authentication Dial-In User Service (RADIUS) Protocol standard, as specified in [RFC2865], defines RADIUS attributes. One of the attributes in [RFC2865] section 5.26 defines a VSA for use by implementers to extend the attribute set. Microsoft has created several VSAs for use with RADIUS to support authenticated network access. Some of these VSAs are as specified in [RFC2548]. The remaining VSAs will be documented in section 2.2.1 of this document. The following table shows which RADIUS VSAs are implemented in the various applicable Windows Server releases.
|
Microsoft VSA |
Reference |
Section |
Windows 2000 Server |
Windows Server 2003 |
Windows Server 2008 |
Windows Server 2008 R2 |
Windows Server 2012 |
Windows Server 2012 R2 |
Windows Server 2016 |
Windows Server operating system |
Windows Server 2019 |
|---|---|---|---|---|---|---|---|---|---|---|---|
|
MS-CHAP-Response |
[RFC2548] |
2.1.3 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP-Domain |
[RFC2548] |
2.1.4 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP-Error |
[RFC2548] |
2.1.5 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP-CPW-1 |
[RFC2548] |
2.1.6 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP-CPW-2 |
[RFC2548] |
2.1.7 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP-LM-Enc-PW |
[RFC2548] |
2.1.8 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP-NT-Enc-PW |
[RFC2548] |
2.2 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP2-Response |
[RFC2548] |
2.3.2 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP2-Success |
[RFC2548] |
2.3.3 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP2-CPW |
[RFC2548] |
2.3.4 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-CHAP-MPPE-Keys |
[RFC2548] |
2.4.1 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-MPPE-Send-Key |
[RFC2548] |
2.4.2 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-MPPE-Recv-Key |
[RFC2548] |
2.4.3 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-MPPE-Encryption-Types |
[RFC2548] |
2.4.5 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-MPPE-Encryption-Policy |
[RFC2548] |
2.4.4 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-BAP-Usage |
[RFC2548] |
2.5.1 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Link-Utilization-Threshold |
[RFC2548] |
2.5.2 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Link-Drop-Time-Limit |
[RFC2548] |
2.5.3 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Old-ARAP-Password |
[RFC2548] |
2.6.1 |
Yes |
|
|
|
|
|
|
|
|
|
MS-New-ARAP-Password |
[RFC2548] |
2.6.2 |
Yes |
|
|
|
|
|
|
|
|
|
MS-ARAP-PW-Change-Reason |
[RFC2548] |
2.6.3 |
Yes |
|
|
|
|
|
|
|
|
|
MS-ARAP-Challenge |
[RFC2548] |
2.6.4 |
Yes |
|
|
|
|
|
|
|
|
|
MS-RAS-Vendor |
[RFC2548] |
2.7.1 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-RAS-Version |
[RFC2548] |
2.7.2 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Filter |
[RFC2548] |
2.7.3 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Acct-Auth-Type |
[RFC2548] |
2.7.4 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Acct-EAP-Type |
[RFC2548] |
2.7.5 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Primary-DNS-Server |
[RFC2548] |
2.7.6 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Secondary-DNS-Server |
[RFC2548] |
2.7.7 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Primary-NBNS-Server |
[RFC2548] |
2.7.8 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-Secondary-NBNS-Server |
[RFC2548] |
2.7.9 |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
MS-RAS-Client-Name |
This document |
|
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
|
MS-RAS-Client-Version |
This document |
|
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
|
MS-Network-Access-Server-Type |
This document |
|
|
Yes |
Yes |
Yes |
Yes |
|
|
|
|
|
MS-Machine-Name |
This document |
|
|
Yes |
Yes |
Yes |
Yes |
|
|
|
|
|
MS-IPv6-Filter |
This document |
|
|
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
Yes |
|
|
MS-RAS-Correlation-ID |
This document |
|
|
Yes |
Yes |
Yes |
Yes |
|
|
|
|
|
MS-User-IPv4-Address |
This document |
|
|
Yes |
Yes |
Yes |
Yes |
|
|
|
|
|
MS-User-IPv6-Address |
This document |
|
|
Yes |
Yes |
Yes |
Yes |
|
|
|
|
|
MS-RDG-Device-Redirection |
This document |
|
|
Yes |
Yes |
Yes |
Yes |
|
|
|
|
|
MS-Tunnel-Type |
This document |
|
|
Yes |
Yes |
Yes |
Yes |
|
|
|
<5> Section 3.1.5.3: Microsoft RADIUS clients and RADIUS servers ignore VSAs in the following conditions:
A VSA is received in a RADIUS message by a RADIUS client or RADIUS server that it is not supported per the preceding table. For example, do not send a Not-Quarantine-Capable VSA to a RADIUS server in an Access-Request message. If a RADIUS server receives such an attribute in an Access-Request message, it ignores it.
A VSA is received by a RADIUS client or RADIUS server with invalid data (for example, a RADIUS client receives a Not-Quarantine-Capable VSA with a length of 2).
A VSA is received with an unknown vendor ID/vendor type combination (for example, a RADIUS client receives a VSA with the vendor ID set to 0x00000137 and the vendor type set to 0xAA).
<6> Section 3.2.5.1.6: The Microsoft RRAS server sends this attribute in Access-Request and Accounting-Request messages to the RADIUS server. This attribute can be sent by any RADIUS client, not just RRAS.
<7> Section 3.2.5.1.9: Only Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 RADIUS servers support this vendor-specific value for the RADIUS Tunnel-Type attribute.
<8> Section 3.3.4.1: Windows endpoints always use the format MS-RAS-x-<RAS Client Computer Name>, for example, MS-RAS-0-Laptop, where "Laptop" is the name of the computer in a string format. The value of x is either 0 or 1, where 0 indicates that the messenger service is not running on the endpoint machine and 1 indicates that the messenger service is running. This information is useful to decide whether the Microsoft RRAS Administrator can send messages to the user by using the messenger service. To "Send Messages to User" is a UI/API option in Windows NT, Windows 2000, Windows XP, and Windows Server 2003.) Also, note that this service is deprecated in Windows except in Windows NT, Windows 2000, Windows XP, and Windows Server 2003. PPP always sends "MSRAS-0<>" on Windows-based clients, except on Windows 2000 and Windows XP. For Windows Messenger Service, see [MS-MSRP].
<9> Section 3.3.4.1: For Windows XP, the Attribute-Specific Value is "MSRASV5.10". Otherwise for Windows, this value is "MSRASV5.20", except for Windows 2000, Windows XP, and Windows Server 2003.
<10> Section 3.3.5.1.9: Only Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 VPN servers support this vendor-specific value for the RADIUS Tunnel-Type Attribute.
<11> Section 5.1: Windows does not support such a mode. However, IPsec can be configured on Windows to ensure equivalent behavior.