This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 55.00000000000001%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
My org is moving from Cisco network switches to OcNos network switches. I want to continue to authenticate our network admins using radius to manage our data center network equipment but OcNos latest version is now enforcing "Management-Privilege-Level" radius attribute 136 from RFC 5607 RADIUS NAS-Management Authorization. But I can't find or figure out how to add that radius attribute to Microsoft NPS. It was easy with Cisco equipment to just use vendor specific radius attribute 26 to pass the Cisco-AV-Pair shell:priv-lvl=15 value but now hitting a wall to support "Management-Privilege-Level" radius attribute 136. Any advice would be helpful from the community. I am looking at other tools like FreeRadius but was hoping to avoid having to move to another software to get this working.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 43%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I am also in a similar situation. Did you ever find a solution to getting Microsoft NPS to work?
No, I have moved on to looking at other products.
A lot of commercial solutions support Management-Privilege-Level radius attribute. We are just trying to do our research and testing to find a solution that will fit our business needs for today and cover us for tomorrow.
Hello All,
I think that this can be achieved by editing %SystemRoot%\Windows\ias\dnary.xml on the NPS to add the Management-Privilege-Level to the NPS dictionary.
The FreeRADIUS documentation contains the useful information:
By default, Ascend NASes send the Ascend specific attributes as NON VSA’s, which conflict with new RADIUS attributes assigned by the IETF. This was a very bad screw-up by Ascend that still causes many headaches, but sometimes we have to live with it, so we try to cope the best we can.
The out-of-the-box NPS dictionary contains these "bad" Ascend attributes. The Management-Privilege-Level ID (136) corresponds to Ascend-Client-Secondary-DNS. If one adds this attribute from the "Vendor Specific" NPS dialog, then one can effectively add the Management-Privilege-Level attribute.
Unfortunately, the Ascend-Client-Secondary-DNS attribute definition specifies a syntax of InetAddr and the InetAddr value that would correspond to a value of 15 (0.0.0.15) is not a valid InetAddr.
One needs to modify the Ascend-Client-Secondary-DNS attribute definition, changing its ID to something else (or delete the attribute definition) and then add a new definition for Management-Privilege-Level.
After editing the dnary.xml file, one needs to restart IAS and the out-of-process COM server hosting the NPS data store.
For demonstration purposes, I added Ascend attributes 135 and 137, so that one can see their encoding:
RADIUS: Code = 2, Id = 2
136 = 00-00-00-0F [....]
137 = 00-00-00-3E [...>]
135 = 0C-00-00-0D [....]
FramedProtocol = 00-00-00-01 [....]
ServiceType = 00-00-00-02 [....]
EAPMessage = 03-02-00-04 [....]
Class = 9C-BC-08-3B-00-00-01-37-00-01-02-00-AC-1F-21-34-00-00-00-00-60-F7-C8-02-18-4F-38-12-01-DA-A7-C7-F8-6A-3C-1D-00-00-00-00-00-00-00-09 [??.;...7....?.!4....`??..O8..????j<.........]
VendorSpecific = 00-00-01-37-16-4A-01-00-00-00-48-00-00-00-01-00-00-00-01-00-FF-FF-28-00-00-00-01-00-00-00-20-00-00-00-00-00-00-00-01-00-00-00-01-00-00-00-01-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 [...7.J....H.........??(....... ...............................................]
VendorSpecific = 00-00-01-37-07-06-00-00-00-02 [...7......]
VendorSpecific = 00-00-01-37-08-06-00-00-00-0E [...7......]
VendorSpecific = 00-00-01-37-0A-07-01-48-4F-4D-45 [...7...HOME]
VendorSpecific = 00-00-01-37-10-24-80-0D-86-EC-D9-CA-2B-E1-70-45-AD-9B-4D-75-C8-3F-4B-C6-02-F5-17-9D-E7-B8-2F-D1-86-3B-25-48-7E-5F-B5-74 [...7.$?.????+?pE??Mu??K?.?.???/??;%H~_?t]
VendorSpecific = 00-00-01-37-11-24-80-0E-72-C0-2A-99-7D-CB-50-F6-72-E2-86-5C-9A-DA-F5-DE-6B-AE-92-B3-22-38-6C-3A-BC-32-1C-56-57-E1-B3-22 [...7.$?.r?*?}?P?r??\????k???"8l:?2.VW??"]
VendorSpecific = 00-00-01-37-1A-2D-01-53-3D-44-33-38-30-33-33-32-38-44-44-39-45-41-39-43-43-46-30-44-41-38-37-31-35-41-41-36-34-34-31-32-39-34-34-43-37-38-34-32-41 [...7.-.S=D3803328DD9EA9CCF0DA8715AA64412944C7842A]
Signature = 68-C5-A7-8C-49-D2-06-4E-64-D2-8D-C6-56-53-54-8A [h???I?.Nd???VST?]
The only thing that can't be easily fixed is the (localized) description text for the attribute - that is stored a resource string in a DLL.
A non-localized Description can be added to the dnary.xml file, but the dnary.xsd schema limits the length of this string to two characters. The schema can be changed, but I chose to set the description to an empty string (to override the out-dated and now incorrect description).
I have attached the version of dnary.xml that I am now using. I deleted all of the Ascend attributes and also all of the USRobotics attributes, just leaving the Microsoft, Cisco (widely used) and Nortel (nostalgic reasons) vendor specific attributes.
Gary