Add RADIUS attributes to a remote access policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To add RADIUS attributes to a remote access policy

  1. Open Internet Authentication Service.

  2. In the console tree, click Remote Access Policies.

  3. Right-click the policy for which you want to configure a RADIUS attribute, and then click Properties.

  4. Click Edit Profile, click the Advanced tab, and then click Add.

  5. In the list of available RADIUS attributes, double-click the attribute that you want to add to the profile. If the Multivalued Attribute Information dialog box appears, click Add.

  6. In Attribute, supply a value from the following table, and then click Add. If you want to add another value to the attribute, click Add again, and then configure the attribute.

If the attribute format is In Attribute value Attributes in this format include


Type the value specified in your access server documentation.



Select the value from the list.



Type the IP address to be specified in the attribute.


Octet String

Type the string or the hexadecimal value that you provide.



Type the string that you provide.



Select either True or False.



  • To open Internet Authentication Service, click Start, click Control Panel, double-click Administrative Tools, and then double-click Internet Authentication Service.

  • You can only use the Generate-Session-Timeout attribute if your user account database is either a Security Accounts Manager (SAM) database or the user account database for an Active Directory domain. When the value of Generate-Session-Timeout is set to True, the ForceLogoff value for a SAM database should be set to 0 (zero). In Local Security Settings, ForceLogoff is set to 0 when Network security: Force logoff when logon hours expire is enabled. For more information, see Edit security settings on a Group Policy object. For information about changing the ForceLogoff value for the SAM database at the command prompt, see Net accounts.

  • You can configure wireless connection policy so that wireless clients periodically reauthenticate. This ensures that the client Wired Equivalent Privacy (WEP) encryption keys are changed often enough to provide adequate security for the wireless connection. To configure reauthentication, set the session timeout in your remote access policy or connection request policy for wireless connections (using the Session-Timeout attribute) to the interval you prefer (for example, 10 minutes). Additionally, configure the Termination-Action attribute with Attribute value set to RADIUS-Request. If the Termination-Action attribute is not set to RADIUS-Request, wireless access points might end the connection during reauthentication. For more information, see your hardware documentation.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also


Elements of a remote access policy
Vendor-specific attribute overview
Configure vendor-specific attributes for a remote access policy