Microsoft Radius VSAs


Microsoft Point-to-Point Encryption (MPPE) is an encryption technology developed by Microsoft to encrypt point-to-point (PPP) links. These PPP connections can be via a dialup line or over a VPN tunnel such as PPTP. MPPE is supported by several RADIUS network-device vendors that Cisco Secure ACS supports. The following Cisco Secure ACS RADIUS protocols support the Microsoft RADIUS VSA:

  • Cisco IOS

  • Cisco VPN 3000

  • Cisco VPN 5000

  • Ascend

Note the information in Table A-5.

Table A-5. Microsoft RADIUS

| Attribute | Value | Type of Value | Additional Description (If Necessary) |
|---|---|---|---|
| MS-CHAP-Response | 1 | string | |
| MS-CHAP-Error | 2 | string | |
| MS-MPPE-Encryption-Policy | 7 | integer | Signifies whether the use of encryption is allowed or required. If the Policy field is equal to 1 (Encryption-Allowed), any or none of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used. If the Policy field is equal to 2 (Encryption-Required), any of the encryption types specified in the MS-MPPE-Encryption-Types attribute can be used, but at least one must be used. |
| MS-MPPE-Encryption-Types | 8 | integer | Signifies the types of encryption available for use with MPPE. A 4-octet integer is interpreted as a string of bits. |
| MS-CHAP-Domain | 10 | string | |
| MS-CHAP-Challenge | 11 | string | |
| MS-CHAP-MPPE-Keys | 12 | string | Contains two session keys for use by MPPE. This attribute is included only in Access-Accept packets. Note that the MS-CHAP-MPPE-Keys attribute value is autogenerated by Cisco Secure ACS; there is no value to set in the HTML interface. |
| MS-MPPE-Send-Key | 16 | string | Contains a session key for use by MPPE. As the name implies, this key is intended for encrypting packets sent from the NAS to the remote host. This attribute is only included in Access-Accept packets. |
| MS-MPPE-Recv-Key | 17 | string | Contains a session key for use by MPPE. As the name implies, this key is intended for encrypting packets received by the NAS from the remote host. This attribute is only included in Access-Accept packets. |
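The rules in Table A-5 can be checked mechanically against a captured RADIUS packet. The following is an added example, not code from the book or from Cisco Secure ACS: it extracts the Microsoft VSAs from a raw packet and reports key attributes outside an Access-Accept, malformed integer attributes, and an Encryption-Required policy with no encryption type offered. The vendor ID 311, the Vendor-Specific type 26 and the Access-Accept code 2 are taken from RFC 2548 and RFC 2865 rather than from this page, and the function names and sample packet are constructed for illustration.

```python
MS_VENDOR_ID = 311      # Microsoft enterprise number (RFC 2548; assumption, not on the page)
VENDOR_SPECIFIC = 26    # RADIUS Vendor-Specific attribute type (RFC 2865)
ACCESS_ACCEPT = 2       # RADIUS packet code for Access-Accept (RFC 2865)
KEY_ATTRS = {12: "MS-CHAP-MPPE-Keys", 16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}

def ms_vsas(packet):
    """Return (packet code, [(vendor_type, value_bytes), ...]) for Microsoft VSAs."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):      # 20-octet header is the minimum
        raise ValueError("bad RADIUS length")
    found, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        body, pos = packet[pos + 2:pos + alen], pos + alen
        vendor = int.from_bytes(body[:4], "big")
        if atype != VENDOR_SPECIFIC or len(body) < 6 or vendor != MS_VENDOR_ID:
            continue
        sub = body[4:]                       # vendor-type, vendor-length, value ...
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            found.append((sub[0], sub[2:sub[1]]))
            sub = sub[sub[1]:]
    return packet[0], found

def audit(packet):
    """List violations of the Table A-5 rules found in one RADIUS packet."""
    code, vsas = ms_vsas(packet)
    issues, ints = [], {}
    for vtype, value in vsas:
        if vtype in KEY_ATTRS and code != ACCESS_ACCEPT:
            issues.append(f"{KEY_ATTRS[vtype]} outside Access-Accept")
        if vtype in (7, 8) and len(value) != 4:
            issues.append(f"attribute {vtype} is not a 4-octet integer")
        elif vtype in (7, 8):
            ints[vtype] = int.from_bytes(value, "big")
    policy, types = ints.get(7), ints.get(8, 0)
    if policy is not None and policy not in (1, 2):
        issues.append(f"unknown encryption policy {policy}")
    if policy == 2 and types == 0:           # "at least one must be used"
        issues.append("Encryption-Required but no encryption type offered")
    return issues

# Constructed sample: Access-Accept with Policy=2 (Encryption-Required) and Types=0.
_V = MS_VENDOR_ID.to_bytes(4, "big")
SAMPLE = (bytes([2, 1, 0, 44]) + bytes(16)
          + bytes([26, 12]) + _V + bytes([7, 6, 0, 0, 0, 2])
          + bytes([26, 12]) + _V + bytes([8, 6, 0, 0, 0, 0]))
```
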





Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
EAN: 2147483647
Year: 2006
Pages: 173
