VSAs: Understanding Their Significance in CCIE Security


Question

Regarding VSAs, which statement is true?

Answers

Explanations


A.

Virtual Sub-Attribute (VSA) is an extension to the Remote Authentication Dial-In User Service (RADIUS) protocol, which is commonly used for network access control, including VPN and Wi-Fi authentication. VSAs enable the exchange of vendor-specific information between a RADIUS server and a RADIUS client.

Regarding the given options, here is the explanation for each statement:

A. VSAs may be implemented on any RADIUS server: This statement is incorrect because VSAs are vendor-specific extensions to the RADIUS protocol. Therefore, they are not universal and cannot be implemented on any RADIUS server.

B. VSAs are proprietary, and therefore may only be used on the RADIUS server of that vendor. For example, a Cisco VSA may only be used on a Cisco RADIUS server, such as ACS or ISE: This statement is partially correct because VSAs are vendor-specific, which means they are created and used by the specific vendor only. Hence, a VSA created by a particular vendor can only be interpreted and used by that vendor's RADIUS server. For instance, a Cisco VSA can only be used by a Cisco RADIUS server such as ACS or ISE.

C. VSAs do not apply to RADIUS; they are a TACACS attribute: This statement is incorrect because VSAs are used in RADIUS to pass vendor-specific information. In contrast, Terminal Access Controller Access-Control System (TACACS) uses different attributes to send specific information.

D. Each VSA is defined in an RFC and is considered to be a standard: This statement is incorrect because VSAs are vendor-specific extensions and are not defined in any Request for Comments (RFC) documents. However, some vendors have created proprietary documentation to define their VSAs.

In conclusion, the correct answer is B. VSAs are proprietary, and therefore may only be used on the RADIUS server of that vendor. For example, a Cisco VSA may only be used on a Cisco RADIUS server, such as ACS or ISE.
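To make the exchange of vendor-specific information described above concrete, the following added example (not part of the original page) decodes VSAs from a RADIUS attribute list. It assumes the attribute type 26 layout from RFC 2865 (Vendor-Id followed by type/length/value sub-attributes); the `DICTIONARY` table, helper names and sample bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries VSAs
# Assumed dictionary for this example: (vendor_id, vendor_type) -> name.
DICTIONARY = {(9, 1): "Cisco-AVPair"}  # 9 is Cisco's enterprise number


def parse_vsas(attrs: bytes):
    """Return (vendor_id, vendor_type, name_or_None, value) for each VSA."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("attribute length out of bounds")
        body = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != VENDOR_SPECIFIC:
            continue  # standard attribute, not a VSA
        if len(body) < 4:
            raise ValueError("VSA too short for Vendor-Id")
        (vendor_id,) = struct.unpack("!I", body[:4])
        sub, j = body[4:], 0
        while j < len(sub):
            if len(sub) - j < 2:
                raise ValueError("truncated sub-attribute header")
            v_type, v_len = sub[j], sub[j + 1]
            if v_len < 2 or j + v_len > len(sub):
                raise ValueError("sub-attribute length out of bounds")
            value = sub[j + 2:j + v_len]
            # Without a dictionary entry the value stays opaque bytes.
            out.append((vendor_id, v_type, DICTIONARY.get((vendor_id, v_type)), value))
            j += v_len
    return out


def build_vsa(vendor_id: int, v_type: int, value: bytes) -> bytes:
    """Encode one VSA; used only to construct sample input."""
    sub = bytes([v_type, len(value) + 2]) + value
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub


# Constructed sample: User-Name, a Cisco-AVPair, and a VSA whose vendor id
# (99999, chosen for this example) has no entry in DICTIONARY.
SAMPLE = (bytes([1, 7]) + b"alice"
          + build_vsa(9, 1, b"shell:priv-lvl=15")
          + build_vsa(99999, 7, b"\x01\x02"))
```

The second VSA parses structurally but comes back with no name, which is what a receiver sees when it lacks that vendor's attribute definitions.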