RADIUS attribute from microsoft
MS-AFW-Protection-Level is a vendor-specific attribute (VSA).
It is used as a hint for dynamic selection of a preconfigured IPsec policy by the endpoint requesting access.
The fields of MS-AFW-Protection-Level MUST be set as follows:
Vendor-Type: An 8-bit unsigned integer that MUST be set to 0x31.
Vendor-Length: An 8-bit unsigned integer that MUST be set to 6.
Attribute-Specific Value: A 32-bit unsigned integer in network byte order that MUST indicate
the protection level that the RADIUS server authorizes for the endpoint.
It MUST be set to one of the following values.
0x00000001 Indicates that the certificate payload specified in the response can be used for signing data.
0x00000002 Indicates that the certificate payload in the HCEP response can be used for signing and encrypting data.
FreeRADIUS Vendor-Specific dictionary values:
1 - HECP-Response-Sign-Only
2 - HECP-Response-Sign-And-Encrypt