RADIUS attribute from microsoft


If the RADIUS User-Name attribute ( section 5.1) is found in the request, the RADIUS 
      server MUST ignore this attribute. Otherwise, the RADIUS server SHOULD convert the SID to a 
      Fully Qualified User Name using Active Directory Domain Services (AD DS). Once the Fully 
      Qualified User Name is available, the server MUST follow the same processing 
      rules specified for MS-RAS-Client-Name. If the server fails to obtain the Fully Qualified User Name 
      from AD DS, the server SHOULD send an Access-Reject message back to the NAS and stop processing.
      Used to specify the security-identifier (SID). A security identifier (SID) uniquely identifies a security 
      principal. Each security principal has a unique SID that is issued by a security agent. The agent can be a 
      Windows local system or domain. The agent generates the SID when the security principal is created. The SID 
      can be represented as a character string or as a structure. When represented as strings, for example 
      in documentation or logs, SIDs are expressed as follows:

      The fields of MS-User-Security-Identity MUST be set as follows:
            Vendor-Type: An 8-bit unsigned integer that MUST be set to 0x28 for MS-User-Security-Identity.
            Vendor-Length: An 8-bit unsigned integer that MUST be set to 2 plus the length of the Attribute-Specific 
            Value field. Its value MUST be at least 3.
            Attribute-Specific Value: This field MUST contain the account SID of the user requesting access in the 
            format of a binary SID used to authenticate a remote access client.