RADIUS attribute from microsoft
If the RADIUS User-Name attribute ( section 5.1) is found in the request, the RADIUS server MUST ignore this attribute. Otherwise, the RADIUS server SHOULD convert the SID to a Fully Qualified User Name using Active Directory Domain Services (AD DS). Once the Fully Qualified User Name is available, the server MUST follow the same processing rules specified for MS-RAS-Client-Name. If the server fails to obtain the Fully Qualified User Name from AD DS, the server SHOULD send an Access-Reject message back to the NAS and stop processing. Used to specify the security-identifier (SID). A security identifier (SID) uniquely identifies a security principal. Each security principal has a unique SID that is issued by a security agent. The agent can be a Windows local system or domain. The agent generates the SID when the security principal is created. The SID can be represented as a character string or as a structure. When represented as strings, for example in documentation or logs, SIDs are expressed as follows: The fields of MS-User-Security-Identity MUST be set as follows: Vendor-Type: An 8-bit unsigned integer that MUST be set to 0x28 for MS-User-Security-Identity. Vendor-Length: An 8-bit unsigned integer that MUST be set to 2 plus the length of the Attribute-Specific Value field. Its value MUST be at least 3. Attribute-Specific Value: This field MUST contain the account SID of the user requesting access in the format of a binary SID used to authenticate a remote access client.