Apply QoS profile using RADIUS attributes

Hi all,
Anyone delved into the use of RADIUS attributes to apply QoS values (DSCP/802.1p) to wireless users via a WLC?
With the emergence of ISE and the concept of a shared SSID for several user types I may want to apply QoS profiles by user rather than SSID.
Do you need to apply the maximum value to the SSID for the attribute-derived value to work?
Can non-WMM client traffic be marked using this approach?
Plenty to think about here...
Any discussion welcome!
Cheers
Rob

You can apply QoS RADIUS override.
http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
Yes, it would be best to apply the WLAN max QoS value to the level that you intend to use with the RADIUS override. For example, if you want to apply platinum QoS for voice clients on the SSID, I would map the WLAN to platinum QoS.
I am not sure on the next question. I think you can assign a DSCP/802.1p to non-WMM clients, but I don't think the non-WMM clients will benefit from it, as they will not tag their traffic and hence the AP and subsequently the wired network will treat it as best effort (untagged).
Thanks,

Similar Messages

  • Applying service policy using radius and VPDN

    Anyone had any success doing this?
    I've been following the suggested config at http://www.cisco.com/en/US/customer/products/ps6566/products_feature_guide09186a0080610dad.html#wp1058626 but not having any success.
    Sessions terminate on my 7301 via L2TP through another provider - this all works fine.
    I have the following AVPair defined in the user RADIUS profile:
    Cisco-AVPair = "ip:sub-qos-policy-out=DROP-P2P"
    and the matching policy map defined on the 7301 but it does not get applied to the user session.
    Debug L2X errors gives the following message:
    001867: Oct 30 16:12:50.655 UTC: L2X: Unknown AVP 76 in CM SCCRQ
    001868: Oct 30 16:12:50.655 UTC: L2X: Ignoring unknown AVP 76
    If I apply the policy map in the virtual-template it does get applied, but obviously to all users on that template, which is not what I want.
    Edit: btw the 7301 is on 12.4 so this feature should be available.
    Thanks
    Liam.

    With a router it won't be possible to get different policy for users in a single template. Following link may help you
    http://www.cisco.com/en/US/customer/products/ps6566/products_feature_guide09186a0080610dad.html#wp1081783

  • How to set UCS Locales using Radius/Tacacs+ Attributes

    I know how to set a remotely authenticated/authorized user's Role using the RADIUS av-pairs with UCS.
    What RADIUS attribute/av-pair syntax is needed to set the user's Locale within UCS?
    I have tried shell:roles="role@locales" and shell:locales="locale name" with no success.

    Something else to note:
    Configuring locales to the user roles are not valid as these are global-system users:
    - aaa
    - admin
    - operations
    Locales can be configured only with following user roles:
    - Network
    - Server-equipment
    - Server-profile
    - Server-security
    - Storage

  • Anyconnect profiles using by using different extended key attributes

    Hi,
    I have an AnyConnect VPN with workstations located in the same OU in Active Directory. The current AnyConnect deployment uses separate OUs to determine what profile is applied to the client.
    I'm looking for a solution to enable machines to be located in a single OU and still have the ability to apply different profiles to machines.
    The only way I can think of doing this is using machine certificates in Active Directory and configuring different extended key attributes.
    Any advice/suggestions or information on the best way of doing this would be greatly appreciated.

    Resolved my own issue today. The error does nothing to describe the actual cause. The user's private key was corrupted (uncertain as to how). The certificate GUI in Windows showed it was okay, but running "certutil -store -user my" showed the error "Missing stored keyset" on the certificate in question.
    The resolution was to delete the certificate and enroll for a new one, with a new key pair.

  • NPAS: How do I use Cisco ASA RADIUS attribute 146?

    We have a Cisco ASA 5520 running firmware 8.4.5 and are using it for AnyConnect SSL VPN.  We are using Microsoft Network Policy and Access Services (NPAS) as a RADIUS server to handle authentication requests coming from the ASA.
    We have three tunnel groups configured on the ASA, and have three Active Directory security groups that correspond with each one. At this time, we are using Cisco's vendor-specific RADIUS attribute 85 (tunnel-group-lock) to send back to the ASA a string that corresponds to a policy rule in NPAS based on the matched group membership. This works in the sense that each user can only be a member of one of the three AD security groups used for VPN, and if they pick a tunnel group in the AnyConnect client that doesn't correspond to them, the ASA doesn't set up the session for them.
    Well, Cisco added vendor-specific RADIUS attribute 146 (tunnel-group-name) in firmware 8.4.3. This is an *upstream* attribute, and is one that is sent by the ASA to the RADIUS server. We would like to use this attribute in our policies in NPAS to help with policy matching. By doing this, we could allow people to be in more than one VPN group and select more than one of the tunnel groups in the AnyConnect client, each of which may provide different network access.
    The question becomes, how can I use this upstream RADIUS attribute in my policy conditions? I tried putting it in the policy in the Vendor-Specific section under Policies (the same place where we had attribute 85 defined), but this doesn't work. These are just downstream attributes that the NPAS server sends back to the RADIUS client (the ASA). The ASA seems to ignore attribute 146 if it is sent back in this manner and the result is that the first rule that contains a group the user is a member of is matched and authentication is successful. This is undesirable, because it means the person could potentially select a tunnel group and successfully authenticate even though that isn't what we desire.
    Here is Cisco's documentation that describes these attributes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html

    Philippe:
    Thank you for the response, but I am already aware how to use Cisco's group-lock or tunnel-group-lock with RADIUS and, in fact, we are already using tunnel-group-lock (attribute 85).
    Using tunnel-group-lock works in the sense that you have three RADIUS policies and three AD security groups (one per tunnel group configured on the ASA). Each AD group basically is designed to map to a specific tunnel group. Each RADIUS policy contains vendor-specific attribute 85 with the name of the tunnel group. So when you connect and attempt authentication through NPAS, it goes down the RADIUS policies until the conditions match (in this case the conditions are the source RADIUS client - the ASA - and membership in a particular AD security group), it determines if your authentication attempt is successful, and if so it sends the tunnel group name back to the ASA. If the tunnel group name matches the one associated to the user group you selected from the list in the AnyConnect client, a VPN tunnel is established. Otherwise, the ASA rejects the connection attempt.
    Frankly, tunnel-group-lock works fine so long as it is only necessary for a given individual to need to connect to only a single tunnel group. If there is a need for an individual to be able to use two out of the three or all three tunnel groups in order to gain different access, using tunnel-group-lock or group-lock won't work. This is because the behavior will be when the RADIUS server processes the policies, the first one in the list that has the AD security group that the user is a member of will be matched and the tunnel group name associated with that policy will be sent back to the ASA every time. If that name doesn't match the one they picked, the tunnel will not be established. This will happen every time if the tunnel group is associated with the second or third AD group they are a member of in terms of order in the NPAS policy list.
    Group-lock (attribute 25) works similarly. In such a case, the result won't be a failure to connect if the user group chosen is associated with the second or third AD group in the policy list; rather, it will just always send the ASA the first group name and the ASA will establish the session but always apply the same policy to the client rather than the desired one.
    We upgraded to firmware 8.4.5 on our ASA 5520 specifically so that we could make use of attribute 146 (tunnel-group-name). Since this is an upstream attribute sent by the ASA to the RADIUS server (rather than something sent by the RADIUS server to the ASA as part of the authentication response), we were hoping to be able to use it as an additional condition in the NPAS policies. In this way, people could be members of more than one of the AD security groups related to VPN at a time. The problem is, I just do not know how to leverage it in the NPAS policy conditions or if it is even possible.

  • WLC QoS Profiles not applying egress

    In regards to QoS profiles on the WLC. I have applied a profile to a newly created WLAN and set the Per User Bandwidth to 512k and it seems to be kicking in on the ingress only, does anyone know if this is supposed to work ingress AND egress or is it just designed to work one way?  I have a 4402-25 with Cisco 3500 AP's and am running the 7.0.98 code.
    If it is designed to work one way only, is there a different way to apply it ingress and egress simultaneously off the WLC?

    Hello,
    WLC QoS bandwidth policies do in fact only apply in the downstream direction. Clients will still be able to upload at an unlimited speed.
    You will need to look at another solution if you need to limit upload speeds -- one example would be user-based rate limiting on the 6500 platform:
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd803e5017.html
    There are likely other solutions available as well.
    -Patrick Croak
    Wireless TAC

  • Assigned a QoS profile based on client identity

    A client can be assigned a QoS profile based on its identity, through AAA, but how?

    You need a RADIUS server.
    Make sure the AAA override is enabled on the WLAN, then try to use the following RADIUS attribute on the RADIUS server:
    RADIUS-Cisco Airespace -> Airespace-QOS-Level
    Return the value of the QOS level in this attribute to the users based on their identity.
    HTH
    Amjad
    p.s: never tried the above. so tell us if it worked correctly with you.
    Rating useful replies is more useful than saying "Thank you"
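
How the Airespace-QOS-Level override from the replies above is carried on the wire, as an added example that is not from any poster or from Cisco: it packs Airespace-QOS-Level, Airespace-DSCP and Airespace-8021p-Tag as RADIUS vendor-specific attributes (vendor 14179) and decodes them again with length checks. The group names and their markings are constructed for illustration.

```python
import struct

RADIUS_VSA = 26                    # Vendor-Specific attribute type (RFC 2865)
AIRESPACE_VENDOR_ID = 14179        # Airespace enterprise number
QOS_LEVEL, DSCP, DOT1P = 2, 3, 4   # Airespace-QOS-Level, -DSCP, -8021p-Tag
QOS_VALUES = {"silver": 0, "gold": 1, "platinum": 2, "bronze": 3}
QOS_NAMES = {v: k for k, v in QOS_VALUES.items()}
QOS_RANK = ["bronze", "silver", "gold", "platinum"]   # lowest priority first

# Constructed policy: group names and markings are illustrative assumptions.
GROUP_POLICY = {
    "voice-handsets": ("platinum", 46, 6),
    "staff": ("silver", 0, 0),
    "guests": ("bronze", 8, 1),
}


def encode_vsa(vendor_id, sub_type, value):
    """One attribute 26 carrying a single 32-bit integer sub-attribute."""
    sub = struct.pack("!BBI", sub_type, 6, value)
    return struct.pack("!BBI", RADIUS_VSA, 6 + len(sub), vendor_id) + sub


def build_qos_override(group):
    """Attribute bytes an Access-Accept would carry for this group."""
    qos, dscp, dot1p = GROUP_POLICY[group]
    if not 0 <= dscp <= 63 or not 0 <= dot1p <= 7:
        raise ValueError("DSCP is 6 bits (0-63), 802.1p is 3 bits (0-7)")
    fields = ((QOS_LEVEL, QOS_VALUES[qos]), (DSCP, dscp), (DOT1P, dot1p))
    return b"".join(encode_vsa(AIRESPACE_VENDOR_ID, t, v) for t, v in fields)


def constructed_accept_attrs(group):
    """Constructed sample: Session-Timeout (27) of 3 hours, then the QoS VSAs."""
    return struct.pack("!BBI", 27, 6, 10800) + build_qos_override(group)


def decode_qos_override(data):
    """Extract the Airespace QoS settings from raw RADIUS attribute bytes."""
    found, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("attribute length runs past the buffer")
        body, pos = data[pos + 2:pos + a_len], pos + a_len
        # Ignore non-VSA attributes and VSAs that belong to other vendors.
        if a_type != RADIUS_VSA or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != AIRESPACE_VENDOR_ID:
            continue
        sub = body[4:]
        while sub:
            if len(sub) < 2 or not 2 <= sub[1] <= len(sub):
                raise ValueError("bad vendor sub-attribute length")
            s_type, value, sub = sub[0], sub[2:sub[1]], sub[sub[1]:]
            if s_type in (QOS_LEVEL, DSCP, DOT1P):
                if len(value) != 4:
                    raise ValueError("expected a 32-bit integer value")
                found[s_type] = struct.unpack("!I", value)[0]
    if found.get(QOS_LEVEL, 0) not in QOS_NAMES:
        raise ValueError("unknown Airespace-QOS-Level value")
    result = {}
    if QOS_LEVEL in found:
        result["qos"] = QOS_NAMES[found[QOS_LEVEL]]
    if DSCP in found:
        result["dscp"] = found[DSCP]
    if DOT1P in found:
        result["dot1p"] = found[DOT1P]
    return result


def override_exceeds_wlan(wlan_profile, override_qos):
    """True when RADIUS returns a higher level than the WLAN's own profile,
    the mismatch the first reply on this page advises configuring away."""
    return QOS_RANK.index(override_qos) > QOS_RANK.index(wlan_profile)


if __name__ == "__main__":
    attrs = constructed_accept_attrs("voice-handsets")
    print(attrs.hex())
    print(decode_qos_override(attrs))
    print(override_exceeds_wlan("silver", "platinum"))
```
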

  • CAR radius attributes

    hello,
    We have a Cisco Access Registrar and it works great with a cisco asn-gateway. We have the CAR server give out an sla profile when it authenticates a device (the authentication is done using domain name on the device). The sla profile is matched with the QOS info on the asn-gateway router and thus the service flow is created. We are trying out another vendor called Wichorus for their asn-gateway. Under their config the router is expecting back a couple of radius attributes to set up the service flow with the proper qos info. These are the values it is expecting back:
    service-data-flow-id
    service-profile-id
    I was wondering if anyone has had any luck with different radius attributes on the CAR. This is what Wichorus has configured on their AAA server for a certain profile:
             Wimax-PFD := 0x01,
             Wimax-PDFID := 1,
             Wimax-SDFID := 1,
             Wimax-SProfileID := 1
    CAR ver  - 4.2.2
    Thanks.

    You mean add your own custom attribute?
    Vanilla or Vendor Specific?
    I'm 99% sure you can't do this because
    1) what would the router do with it?
    2) Most IETF no's are used already
    3) You can't add new Cisco VSAs
    4) A Cisco device won't like you adding non Cisco VSAs

  • ACS 5.5 Radius Attribute not listed in Radius Directory

    Hello Community,
    I am on the evaluation of Cisco ACS 5.5, and I am trying some scenarios for my company.
    I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
    In the authorization profile you can add the RADIUS attributes. We have HP switches and I need the attribute with the ID-56, but this ID is not listed in the Authorization Profiles--> Radius Attributes-->select Part.
    But it is listed under system-administration->Configuration-->dictionaries-->Protocols->Radius--> Radius IETF
    Can somebody tell me how I can select this attribute under Authorization Profiles--> Radius Attributes-->select Part?
    Thanks a lot
    regards

    Hi
    As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
    For more information regarding Authorization profile configuration, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html

  • Radius Attributes Supported by WLC? Guest bandwidth limiting

    Hello all..
    I've seen several mentions of limiting guest user traffic usage by QoS settings and policy maps. But my issue with this is, it's a global setting for that SSID. In my case, I have a 'Submit' button on our Guest Internet page that does a hidden login of the user Guest. In the past, I would apply a session timeout of 3 hours and limit the bandwidth by quite a bit. However, for vendors and visitors that come in, there was a login section where they could input the user/pass given to them by the helpdesk and, with RADIUS attributes, have an extended timeout with greater bandwidth. However, I haven't been able to get this to work on the Controller based service, other than the time-out attribute. Is anyone doing it this way? What attributes does the WLC support?

    Have you looked at the v4.2 code? You can create different QoS Roles, and then assign different people to different roles.
    I've never tried this through RADIUS though.
    Regards,
    Richard

  • Wireless QoS Profiles

    Is anyone running Wireless QoS using 5508's? I have been reading lots of info, but still struggle with some of this. I have not dealt with QoS much on a wired network and never on a wireless network. I know there has to be a shared configuration between both. The whole point of QoS is end to end. When looking into the Wireless QoS profiles in the WLC, the Gold profile, which is stated for video, doesn't even have any values configured? So even selecting this profile for the WLAN SSID, the values not being configured tells me it's not benefiting me at all.
    Now can someone give me "slimmed" down info on ToS, CoS, and DSCP?
    Another question I have is does my application need these values configured? In my video encoder there is an area for ToS and the value is 0, do I need to configure this for the traffic to be noticed on the network?

    Steven
    There is a lot to QOS on the network. There are three main points to keep in mind when working on QOS.
    COS = Layer 2 packet markings
    DSCP = Layer 3 packet markings
    1. Marking
    2. Trusting
    3. Queuing
    I suggest doing the research on what's important to your business and marking the more important traffic higher than the not so important traffic. If you are using Cisco Switches, I suggest using 4 classes because you only get 4 queues with most Cisco switches.
    You need to trust DSCP for your Controller based AP's.  You should trust DSCP on all of your switch uplinks.
    Egress Queuing is very important. You need to allocate bandwidth to the queues on your ports. This assures that each queue gets the bandwidth that you want it to have.
    Wireless QOS is a bit different. The client needs to set the DSCP value, then the controller needs to allow the DSCP value to be set to a specific level. You need to set the "platinum" profile to a 802.1p Tag to 6, this will allow packets to be marked with a COS value of 5 (I don't understand why Cisco did it this way, but it's how it is).  Then you need to apply Platinum to your voice vlan.
    Here is a link to my forum where I have posted a lot more regarding QOS. I hope this helps.
    http://goatnetworking.com/forum/viewforum.php?f=8&sid=7e3372e32d3b9a20f9391696f7bed442

  • PPPoX Virtual-Template assignment via Radius Attribute

    I'd like to optionally apply ACLs to PPP users (PPPoX).  I see two strategies: a) apply an ACL directly via radius attributes or b) define the ACL in the Virtual-Template on the BRAS and determine the Virtual-Template ID via radius attribute.  Has anyone done this?  If so, any suggestions on the best way to move forward?  I think I'd prefer option B as I could also use it to assign VRFs etc (one Virtual-Template per VRF).
    TIA

    The only way I could get this to work is have the ACS server reference an ACL configured on the switch via name or number and send in the filter-id attribute.  On the switch I configured the default setting for attribute 11 to apply inbound "radius-server attribute 11 default direction in".  If you do a "sh authentication sessions interface gx/x" it'll show the filter-ID setting but if you do a "show ip interface gx/x" it still shows the default-acl being applied.  It works, just a bit confusing because of that default-acl still showing up.  Anyone else experience the same?

  • How to apply Qos in the precedence of cache server

    I'm in an ISP and I want to apply QoS to enhance my network internet performance.
    Actually I have two requests. I will start by showing a brief topology of my network and then ask the questions.
    Here is the topology below:
    From the topology above, my access is only on R1, which is the BGP internet gateway router, and R2 is my ISP router.
    1- I want to apply QoS on R1 so that a subnet of 32 IPs has a guaranteed bandwidth of 30M.
    Assume the subnet that needs the bandwidth guarantee is 10.20.30.0/27.
    2- I want the download traffic by idman or ftp on my router R1 not to exceed 50% of my total bandwidth.
    I mean that I have 450M bandwidth from my ISP, and sometimes browsing is slow, so I want to enhance the browsing quality because it's more important than downloading files from the internet.
    Those are my two requests above. I don't know how it will work with the precedence of the cache server.
    Anyway, I will paste my router config, and I will replace my public IPs with xxx for privacy.
    7200Gateway#sh run
    Building configuration...
    Current configuration : 10149 bytes
    upgrade fpd auto
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname 7200Gateway
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 50000
    enable secret xxxxxxxxxxxxxx
    no aaa new-model
    ip source-route
    ip wccp 80 redirect-list CACHE80
    ip wccp 90 redirect-list CACHE90
    ip cef
    no ip domain lookup
    ip accounting-threshold 4294967295
    login block-for 180 attempts 3 within 60
    login quiet-mode access-class telnet
    login on-failure log
    login on-success log
    no ipv6 cef
    multilink bundle-name authenticated
    username xxxxxx password xxxxx
    archive
    log config
      hidekeys
    interface GigabitEthernet0/1
    description LAN
    bandwidth 230000
    ip address 10.160.150.2 255.255.255.0
    ip wccp 80 redirect in
    ip policy route-map CACHE-REDIRECT
    load-interval 30
    duplex auto
    speed auto
    media-type rj45
    negotiation auto
    interface FastEthernet0/2
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    description Cache
    bandwidth 150000
    ip address x.x.x.x 255.255.255.248
    ip wccp redirect exclude in
    load-interval 30
    duplex auto
    speed 1000
    media-type rj45
    negotiation auto
    interface GigabitEthernet0/3
    description Internet
    bandwidth 230000
    ip address x.x.x.x 255.255.255.252
    ip wccp 90 redirect in
    load-interval 30
    duplex full
    speed 1000
    media-type sfp
    negotiation auto
    router bgp zzzzzzz
    no synchronization
    bgp log-neighbor-changes
    network xxxx mask xxxxx
    network xxxx mask xxxx
    network xxxx mask xxxxx
    network xxxx mask xxxx
    network xxxx mask xxxxx
    network xxxx mask xxxx
    redistribute connected
    redistribute static
    neighbor zzzzzzzz remote-as zzzzzzz
    neighbor zzzzzzz password zzzzzzz
    neighbor zzzzzz route-map Pipo out
    no auto-summary
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
    ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
    ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
    ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
    ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
    ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
    ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
    ip route xxxxxxxx 255.255.0.0 xxxxxxxxxx
    no ip http server
    no ip http secure-server
    ip flow-top-talkers
    top 200
    sort-by bytes
    cache-timeout 5000
    ip access-list extended bb
    permit ip xxxx.xxxx.xx.0 0.0.1.255 any
    ip access-list extended CACHE80
    permit tcp xxxxxxx any eq www
    ip access-list extended CACHE90
    permit tcp any xxxxx.0 0.0.0.255
    ip access-list extended pipo
    permit ip xxxxx xxxxxxx any
      permit ip xxxxx xxxxxxx any
    ip access-list extended private
    permit tcp 172.16.0.0 0.0.255.255 any eq www
    permit ip 10.20.30.0 0.0.0.255 any
    ip access-list extended telnet
    permit ip xxxxxx xxxxxxx.255.255 any log
    permit ip xxxx xxxxx 0.0.0.255 any log
    ip prefix-list bb seq 5 permit xxxxx
    ip prefix-list bbseq 10 permit xxxxxx
    logging history size 500
    no cdp run
    route-map pipo permit 10
    match ip address prefix-list pipo1
    route-map pipo permit 20
    match ip address prefix-list newsubnet
    set metric 500
    set origin incomplete
    set as-path prepend xxxxxxxxx
    route-map permit 10
    match ip address prefix-list bibo
    route-map CACHE-REDIRECT permit 10
    match ip address  private
    set ip next-hop 1vvvvvv
    route-map CACHE-REDIRECT permit 20
    match ip address bibo e1
    set ip next-hop vvvvvv
    route-map CACHE-REDIRECT permit 30
    match ip address pipo
    set ip next-hop vvvvvvvvvv
    route-map CACHE-REDIRECT permit 100
    snmp-server community xxxxxx RO
    control-plane
    dial-peer cor custom
    line con 0
    password xxxxxxxx
    logging synchronous
    login
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    exec-timeout 60 0
    password xxxxxxxxxxxxxxxxx
    logging synchronous
    login local
    end

    Hi Vinay,
    Please check the program. I have used the replace statement but it is not working.
    IF NOT v_sap_bom_rec IS INITIAL.
    Spliting the records at '~' delimiter
        SPLIT v_sap_bom_rec AT c_del INTO  wa_bom_file-model_name
                                           wa_bom_file-product_code
                                           wa_bom_file-description
                                           wa_bom_file-product_type
                                           wa_bom_file-mfg_part_num
                                           wa_bom_file-mfg_part_desc.
        REPLACE cl_abap_char_utilities=>horizontal_tab IN wa_bom_file-mfg_part_desc WITH space .
        wa_bom_file-status = c_status.
        APPEND wa_bom_file  TO i_bom_file.
    But it is not working.
    Please help me..
    Thanks
    Neelima

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using guest portal; the user is a vendor, so no dot1x configured on his NIC.
    The problem is that the switch is not sending the username as a part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine; therefore, I cannot configure my authorization condition using internaluser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    any help  !!!

    Thanks for your reply. I know what MAB is. If you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending the RADIUS attribute type 1 to the ISE; thus, in the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960-X only.

  • Ise 1.1 ActivatedGuest not able to authenticate using radius pap

    Hi,
    I want to create guest accounts using the sponsor portal and use radius to authenticate with these accounts; Afaik this  is supported as from 1.1mr1 (Show Version output      : 1.1.1.268)
    When we create an account with the ActivatedGuest Identity group, in the sponsor portal the account is marked as active.
    Username Status   First Name   Last Name   Email Address
    aazeaze1 ACTIVE azea azeaze
    However in ise, using radius, we receive an access-reject:
    24210  Looking up User in Internal Users IDStore - aazeaze1
    24206  User disabled
    after logging in successfully to the guest portal with this account, the radius request also succeeds.
    Questions
    1) is this scenario supported?
    2) is there anything else that should be configured?
    Regards

    Hi,
    FYI it works if you don't use the fromlogin time profile , that's only for LWA/CWA.
    cheers
