Applying service policy using radius and VPDN

Anyone had any success doing this?
I've been following the suggested config at http://www.cisco.com/en/US/customer/products/ps6566/products_feature_guide09186a0080610dad.html#wp1058626 but I am not having any success.
Sessions terminate on my 7301 via L2TP through another provider - this all works fine.
I have the following AVPair defined in the user RADIUS profile:
Cisco-AVPair = "ip:sub-qos-policy-out=DROP-P2P"
and the matching policy map defined on the 7301 but it does not get applied to the user session.
Debug L2X errors gives the following message:
001867: Oct 30 16:12:50.655 UTC: L2X: Unknown AVP 76 in CM SCCRQ
001868: Oct 30 16:12:50.655 UTC: L2X: Ignoring unknown AVP 76
If I apply the policy map in the virtual-template it does get applied, but obviously to all users on that template, which is not what I want.
Edit: btw, the 7301 is on 12.4, so this feature should be available.
Thanks
Liam.

With a router it won't be possible to get a different policy for users in a single template. The following link may help you:
http://www.cisco.com/en/US/customer/products/ps6566/products_feature_guide09186a0080610dad.html#wp1081783
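
One way to check, on a captured Access-Accept, whether the Cisco-AVPair from the RADIUS profile is actually on the wire before looking at the NAS side. This is an added example, not part of the original thread; the sample packet is constructed (its authenticator is zeroed and not verified) and the function names are hypothetical.

```python
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26   # RADIUS Vendor-Specific attribute
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco vendor sub-type 1 carries cisco-avpair strings


def cisco_avpairs(packet):
    """Return every Cisco-AVPair string carried in one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pairs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != VENDOR_CISCO:
            continue
        sub = value[4:]
        while len(sub) >= 2:          # a VSA may hold several sub-attributes
            stype, slen = sub[0], sub[1]
            if slen < 2 or slen > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            if stype == CISCO_AVPAIR:
                pairs.append(sub[2:slen].decode("ascii", "replace"))
            sub = sub[slen:]
    return pairs


def qos_policies(pairs):
    """Map direction ('in'/'out') to policy name for sub-qos-policy AVPairs."""
    found = {}
    for pair in pairs:
        name, _, policy = pair.partition("=")
        attr = name.lower().rpartition(":")[2]   # drop an optional "ip:" prefix
        if attr in ("sub-qos-policy-in", "sub-qos-policy-out"):
            found[attr.rsplit("-", 1)[1]] = policy
    return found


def build_sample_accept(avpairs):
    """Constructed Access-Accept used as sample input (not a real capture)."""
    attrs = b""
    for text in avpairs:
        data = text.encode("ascii")
        sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
        vsa = struct.pack("!I", VENDOR_CISCO) + sub
        attrs += bytes([ATTR_VENDOR_SPECIFIC, len(vsa) + 2]) + vsa
    attrs += bytes([6, 6]) + struct.pack("!I", 2)   # Service-Type = Framed
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, 1, 20 + len(attrs))
    return header + bytes(16) + attrs


SAMPLE = build_sample_accept(["ip:sub-qos-policy-out=DROP-P2P"])

if __name__ == "__main__":
    pairs = cisco_avpairs(SAMPLE)
    print(pairs, qos_policies(pairs))
```

If the pair shows up here but the session still gets no policy, the attribute is being delivered and the problem is on the NAS side.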

Similar Messages

  • Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

    Hi,
    Is there a way to assign a QoS service policy via RADIUS to a Catalyst 4500/3750 switchport?
    In detail, we would like to assign this policy
        policy-map SET_EF
         class class-default
           set dscp ef
    to an interface. All traffic should be marked with a defined DSCP value.
    This works fine when doing it statically with
        interface FastEthernet2/1
             service-policy input SET_EF
    but we would need to assign such a policy via RADIUS during the 802.1x authentication. Different users should get different policies. We use Cisco ACS 5.2 as RADIUS server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
    We also found two other attributes, "sub-qos-policy-in" and "ip:sub-qos-polcy-in", for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
    Unfortunately this seems to not work on Catalyst 45k and 37k.
    In the ACS logs we can see that these attributes are attached to the RADIUS reply, but unfortunately they are ignored by the switch.
    It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed - so to my understanding the switch should understand these attributes (?)
        4503-E#sh aaa attributes
        AAA ATTRIBUTE LIST:
            Type=1     Name=disc-cause-ext                 Format=Enum
            Type=2     Name=Acct-Status-Type               Format=Enum
        <snip>
            Type=345   Name=sub-policy-In                  Format=String
            Type=346   Name=sub-qos-policy-in              Format=String
            Type=347   Name=sub-policy-Out                 Format=String
            Type=348   Name=sub-qos-policy-out             Format=String
    any input is welcome :-))
    Best regards

    In addition to this discussion, I've just opened a service request with TAC.
    Unfortunately the engineer told me that by now per-user QoS is definitely not supported on these two platforms, but it's listed on the roadmap and will possibly be available mid 2012......

  • Can't apply service-policy to atm int?

    Attempted to apply service-policy output MPLS-EGRESS to ATM Int:
        class-map match-any GOLD
         match mpls experimental topmost 5
         match ip precedence 5
        class-map match-any BRONZE
         match mpls experimental topmost 3
         match ip precedence 3
        class-map match-any SILVER
         match mpls experimental topmost 4
         match ip precedence 4
        policy-map MPLS-EGRESS
         class GOLD
          priority percent 5
          set mpls experimental topmost 5
         class SILVER
          bandwidth percent 10
          random-detect
          set mpls experimental topmost 4
         class BRONZE
          bandwidth percent 20
          random-detect
          set mpls experimental topmost 3
         class class-default
          set mpls experimental topmost 0
          fair-queue
          random-detect
        interface ATM4/0.102 point-to-point
         description TRUNK LINK TO PE_B
         bandwidth 16000
         ip address xxx.xxx.xxx.xxx 255.255.255.252
         no ip redirects
         no ip proxy-arp
         ip ospf message-digest-key xxx
         no snmp trap link-status
         mpls ip
         pvc PE_B 10/102
          tx-ring-limit 3
          oam-pvc manage
          encapsulation aal5snap
          service-policy output MPLS-EGRESS
    And it *appears* to apply without error, but logs show:
    Jul 28 09:34:32.550 aest: %SCHED-3-SEMLOCKED: Virtual Exec attempted to lock a semaphore, already locked by itself -Traceback= 0x61317864 0x62658A88 0x620F0A4C 0x60DD3668 0x60DD5648 0x6135ABD8 0x61379744 0x62644508 0x626444EC
    Jul 28 09:34:33.870 aest: I/f ATM4/0.102 VC 10/102 class GOLD requested bandwidth 0 (kbps), available only 0 (kbps)
    And ATM4/0.102 does not include the service-policy output MPLS-EGRESS when I do a show run nor when I do a sho policy-map interface?

    Resolved my own issue - I needed:
    vbr-nrt 32000 16000
    under the atm sub int...

  • Query Service - Filters using "IN" and "*" (asterisk)

    Hi All,
    Is there any way to use "IN" and "*" (asterisk of a regular expression) in a filter to be used in query services?
    In other words:
    1) How to create a query using a selection-options as it is done in SELECT statement
    2) How to use regular expressions in a query (use of an asterisk)?
    Please, my question is regarding the Query Service. Nothing in the [Query Service help|http://help.sap.com/saphelp_nw70/helpdata/en/fd/022008bc9311d4b2e80050dadfb92b/frameset.htm] could help me regarding these two points.
    Thanks.

    Hi Fabio,
    this is not objects, not general but very very basic:
        data:
          lt_kna1   type table of kna1,
          lt_r_name type range of kna1-name1. "defines a range like in select-options
        field-symbols:
          <r_name> like line of lt_r_name. "field-symbol for one line of the ranges table
        append initial line to lt_r_name assigning <r_name>.
        <r_name>-sign = 'I'.
        <r_name>-option = 'CP'.
        <r_name>-low = 'EN*'.
        select *
          into table lt_kna1
          from kna1
          where name1 in lt_r_name.
    Also: Use F1 on [SELECT-OPTIONS|http://help.sap.com/abapdocu_702/en/abapselect-options.htm] and [DATA - RANGE OF |http://help.sap.com/abapdocu_702/en/abapdata_ranges.htm]
    Regards,
    Clemens

  • Connect to WPA using RADIUS and certificates

    Hello all,
    I have set up my Airport Extreme N to use WPA enterprise encryption via a freeRADIUS server using EAP. I created my own public key infrastructure using openSSL and I am able to connect to the WLAN with my Windows XP notebook using this authentication method.
    Now with my Macs I am kind of lost. First I installed the root certificate using the keychain app into X509Anchors and the client certificate into the login keychain.
    Both certificates are marked with a red X saying that they have been signed by an unknown instance, even if I set them to Always trust in the menu.
    Now I fired up my Airport Card in my iMac and tried to use the internet connection app to log in to the WLAN. When I try to choose the protocol "TLS" and click Configure I cannot choose the freshly imported certificates.
    Do I have to add something special to the certificates to make them work under MacOS X, or can I take the same certificate for Windows and Mac?
    Thanks for your help!
    Best regards
    Thomas

    The solution to the problem was that the certificate created with OpenSSL in the pem format has to be converted into the p12-format to make it selectable in the TLS dialog.
    Now I authenticate my MacBook Pro with certificates at my AirPort Extreme (pre N-version) using a freeRADIUS server as a backend.

  • Apply QoS profile using RADIUS attributes

    Hi all,
    Anyone delved into the use of RADIUS attributes to apply QoS values (DSCP/802.1p) to wireless users via a WLC?
    With the emergence of ISE and the concept of a shared SSID for several user types I may want to apply QoS profiles by user rather than SSID.
    Do you need to apply the maximum value to the SSID for the attribute-derived value to work?
    Can non-WMM client traffic be marked using this approach?
    Plenty to think about here...
    Any discussion welcome!
    Cheers
    Rob

    You can apply QoS RADIUS override.
    http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
    Yes, it would be best to apply the WLAN max QoS value to the level that you intend to use with the RADIUS override. For example, if you want to apply platinum QoS for voice clients on the SSID, I would map the WLAN to platinum QoS.
    I am not sure on the next question. I think you can assign a DSCP/802.1p to non-WMM clients, but I don't think the non-WMM clients will benefit from it, as they will not tag their traffic and hence the AP and subsequently the wired network will treat it as best effort (untagged).
    Thanks,

  • Can't auth to Nortels networks devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
    After configuring RADIUS on these devices (primary serv, secondary serv, secret key, port...) and adding them to my ACS servers, I can't manage to log in using RADIUS and I get the following message.
    "Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
    But in my ACS View, I can see : "Authentication succeeded."
    I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS Auth using other brand devices
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
    Regards.

    Are you sure that setting up a compound condition will help?
    To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication, we stay in the IETF RADIUS standards? No?)
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here are my steps in the ACS View
        11001 Received RADIUS Access-Request
        11017 RADIUS created a new session
        Evaluating Service Selection Policy
        15004 Matched rule
        15012 Selected Access Service - Default Network Access
        Evaluating Identity Policy
        15006 Matched Default Rule
        15013 Selected Identity Store - Internal Users
        24210 Looking up User in Internal Users IDStore - radius
        24212 Found User in Internal Users IDStore
        22037 Authentication Passed
        Evaluating Group Mapping Policy
        Evaluating Exception Authorization Policy
        15042 No rule was matched
        Evaluating Authorization Policy
        15006 Matched Default Rule
        15016 Selected Authorization Profile - Permit Access
        11002 Returned RADIUS Access-Accept
    So I think the ACS does its job

  • Cannot configure service-policy on SIP-400

    I have a Cisco 7606 with a SIP-400 in slot 1, and I try to apply service-policy output on the interface pos1/1/0. After entering the command, the system generates the error "queue-limit is invalid command w/o other queueing feature".
    Why can't I apply the service-policy?

    Thanks Marcio.
    I have added failover details to the client's tnsnames file (see below), but still I get the '500 - The Network Adapter could not establish the connection' error:
        TESTDB =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = lontestdb01-vip)(PORT = 1526))
            (ADDRESS = (PROTOCOL = TCP)(HOST = lontestdb02-vip)(PORT = 1526))
            (LOAD_BALANCE = TRUE)
            (FAILOVER = TRUE)
            (CONNECT_DATA =
              (SERVER = DEDICATED)
              (SERVICE_NAME = ESTDB)
              (FAILOVER_MODE =
                (BACKUP=lontestdb02-vip)
                (TYPE=select)
                (METHOD=preconnect)
                (RETRIES=180)
                (DELAY=5)
              )
            )
          )
    Bal - the output of crs_stat -t is as follows (please note the listener on node 1 is intentionally down)
        -bash-3.00$ crs_stat -t
        Name            Type         Target   State    Host
        ora....B1.inst  application  ONLINE   ONLINE   lonestdb01
        ora....B2.inst  application  ONLINE   ONLINE   lonestdb02
        ora....DB1.srv  application  ONLINE   ONLINE   lonestdb01
        ora....DB2.srv  application  ONLINE   ONLINE   lonestdb02
        ora....BOTH.cs  application  ONLINE   ONLINE   lonestdb01
        ora....DB1.srv  application  ONLINE   ONLINE   lonestdb02
        ora....LIVE.cs  application  ONLINE   ONLINE   lonestdb01
        ora....DB2.srv  application  ONLINE   ONLINE   lonestdb02
        ora....NDBY.cs  application  ONLINE   ONLINE   lonestdb02
        ora.ESTDB.db    application  ONLINE   ONLINE   lonestdb02
        ora....01.lsnr  application  OFFLINE  OFFLINE
        ora....b01.gsd  application  ONLINE   ONLINE   lonestdb01
        ora....b01.ons  application  ONLINE   ONLINE   lonestdb01
        ora....b01.vip  application  ONLINE   ONLINE   lonestdb01
        ora....02.lsnr  application  ONLINE   ONLINE   lonestdb02
        ora....b02.gsd  application  ONLINE   ONLINE   lonestdb02
        ora....b02.ons  application  ONLINE   ONLINE   lonestdb02
        ora....b02.vip  application  ONLINE   ONLINE   lonestdb02
    Many thanks to everyone that's helped so far
    Rup

  • Account Assignment is not populated while creating service PO using BAPI

    Hi All,
    I am creating a service PO using BAPI_PO_CREATE1 and it's creating the PO, but when I go to ME23n and check Account Assignment in Services, it's empty.
    Please help me as I am not able to understand what could be the problem...
    Thanks & Regards,
    Prabhat Pandey

    Thanks for your most valuable answer.
    Regards,
    Prabhat

  • Applying a service policy on an ACE vlan

    Hi All
    Our ACE is held at a remote site and I just want to apply a service policy on the client vlan, which is also our mgmt/access vlan.
    As I am new to ACEs I thought I would run it past you guys before I apply it - I am not going to lose connectivity to my ACE, am I?
    Here's the service policy -
        policy-map multi-match CLIENT-VIPS
          class VIP-150
            loadbalance vip inservice
            loadbalance policy lb-logic
        class-map match-all VIP-150
          2 match virtual-address xx.xx.xx.150 any
    I was going to apply it on vlan 121
        int vlan 121
          service-policy input CLIENT-VIPS
    Now the way I read it - it should only affect access to the virtual address specified.
    It's not going to cut off my access to the ACE by only allowing that address through, is it?
    Could be a career damaging move if so for me
    Thanks for your advice
    Steve

    Hello Steve,
    If you are not modifying the MGMT class or policy, you do not need to worry; as you mentioned, this LB policy is just intended to allow connections to that VIP, nothing else.
    As always, it is good practice not to apply this during production time. You can also create a test context, where you can test all this without using the production context, so you can play safe and learn at the same time.
    Thanks, hope this helps.

  • Error while applying the Service Policy

    Hi,
    I am getting the below error while applying the service policy to the Interface.
    I have set the mpls exp 4 as well as want to limit the bandwidth to 1Mbps
        PE#sh policy-map setexp-GBoIP
          Policy Map setexp-GBoIP
            Class GBoIP-traffic
              set mpls experimental imposition 4
              police cir 1024000 bc 32000
                conform-action transmit
                exceed-action drop
        PE(config-if)#int vlan 2007
        PE(config-if)#service-policy input setexp-GBoIP
        QoS-ERROR: Addition/Modification made to policymap setexp-GBoIP and class GBoIP-traffic is not valid, command is rejected
    As well, I have created a new class-map with priority and bandwidth and applied it in the output direction; I got the below error while applying the service policy in
        PE(config-if)#service-policy out TEST
        bandwidth command is not supported in output direction for this interface
        PE(config-if)#service-policy output TEST
        priority command is not supported in output direction for this interface
    Any idea why so?
    Thanks in Advance.
    Regards,
    Nilesh

    Check the current value of IGW_AWARDS_S sequence and make sure the MINVALUE in the patch (i.e. 10000) is not greater than the current one.
    OERR: ORA 4007 MINVALUE cannot be made to exceed the current value (Doc ID 19824.1)
    You may also log a SR.
    Thanks,
    Hussein

  • Stopping sql server services while applying Service pack On SQL server 2008 and 2008 R2

    Hi,
    I am planning to apply service pack 3 for SQL 2008 R2 and service pack 4 for SQL Server 2008. This is my first time and I am applying it first to the QA and DEV environments. I have one confusion. In a cluster, once you fail over SQL resources to the active node, all of the SQL services including SQLSERVER and Agent are automatically stopped on the passive node where we apply the service pack. But in stand-alone, the services are not automatically stopped. Do I need to manually stop those services like SQLSERVER, Agent, Browser and others, if any, before I start applying the service pack?
    Early Response is highly appreciated.
    Thanks In Advance

    Hello,
    You don’t need to stop SQL Server services. Let SQL Server setup do it as needed.
    Please read the following article for the cluster you would like to update:
    https://support.microsoft.com/kb/958734?wa=wsignin1.0
    The following article may be useful too:
    http://www.sqlcoffee.com/Tips0014.htm
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • Prevalence between service policy and rate limit

    Hi,
    I have a question: on the WAN interface on my router I have configured two QoS configurations. One is based on rate-limit pointing to a specified traffic, but I also have a configuration with a service policy that includes the same traffic with a restriction of bandwidth. I do not know what policy has prevalence, the service policy or the rate limit.
    Regards.

    Hi Rajan ,
    Thanks for the reply.
    I'm a bit confused with your answer....
    We have SRM 5 implemented at our place and I see that service carts created in the system using the link "ORDER", when converted to POs in Sourcing, create purchase orders with a HIERARCHY structure, i.e. 1 header and 1 item (with the actual service line), but when they are replicated to ECC, we have done an enhancement to create LIMIT POs for service orders.
    Hence I wanted to know when we need to create SERVICE HIERARCHY based POs in SRM and when we need to create LIMIT POs directly in SRM?
    Also I understand that in SRM, for limit POs, when the PO item is deleted in PROCESS PO transactions, the items are not returned back to sourcing. We don't want this to happen for all types of POs (both material and service). We want that when a PO item is deleted, the item should return back to sourcing.
    But other than the above functionality, what are the advantages of creating SERVICE based HIERARCHY POs v/s LIMIT POs in SRM?
    Please advise.
    Any inputs from Experts on this forum will be appreciated.
    Thanks in advance.

  • HT1695 Recently my iphone is consuming too much data, I have installed a data monitoring app and I found that - although I turned off all notifications and push email - push services is using around a 1mega/hour from cellular data (even if I am using wi-f

    Recently my iphone is consuming too much data, I have installed a data monitoring app and I found that - although I turned off all notifications and push email - push services is using around a 1mega/hour from cellular data (even if I am using wi-fi) !!!

    cpupower frequency-info
    analyzing CPU 0:
    driver: acpi-cpufreq
    CPUs which run at the same hardware frequency: 0 1 2 3
    CPUs which need to have their frequency coordinated by software: 0
    maximum transition latency: 10.0 us.
    hardware limits: 800 MHz - 2.30 GHz
    available frequency steps: 2.30 GHz, 2.30 GHz, 1.80 GHz, 1.60 GHz, 1.40 GHz, 1.20 GHz, 1000 MHz, 800 MHz
    available cpufreq governors: conservative, powersave, ondemand, performance
    current policy: frequency should be within 800 MHz and 2.30 GHz.
    The governor "conservative" may decide which speed to use
    within this range.
    current CPU frequency is 800 MHz.
    cpufreq stats: 2.30 GHz:0,02%, 2.30 GHz:0,05%, 1.80 GHz:0,05%, 1.60 GHz:0,03%, 1.40 GHz:0,01%, 1.20 GHz:0,16%, 1000 MHz:0,38%, 800 MHz:99,29% (1017)
    boost state support:
    Supported: yes
    Active: yes
    25500 MHz max turbo 4 active cores
    25500 MHz max turbo 3 active cores
    25500 MHz max turbo 2 active cores
    25500 MHz max turbo 1 active cores
    Thanks

  • HT204053 What are the pros and cons of 1) choosing to use the SAME Apple ID for iCloud services on one side, and purchases on the iTunes Store, App Store, and iBookstore, on the other side; or 2) to have and use two separate Apple Ids for these "two sides

    All is in the title, so I repeat it below with a better indentation.
    What are the pros and cons of
    1) choosing to use the SAME Apple ID for
       - iCloud services on one side, and
       - purchases on the iTunes Store, App Store, and iBookstore, on the other side; or
    2) to have and use two separate Apple Ids for these "two sides"?
    P.S.
    I have loads and loads of free podcasts in iTunes in my iMac, that are certainly more than the 5 gigas the iCloud provides for free, so I don't want those to go to the cloud. But this is perhaps a different question...
    Also need to mention that I have itunes on a mac, a pc and an iphone.
    Sorry to look so silly with this question, but I don't get the "big picture".

    You need to create a user account for your wife (or yourself depending on who has the current user account). When syncing, each of you should sign in as a separate user, login to iTunes and then sync. I had this problem when my sister got an iPhone. When we did her initial sync, everything on my iPhone showed up on hers. Apple gave me this solution.
