Applying service policy using radius and VPDN
Anyone had any success doing this?
I've been following the suggested config at http://www.cisco.com/en/US/customer/products/ps6566/products_feature_guide09186a0080610dad.html#wp1058626 but not having any success.
Sessions terminate on my 7301 via L2TP through another provider - this all works fine.
I have the following AVPair defined in the user RADIUS profile:
Cisco-AVPair = "ip:sub-qos-policy-out=DROP-P2P"
and the matching policy map defined on the 7301 but it does not get applied to the user session.
Debug L2X errors gives the following message:
001867: Oct 30 16:12:50.655 UTC: L2X: Unknown AVP 76 in CM SCCRQ
001868: Oct 30 16:12:50.655 UTC: L2X: Ignoring unknown AVP 76
If I apply the policy map in the virtual-template it does get applied, but obviously to all users on that template, which is not what I want.
Edit: btw the 7301 is on 12.4 so this feature should be available.
Thanks
Liam.
With a router it won't be possible to get a different policy for users in a single template. The following link may help you:
http://www.cisco.com/en/US/customer/products/ps6566/products_feature_guide09186a0080610dad.html#wp1081783
Similar Messages
-
Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?
Hi,
Is there a way to assign a QoS service policy via Radius to a Catalyst 4500/3750 switchport?
In detail, we would like to assign this policy
policy-map SET_EF
 class class-default
  set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works fine when doing it statically with
interface FastEthernet2/1
 service-policy input SET_EF
but we would need to assign such a policy via Radius during the 802.1x authentication. Different users should get different policies. We use Cisco ACS 5.2 as Radius server and there actually is a field for that in the Authorization Profile Common Tasks configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
We also found two other attributes, "sub-qos-policy-in" and "ip:sub-qos-policy-in", for that. CCO says that "ip:sub-qos-policy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523).
Unfortunately this does not seem to work on Catalyst 45k and 37k.
In the ACS logs we can see that these attributes are attached to the Radius reply, but unfortunately they are ignored by the switch.
It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed - so to my understanding the switch should understand these attributes (?)
4503-E#sh aaa attributes
AAA ATTRIBUTE LIST:
Type=1 Name=disc-cause-ext Format=Enum
Type=2 Name=Acct-Status-Type Format=Enum
<snip>
Type=345 Name=sub-policy-In Format=String
Type=346 Name=sub-qos-policy-in Format=String
Type=347 Name=sub-policy-Out Format=String
Type=348 Name=sub-qos-policy-out Format=String
Any input is welcome :-))
Best regards
Additionally to this discussion, I've just opened a service request with TAC.
Unfortunately the engineer told me that by now per-user QoS is definitely not supported on these two platforms, but it's listed on the roadmap and will possibly be available mid 2012...
-
Can't apply service-policy to atm int?
Attempted to apply service-policy output MPLS-EGRESS to ATM Int:
class-map match-any GOLD
 match mpls experimental topmost 5
 match ip precedence 5
class-map match-any BRONZE
 match mpls experimental topmost 3
 match ip precedence 3
class-map match-any SILVER
 match mpls experimental topmost 4
 match ip precedence 4
policy-map MPLS-EGRESS
 class GOLD
  priority percent 5
  set mpls experimental topmost 5
 class SILVER
  bandwidth percent 10
  random-detect
  set mpls experimental topmost 4
 class BRONZE
  bandwidth percent 20
  random-detect
  set mpls experimental topmost 3
 class class-default
  set mpls experimental topmost 0
  fair-queue
  random-detect
interface ATM4/0.102 point-to-point
 description TRUNK LINK TO PE_B
 bandwidth 16000
 ip address xxx.xxx.xxx.xxx 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip ospf message-digest-key xxx
 no snmp trap link-status
 mpls ip
 pvc PE_B 10/102
  tx-ring-limit 3
  oam-pvc manage
  encapsulation aal5snap
  service-policy output MPLS-EGRESS
And it *appears* to apply without error, but logs show:
Jul 28 09:34:32.550 aest: %SCHED-3-SEMLOCKED: Virtual Exec attempted to lock a semaphore, already locked by itself -Traceback= 0x61317864 0x62658A88 0x620F0A4C 0x60DD3668 0x60DD5648 0x6135ABD8 0x61379744 0x62644508 0x626444EC
Jul 28 09:34:33.870 aest: I/f ATM4/0.102 VC 10/102 class GOLD requested bandwidth 0 (kbps), available only 0 (kbps)
And ATM4/0.102 does not include the service-policy output MPLS-EGRESS when I do a show run nor when I do a sho policy-map interface?
Resolved my own issue - I needed:
vbr-nrt 32000 16000
under the atm sub int...
-
Query Service - Filters using "IN" and "*" (asterisk)
Hi All,
Is there any way to use "IN" and "*" (asterisk of a regular expression) in a filter to be used in query services?
In other words:
1) How to create a query using a selection-options as it is done in SELECT statement
2) How to use regular expressions in a query (use of an asterisk)?
Please, my question is regarding the Query Service. Nothing in the [Query Service help|http://help.sap.com/saphelp_nw70/helpdata/en/fd/022008bc9311d4b2e80050dadfb92b/frameset.htm] could help me regarding these two points.
Thanks.
Hi Fabio,
this is not objects, not general but very very basic:
data:
  lt_kna1 type table of kna1,
  lt_r_name type range of kna1-name1. "defines a range like in select-options
field-symbols:
  <r_name> like line of lt_r_name. "field-symbol for one line of the ranges table
append initial line to lt_r_name assigning <r_name>.
<r_name>-sign = 'I'.
<r_name>-option = 'CP'.
<r_name>-low = 'EN*'.
select *
  into table lt_kna1
  from kna1
  where name1 in lt_r_name.
Also: Use F1 on [SELECT-OPTIONS|http://help.sap.com/abapdocu_702/en/abapselect-options.htm] and [DATA - RANGE OF |http://help.sap.com/abapdocu_702/en/abapdata_ranges.htm]
Regards,
Clemens
-
Connect to WPA using RADIUS and certificates
Hello all,
I have set up my Airport Extreme N to use WPA enterprise encryption via a freeRADIUS server using EAP. I created my own public key infrastructure using openSSL and I am able to connect to the WLAN with my Windows XP notebook using this authentication method.
Now with my macs I am kind of lost. First I installed the root certificate using the keychain app into X509Anchors and the client certificate into the login keychain.
Both certificates are marked with a red X saying that they have been signed by an unknown instance, even if I set them to Always trust in the menu.
Now I fired up my Airport Card in my iMac and tried to use the internet connection app to login into the WLAN. When I try to choose the protocol "TLS" and click Configure I cannot choose the freshly imported certificates.
Do I have to add something special to the certificates to make them work under MacOS X, or can I take the same certificate for Windows and Mac?
Thanks for your help!
Best regards
Thomas
The solution to the problem was that the certificate created with OpenSSL in the pem format has to be converted into the p12-format to make it selectable in the TLS dialog.
Now I authenticate my MacBook Pro with certificates at my AirPort Extreme (pre N-version) using a freeRADIUS server as a backend.
-
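The PEM-to-p12 conversion described in the answer above, as an added shell example that is not part of the original post: it builds a constructed CA and client certificate, bundles the client certificate, its private key and the CA certificate into one PKCS#12 file, and reads the bundle back to check it. All file names, subjects and the passphrase are placeholders.

```shell
#!/bin/sh
# Added example: constructed PKI, then PEM -> PKCS#12 for an EAP-TLS client.
# Every name, subject and the passphrase below is a constructed placeholder.

pem_to_p12_demo() {
    workdir=$(mktemp -d) || return 1
    pass='constructed-passphrase'

    # 1. Constructed root CA (stands in for a self-made OpenSSL PKI).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test Root CA' \
        -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null || return 1

    # 2. Client key and certificate in PEM form, signed by that CA.
    openssl req -newkey rsa:2048 -nodes \
        -subj '/CN=constructed-wlan-client' \
        -keyout "$workdir/client.key" -out "$workdir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -in "$workdir/client.csr" \
        -CA "$workdir/ca.pem" -CAkey "$workdir/ca.key" -CAcreateserial \
        -out "$workdir/client.pem" 2>/dev/null || return 1

    # 3. The conversion itself: certificate + private key + CA certificate
    #    go into a single passphrase-protected PKCS#12 (.p12) file.
    openssl pkcs12 -export \
        -in "$workdir/client.pem" -inkey "$workdir/client.key" \
        -certfile "$workdir/ca.pem" -name 'constructed-wlan-client' \
        -passout "pass:$pass" -out "$workdir/client.p12" || return 1

    # 4. Read the bundle back: the client certificate must be there, and
    #    exactly one private key must travel with it.
    subject=$(openssl pkcs12 -in "$workdir/client.p12" -passin "pass:$pass" \
        -clcerts -nokeys 2>/dev/null | openssl x509 -noout -subject) || return 1
    keys=$(openssl pkcs12 -in "$workdir/client.p12" -passin "pass:$pass" \
        -nocerts -nodes 2>/dev/null | grep -c 'BEGIN.*PRIVATE KEY')

    rm -rf "$workdir"   # the unencrypted PEM key must not be left behind

    case "$subject" in
        *constructed-wlan-client*) echo "ok keys=$keys" ;;
        *) return 1 ;;
    esac
}

pem_to_p12_demo
```

OpenSSL 3.x encrypts PKCS#12 files with AES-256 and PBKDF2 by default; its `-legacy` option on `pkcs12 -export` selects the older algorithms for importers that do not accept those.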
Apply QoS profile using RADIUS attributes
Hi all,
Anyone delved into the use of RADIUS attributes to apply QoS values (DSCP/802.1p) to wireless users via a WLC?
With the emergence of ISE and the concept of a shared SSID for several user types I may want to apply QoS profiles by user rather than SSID.
Do you need to apply the maximum value to the SSID for the attribute-derived value to work?
Can non-WMM client traffic be marked using this approach?
Plenty to think about here...
Any discussion welcome!
Cheers
Rob
You can apply QoS RADIUS override.
http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
Yes, it would be best to apply the wlan max qos value to the level that you intend to use with the radius override. For example, if you want to apply platinum qos for voice clients on the ssid, I would map the wlan to platinum qos.
I am not sure on the next question. I think you can assign a DSCP/802.1p to non-WMM clients but I don't think the non-WMM clients will benefit from it as they will not tag their traffic and hence the AP and subsequently the wired network will treat it as best effort (untagged).
Thanks,
-
Can't auth to Nortels networks devices using RADIUS with ACS 5.1
Hi,
I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
After configuring RADIUS on these device (primary serv, secondary serv, secret key, port...) and adding them to my ACS Servers.
I can't manage to login using RADIUS and I get the following message.
"Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
But in my ACS View, I can see : "Authentication succeeded."
I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS Auth using other brand devices.
Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS Authentication?
Regards.
Are you sure that setting up a compound condition will help?
To me, the RADIUS Nortel VSA are used for Authorization, and my problem is about Authentication (usually for a simple authentication, we stay in the IETF RADIUS Standards? no?)
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here is my steps in the ACS View
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job
-
Cannot configure service-policy on SIP-400
I have cisco 7606 with SIP-400 on slot1 , and I try to apply service-policy output on the interface pos1/1/0, after enter the command, the system
generate the error "queue-limit is invalid command w/o other queueing feature".
Why I cannot apply the service-policy?
Thanks Marcio.
I have added failover details to the client's tnsnames file (see below), but still I get the '500 - The Network Adapter could not establish the connection' error:
TESTDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = lontestdb01-vip)(PORT = 1526))
    (ADDRESS = (PROTOCOL = TCP)(HOST = lontestdb02-vip)(PORT = 1526))
    (LOAD_BALANCE = TRUE)
    (FAILOVER = TRUE)
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ESTDB)
      (FAILOVER_MODE =
        (BACKUP=lontestdb02-vip)
        (TYPE=select)
        (METHOD=preconnect)
        (RETRIES=180)
        (DELAY=5)
      )
    )
  )
Bal - the output of crs_stat -t is as follows (please note the listener on node 1 is intentionally down)
-bash-3.00$ crs_stat -t
Name Type Target State Host
ora....B1.inst application ONLINE ONLINE lonestdb01
ora....B2.inst application ONLINE ONLINE lonestdb02
ora....DB1.srv application ONLINE ONLINE lonestdb01
ora....DB2.srv application ONLINE ONLINE lonestdb02
ora....BOTH.cs application ONLINE ONLINE lonestdb01
ora....DB1.srv application ONLINE ONLINE lonestdb02
ora....LIVE.cs application ONLINE ONLINE lonestdb01
ora....DB2.srv application ONLINE ONLINE lonestdb02
ora....NDBY.cs application ONLINE ONLINE lonestdb02
ora.ESTDB.db application ONLINE ONLINE lonestdb02
ora....01.lsnr application OFFLINE OFFLINE
ora....b01.gsd application ONLINE ONLINE lonestdb01
ora....b01.ons application ONLINE ONLINE lonestdb01
ora....b01.vip application ONLINE ONLINE lonestdb01
ora....02.lsnr application ONLINE ONLINE lonestdb02
ora....b02.gsd application ONLINE ONLINE lonestdb02
ora....b02.ons application ONLINE ONLINE lonestdb02
ora....b02.vip application ONLINE ONLINE lonestdb02
Many thanks to everyone that's helped so far
Rup
-
Account Assignment is not populated while creating service PO using BAPI
Hi All,
I am creating a service PO using BAPI_PO_CREATE1 and it's creating the PO, but when I go to ME23n and check Account Assignment in Services then it's empty.
Please help me as I am not able to understand what could be the problem...
Thanks & Regards,
Prabhat Pandey
Thanks for your most valuable answer.
Regards,
Prabhat
-
Applying a service policy on an ACE vlan
Hi All
Our ACE is held at a remote site and I just want to apply a service policy on the client vlan, which is also our mgmt/access vlan.
As I am new to ACEs I thought I would run it past you guys before I apply it - I am not going to lose connectivity to my ACE, am I?
Here's the service policy -
policy-map multi-match CLIENT-VIPS
class VIP-150
loadbalance vip inservice
loadbalance policy lb-logic
class-map match-all VIP-150
2 match virtual-address xx.xx.xx.150 any
I was going to apply it on vlan 121
int vlan 121
service-policy input CLIENT-VIPS
Now the way I read it
- it should only affect access to the virtual address specified
It's not going to cut off my access to the ACE by only allowing that address through, is it?
Could be a career damaging move if so for me
Thanks for your advice
Steve
Hello Steve,
If you are not modifying the MGMT class or policy, you do not need to worry about it; like you mentioned, this LB policy is just intended to allow connections to that VIP, nothing else.
As always, it is a good practice to not apply this during production time; as well, you can create a test context, where you can test all this without using the production context, so you can play safe and learn at the same time.
Thanks, hope this helps.
-
Error while applying the Service Policy
Hi,
I am getting the below error while applying the service policy to the Interface.
I have set the mpls exp 4 as well as want to limit the bandwidth to 1Mbps
PE#sh policy-map setexp-GBoIP
Policy Map setexp-GBoIP
Class GBoIP-traffic
set mpls experimental imposition 4
police cir 1024000 bc 32000
conform-action transmit
exceed-action drop
PE(config-if)#int vlan 2007
PE(config-if)#service-policy input setexp-GBoIP
QoS-ERROR: Addition/Modification made to policymap setexp-GBoIP and class GBoIP-traffic is not valid, command is rejected
As well as I have created new class-map with priority and Bandwidth and applied in output direction, I got the below error while applying the Service policy in
PE(config-if)#service-policy out TEST
bandwidth command is not supported in output direction for this interface
PE(config-if)#service-policy output TEST
priority command is not supported in output direction for this interface
Any idea why so ?
Thanks in Advance.
Regards,
Nilesh
Check the current value of IGW_AWARDS_S sequence and make sure the MINVALUE in the patch (i.e. 10000) is not greater than the current one.
OERR: ORA 4007 MINVALUE cannot be made to exceed the current value (Doc ID 19824.1)
You may also log a SR.
Thanks,
Hussein
-
Stopping sql server services while applying Service pack On SQL server 2008 and 2008 R2
Hi,
I am planning to apply service pack 3 for SQL 2008 R2 and Service pack 4 for SQL server 2008. This is my first time and I am applying first QA and DEV environment. I have one confusion. In cluster once you fail over sql resources to active node all of the sql services including SQLSERVER and Agent are automatically stopped in passive node where we apply service pack. But in Stand alone, The services are not automatically stopped. Do I need to manually stop those services like SQLSERVER, Agent, Browser and others if any before I start applying service pack?
Early Response is highly appreciated.
Thanks In Advance
Hello,
You don’t need to stop SQL Server services. Let SQL Server setup do it as needed.
Please read the following article for the cluster you would like to update:
https://support.microsoft.com/kb/958734?wa=wsignin1.0
The following article may be useful too:
http://www.sqlcoffee.com/Tips0014.htm
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com
-
Prevalence between service policy and rate limit
Hi,
I have a question, on the wan interface on my router I have configured two QoS configuration: one is based on rate-limit pointing to a an specified traffic but also I have a configuration with a service policy that include the same traffic with a restriction of bandwidth . I do not know what policy has prevalence if the service policy or the rate limit.
Regards.
Hi Rajan,
Thanks for the reply.
I'm a bit confused with your answer....
We have SRM 5 implemented at our place and I see that service carts created in the system using the link "ORDER" when converted to PO's in Sourcing create Purchase orders with HIERARCHY structure i.e. 1 header and 1 item (with the actual service line) but when they are replicated to ECC, we have done an enhancement to create LIMIT PO's for service orders.
Hence I wanted to know when do we need to create SERVICE HIERARCHY based PO's in SRM and when we need to create LIMIT PO's directly in SRM?
Also I understand that in SRM, for limit PO's, when the PO item is deleted in PROCESS PO transactions, the items are not returned back to sourcing. We don't want this to happen for all types of PO's (both material and Service). We want that when a PO item is deleted, the item should return back to sourcing.
But other than above functionality, what are the advantages of creating SERVICE based HIERARCHY PO's v/s LIMIT PO's in SRM?
Please advise.
Any inputs from Experts on this forum will be appreciated.
Thanks in advance.
-
Recently my iphone is consuming too much data, I have installed a data monitoring app and I found that - although I turned off all notifications and push email - push services is using around a 1mega/hour from cellular data (even if I am using wi-fi) !!!
cpupower frequency-info
analyzing CPU 0:
driver: acpi-cpufreq
CPUs which run at the same hardware frequency: 0 1 2 3
CPUs which need to have their frequency coordinated by software: 0
maximum transition latency: 10.0 us.
hardware limits: 800 MHz - 2.30 GHz
available frequency steps: 2.30 GHz, 2.30 GHz, 1.80 GHz, 1.60 GHz, 1.40 GHz, 1.20 GHz, 1000 MHz, 800 MHz
available cpufreq governors: conservative, powersave, ondemand, performance
current policy: frequency should be within 800 MHz and 2.30 GHz.
The governor "conservative" may decide which speed to use
within this range.
current CPU frequency is 800 MHz.
cpufreq stats: 2.30 GHz:0,02%, 2.30 GHz:0,05%, 1.80 GHz:0,05%, 1.60 GHz:0,03%, 1.40 GHz:0,01%, 1.20 GHz:0,16%, 1000 MHz:0,38%, 800 MHz:99,29% (1017)
boost state support:
Supported: yes
Active: yes
25500 MHz max turbo 4 active cores
25500 MHz max turbo 3 active cores
25500 MHz max turbo 2 active cores
25500 MHz max turbo 1 active cores
Thanks
-
All is in the title, so I repeat it below with a better indentation.
What are the pros and cons of
1) choosing to use the SAME
Apple ID for iCloud services on one side, and
purchases on the iTunes Store, App Store, and iBookstore, on the other side; or
2) to have and use two separate Apple Ids for these "two sides"?
P.S.
I have loads and loads of free podcasts in iTunes in my iMac, that are certainly more than the 5 gigas the iCloud provides for free, so I don't want those to go to the cloud. But this is perhaps a different question...
Also need to mention that I have itunes on a mac, a pc and an iphone.
Sorry to look so silly with this question, but I don't get the "big picture".
You need to create a user account for your wife (or yourself depending on who has the current user account). When syncing, each of you should sign in as a separate user, login to iTunes and then sync. I had this problem when my sister got an iPhone. When we did her initial sync, everything on my iPhone showed up on hers. Apple gave me this solution.