Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

Similar Messages

• ADSL QOS service policy

  My ISP has said they will set up their side to give 50% policed real time traffic and 30% for our application traffic burstable then 5% anything else burstable.  The QOS below is my attempt to do this but I was advised that to apply it to the Dialer 1 interface I hade to create a second policy-map (ADSLOut) which had the class-default and the child policy (QOSADSL) within that.
  When I did this I can't apply it to the Dialer 1 interface but if I use the child policy then it will allow me to apply that, will this work the same way.
  class-map match-all RealTime
   match ip dscp ef
  class-map match-all General
   match any
  class-map match-any Application
   match ip dscp cs3
   match ip dscp af41
  policy-map QOSADSL
   class RealTime
    bandwidth percent 50
   class Application
    priority percent 30
   class General
    priority percent 5
   class class-default
    shape peak percent 85
  policy-map ADSLOut
   class class-default
     service-policy QOSADSL
  interface Dialer1
  <Snipped>
   bandwidth 1240
   ip nbar protocol-discovery
   ip flow ingress
   ip flow egress
   load-interval 30
   tx-ring-limit 3
   tx-queue-limit 3
   service-policy output QOSADSL
  or
  service-policy output ADSLOut

  Hi @scotlandvisit,
  My first opinion is a recomendation: in the policy-map, when you're configuring LLQ use the priority command for delay-sensitive traffic (Voice) and the bandwidth command for the rest. This is because the priority command is used to indentify a class as a "strict priority class" which in my opinion should be the voice traffic and the bandwidth command is used to allocate bandwidth to nonpriority classes.
  The interface is not letting you apply the service-policy because you have to configure shaping inside the class-default of the parent policy-map. This shape is going to be the value in bps that you want to assing to the traffic classes that you've configured. For example, let's say that you want to allocate 1Mbps for all the classes.
  policy-map QOSADSL
   class RealTime
    priority percent 50
   class Application
    bandwidth percent 30
   class General
    bandwidth percent 5
   class class-default
    shape peak percent 85
  policy-map ADSLOut
   class class-default
    shape average 1000000
    service-policy QOSADSL
  interface Dialer1
   service-policy output ADSLOut
  Try this configuration and let me know.
  HTH.
  Rgrds,
  Martin, IT Specialist

• Applying service policy using radius and VPDN

  anyone had any success doing this?
  I've been following the suggested config at http://www.cisco.com/en/US/customer/products/ps6566/products_feature_guide09186a0080610dad.html#wp1058626 but not having any success.
  sessions terminate on my 7301 via L2TP through another provider - this all works fine.
  I have the following AVPair defined in the user RADIUS profile:
  Cisco-AVPair = "ip:sub-qos-policy-out=DROP-P2P"
  and the matching policy map defined on the 7301 but it does not get applied to the user session.
  Debug L2X errors gives the following message:
  001867: Oct 30 16:12:50.655 UTC: L2X: Unknown AVP 76 in CM SCCRQ
  001868: Oct 30 16:12:50.655 UTC: L2X: Ignoring unknown AVP 76
  if I apply the policy map in the virtual-template it does get applied, but obviously to all users on that template which is not what I want.
  edit: - btw the 7301 is on 12.4 so this feature should be available.
  thanks
  Liam.

  With a router it won't be possible to get different policy for users in a single template. Following link may help you
  http://www.cisco.com/en/US/customer/products/ps6566/products_feature_guide09186a0080610dad.html#wp1081783

• DMVPN per tunnel QOS. show policy-map multipoint not working

  Hi All,
  I have a DMVPN hub which is a 1841 with image c1841-advsecurityk9-mz.151-4.M1.bin .
  I have been using DMVPN and its awesome but now trying to get the QOS sorted out and having issues.
  I have configured the interface like so.
  interface Tunnel1
  ip address 10.255.255.1 255.255.255.0
  no ip redirects
  ip mtu 1400
  ip nhrp authentication xxx
  ip nhrp map multicast dynamic
  ip nhrp map group ADSL1 service-policy output ADSL1
  ip nhrp network-id 1
  ip nhrp redirect
  ip tcp adjust-mss 1360
  no ip split-horizon
  ip ospf 1 area 0
  tunnel source Loopback0
  tunnel mode gre multipoint
  tunnel key 1
  tunnel path-mtu-discovery
  tunnel protection ipsec profile VPN
  end
  policy-map ADSL1
  class class-default
    shape average 1000000
    service-policy Classes
  policy-map Classes
  class Silver
    bandwidth percent 25
    fair-queue
  class Gold
    bandwidth percent 50
    fair-queue
  class Scavanger
    bandwidth percent 5
  class class-default
    fair-queue
  The output of show dmvpn detail shows it has applied the QOS rule.
  NG-SR-WE-RT-2#show dmvpn detail
  Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
      N - NATed, L - Local, X - No Socket
      # Ent --> Number of NHRP entries with same NBMA peer
      NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
      UpDn Time --> Up or Down Time for a Tunnel
  ==========================================================================
  Interface Tunnel1 is up/up, Addr. is 10.255.255.1, VRF ""
     Tunnel Src./Dest. addr: 10.32.0.100/MGRE, Tunnel VRF ""
     Protocol/Transport: "multi-GRE/IP", Protect "VPN"
     Interface State Control: Disabled
  Type:Hub, Total NBMA Peers (v4/v6): 1
  # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb    Target Network
      1  x.x.x.x    10.255.255.2    UP    1d18h    D    10.255.255.2/32
  NHRP group: ADSL1
  Output QoS service-policy applied: ADSL1
  but my router cannot run show policy-map multipoint... it doesnt come up with a tab but i can write it in by hand.  Even when i write it in by hand it outputs blank.
  I cut the ADSL1 shape down to 512k and it didnt take affect so i dont think the qos is working at all.
  Is my feature set too low?
  Cheers,
  Simon

  Ray,
  There could be multiple reasons for it not to function, the config on hub seems just fine, we'd need to inspect the spokes and check (most likely) in debugs if correct group is being sent from spoke.
  Also coexistance of other service-policy etc etc.
  The feature is quite simple (some level of simplification), spoke says he is in group X when registering, hub assigns this NHRP mapping a service-policy.
  M.

• Radius accounting for QoS pppoe policy-map

  Hi folks
  I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
  The AVPAIR is correctly applied to each and every pppoe session but the following link  http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html  is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
  From what I have been able to configure, i'm not getting any of this stats back to the RADIUS
  the debug radius accounting :
  *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
  *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
  *Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
  *Mar 12 05:29:00.419: RADIUS(0000000E): sending
  *Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
  *Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
  *Mar 12 05:29:00.419: RADIUS:  authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
  *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Id     [44]  18  "0/0/3/0_00000005"
  *Mar 12 05:29:00.419: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
  *Mar 12 05:29:00.419: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.2
  *Mar 12 05:29:00.419: RADIUS:  User-Name           [1]   9   "olivier"
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  35
  *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
  *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-tx-speed=10000000"
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
  *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-rx-speed=10000000"
  *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Time   [46]  6   2582
  *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Octets   [42]  6   7232
  *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Octets  [43]  6   7232
  *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Packets  [47]  6   517
  *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Packets [48]  6   517
  *Mar 12 05:29:00.419: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
  *Mar 12 05:29:00.419: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
  *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  15
  *Mar 12 05:29:00.419: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/0"
  *Mar 12 05:29:00.419: RADIUS:  NAS-Port            [5]   6   50331648
  *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/0"
  *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  41
  *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6430"
  *Mar 12 05:29:00.419: RADIUS:  Service-Type        [6]   6   Framed                    [2]
  *Mar 12 05:29:00.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.38.133
  *Mar 12 05:29:00.419: RADIUS:  Ascend-Session-Svr-K[151] 10
  *Mar 12 05:29:00.419: RADIUS:   37 39 38 32 45 41 38 30          [ 7982EA80]
  *Mar 12 05:29:00.419: RADIUS:  Acct-Delay-Time     [41]  6   0
  *Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
  *Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
  *Mar 12 05:29:00.419: RADIUS:  authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
  What I get in the freeradius log :
  Tue Mar 11 22:30:04 2014
          Acct-Session-Id = "0/0/3/0_00000005"
          Framed-Protocol = PPP
          Framed-IP-Address = 10.10.10.2
          User-Name = "olivier"
          Cisco-AVPair = "connect-progress=LAN Ses Up"
          Cisco-AVPair = "nas-tx-speed=10000000"
          Cisco-AVPair = "nas-rx-speed=10000000"
          Acct-Session-Time = 2646
          Acct-Input-Octets = 7428
          Acct-Output-Octets = 7428
          Acct-Input-Packets = 531
          Acct-Output-Packets = 531
          Acct-Authentic = RADIUS
          Acct-Status-Type = Interim-Update
          NAS-Port-Type = Virtual
          Cisco-NAS-Port = "0/0/3/0"
          NAS-Port = 50331648
          NAS-Port-Id = "0/0/3/0"
          Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
          Service-Type = Framed-User
          NAS-IP-Address = 192.168.38.133
          X-Ascend-Session-Svr-Key = "7982EA80"
          Acct-Delay-Time = 0
          Acct-Unique-Session-Id = "523eac6ae326a778"
          Timestamp = 1394602204
          Request-Authenticator = Verified
  user config in the users file on the freeradius server :
  olivier Cleartext-Password := "olivier"
          Service-Type = Framed-User,
          Cisco-AVPair += "ip:addr-pool=pppoepool",
          Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
  I see that the policy map name is pulled correctly from the radius server and applied to the session :
  #sh policy-map session uid 14
   SSS session identifier 14 -
    Service-policy output: TEST
      Class-map: TEST (match-all)
        0 packets, 0 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any
        police:
            cir 8000 bps, bc 1500 bytes
          conformed 0 packets, 0 bytes; actions:
            transmit
          exceeded 0 packets, 0 bytes; actions:
            drop
          conformed 0 bps, exceed 0 bps
      Class-map: class-default (match-any)
        0 packets, 0 bytes
        5 minute offered rate 0 bps, drop rate 0 bps
        Match: any
  Any input very welcome

  Cisco sever is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server for instance, you have to configure your server accordingly to instruct it how to handle this kind of requests.
  This is typically done with something called "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
  As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look somethign similar than:
  And finally you will have to modify with a text editor, or XML editor and change type="tagged-string" supposing your device comply with RFC 2868. Probably
  the AAA server will have to restarted for taking this
  changes into account.
  Also,since this does apply to all devices for this vendor, you've got other option more, which is define your own dictionary for a specific vendor, or even if you wish for a specific NAS or group or NASes.
  In NavisRadius you could associate a dictionary to a
  device adding a client-class:
  # Client-IP Client-Secret Client-Class
  10.0.0.1 secret taos-old
  And then specifying the dictionary later in client_properties for this device:
  # This file contains information about client classes # and is used to set per-client specific information.
  # TAOS Devices in OLD mode with RFC conflicts
  taos-old
  Client-Dictionary=max_dictionary
  # Other devices now, etc.
  Hope it helps

• PPPoX Virtual-Template assignment via Radius Attribute

  I'd like to optionally apply ACLs to PPP users (PPPoX).  I see two strategies: a) apply an ACL directly via radius attributes or b) define the ACL in the Virtual-Template on the BRAS and determine the Virtual-Template ID via radius attribute.  Has anyone done this?  If so, any suggestions on the best way to move forward?  I think I'd prefer option B as I could also use it to assign VRFs etc (one Virtual-Template per VRF).
  TIA

  The only way I could get this to work is have the ACS server reference an ACL configured on the switch via name or number and send in the filter-id attribute.  On the switch I configured the default setting for attribute 11 to apply inbound "
  radius-server attribute 11 default direction in".  If you do a "sh authentication sessions interface gx/x" it'll show the filter-ID setting but if you do a "show ip interface gx/x" it still shows the default-acl being applied.  It works, just a bit confusing because of that default-acl still showing up.  Anyone else experience the same?

• Fundamental ACL & Service Policy related questions

  Hi All,
  apologies in advance for seemingly stupid questions but I was forced to ask them as I have ALWAYS had great difficulty in using debug on Cisco platforms. Nothing ever shows up when I set up debug despite configuring "logging console" and setting the level to 7 etc. I have no clue why that is and if it's because all debugging messages go to the debug log instead of being prnted on the console, or what it is...I just don't get it. When I'm saying logging console...please print it on the console! Anyway, that rant aside...
  I have a VERY simple topology like so
                                                                                      A few servers in this VLAN
  ISP <---> 3560G (Physical Routed Port) <--> SVI (VLAN)
                                                                                      ASA5520 <--> Internal VLAN
  With regards to ACLs and their direction, when an ACL is applied to a physical port (or in cases where QoS is enabled and a service-policy) is applied to either a routed physical port on the 3560, saying that the policy is applied in the "in" direction (or 'input' in case of service-policy) does that mean 'inbound' in either direction? As in IF that routed port is my direct connection to the ISP, and I set up "ip access-group myacl in" (or service-policy input myPolicymap) ...will that be applicable if the traffic enters that port from the ISP side OR from the internal network side, or "IN" for it is always JUST the ISP side because it's assuming that all traffic generated from inside the network going out to the Internet is implcitly allowed UNLESS an ACL somewhere in the network restricts that?
  then, in case of an SVI...I believe just like the physical routed port, I can ONLY implement an "Inbound" ACL on this as well. So when I implement either a Heirarchical policy-map or just an access-group "in", then what is "IN" ...traffic entering this VLAN from the internal network and those public servers going out to the Internet AND Traffic entering this VLAN from the ISP/Internet via the physical routed Port OR is it JUST the latter, or is it just the former?
  Now Lastly, when I have the physical ports to which the ASA and each of those physical servers are connected to sitting on the public VLAN, if I apply port-based ACLs or service-policies to them, then again, what direction is the "IN" ACL applied? Both? i.e. traffic coming into it from the public servers and the Internal network through the ASA, and the Internet OR just the traffic coming into it from the Internet, but the traffic going out from the servers to the Internet is not subjected to this ACL or service-policy
  Again, very sorry for a dumb question but I'm seeing bizzare things in my network so was just wondering before I decide on what kind of security I want to plan/design
  Thanks in advance

  The mystical difference between debug output going to the console versus showing up in syslog is "logging debug-trace".  On goes to syslog, "no logging debug-trace" goes to console.  I've been bit by this one myself.
  ACLs on physical ports have directionality like the cable plug: "in" is from the cable entering into the switch or firewall, "out" is leaving the device to run along the cable to somewhere else.  On Catalyst switches port ACLs are inbound (receiving packets) only.  Obviously, on directly connected devices, one devices out is the other devices in.
  ACLs on SVI's depend on whether your are running a base image or services image; services images can do IPv4 and IPv6 in both directions.  However, port ACL's trump routed ACL's; if both exist, the port ACL is the only one applied.  I think if a directly connected port has no port ACL, no ACL is applied at all; routed ACL's on SVI's only apply to transitions between VLANs inside the switch, not to traffic entering physical ports.
  -- Jim Leinweber, WI State Lab of Hygiene

• Authentication via RADIUS : MSCHAPv2 Error 691

  Hello All,
  I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
  messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
  I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
  at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
  Event ID: 6273
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  real_domain
  Fully Qualified Account Name:
  real_domain\real_username
  Client Machine:
  Security ID:
  NULL SID
  Account Name:
  Fully Qualified Account Name:
  OS-Version:
  Called Station Identifier:
  Calling Station Identifier:
  NAS:
  NAS IPv4 Address:
  10.0.0.10
  NAS IPv6 Address:
  NAS Identifier:
  radius1.real_domain
  NAS Port-Type:
  NAS Port:
  101451540
  RADIUS Client:
  Client Friendly Name:
  sbc1mgmt
  Client IP Address:
  10.0.0.10
  Authentication Details:
  Connection Request Policy Name:
  SBC Authentication
  Network Policy Name:
  Authentication Provider:
  Windows
  Authentication Server:
  RADIUS1.real_domain
  Authentication Type:
  MS-CHAPv2
  EAP Type:
  Account Session Identifier:
  Logging Results:
  Accounting information was written to the SQL data store and the local log file.
  Reason Code:
  16
  Reason:
  Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  Event ID: 4625
  An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  RADIUS1$
  Account Domain:
  REAL_DOMAIN
  Logon ID:
  0x3E7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  REAL_DOMAIN
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xC000006D
  Sub Status:
  0xC000006A
  Process Information:
  Caller Process ID:
  0x2cc
  Caller Process Name:
  C:\Windows\System32\svchost.exe
  Network Information:
  Workstation Name:
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  IAS
  Authentication Package:
  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
  password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
  it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
  used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
  RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
  an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
  Here are the specs for our RADIUS configuration:
  Windows Server 2012 R2
  SQL Server 2012 Back End Database for accounting.
  The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
  The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
  RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
  Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
  Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
  time, any day.
  The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
  the authentication method of the Network Policy.
  We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
  All other configurations are set to the defaults.
  The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
  bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
  the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
  this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
  All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
  any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

  Update 1:
  In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
  Multiple Domains
  I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
  results described above.
  VPN Service
  Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
  configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
  workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
  of MSCHAPv2.
  FreeRADIUS
  Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
  same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
  are as follows:
  (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
  (1) mschap : External script failed.
  (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
  (1) ERROR: mschap : MS-CHAP2-Response is incorrect
  The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
  you can see what these codes mean:
  NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
  challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
  Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
  doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

• Using ISE guest store via RADIUS

  I have a question concerning the guest store on the ISE.
  I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
  On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
  Has anyone already implemented a similar solution or any idea how to access the guest store?
  Thanks
  Thomas

  I just created a simple setup and tested the login.
  It doesn't work with a user created as a guest account.
  If I create the user in the normal internal identity store I works fine.
  Might there be a difference between ISE Versions?
  We are currently using Version 1.1.0.665 on a VM for testing purpose.
  This is what the details show:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Users
  24210  Looking up User in Internal Users IDStore - tuser001
  24206  User disabled
  22057  The advanced option that is configured for a failed authentication request is used
  22061  The 'Reject' advanced option is configured in case of a failed authentication request
  11003  Returned RADIUS Access-Reject
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Users
  24210  Looking up User in Internal Users IDStore - tuser001
  24212  Found User in Internal Users IDStore
  22037  Authentication Passed
  Evaluating Authorization Policy
  15004  Matched rule
  15016  Selected Authorization Profile - Guest
  11022  Added the dACL specified in the Authorization Profile
  11002  Returned RADIUS Access-Accept

• Service-policy output not working in Cisco 3560 switch

  We got some Cisco catalyst 3560 that we want to control the bandwidth
  on the ports. Can this be done, and how do i do it?
  Ive got 3550s that can do policy-map with the interface command;
  service-policy output(and input) <policyname>
  But 3560 only seems to handle service-policy input.
  If i try to configure output, it says the following:
  SW(config-if)#service-policy output 4mbit-out
  police command is not supported for this interface
  Configuration failed!
  Warning: Assigning a policy map to the output side of an interface not
  supported
  Any workarounds or new ways to accomplish bandwith-control on a 3560 ?
  regards,
  Rajib

  The 3560 & 3750 (& 2960) don't support egress policy-maps. They do however support queueing so it is possible to achieve similar results by applying an ingress policer to your user ports to classify (& police?) the traffic, at the egress port you can then queue the traffic based on it's DSCP or CoS value that it was classified with (same as 3550).
  It is also possible to restrict the bandwidth in use at an egress port with the interface command 'srr-queue bandwidth limit <10-90>' where 10-90 represents a percentage of the links bandwidth. For example if you want to restrict a 100Mbps port to 10Mbps you would use the command 'srr-queue bandwidth limit 10'
  HTH
  Andy

• Error while applying the Service Policy

  Hi,
  I am getting the below error while applying the service policy to the Interface.
  I have set the mpls exp 4 as well as want to limit the bandwidth to 1Mbps
  PE#sh policy-map setexp-GBoIP
    Policy Map setexp-GBoIP
      Class GBoIP-traffic
        set mpls experimental imposition 4
       police cir 1024000 bc 32000
         conform-action transmit
         exceed-action drop
  PE(config-if)#int vlan 2007
  PE(config-if)#service-policy input setexp-GBoIP
  QoS-ERROR: Addition/Modification made to policymap setexp-GBoIP and class GBoIP-traffic is not valid, command is rejected
  As well as I have created new clas--map with priority and Bandwidth and applied in output direction, I got the belwo error while applying the Service policy in
  PE(config-if)#service-policy out TEST
  bandwidth command is not supported in output direction for this interface
  PE(config-if)#service-policy output TEST
  priority command is not supported in output direction for this interface
  Any idea why so ?
  Thanks in Advance.
  Regards,
  Nilesh

  Check the current value of IGW_AWARDS_S sequence and make sure the MINVALUE in the patch (i.e. 10000) is not greater than the current one.
  OERR: ORA 4007 MINVALUE cannot be made to exceed the current value (Doc ID 19824.1)
  You may also log a SR.
  Thanks,
  Hussein

• Policy map/ class map/ service policy for IOS xr

  Hi,
  I need to create a policy map and class map/service policy to limit the amount of bandwidth that can be used on one interface both in and out.
  I need the cap for the bandwidth to traverse this circuit to ne 10 Meg.
  the IOS xr version we are using is 4.3.4
  I was hoping someone could help me out by giving me a configuration example I could follow.
  Thank you.

  for instance like this:
  policy-map police-in
  class class-default
  police rate 10 mpbs <optionally set burst>
  policy-map shape-out-parent
  class class-default
  shape 10 mpbs <optional burst config>
  service-policy shape-out-child
  policy-map shape-out-child
  class class-default
  queue-limit 10 packets
  int g 0/0/0/0
  service-policy police-in in
  service-policy shape-out-parent out
  also have a look at CL 2013/2014 (orlando/sanfran) ID 2904 for more QOS details
  and the support forum article of "asr9000 quality of service architecture"
  xander

• Service Policy won't attach to interface - NO error

  Hi,
  Am doing some simple CE VoIP QoS for a IPSEC/GRE Customer. I try to ATTACH the policy to the tunnel outbound and the command is accepted without any error but nothing appears in the config.
  Here's the base config:
  class-map match-all IPSEC-VPN
  match access-group name IKE_ACL
  class-map match-all ROUTING
  match ip dscp cs6
  class-map match-all NETWORK-MANAGEMENT
  match ip dscp cs2
  class-map match-any VOICE-SIGNAL
  match protocol rtp
  match ip precedence 3
  match ip dscp cs3
  match ip dscp af31
  match ip dscp af32
  class-map match-any VOICE-BEARER
  match ip precedence 5
  match ip dscp ef
  match ip dscp cs5
  policy-map SHAPE-ADSL-UPLINK
  class class-default
  bandwidth remaining percent 50
  random-detect
  random-detect ecn
  policy-map VoIP-QoS
  class VOICE-BEARER
  priority percent 34
  class VOICE-SIGNAL
  bandwidth percent 5
  class ROUTING
  bandwidth percent 2
  class NETWORK-MANAGEMENT
  bandwidth percent 2
  class IPSEC-VPN
  bandwidth percent 2
  class class-default
  (config)# int t203
  (config-if)#service-policy output SHAPE-ADSL-UPLINK
  NOTHING appears in the config and sh policy-map int t100 shows an unapplied policy.
  Using:
  c836-k9o3s8y6-mz.123-8.T5
  Another bug?
  Thx

  Policy should read (nested):
  policy-map SHAPE-ADSL-UPLINK
  class class-default
  bandwidth remaining percent 50
  random-detect
  random-detect ecn
  service-policy VoIP-QoS

• Anyconnect authentication via Radius (IAS) using AD groups

  Hi all,
  I'm trying to figure out how to setup our ASA to use AD group membership to assign users a profile using Radius.  The goal is to setup different access into the network. 
  For instance, one group would be allowed full access to the network, including access to infrastructure elements (ASA, routers, etc.)
  Another group will be given basic access to the network, but no access to the DMZ.
  Another group will be allowed access to the DMZ server, but not to the infrastructure.
  We're currently using Radius (IAS) on Windows Server 2003.  Is there a way to check group membership in AD using Radius? 
  I'd like to keep this as simple as possible, so I'm thinking of each profile using a different VPN Pool, then using split-tunneling to put routes, or not, to the required networks on the users device.  The users would only belong to one group in AD.  They will be able to choose their group, but if they're not a member they should be denied.
  I've done LDAP authentication using group membership, but we need good accounting and logging so we'd like to use the Radius server.  I've looked for this info everywhere, but it's pretty elusive. 
  Thanks for any suggestions, links, step-by-step instructions or volunteers to come on-site and help

  It's significantly easier with security products like Cisco Identity Services Engine, but you're adding infrastrcture and cost. Next best thing is DAP. DAP is actually pretty easy, don't let the config guide scare you away from it. IMO MS Radius stinks for anything other than basic authentication so I never use it for anything else.

• Command "service-policy input policy-name permit-any" will not work

  Hi all,
  have a SG500 with latest Firmware, but this command will not work.
  service-policy input QoS_01 permit-any
  i get this error message:
  % Wrong number of parameters or invalid range, size or characters entered
  without the option "permit-any or deny-any" the command is successfully.
  What is the reason?
  It is important, directly to specify this options. Otherwise to lose the access to the switch.
  Regards
  Stefan

  Hi Tom,
  i have a ACL / ACE and create a QoS "policy table" put the "policy class map" (with class mappings) in it.
  And now i will bind this QoS policy to a Ethernet port.
  cli tutorial example say:
  Use the service-policy Interface Configuration (Ethernet, Port-channel) mode command to bind a policy map to a port/port-channel. Use the no form of this command to detach a policy map from an interface.
  This command is only available in QoS advanced mode.
  Syntax
  service-policy input policy-map-name default-action [permit-any | deny-any]
  no service-policy input
  Example:
  witchxxxxxx(config-if)# service-policy input policy1 permit-any
  A cisco support open a ticket for me.
  -Stefan