Per user QoS Policy in ASA

Similar Messages

• ISE 1.2 & AD & Meraki - Per User Group Policy ?

  I am working on a PoC for a deployment in an MDU. We are using Meraki switches and access points. There are 250 units in the building, each unit will have it's own subnet. The goal is to have the tenant be able to connect to a common building SSID and be placed into their assigned VLAN. There will also be physical ports in each unit that will need to do the same. I am trying to figure out a way to use ISE to authorize on a per user basis and not based on groups of users. On the Meraki system there are group policies that will assign the VLAN for the user as well as any type of layer 7 firewalling and bandwidth control. So there will be 250 group policies, one for each unit. There is a deployment guide that shows how to setup ISE for use with Meraki and it is great but it assumes that there will be large groups like Employees, Contractors, etc.. that will be used. This is where I'm being tripped up, also... this is my first swing at a NAC deployment so I have a lot to learn.
  1.Can I setup each user in Active Directory to have a tag that ISE can then forward on to Meraki for the group policy? Say it's unit 101 and I have a group policy called 101 in Meraki, Meraki documentation says to use the Airespace-ACL-Name attribute in ISE to indicate the group policy to use. This gives me the ability to place a group into that policy but not an individual. Or would this be better done by creating the users in ISE directly? Omit AD entirely?
  2. Each unit will have devices that will need MAB because they are not 802.1x compatible. I need to do the same as above with them. I would create a separate SSID for these devices but then use the MAC address to authenticate them but will need to authorize them to go into a specific group policy.
  I know this isn't a typical ISE application but I think that this will work really well in the end, just need to iron out these details and get a test system functioning. Any help would be greatly appreciated!!!
  Thanks,
  Nathan

  Please find the Meraki_ISE integration doc. in attachment.
  When VLAN tagging is configured per user, multiple users can be associated to the same SSID, but their traffic is tagged with different VLAN IDs. This configuration is achieved by authenticating wireless devices or users against a customer-premise RADIUS server, which can return RADIUS attributes that convey the VLAN ID that should be assigned to a particular user’s traffic.
  In order to perform per-user VLAN tagging, a RADIUS server must be used with one of the following settings:
  MAC-based access control (no encryption)
  WPA2-Enterprise with 802.1x authentication
  A per-user VLAN tag can be applied in 3 different ways:
  The RADIUS server returns a Tunnel-Private-Group-ID attribute in the Access-Accept message, which specifies the VLAN ID that should be applied to the wireless user. This VLAN ID could override whatever may be configured in the MCC (which could be no VLAN tagging, or a per-SSID VLAN tag). To have this VLAN ID take effect, “RADIUS override” must be set to “RADIUS response can override VLAN tag” under the Configure tab on the Access Control page in the “VLAN setup” section.
  The RADIUS server returns a group policy attribute (e.g., Filter-ID) in the Access-Accept message. The group policy attribute specifies a group policy that should be applied to the wireless user, overriding the policy configured on the SSID itself. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user.
  On the Client Details page, a client can be manually assigned a group policy. If the group policy includes a VLAN ID, the group policy’s VLAN ID will be applied to the user. 

• "Make proxy settings per-machine (rather than per user)" Group Policy setting not applied until login as a local Administrator

  We want to deploy to all our desktop the pac file to configure proxy. We have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy settings per-machine (rather than per user)", and i've add a registry key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
  Version\Internet Settings" with the pac file link.
  I've tested on my pc, and all was configured without any problem. I've try to login to my computer with another user (without admin rights) and the automatic configuration proxy was compiled and not modificable. It's seems that all works.
  But, our users are not local admin, so i've tried to deploy the GPO in a collegue computer. I've forced the update of GPO, checked on registry that all new keys are added, and i've reboot the pc. When i've check on IE settings, autoconfig URL was empty and
  grey. I'm disconnected from user and i've login to the pc with a local admin. With my surprise, the IE settings was compiled. When i'm come bac to the user profile the IE settings was compiled and not modificable.
  The problem is: i've over 750 users in 3 countries, and i don't want grant them the local admin permissions. How can i configure proxy settings via GPO without login to every machine at least one time?

  > have a Windows 2008 R2 server, and i've enabled the GPO "Make proxy
  > settings per-machine (rather than per user)", and i've add a registry
  > key AutoConfigURL in "HKLM\Software\Microsoft\Windows\Current
  > Version\Internet Settings" with the pac file link.
  In the past, we experienced various issues with machine proxy settings,
  so we don't use them anymore. The simple approach:
  Block access to the connections page through ADM template settings and
  deploy the proxy through GPP Internet Settings.
  This is what we do (with a pac file, too), and it works well :)
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• QoS roles on WLC, Per user or per conection?

  Hi guys.
  This morning I`m talking with my colleages about QoS roles on WLC and their behaviour, then a question has arisen me, because I know when I apply a QoS role or QoS profile it is a per-user role. Ok said my colleage, but What is the behaviour when several devices are using the same user with a QoS role applied?
  Good question, I always assumed that this QoS role applies to every different connection managing it like a new user connection, that is, every new connection with the same user (if the QoS role is, for example, 256k for this user) will have a bandwitdh of 256k, but now I'm not sure if the WLC manages every connection at this way or divide the bandwitdh defined for that used into as many parts as connection have with this user ( for ten connections, for example, 25,6k).
  Anyone can tell me how is the behaviour of the WLC in this scenario???
  Thanks in advanced.
  Best Regards.

  My2c.
  If you apply the values on QoS profile instead of User profile then it is applicable to users connected to that WLAN mapped QoS profile. This way total no. of users will divide the available bandwidth. However, user with p2p application might consume all available bandwidth.

• Flex connect with a per user ACL with APs locally switched

  Hi all,
  Does flex connect allow a per user ACL to be downloaded to the session with local switched, central authentication? We are using ISE for the central policy engine and have setup dACL for wired but am about to embark on WLAN. The controller is a 5508 and the. APs are 3700's.
  Second question- if the flex connect APs don't do any form of per user ACL, the other option is to have the units in regular mode where they are both centrally switched and centrally authenticated which I understand to support a per user ACL. Our WAN links are between 10mbps - 30mbps and the most latency would be around 40ms. Will this cause issues at all with the size WAN links and latency?
  Thanks
  Sent from Cisco Technical Support iPad App

  Well you are running v7.6 so FlexConnect per user radius ACL's are supported per this doc since v7.5.
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9
  As far as WAN latency, 200ms is good, but it depends in your WAN utilization now and how many AP's you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth or else you will need to QoS the capwap traffic to ensure the APs don't bounce from connected to stand alone.
  Sent from Cisco Technical Support iPhone App

• Per session QoS for LNS

  We have some LNSs running 12.4 SP Services, running with the following config (qos specific lines and currently not working):
  class-map match-all voice-signaling
  match access-group 101
  class-map match-all voice-traffic
  match access-group 102
  policy-map sub-policy
  class voice-traffic
  priority 240
  class voice-signaling
  bandwidth 16
  policy-map XXX_qos-voice
  class class-default
  shape average 256000
  fair-queue
  service-policy sub-policy
  interface Virtual-Template1
  ip unnumbered Loopback0
  ip mroute-cache
  no peer default ip address
  ppp authentication chap
  no clns route-cache
  access-list 101 remark -- SCCP/H323/MGCP/SIP --
  access-list 101 permit tcp any any range 2000 2002
  access-list 101 permit tcp any any eq 1720
  access-list 101 permit tcp any any range 11000 11999
  access-list 101 permit udp any any eq 2427
  access-list 101 permit udp any any eq 4569
  access-list 101 permit udp any any eq 5036
  access-list 101 permit udp any any eq 5060
  access-list 102 remark -- RTP Traffic --
  access-list 102 permit udp any any range 16384 32767
  in the feature set for the IOS currently running it suggests this configuration should work, however it will not apply the policy via the Cisco-AVPair command (the command is visible via the debug AAA per user so radius is working, even when we test it by applying the service-policy to the actual virtual-template it errors saying it will only work on an MPL bundle. From what I have read it is suggested that even though this feature is supposed to work, it does not in practice and an upgrade to a feature set which includes QoS:per session shaping and queueing on LNS is needed.
  If anyone has any experience of the or has any suggestion of if we can achieve our QoS for voice per session with the current IOS that would be great.

  This feature is not related to the NPE type. This feature is performance impacting so you should do some tests to see if your NPE-400 can support the number of L2TP tunnels you want with this feature enabled. If it's not the case, you will have to upgrade your NPE.
  HTH
  Laurent.

• ASA5515X - WSE,AVC and IPS - Application block per user

  Can I enable web applicaction blocking based on user or group of users with WSE license or do I need another type of license.?
  Thanks,
  Ivan

  WSE is always packaged, at a minimum with AVC. that combination on an ASA is all the licensing you need to block web applications per user. You will of course need to implement a scheme to identify your users in order to use their identity in a policy. That can be via local database (seldom used as it doesn't scale well) or via integration with your Microsoft AD infrastructure (via active authentication or optionally using the free Context Directory Agent (CDA) server running on a VM in your environment) or via something like the Identity Services Engine (ISE - a licensed product).

• Limit the number of session per user in the Wired dot1x environment with ISE 1.2

  Hello,
  I need to check if there is any configuration/workaround to limit the number of sessions/access per user in the Wired dot1x configuration.
  I need to check if this feature is available or not to solve the following scenario:
  I have 2 SW ports configured to use dot1x authentication with ISE 1.2 server.
  If user A connects to the 1st port and authenticated then he will placed on a VLAN based on the authorization profile.
  The case, that I need to deny the same user to connect on a different machine with the same credentials.
  The ISE itself does not have this feature currently,  the only feature available is to limit the number of sessions for the guest user.
  Is there any workaround on the Cisco switches to solve this? Cisco WLC has this feature and for the VPN we can limit the number of sessions also from the ASA itself.
  Thanks.

  limit number of session per user using wired dot1x is not available in 1.3

• Is there any other way to achieve per user call forward restriction other than to create multiple voice policies?

  Hello,
  We mentioned the environment details below:
  Environment
  In our PBX environment, currently a user can forward calls to any local (within a region) internal extension. But for external PSTN call forwarding, a user needs to send a request and be approved by their manager. And the forwarding restriction
  is applied such that user is only allowed to forward to that particular PSTN number - to prevent toll fraud.
  Moving forward to Lync, using voice policy's call forwarding and simultaneous ring PSTN usages, I can set it to allow forward and simultaneous ring to custom PSTN usage and a custom route that will only send calls to these pre-approved
  external numbers.
  Outcome
  But in such a scenario,
   sSince all the custom external allowed numbers will have to be put into a single Route match table, User A will be able to successfully
  set up call forward to User B's number. (if they come to know about it somehow, that is)
  rü 
  Route matching list will be very long due to the number of users per hubsite that has call forwarding enabled.
  Questions
  Is there any other way to achieve per user call forward restriction other than to create multiple voice policies ? MSPL may be ?  
  2. Is there a limit in the number of entries you can have on the Route pattern matching regex expression ?
  Please advise. MANY THANKS.

  1) I think multiple policies may be your best bet, though it's not a fun one to manage, I agree.  MSPL could do it, but it would be more complex to maintain in the end.  Even gateways have limitations on routes.
  2) I'm not aware of a limit, though I'm not saying there's isn't one.  But if you hit it, you could move to a second usage/route combo.
  I'd suggest building out some PowerShell usage/route creation/organization script for this so it's not something that would need to be maintained within the GUI.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Using Windows Server 2012 per-User RDS CAL on Server 2008 R2 Session Host

  I have a Remote Desktop Licensing Server setup on my domain controller running Windows Server 2012 R2. I have installed a
  ’Windows Server 2012 Remote Desktop Services per-User CAL’ there and activated the licensing server already.
  Currently I use ONLY Windows Server 2008 R2 machines as RDS Session Hosts (in the future I plan to transition them to 2012 R2, hence the CAL I bought is
  already in the newest version).
  I have already configured my WS 2008 RDS Session Hosts: set
  Per-User licensing mode and specified license server address. The connectivity between my Session Host(s) and my License Server seems to be ok as the
  Remote Desktop Session Host Configuration window on the Session Host correctly lists the 2012 per-user
  license (CAL installed on server) from the license server.
  On the License Server I can also see event logs entries (in
  Microsoft-Windows-TerminalServices-Licensing/Admin), indicating that the user has been issued a license.
  The issue I am having is that the license being issued is
  2008 Per User CAL license (Build-in OverUsed - temporary) and not the 2012 Per User CAL license which is the only license installed on the server. According to the RDS CAL interoperability matrix at
  social.technet.microsoft.com/wiki/contents/articles/14988.rds-and-ts-cal-interoperability-matrix.aspx, I was expecting the 2012 license to be backward-compatible with 2008 client (and that
  in the absence of legacy licenses, the (only) 2012 license would be used for all clients connecting to the licensing server)
  Before I bought my license, I found this document: 
  download.microsoft.com/download/3/D/4/3D42BDC2-6725-4B29-B75A-A5B04179958B/WindowsServerRDS_VLBrief.pdf 
  which says that - "newer version RDS CALs can be used with an older version of the server software" (In section FAQ, Q4), which means to me that
  the 2012 license would work as-is for the 2008 Server and gives me flexibility when upgrading to the new server version.
  How can I make this CAL work in my environment? 
  Note:
  I have already explicitly disabled
  Prevent license upgrade Group Policy setting which I assumed would fix the issue but nothing has changed.
  Then I have enabled License server security group Group Polity setting
  and added computers from my domain to RDS Endpoint Servers AD group. I have also created new AD group called
  Terminal Server Computers and added the computer accounts there, but it changes
  nothing. Reference - technet.microsoft.com/en-us/library/ee791761.aspx , technet.microsoft.com/en-us/library/cc725704.aspx and blogs.msdn.com/b/rds/archive/2009/09/17/control-the-issuance-of-rds-cals.aspx.
  I found one potential ‘workaround’ which involved manually downgrading my CAL license by calling
  Microsoft Clearinghouse. I am very reluctant do to so because, as I upgrade parts of my infrastructure to Server 2012, I’d need to then ask Microsoft to manually upgrade a part of my license back as well.
  Am I missing something? What should I do to get my 2012 CAL to be issued to 2008 R2 server

  Hi, I have tried several other possibilities.
  I change expire date for my temporary assigned license (2008 CAL overused). It can be done, by changing Active Directory user properties – msTSExpireDate. When I restart my Session Host server and logged again, my license was renewed
  for next 60 days (event ID - 4145).
  I also delete information about license for this user (clear msTSExpireDate and msTSLicenseVersion). And the license was successfully removed from License Manager. After another SH restart it gets the same – 2008 overused – license
  (event ID 4143 - license server has successfully issued …)
  I now, that changing info in AD attributes is a little trick, and this is not a real value - only a reference, but it was useful to delete or change expiration date of license. But it didn’t change type of license as I expected.
  Reference -
  http://discussions.citrix.com/topic/243320-windows-2008-licensing-questions/
  To TP:
  I have found your post with information:
  If you have a Server 2012 RD Licensing server you may install your 2012 RDS CALs on it (no downgrade necessary) and then set your Server 2008 R2 RDSH to
  use the 2012 RDL server.  The 2012 RD Licensing server will automatically issue the CALs as 2008. -
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/6046ded1-96bf-4d79-89ce-38aac2a6694e/can-we-use-windows-server-2012-rds-cal-license-in-rds-2008-r2-server?forum=winserverTS
  And it showing my situation in brief. I also found
  similar problems, but the solutions don’t meet my expectations.
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/dcfb1966-89a8-4b5d-bf5a-ff03ac0b7a66/rds-cal-licenses-not-recognized?forum=winserverTS
  – “sudden all of the CALS were available”
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/f1228599-8452-4a3e-a263-061de14bfcfe/server-2012-rds-builtin-overused-cals-issue?forum=winserverTS
  – “this should go away after a while”
  Is there a way to determine this time you mentioned before? Or should I just wait patiently…

• Per user bandwidth rate limit.

                     How to configure per user bandwidth rate limit for wireless guest client, authentication server is ISE 1.2 & wireless controller is 5760.

  The Cisco 5760 WLC supports better QoS than other c
  ontrollers, allowing prioritization of mission-crit
  ical
  applications:
  ●
  The Cisco 5760 WLC supports four wireless hardware
  queues and priority-based queuing compared to
  software-based queuing in existing controllers.
  ●
  The Cisco 5760 WLC follows MQC based commands, allo
  wing usage of exact commands for configuring
  QoS on different types of network devices.
  ●
  The Cisco 5760 WLC supports QoS policies to be appl
  ied in a hierarchical fashion with more granularity
  per SSID per radio, while on the current controller
  s granularity is per WLAN.
  ●
  The Cisco 5760 WLC supports approximate fair bandwi
  dth to make sure of fairness at client, SSID, and
  radio levels for Non-Real Time (NRT) traffic. There
  fore, if one user consumes excessive bandwidth, we
  can
  limit the amount of bandwidth that user receives an
  d thereby not deprive other users.

• Cisco WLC 5508 - WLAN Per-User Bandwidth Contracts

  Hi,
  I setup per-user bandwidth contracts on my guest anchor controller. The controller model is 5508 and firmware is 7.4.121.0.  No Qos settings were configured on the foreign controllers.
  The bandwidth limits for the WLAN worked correctly for a couple of weeks, then speed reduced to almost nothing. I removed the WLAN bandwidth limits and speed was back to normal again.
  Has anyone else run into this issue? Any ideas why it might have happened?
  Thanks,

  If Scott does not mind an add-on.  The 3850 also supports per client QOS.
  Page 16 - 
  http://www.cisco.com/c/dam/en/us/products/collateral/switches/catalyst-3850-series-switches/guide_c07-727066.pdf

• 802.1X and per user vlan

  hi all,
  I would like to know if i can assign one user in a vlan with 802.1X in a wireless environment ?
  if yes,Do i need a particular radius server or is this feature "basic" on ias,acs,meetinghouse funk..
  Can i have a vlan authentication policy (i.e vlan 2 no authen, vlan 3 eap-md5 )
  Can i authenticate user1 on domain1 and user2 on domain2 on the same AP with a radius ias,acs or other?.
  Thanks

  I take a stab at some of this...
  I have per user VLANS setup on my 1220 AP's and am using 2003 server IAS for the radius server. I also had it working on 2000 server.
  I have one VLAN with no authentication and others for my users that do authenticate. They are authenticating using MS PEAP and UN/PW combo.
  Here is a link on VLANS for the VXWORKS series of AP's
  http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html
  This one is for IOS (looks new I haven't read it yet..)
  http://www.cisco.com/en/US/customer/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml
  Finally another link -
  http://www.cisco.com/en/US/customer/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
  I am not sure about the different user/domain combos since I only have one domain here. There are also some good posts in this forum, do a search for per user vlan, etc.
  Good Luck.
  Don

• [Forum FAQ] Troubleshoot the error "The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode"

  Symptom
  RD License server is a key component of RDS. It licenses users to access RDS servers.
  After purchase the required RDS CALs, we need to activate the RDS License server and install the purchased RDS CALs. However, during the installation or after installation, we may face errors
  about RDS License.
  In most cases, the following error may occur.
  Error:
  The Remote Desktop Session Host server is in Per User licensing mode and No Redirector Mode, but license server "Server name" does not have any installed licenses with the following
  attributes:
  Product version: Windows Server 2012
  Licensing mode: Per User
  License type: RDS CALs
  Troubleshooting
  1. Check whether the RD License Configuration is configured properly and there are no Warnings in the Event.
  2. The License Server should be part of 'RD Server License' group in Active Directory Domain Services.
  3. Check if the Licensing Mode is correct.
  - To change the Licensing Mode we can use RD Licensing diagnose, PowerShell cmdlet and Group Policy.
  Via PowerShell cmdlet:
  To change the licensing mode on RDSH/RDVH:
  $obj = get-wmiobject -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
  $obj.ChangeMode(value)
  # Value can be 2 - per Device, 4 - Per user
  Via Group Policy
  Path: Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
  Use the specified RD license servers = FQDN of server name
  Set the Remote Desktop licensing mode =
  Per User
  However, if issue persists, please provide detailed information and post the question in the
  Remote Desktop Services (Terminal Services) forum.
  Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

  Hi Richard,
  You need to uninstall Remote desktop session host feature. After removing it, you will default two connections which does not need to purchase RD CALs'.
  Thanks,
  Umesh.S.K

• What is "deny mach-per-user-lookup"

  I went to console to investigate system crashes (i believe to be an openGL issue unrelated to this) and i saw a number of these:
  5/26/10 1:22:42 AM sandboxd[330] sshd(1056) deny mach-per-user-lookup
  There were 883 messages over 8.5 hours, mixed in with occasional:
  Allow sshd-keygen-wrapper connecting from 217.27.150.178:55936 to port 22 proto=6
  I traced the IP back to Kiev… in Russia. That's odd. I did a search around and found mention of people with snow leopard, 10.6.2 or 3 (which i have) reporting this but the conversations were varied…
  could someone explain 'deny mach-per-user-lookup' for me, and elaborate on the sshd attempts? I don't know if i should be concerned. I do have an RSA key-only tunnel set up with my work computer, but i had believed this was to be the most secure set up possible and these seem to be on port 22 which is common FTP anyway. OS firewall is up otherwise allowing the common connections like fire sharing and SHH, my router is set for 'inbound and outbound accept' as its security policy, but regardless, all but a couple dozen specific ports are blocked.
  Thanks for any input—

  Nmap scan report for 217.27.150.178.sitel.com.ua (217.27.150.178)
  Host is up (0.24s latency).
  Not shown: 89 closed ports
  PORT STATE SERVICE
  21/tcp open ftp
  22/tcp open ssh
  25/tcp open smtp
  80/tcp open http
  110/tcp open pop3
  135/tcp filtered msrpc
  139/tcp filtered netbios-ssn
  445/tcp filtered microsoft-ds
  1720/tcp filtered H.323/Q.931
  3128/tcp open squid-http
  3306/tcp filtered mysql
  From the scan, it appears to be some sort of server, possibly a private proxy server.
  Perhaps someone is using it to anonymously attempt connecting to your machine.
  Unless you are running a server, I say you need to beef up your security a bit. Close up
  some of those ports you have opened up to the Internet.