QoS for wireless clients

hi
We would like to give more priority for laptops vs mobile phones/tablets in our corporate SSID. Today all of them connect to same SSID.
What would be the recommended way to carry this out?
1. We mark packets coming from laptops using a COS value
2. This COS /DSCP value need to be trusted on our switches
3. Controller assigns dedicated bandwidth to the laptops
4. All other devices get lesser bandwidth                  
the general idea is to make a distinction in terms of bandwidth available to clients .. Currently we plan to install 2600 AP's in our environment to cater to about 2000 equipment .. we have a tight budget in terms of number of antennas we can buy. So we plan to install around 32 antennas for supporting 2000 equipment and hence the need for prioritisation

Well you can mark the packets on the laptops to a higher COS level, that would work since the WLC will not mark a packet higher than what the 802.1p tag.  The thing is what your trying to accomplish is a way to just give laptops more bandwidth that any other device, using one ssid.  The issue I see is that all devices have to be able to use the encryption and authentication method for that one ssid.  Also you can still oversubscribe an access point and even traffic for the laptops could affect each other.  As long as the non-laptops don't also mark their traffic up, I think you would be able to set the traffic in the appropriate queues.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"

Similar Messages

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have set-up with below devices :
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    since i am new in ACS 5.1 configuration , I need so information to go ahead to configure ACS 5.1.
    which EAP method to use for wireless client authentication ? what is the best practice ?
    I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
    I have no clear picture for this certificate ?
    from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
    I will be obliged to get atleast initial configuration for ACS 5.1 to enable the EAP method,
    I need GUI based initial configuration for ACS 5.1
    This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.

    Hi,
    which EAP method to use for wireless client authentication ? what is the best practice ?
    -> I would advise the most widely spread EAP method, which has the best ratio security/easy to deploy: PEAP with MSCHAPv2, which is available by default by all windows machines.
    I  have gone through some cisco documents and it shows that best practice  is to configure PEAP but for the same , I need to install certificate in  ACS server as well in client PC. is that so ?
    -> You will always need to install a server certificate, however, there is no need for client certificate because the authentication is based on the MSCHAP credentials exchange, not certificate based. The only requirement on the client regarding certificates is the following.
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not require to trust the server certificate, you can simply disable the option of server certificate validation.
    I have no clear picture for this certificate ?
    from  where i can get this certificate or do i need to purchase this  certificate separately from cisco. how to install it in ACS server ?
    -> The server certificate can be a simple self signed certificate that you generate and install on the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Network printers drop for wireless clients

    I am having a serious problem with my Airport N. My Epson CF11NF (a laser all-in-one which is connected via ethernet to the Airport) is continuously disappearing for wireless clients. All the wired machines can see and print fine, but the printer becomes invisible for wireless clients. The problem is resolved by unplugging and plugging back in the Airport, but I am having to do this more than once a day, which is not acceptable.
    Has anyone experienced this problem? Any advice on what is going on? Should I return the Airport? The wireless clients are all running OSX 10.5.1. The wired clients are all running OSX 10.4. Could this be the issue?

    Others are having similar issues and symptoms, however, I've seen no solutions yet. My Airport Extreme disappears also but access to the internet is unaffected. I can also still access my iMac from my MacBook (iMac still shows up in Finder as a shared volume), however, once the AEBS drops from view I can no longer access printers on the network. (One connected to a networked PC and the other connected to the AEBS.) Both Macs are running Leopard.
    Anyway here's a link that others are using to discuss these issues. Good Luck. http://discussions.apple.com/thread.jspa?threadID=1197872

  • Wireless 3850 and Web-Auth for Wireless clients

    Hi
    I can't get the web-auth feature to work properly on the Catalyst 3850 for wireless clients.
    Internet is all tested and there is full IP connectivity.
    Issue is when I enable the webauth feature on the SSID. Incidentally when I enable the SSID to use consent it works.
    I am using local authentication for the guest users.
    When user logs onto the wireless, they get to the landing page, and are able to enter the credentials then there is a 30 second pause. The client detail says WEBAUTH_PEND and then a pop up window comes back as seen below
    Config below
    interface Vlan302
    description **** Wireless Guest ****
    ip address 10.145.224.161 255.255.255.224
    ip helper-address 10.144.214.134
    ip helper-address 172.17.2.56
    ip http server
    ip http secure server
    ip dhcp snooping
    wlan XXXXX 2 XXXXXX
    aaa-override
    accounting-list default
    client vlan 302
    ip flow monitor wireless-avc-basic input
    ip flow monitor wireless-avc-basic output
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security dot1x authentication-list WEB_AUTH
    security ft
    security web-auth
    security web-auth authentication-list WEB_AUTH
    security web-auth parameter-map vit_web
    no shutdown
    parameter-map type webauth vit_web
    type webauth
    security web-auth parameter-map vit_web
    user-name Guest1
    creation-time 1390837878
    privilege 15
    password 7 022D0156060F1B351D
    type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
    user-name Guest2
    creation-time 1390838016
    privilege 15
    password 7 0724244143000D1145
    type network-user description Temp-Guest-User guest-user lifetime year 0 month 1 day 0 hour 0 minute 0 second 0
    aaa new-model
    aaa authentication login WEB_AUTH local
    aaa authorization network WEB_AUTH local

    Hey Greg,
    Did you also define the global webauth parameter? I think I had to do this to get my 5760 "working" or as working as these new controllers can be.
    parameter-map type webauth global
    type webauth
    virtual-ip ipv4 x.x.x.x wlc.whatever.org
    max-http-conns 50
    Also I had to enable http server in addition to secure server
    ip http server
    ip http secure-server
    Are you using a self signed cert?
    I saw windows clients take a long time to load the page when using a self signed cert.
    MAC clients dont seem to work if you use the IOS or OSX based logon. You'll need to disable the auto logon and launch a browser for the redirect. There was a bug ID around this MAC problem which was supposedly resolved in 3.3.1SE  but I still have the problem.
    -Kyle

  • Bridge does not work for wireless clients - connecting to existing network.

    Hi - I really hope somebody can help out here, after hours of trial & error, I have finally given up
    I need to connect my Airport Extreme Base Station to my existing network. I have a linksys router (192.168.15.1) connected to my modem and this linksys router acts as DHCP server too.
    I suppose I have to use "bridge mode" for that to work. But should the linksys be connected to the AEBS using the AEBS's WAN or LAN port?
    If I use "bridge mode", then wired computers to the AEBS works fine - getting an IP from the linksys etc. BUT, the wireless clients will have a self-assigned IP and not get through to the internet. It's like the AEBS will not allow wireless clients to "get through" unless AEBS itself is handing out IP addresses.
    Page 36 of this manual ( http://manuals.info.apple.com/en/DesigningAirPort_Networks10.5-Windows.pdf ) shows the setup I want. But in the picture, it says "Ethernet WAN port" but the text says: "The Apple wireless device (in this example, a Time Capsule) uses your Ethernet network to communicate with the Internet through the Ethernet LAN port ( <--> )." I don't know which one to use, WAN or LAN - they show WAN but say LAN?
    When I set it up as "share an IP address", the AEBS status tells me "double nat" and to change from "shared IP" to "bridge mode". I do that, and everything seems fine - for the wired clients. Now the wireless clients cannot connect, Airport on the MacBook Pro just say "Connection failed" and the MacBook says "Invalid password" (translated from danish), even though I set the Airport Utlity to save the password in keyring, so it should be correct... If I disable wireless encryption, the wireless clients will connect but get a self-assigned IP, and therefor not work (cannot get online)...
    It seems the only way I can get wireless to work, is if I set AEBS up as DHCP, but then it won't be on the "same network" as the linksys (192.168.15.1), but rather on 10.0.x.x as I select. If I select 192.168.x.x within AEBS, I'm also getting some error messages, conflict/subnet thing.
    Anyway - I really hope somebody knows how to get wireless clients to get an IP address from existing ethernet when connected to the AEBS.
    Thanks!!

    I've given up and had to go back to running "Double NAT" which also reports as a "problem" within the AEBS, but I just "ignore" it so the light will always be green.
    It still ***** though, as "Double NAT" is also a reason for "Back to my Mac" not working properly, but how the ** am I supposed to avoid Double NAT when the wireless will not work in bridged mode?!

  • Can router dhcp different addresses to different vlans for wireless clients

    is it possible for the router to hand out different ip's to wireless clients on different vlans?

    Yes, the router needs to have a dhcp pool on each subnet and have an "interface Vlan x" for each vlan. It will then assign ips to clients in different vlans.
    One vlan per SSID.

  • WRT54GX2 Wireless Security Enabled DHCP blocked for wireless clients

    Hey gang,
    My subject says it all.  Yesterday  I updated my WRT54GX2 version 1's firmware to the latest and greatest.I first reset the box, and rebooted. I updated the firmware. On the first attempt I picked the wrong image file. The machine halted and told me bad image. I then found and installed the correct image. I then added an Admin password, and entered a new SSID. I left the DHCP settings at the default. I then set wireless security at WPA Personl/WPA2 with TKIP&AES.
    I found the wired client could obtain an IP address and to connect to the internet. The wireless clients could connect, but could not obtain an IP address.
    I left the wireless security settings off.
    Any suggestions?

    The wireless security settings are correct. The wireless clients "CONNECT" to the WRT54GX2. The clients stall on obtaining an IP address via DHCP. Fixing the clients with static IP addresses also does not work.
    I repeat: The wireless clients successfully connect to the WRT54GX2. The WPA/WPA2 & TKIP/AES settings are correct. The clients cannot receive a dynamic IP address.
    On Friday I will reset the box for 30+ seconds. I doubt this will have any effect. I reset it on Tuesday twice on Tuesday, and still have the problem.
    Any help appreciated.
    -WJ

  • What are steps configure Certificate based authentication for Wireless clients with ACS 5.3?

    I need to autheticate my clients connecting via wireless.
    clients have user certificate installed on them, i need help configuring the ACS to do the authentication.
    can some one please help me with the steps.
    Thanks

    Two primary steps
    - define the trust certificates needed to verify the clients user certificates
    Users and Identity Stores > Certificate Authorities
    - change result of identity policy to select a certificate authorization profile. If have the defautl config
    Access Policies > Access Services > Default Network Access > Identity
    by default can select the "CN Username" as a result

  • SNMP OID for wireless client

    Dear Netpro Community,
    I would like to know whether the following OID talks about the number wireless clients joining the AP at which OSI layer.
    Rgrds,
    Beno

    Sry, the oid information is here:
    Object cDot11ActiveWirelessClients
    OID 1.3.6.1.4.1.9.9.273.1.1.2.1.1
    Type Gauge32
    Permission read-only
    Status current
    Units Device
    Range 0 - 2007

  • Cisco ISE - Computer and User Authenticiation on AD for Wireless Clients.

    Hello all,
    I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
    The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
    I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
    Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
    Thanks a lot for your help.
    The followings screenshots show the logs appearing in the ISE :  
    Kind regards, Emeric.

    This is a great question and I wanted to add my input and I have a question as well. My understanding in order to do both Machine and User EAP-Chaining is required, which used EAP-FAST. 
    In my testing, when a domain box is configured for computer/user authentication. When the laptop started up it will authenticate with a host/ and sid in the log.
    When the user logs in you then see the user ID.
    For my benefit when rule are you talking about ?
    Thank you 

  • DHCP only works for wireless clients on Time Capsule. How to fix?

    Hi All,
    I have a question concerning the DHCP server on my Time Capsule. I'm posting here because I think you network pros lurking in this forum probably have way more insightful advice than the n00bs in the Time Capsule forum
    My DHCP server on the Time Capsule only works for clients connected wirelessly to that specific access point; clients plugged directly into the network via ethernet and through other APs do not receive a DHCP assignment from the Time Capsule.
    How can I get the Time Capsule to serve DHCP addresses to EVERYONE on the network, not just clients connected via the Time Capsule?
    Thanks,
    Chris

    I don't know that TC provides that. Switch the TC over to its bridged mode (also known as an Access Point or AP), and run a DHCP Server on Mac OS X Server (fodder for this forum) or a DHCP server on another available device. Less desirable though feasible (so long as the IP address pools are coordinated and non-overlapping with other pools or static addresses), run multiple DHCP servers.

  • Cisco ISE 1.3 using 802.1x Authentication for wireless clients

    Hi,
    I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
    I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
    MACHINE AUTHENTICATION
    match
    framed
    Wireless
    AD group (machine)
    USER AUTHENTICATION
    match
    framed
    Wireless
    AD group (USER)
    was authenticated = true
    Below are steps taken to authenticate any ideas would be great.
    11001  Received RADIUS Access-Request  
      11017  RADIUS created a new session  
      15049  Evaluating Policy Group  
      15008  Evaluating Service Selection Policy  
      15048  Queried PIP  
      15048  Queried PIP  
      15048  Queried PIP  
      15006  Matched Default Rule  
      11507  Extracted EAP-Response/Identity  
      12300  Prepared EAP-Request proposing PEAP with challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated  
      12318  Successfully negotiated PEAP version 0  
      12800  Extracted first TLS record; TLS handshake started  
      12805  Extracted TLS ClientHello message  
      12806  Prepared TLS ServerHello message  
      12807  Prepared TLS Certificate message  
      12810  Prepared TLS ServerDone message  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12318  Successfully negotiated PEAP version 0  
      12812  Extracted TLS ClientKeyExchange message  
      12804  Extracted TLS Finished message  
      12801  Prepared TLS ChangeCipherSpec message  
      12802  Prepared TLS Finished message  
      12816  TLS handshake succeeded  
      12310  PEAP full handshake finished successfully  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      12313  PEAP inner method started  
      11521  Prepared EAP-Request/Identity for inner EAP method  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11522  Extracted EAP-Response/Identity for inner EAP method  
      11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated  
      15041  Evaluating Identity Policy  
      15006  Matched Default Rule  
      22072  Selected identity source sequence  
      15013  Selected Identity Source - AD1  
      24430  Authenticating user against Active Directory  
      24325  Resolving identity  
      24313  Search for matching accounts at join point  
      24315  Single matching account found in domain  
      24323  Identity resolution detected single matching account  
      24343  RPC Logon request succeeded  
      24402  User authentication against Active Directory succeeded  
      22037  Authentication Passed  
      11824  EAP-MSCHAP authentication attempt passed  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response  
      11814  Inner EAP-MSCHAP authentication succeeded  
      11519  Prepared EAP-Success for inner EAP method  
      12314  PEAP inner method finished successfully  
      12305  Prepared EAP-Request with another PEAP challenge  
      11006  Returned RADIUS Access-Challenge  
      11001  Received RADIUS Access-Request  
      11018  RADIUS is re-using an existing session  
      12304  Extracted EAP-Response containing PEAP challenge-response  
      24423  ISE has not been able to confirm previous successful machine authentication  
      15036  Evaluating Authorization Policy  
      15048  Queried PIP  
      15048  Queried PIP  
      24432  Looking up user in Active Directory - xxx\zzz Support  
      24355  LDAP fetch succeeded  
      24416  User's Groups retrieval from Active Directory succeeded  
      15048  Queried PIP  
      15048  Queried PIP  
      15004  Matched rule - Default  
      15016  Selected Authorization Profile - DenyAccess  
      15039  Rejected per authorization profile  
      12306  PEAP authentication succeeded  
      11503  Prepared EAP-Success  
      11003  Returned RADIUS Access-Reject  
      5434  Endpoint conducted several failed authentications of the same scenario  

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
    log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

  • Bandwidth Management for Wireless Clients

    We are looking at putting in a solution at a hotel for Free Guest WiFI
    The solution would cover 4 floors and about 120 rooms and some open areas .
    In short the hardware would look as follows
    2500 controller
    1142LAP
    2960 PoE switch
    878 Adsl router for internet connectivity (20Mbps/1Mbps internet ADSL feed)
    One of the concerns raised by the client is that they would like to make sure that no single user could eat up too much bandwidth creating problems for the rest of the users .
    Can the above KIT or something similar achieve this objective? As far as I can think of we would require a Proxy server .
    Thank you

    Hi Scott,
    Thank you for your response.
    It would be better for users to not have to log on against a web interface. As this is a hotel they would not want to have the admin effort of creating/enabling/disabling users especially since this will be free.
    Instead what would suit their needs is a sort of a protection mechanism against "crazy big" downloads . Ideally without the need of a 3rd party that would require them to buy a server as well .
    Thanks
    Michalis

  • Does LAN leave more signal for wireless clients?

    This may seem like a silly question, but...
    My main computer is next to the extreme base station. If I run an LAN to it, will it essentially leave more signal for the 2 iMacs upstairs to access wirelessly?

    Actually the question is far from silly...
    And you are right, while the Extreme can handle a large number of computers simultaneously, there IS a limit on bandwidth. So if the two upstairs iMacs were busy copying some files between each other, and you started downloading something from the internet on your main computer, it is possible that would cause the copying between the iMacs to slow down. But if the main computer was connected via the LAN port, the iMacs would be unaffected (assuming the Extreme can handle all the data on its internal circuitry at those rates).
    I think the real question is how likely is the above scenario? If a computer is not actively using the wireless (actually sending or receiving data) then the bandwidth is preserved. It might just boil down to which is most convenient...
    MacBook Pro   Mac OS X (10.4.8)  

  • AX Setup tips for wireless clients?

    This is driving me buggy. I have successfully use AX with my iBook and now my Macbook with no problems. But, whenever any other client wants to use my internet connection via AX, it indicates "connected to internet..." but will not load web pages.
    I have checked "distribute IP addresses" in AdminUt, but there has to be some other setting I'm missing. Anyone??

    This is driving me buggy. I have successfully use AX with my iBook and now my Macbook with no problems. But, whenever any other client wants to use my internet connection via AX, it indicates "connected to internet..." but will not load web pages.
    I have checked "distribute IP addresses" in AdminUt, but there has to be some other setting I'm missing. Anyone??

Maybe you are looking for

  • "DBIF_RSQL_SQL_ERROR" CX_SY_OPEN_SQL_DBC   --- Error in BW

    Hi All, Short dump is occuring while trying to activate the data in the ods. The ods consists of 5 million records. I have gone through the short dump analysis. The error is showing that the file system is full. Database error text........: "SQL0968C

  • File System Task - using a wildcard in variable

    Hi,When using the "delete file" operation in the file system task I get an error stating that I have an incorrect path when using the wildcard symbol.  Is there a way around this or do I have to spell out the whole name for each file in the directior

  • Iphone 4 will not sync with itunes on Windows 7 64 bit

    My iphone 4 will not sync with itunes on Windows 7 64 bit. My computer recognizes the iphone but Itunes does not. Any suggestions?

  • Table Selection Listener

    Hi, I wold like to know if there is any way that I can invoke #{bindings.myVO.collectionModel.makeCurrent} from the backing bean. Thanks. Regards, K.Hein

  • How to copy a PLD in one database to another.

    Hi, How can we copy a PLD in one database to the other without using Copy Express. I tried openin up the PLD in the Test DB and copying it over to the Live DB, using Edit copy and Paste, but it doesn't work.... Is there any other way it can be done?