Radius Attributes Supported by WLC? Guest bandwidth limiting

Hello all..
I've seen several mentions of limiting guest user traffic usage by QoS settings and policy maps. But my issue with this is that it's a global setting for that SSID. In my case, I have a 'Submit' button on our Guest Internet page that does a hidden login of the user Guest. In the past, I would apply a session timeout of 3 hours and limit the bandwidth by quite a bit. However, for vendors and visitors that come in, there was a login section where they could input the user/pass given to them by the helpdesk and, with RADIUS attributes, have an extended timeout with greater bandwidth. However, I haven't been able to get this to work on the controller-based service, other than the timeout attribute. Is anyone doing it this way? What attributes does the WLC support?

Have you looked at the v4.2 code? You can create different QoS Roles, and then assign different people to different roles.
I've never tried this through RADIUS though.
Regards,
Richard
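The per-user attributes this page discusses (Session-Timeout, which the original poster already had working, the WISPr-Bandwidth-Max-Up/Down pair and the Airespace-QoS-Level VSA that come up in the similar threads below) are all carried in the RADIUS Access-Accept as plain or vendor-specific TLVs. The following added example (not from any post here, and not Cisco code) encodes such an Access-Accept attribute list and parses it back with bounds checks, so a RADIUS administrator can see exactly what the server must emit; the attribute and vendor numbers are from the public WISPr and Airespace dictionaries, and whether a given WLC release honours each attribute is not something this thread establishes.

```python
import struct

# Attribute numbers from RFC 2865 plus the two vendor dictionaries involved
# (IANA enterprise numbers: WISPr 14122, Cisco Airespace 14179).
SESSION_TIMEOUT = 27          # IETF Session-Timeout, seconds
VENDOR_SPECIFIC = 26
WISPR_VENDOR = 14122
AIRESPACE_VENDOR = 14179
WISPR_BW_MAX_UP = 7           # WISPr-Bandwidth-Max-Up, bits/s
WISPR_BW_MAX_DOWN = 8         # WISPr-Bandwidth-Max-Down, bits/s
AIRESPACE_QOS_LEVEL = 2       # Airespace-QoS-Level
QOS_LEVEL = {"Silver": 0, "Gold": 1, "Platinum": 2, "Bronze": 3}

def attr(attr_type, value):
    """Pack one attribute as Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute (RFC 2865 5.26): Vendor-Id then a nested TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def guest_policy_attributes(timeout_s, max_up_bps, max_down_bps, qos_level):
    """Attribute list a RADIUS server would return for one user's own policy."""
    return (
        attr(SESSION_TIMEOUT, struct.pack("!I", timeout_s))
        + vsa(WISPR_VENDOR, WISPR_BW_MAX_UP, struct.pack("!I", max_up_bps))
        + vsa(WISPR_VENDOR, WISPR_BW_MAX_DOWN, struct.pack("!I", max_down_bps))
        + vsa(AIRESPACE_VENDOR, AIRESPACE_QOS_LEVEL,
              struct.pack("!I", QOS_LEVEL[qos_level]))
    )

def parse_attributes(data):
    """Walk an attribute list; VSAs keyed by (vendor_id, vendor_type), IETF by type."""
    out, pos = {}, 0
    while pos < len(data):
        t, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + length]
        if t == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack_from("!I", value)[0]
            vpos = 4
            while vpos < len(value):
                vt, vlen = struct.unpack_from("!BB", value, vpos)
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA at offset %d" % pos)
                out[(vendor, vt)] = value[vpos + 2:vpos + vlen]
                vpos += vlen
        else:
            out[t] = value
        pos += length
    return out

def describe(attrs):
    name_of = {v: k for k, v in QOS_LEVEL.items()}
    u32 = lambda b: struct.unpack("!I", b)[0]
    return {
        "session_timeout_s": u32(attrs[SESSION_TIMEOUT]),
        "max_up_bps": u32(attrs[(WISPR_VENDOR, WISPR_BW_MAX_UP)]),
        "max_down_bps": u32(attrs[(WISPR_VENDOR, WISPR_BW_MAX_DOWN)]),
        "qos_level": name_of[u32(attrs[(AIRESPACE_VENDOR, AIRESPACE_QOS_LEVEL)])],
    }
```

The sample values (a 3-hour guest session, 512 kbit/s up, 2 Mbit/s down, Bronze) are constructed to mirror the poster's guest policy, not taken from any controller.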

Similar Messages

  • Filter RADIUS Attributes transmitted by WLC?

    Afternoon all,
    I've got an 8510 on the latest 7.6.120.0 software and I have a standard WPA2/802.1x wireless LAN. When users authenticate we send their traffic off to a RADIUS server, but when we do, the WLC includes all sorts of superfluous RADIUS attributes in the request (various things like default VLAN ID and all sorts of Cisco Airespace bits).
    The RADIUS server we're using can't filter these attributes out, so I'd like to find a way of having the WLC not send them in the first place... Any suggestions?
    Cheers,
    Richard

    Hi Richard,
    As far as I know you cannot do anything on the WLC to stop this.
    Did you speak to TAC and ask about this? Not sure there are any hidden commands to do this though.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • WLC Radius Attribute support

    Hi,
    WLC is running the 4.0.217.203 version. I managed to find Document ID: 96103 but it did not mention the supported WLC version.
    Do I need to upgrade the WLC ?
    Regards,
    Ron

    Exactly... here is the list of attributes sent in the access-request from the WLC:
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129
    The Framed-IP-Address is sent in the accounting packet, which doesn't appear in the live authentication report.
    If you are up to speed on REST APIs, here is some reference material on this:
    http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826
    You can also run the RADIUS accounting report and filter it based off of account-start packets, which will have the username and the IP address along with the MAC address.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Simultaneous Radius & TACACS+ Support on WLC

    I currently have my controller configured in my Cisco Secure ACS (ver 3.3) as a Radius NAS.
    This is for the wireless clients that authenticate using PEAP.
    Now I would like to setup my controller to use TACACS+ for management. I see where to configure it on the controller which looks straight forward.
    However, I am not sure what to do on the ACS. If a controller is already configured for Radius how can I configure it to also support TACACS+? I don't see an option to have it support both. I can't add the same controller in twice either.
    Any suggestions/recommendations are appreciated.
    I'm wondering if my only option is to setup management using Radius too.

    Thank you. That worked. I created one group called controllers-tacacs and listed each of my controllers and selected TACACS+ for authentication type.
    However, I still can't get the controller to use TACACS+ for management. I added in the ACS information using port 49 under the security->tacacs-> authentication menu option. It does not have the option to pick network user or management like the radius authentication menu does. So I just enter in all the valid data shared secret, port, enabled, etc. I used the same shared secret as the controller-tacacs group I created on the ACS.
    However, the controller does not use tacacs+ for management logins. I still have to use the local mgmt users account.
    Anyone have any ideas?

  • What attributes are shared between a Radius Server and a WLC?

    I have a customer who is trying to set up a RADIUS server to authenticate management users for the controller; she is using a Microsoft NPS R2 server. All good at this point.
    She needs to know what attributes are shared between the server and the WLC to complete the authentication, because she is being successfully authenticated but still unable to access the WLC.
    Does someone know what those attributes are?
    The only information that I found at the moment was in a document that said that different management users can receive different Vendor-Specific Attributes. That means that the attributes returned to the WLC will depend on what RADIUS server model or platform you are using.

    Robin,
    For using Microsoft radius to authenticate management users, you can reference this document, which shows you the steps involved.
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/91392-airespace-vsa-msias-config.html
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • Wireless Guest Access through 4404, bandwidth limiting.

    We are currently running a Guest SSID on our network and pumping it out through a DSL line and it's working great. However, as we've expanded our LWAPP conversion and offered the Guest SSID to more areas, my DSL line has become very saturated and we're not in an area that can get a bigger pipe. Is there a RADIUS attribute that I can use through ACS that the 4404 controllers will recognize to limit the users' bandwidth? In the past, when using an open-source solution for guest access (ChiliServ and FreeRADIUS), I was able to use the WISPr attributes:
    WISPr-Bandwidth-Max-Down
    WISPr-Bandwidth-Max-Up
    and it worked pretty well. What does one do in this case? I know I can pass Airespace attributes with ACS, but I don't see anything that will minimize bandwidth, unless I'm just not understanding the QoS tagging.

    I am using webauth, but where does the role information go into the RADIUS server, specifically ACS? In the document it states how to install the Airespace VSAs. In ACS 4.2 I already have the Airespace VSAs available, i.e. Airespace-QoS-Level. Is this the attribute that is needed to send the role information? If not, can you please provide this attribute? All I'm looking for is what attribute is needed by the controller to receive the role information, from a per-user level or whatever. I do have the VSAs working since my original post, having upgraded the controller software (before, it would stop sending traffic), so I can now pass Airespace-QoS-Level if this is the right attribute, but the most important thing about this attribute is that I only have Bronze to Uranium listed in ACS. If this is the attribute to send role information, how do I add more to this list, as it is a drop-down box, not a text box where I can put in my own information?

  • ACS 5.5 Radius Attribute not listed in Radius Directory

    Hello Community,
    I am on the evaluation of Cisco ACS 5.5, and I am trying some scenarios for my company.
    I have to authenticate an IP phone. Here I need one VLAN tagged and one VLAN untagged.
    In the authorization profile you can add the RADIUS attributes. We have HP switches and I need the attribute with ID 56, but this ID is not listed in the Authorization Profiles --> RADIUS Attributes --> select part.
    But it is listed under System Administration --> Configuration --> Dictionaries --> Protocols --> RADIUS --> RADIUS IETF.
    Can somebody tell me how I can select this attribute under Authorization Profiles --> RADIUS Attributes --> select part??
    Thanks a lot
    regards

    Hi
    As you are using HP switches, certain advanced use cases, such as those that involve posture assessment, profiling, and web authentication, are not consistently available with non-Cisco devices or may provide limited functionality, and are therefore not supported with non-Cisco devices.
    For more information regarding Authorization profile configuration, please go through the following link:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/pol_elem.html

  • WLC 4404 bandwidth management

    Hi ...
    I have a WLC 4404 installed and we would like to manage the bandwidth per SSID.
    Today we have configured many SSIDs because our campus has a lot of wireless users and each SSID has only one class C subnet (/24).
    We would like to configure each SSID with more subnets. Is this possible?
    Additionally we need to restrict the bandwidth per SSID. Is this possible?
    We have some SSIDs for less important users and we would like to assign the bandwidth per SSID.
    Thanks for your help.

    Yes, with the WLC you can go in and create bandwidth limitations that are either linked to a user profile, or you can link them to a QoS profile.
    If you link to the QoS profile, say Bronze, then all you need to do is set the Guest WLAN to be in the Bronze profile in QoS. If you want to allow certain users to get more than "x" bandwidth, you would do it to a user profile.
    ****** Either way you do this, it only rate limits from the WLC down. ****** It is still possible to saturate a link from the edge to the WLC, so you may want to do some traffic shaping at the edge.
    For the multiple subnet question, yes, you could do that as well. You'd want to create the interfaces for the new subnets, then use AP groups to link the SSID to a different interface, all based on the location of the AP.
    Cheers,
    Steve
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Cisco 2960-X & ISE accounting- username Radius attribute missing

    Hi,
    I'm facing an issue with Cisco 2960 switch RADIUS accounting with Cisco ISE 1.2.1. Here is my scenario:
    - Username (vendor1) is configured in the ISE local database, under group (VENDOR)
    - Authentication protocol: wired MAB
    - Authentication method: webauth using guest portal; the user is a vendor, so no dot1x is configured on his NIC.
    The problem is that the switch is not sending the username as part of the RADIUS attributes. In the authentication log, the username is shown as the MAC address of the user machine; therefore, I cannot configure my authorization condition using internaluser:Name Equal vendor1,
    while if I configure the condition using the identity group condition IdentityGroup:Name Equal VENDOR, it works.
    The same configuration is working on a 3750 switch with no issue.
    Here is my Switch config:
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius 
    aaa authorization auth-proxy default group radius 
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting update periodic 5
    username admin password 
    username radius-test password 
    aaa server radius dynamic-author
     client 172.16.2.20 server-key 7 04490A0206345F450C00
     client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
    radius server ISE-RADIUS-1
     address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 111B18011E0718070133
    radius server ISE-RADIUS-2
     address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
     automate-tester username radius-test idle-time 15
     key 7 0214055F02131C2A4957
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server attribute 31 mac format ietf upper-case
    radius-server attribute 31 send nas-port-detail
    radius-server dead-criteria time 5 tries 3
    radius-server vsa send accounting
    radius-server vsa send authentication
    any help  !!!

    Thanks for your reply. I know what MAB is; if you read my explanation again, I mentioned that the user is authenticated in the guest portal, which means that I have web authentication, and it is working fine. The only issue is that I cannot use the vendor1 username as part of the authorization condition, and this is because the switch is not sending RADIUS attribute type 1 to the ISE; thus, on the ISE authentication log the MAC address of the client machine is shown as the username, not the actual username (vendor1).
    As I mentioned also, I have exactly the same setup with ISE 1.2 and a 3750 switch and I do not have this issue. I experience this with the 2960X only.

  • What is the lowest ISE version supported with WLC 7.3.112.0

    Dears
    Kindly, I want to know what is the lowest version of ISE supported with WLC 7.3.112.0 or WLC 7.3.101.0.
    Please, I need your feedback.
    Regards,

    The lowest version of ISE that supports WLC 7.3 is ISE 1.2, as per the document (Yes/No columns in the matrix's column order):
    Wireless LAN Controller (WLC) 2500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
    Wireless LAN Controller (WLC) 5500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
    Wireless LAN Controller (WLC) 7500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9 | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
    Wireless LAN Controller (WLC) 8500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9 | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    ISE 1.1 won't support WLC 7.3:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/compatibility/ise_sdt.html
    Wireless LAN Controller (WLC) 2100, 4400 | 7.0.116.0 | No6 | Yes | No | Yes | Yes | Yes | Yes | No | No
    Wireless LAN Controller (WLC) 2500, 5500 | 7.2.103.0 | No6 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
    WLC 7500 Series | 7.2.103.0 (basic RADIUS auth supported in 7.0.116.0) | Yes6 | Yes | No | Yes (local only) | No | Yes | No | No | No

  • WLC Guest portal - External DNS issue

    I have an interesting behavior. When my guest users attach to the guest network, I want them to use some external DNS source and not my organization's DNS servers. So, I set the DHCP scope options to point to other DNS servers. When I do, the users don't seem to be redirected to the WLC guest portal; they get nothing and, because of that, they cannot get to the Internet.
    I am not sure why this is happening. The redirection URL is https://1.1.1.1/login.html?redirect=www.google.com?/ocid=iehp
    I don't understand why pointing a guest client to external DNS servers would cause the guest login page not to come up.

    The issue is likely that you are attempting to redirect an HTTPS page. See this link for more information:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc7
    You didn't mention your code rev, but it seems that 8.0 is able to redirect HTTPS for guest portal.

  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I got many Cisco AP which are linked to 2 Cisco WLC.
    On each WLC, I configured a primary and a secondary RADIUS Server.
    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
    Primary and secondary ACS configurations are synchronized.
    There is no problem between the primary WLC and Cisco ACS (primary and secondary).
    When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
    Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized so I should have same error on them...
    Why does primary ACS generate this error?
    Thanks for your help,
    Patrick

    Tarik Admani wrote:
    Amjad,
    That is a good observation, shouldn't 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuration can be replicated and synched to the other WLC (the secondary).
    The two WLCs in the HA must be on the same subnet though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"
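The 11036 error in the thread above means the ACS recomputed the Message-Authenticator on the secondary WLC's Access-Request and it did not match, which is exactly what a shared secret mismatch for that NAS entry produces. The following added example (not from the thread, and not Cisco or ACS code) implements the RFC 2869 section 5.14 check: HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute's own 16 bytes zeroed; the secrets, identifier and addresses are constructed, and diagnose() shows how a server-side administrator can tell which of the configured secrets a captured request was actually signed with.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 5.14: 16-byte HMAC-MD5 keyed by the shared secret
HEADER_LEN = 20              # Code, Identifier, Length, 16-byte Request Authenticator

def attr(attr_type, value):
    """Pack one RADIUS attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, identifier, attributes, authenticator=None):
    """Assemble an Access-Request the way a NAS (here: a WLC) would sign it."""
    authenticator = authenticator or os.urandom(16)
    # The HMAC is computed with the attribute present but its value zeroed.
    body = attributes + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    # The placeholder is the last 16 bytes of the packet; swap in the real digest.
    return header + body[:-16] + mac

def find_message_authenticator(packet):
    """Byte offset of the Message-Authenticator value, or None if absent."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        t, length = struct.unpack_from("!BB", packet, pos)
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        if t == MESSAGE_AUTHENTICATOR and length == 18:
            return pos + 2
        pos += length
    return None

def verify_message_authenticator(secret, packet):
    """What the server does: recompute with its copy of the secret and compare."""
    if len(packet) < HEADER_LEN or struct.unpack_from("!H", packet, 2)[0] != len(packet):
        return False
    off = find_message_authenticator(packet)
    if off is None:
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[off:off + 16])

def diagnose(packet, candidate_secrets):
    """Names of the configured NAS entries whose secret verifies this packet."""
    return [name for name, s in candidate_secrets.items()
            if verify_message_authenticator(s, packet)]
```

A request signed with one secret verifies only against that secret, so when the primary ACS rejects what the secondary ACS accepts, the two servers' NAS entries for the secondary WLC are the place to compare.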

  • Apply QoS profile using RADIUS attributes

    Hi all,
    Anyone delved into the use of RADIUS attributes to apply QoS values (DSCP/802.1p) to wireless users via a WLC?
    With the emergence of ISE and the concept of a shared SSID for several user types I may want to apply QoS profiles by user rather than SSID.
    Do you need to apply the maximum value to the SSID for the attribute-derived value to work?
    Can non-WMM client traffic be marked using this approach?
    Plenty to think about here...
    Any discussion welcome!
    Cheers
    Rob

    You can apply QoS RADIUS override.
    http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
    Yes, it would be best to apply the WLAN max QoS value to the level that you intend to use with the RADIUS override. For example, if you want to apply Platinum QoS for voice clients on the SSID, I would map the WLAN to Platinum QoS.
    I am not sure on the next question. I think you can assign a DSCP/802.1p to non-WMM clients, but I don't think the non-WMM clients will benefit from it, as they will not tag their traffic and hence the AP and subsequently the wired network will treat it as best effort (untagged).
    Thanks,

  • 2950 or 2960 bandwidth limiting egress and ingress per port

    I am providing an MTU bandwidth and needing a switch that I can set bandwidth limits for each customer. Each customer will have their own port on the switch. Will the Enhanced image 2950 or 2960 limit on egress as well?

    Neither switch supports egress policers. Ingress policers can be configured on the 2960 and the 2950 as long as you have the EI-capable hardware. This is the same for the newer switches: 2960, 2970, 3560 and 3750. The 3550 does allow egress policers, but this is EOS now I think?
    HTH
    Andy

  • Radius Attributes for WAP321 AP

    Hi
    Is there a list with the supported radius attributes for wlan-user-authentication? Now I have the following freeradius entry in my users file:
    DEFAULT Ldap-Group == 'wlanusers', Huntgroup-Name == 'accesspoint'
            Service-Type := Login,
            Fall-Through := No
    But it doesn't work. Have I forgotten some attributes?
    thx for any help
    Matthias

    Hi,
    Can you please take a screenshot of your configuration and attach it so that it can be used to root-cause the issue.
    Regards,
    Phanikrishna
