WLC user rate limit on guest ssid anchor controller

Hi,
I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
Thanks guys!           
Oh and here is my hardware & software levels.
5508wlc - forgeign
4402wlc - anchor
Software Version
7.0.230.0

Amjad,
Thank you for taking the time to respond as well as the document link.
It was pretty clear on the steps and what it would impact.
Two things that push me for a different solution (assuming their is one).
Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
#1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
The idea is to limit WAN utilization.
#2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
***One last question about this and any other changes***
Will any change I make be on the "Foreign, Anchor" or both Controllers?

Similar Messages

  • AP Groups - Guest Access - Anchor Controller

    Need clarification - I think it does work
    Does the AP Group feature work with the anchor controller guest access feature
    SSID guest --- LWAP -- LWAPP -- Foreign WLC --- EoIP --- Anchor Controller --- VLAN 10 or VLAN 11
    ie
    Guests in Building 1
    SSID guest VLAN 10
    Guests in Building 2
    SSID guest VLAN 11
    Mark

    Hi,
    As far as I know, AP Group only works locally in each controller, and the mapping between SSID and VLAN is done in the anchor controller.
    Therefore, all clients will end up in the same VLAN, even if access points are in different AP Groups in the first WLC.
    Kind regards
    Johan

  • Rate limit guest ssid 5500 foreign to 2504 anchor

    Hi
    We have a need to limit bandwidth on guest ssid that is tunnelled to anchor controller.  The 2504 doesn't have rate limiting options but the 5500 does.  If we enabled the rate limit on the SSID details on the foreign would it work (seeing as though the anchor can't have same settings).  I would have thought that the access points terminate on the foreign therefore the rate limit would apply there.
    Would this work or do I need another 5500 as the anchor so that rate limits can match on the SSID?

    Thanks.  It would be nice if Cisco documentation actually clarified this as all guest anchor docs seem not to mention having to have both controllers supporting QoS profiles.

  • Rate-limit for some MAC on aironet 1231

    Hello!
    I need to set rate-limit for some mac addresses on access point aironet 1231.Is it possible?
    If no, what ios or devices can do it?
    Thanks.

    No there is no option for rate-limit in Aironet but in controller, Rate-limiting is applicable to all traffic destined to the CPU from either direction (wireless or wired). Cisco recommends that you always run the controller with the default config advanced rate enable command in effect in order to rate-limit traffic to the controller and protect against denial-of-service (DoS) attacks. You can use the config advanced rate disable command to stop rate-limiting of Internet Control Message Protocol (ICMP) echo responses for testing purposes.

  • WLC 5508 and Anchor/GuestNet rate limit traffic?

    Running WLCs 5508s 7.0.116.0 with GuestNet and Anchor setup, how can I limit the bandwidth on the GuestNet SSDI to 2 Mbps, etc?
    The DMZ WLC (Anchor) runs thru a ASA 5508 7x, can I rate limit traffic via ASA?

    That's really a matter of preference.  This document describes things to keep in mind when altering these QoS profile configurations, FYI.
    http://www.cisco.com/en/US/partner/docs/wireless/controller/7.0MR1/configuration/guide/cg_controller_setting.html#wp1254532
    It really depends on how many guests, what type of traffic, etc, to make a judgement call as to where you should set these.  I'm sorry but I don't have any examples from existing configurations, but hopefully the document explains how to best alter these settings.

  • Anchoring multiple Guest SSIDs to the same WLC

    Hi All,
    I've currently got a typical 'anchored' Guest WLAN solution where several WLCs tunnel guest traffic back to an isolated WLC for WebAuth - this all works fine using a mix of 5508 / 4400, all on v7.0.98.0 code.
    The question is, can I add a second Guest SSID to the estate and anchor it back to the same Guest Anchor WLC that I'm already using?
    I can't find anything to say it won't work and have found this that says it should, but none of this is very concrete...  Does anybody know of any better references and/or have you done this in the wild?
    https://supportforums.cisco.com/message/1276785
    Cheers,
    Richard

    Hi,
    yes it's totally ok.
    On the foreign, just create a second WLAN and anchor it to the other WLC. On the anchor, create the same second WLAN that you anchor to itself ...
    Nothing speciali in order to configure it.
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • 3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

    Hi,
    I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST Wireless:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    GUEST1: 10.9.65.0/24 – VLAN 11
    GUEST2: 10.9.66.0/24 – VLAN 12
    GUEST3: 10.9.67.0/24 – VLAN 13
    Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
    The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
    The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
    Interface vlan 11 – 10.9.65.1
    Interface vlan 12 – 10.9.66.1
    Interface vlan 13 – 10.9.67.1
    wgh-anchorwlc5760-primary#show ip interface brief
    Interface              IP-Address      OK? Method Status                Protocol
    Vlan1                  10.8.252.1      YES NVRAM  up                    up
    Vlan11                 10.9.65.1       YES manual up                    up
    Vlan12                 10.9.66.1       YES manual up                    up
    Vlan13                 10.9.67.1       YES manual up                    up
    GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
    Te1/0/1                unassigned      YES unset  up                    up
    Te1/0/2                10.8.253.1      YES NVRAM  up                    up
    Capwap0                unassigned      YES unset  up                    up
    If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
    If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
    If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
    Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine, clients get an IP and the right default gateway and DNS servers when connect, for example, to GUEST1.
    anchorwlc5760-primary#show wireless client summary
    Number of Local Clients : 3
    MAC Address    AP Name                          WLAN State              Protocol
    04f7.e482.b21c N/A                              2    IPLEARN            Mobile
    bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
    a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
    However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I can not see any traffic leaving the Anchor WLC to continue with the Web Authentication Process (cwa) using ISE. I can see that the authorization policy (“unkown” and the URL to ISE) has been pushed to the clients but I am not redirected to ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
    I know that usually there is a Trunk (that allows client VLANs) between a WLC and L3 Switch when you configure multiples SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with a L3 Link should work too because 5760 is a WLC+L3Switch.
    My question is: Why clients are not able to ping their default gateway?
    I hope it makes sense.
    I appreciate any thoughts and help. Thanks in advance.
    Joana.

    Hi,
    I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
    I hope it helps.
    Joana.

  • Per user bandwidth rate limit.

                       How to configure per user bandwidth rate limit for wireless guest client, authentication server is ISE 1.2 & wireless controller is 5760.

    The Cisco 5760 WLC supports better QoS than other c
    ontrollers, allowing prioritization of mission-crit
    ical
    applications:

    The Cisco 5760 WLC supports four wireless hardware
    queues and priority-based queuing compared to
    software-based queuing in existing controllers.

    The Cisco 5760 WLC follows MQC based commands, allo
    wing usage of exact commands for configuring
    QoS on different types of network devices.

    The Cisco 5760 WLC supports QoS policies to be appl
    ied in a hierarchical fashion with more granularity
    per SSID per radio, while on the current controller
    s granularity is per WLAN.

    The Cisco 5760 WLC supports approximate fair bandwi
    dth to make sure of fairness at client, SSID, and
    radio levels for Non-Real Time (NRT) traffic. There
    fore, if one user consumes excessive bandwidth, we
    can
    limit the amount of bandwidth that user receives an
    d thereby not deprive other users.

  • Guest ssid with anchor controller and Web policy

    We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?

    Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

  • Using ISE for guest access together with anchor controller WLC in DMZ

    Hi there,
    I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
    To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
    As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
    Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
    Thx
    Frank

    So i ran into a similar scenario on a recent deployment:
    We had the following:
    WLC-A on private network (Inside)
    ISE Servers ISE01 and ISE02 (Inside)
    WLC-B Anchor in DMZ for Guest traffic (DMZ)
    ISE Server 3 (DMZ)
    ISE01 and ISE02 are used for 802.1X for the private network WLAN.
    Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
    The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
    So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
    In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

  • Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

    Hi Experts ,
    Need help with the respect to understand the best practice to place/create the DHCP scope for remote site Guest SSID which will be connected to HQ Foeign-Anchor controller set-up.
    how about internet traffic for Guest SSID , which one will be recommanded :
    1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
    2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
    Thanks

    Hi George ,
    Thanks for your reply ...So you mean, best design would be to create the DHCP scope into DMZ for guest and let it get exposed to HQ internet ...
    how about if I have another anchor controller in lets say in other  office and I need to anchor the traffic or load balance from HQ foreign controller , in that case if I create DHCP scope into HQ anchor controller and if its down , I will loose the connectivity , how do I achieve fail-over to another anchor ?
    Do I need to create secondary scope into another anchor controller and let the client get reauthenticated from other location ISE and get ip address as well from another anchor controller . Is it what you are proposing ?

  • User based rate limit

    Hi,
    Iam looking for a way to Rate Limit - Vlan interfaces,
    Somting like this .. or do I need to change the service-policy to rate-limit for it to work
    Interface Vlan2
    Description Customer-A
    service-policy input police-customerA-traffic
    service-policy output police-customerA-traffic
    ip address 10.10.10.1 255.255.255.252
    Interface Vlan3
    Description Customer-B
    service-policy input police-customerB-traffic
    service-policy output police-customerB-traffic
    ip address 10.10.11.1 255.255.255.252
    Interface Vlan4
    Description Customer-C
    service-policy input police-customerC-traffic
    service-policy output police-customerC-traffic
    ip address 10.10.12.1 255.255.255.252
    Interface GigabitEthernet3/1
    Description Trunk - Customer-A - Customer-C
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 2,4
    switchport mode trunk
    Interface GigabitEthernet3/1
    Description Trunk - Customer-B
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 3
    switchport mode trunk
    Is that posible ??, or do i need to make user based rate limit based on Source / destination adresses, and move the service policy to the physical interface ??
    Hardware in this case Cisco 7609 running MPLS
    Thanks in advance.
    /Peter

    Can you explain your network topology a little?. This would help me to understand your network setup and help you in this issue accordingly.

  • Web redirecting issue when users reconnect guest ssid

    We are facing new issue on our controller for Guest SSID. This SSID used for Guest users and it is web base redirected to Aruba CPPM. First time web page redirects to controller virtual IP address and then Aruba CCPM.
    The scenario is as below
    - The user fills the form and gets redirected to a page where there is a login button which is grayed out till the sponsor approves the mail.
    -Once the sponsorer approves the mail, the login is highlighted and user connects to internet. 
    -Issue occurs when the user disconnects and connects to the SSID and tries to login again. There the user is redirected to controller management IP not on virtual IP.
    Controller Make Model:-5508
    IOS Version:- 7.5.102.0

    Well... you should upgrade to v7.6.110.0 as that code is deferred.  I don't know how you have your WLAN setup, is it use open and your using a pre-auth ACL?  Have you also posted in the AirHeads forum for suggestion?
    Post your show wlan <wlan ID>

  • RADIUS Bandwidth limit on guest WLAN

    Hi Everyone,
    I'm running a WLAN scenario which includes a WLC 5508 (7.0) and a bunch of CAPWAP access points. I just deployed a guest SSID that implements a RADIUS server (freeRadius) for authentication and accounting the guest users and everything works fine. However I need to limit the bandwidth on a per-user basis having different BW allocated on the users.
    In other words:
    SSID: "Guest-SSID" with web authentication
    Users (download/upload bandwidth limit in kbps): user1 (512/512), user2 (1024/1024), user3 (512/2048)
    When user1 connects, he will be able to download/upload at a 512 Kbps data rate, same as user2 with a d/u 1024 Kbps data rate. And user3 will be able to download at 512 Kbps and upload at 2048 Kbps. The 3 users will be connected on the same SSID: "Guest-SSID".
    I've been searching and found that the WLC honors some Airespace attributes that may do the magic, however they are not documented anywhere else but the WLC Configuration Guide. I have modified the freeradius Airespace dictionary but when authenticating, when the RADIUS sends the accept message incluiding the attributes, the WLC shows attribute is considered as unknown, even though the conf. guide shows they must be supported.
    I guess it may be caused by a wrong attribute name. Is there something else missing?
    This is the WLC AAA debug detail:
    (Cisco Controller) >*aaaQueueReader: Mar 19 18:35:08.705: AuthenticationRequest: 0x30b56248
    *aaaQueueReader: Mar 19 18:35:08.705:   Callback.....................................0x10770a64
    *aaaQueueReader: Mar 19 18:35:08.706:   protocolType.................................0x00000001
    *aaaQueueReader: Mar 19 18:35:08.706:   proxyState...................................F4:09:D8:20:11:2F-00:00
    *aaaQueueReader: Mar 19 18:35:08.706:   Packet contains 11 AVPs (not shown)
    *radiusTransportThread: Mar 19 18:35:08.708: AuthorizationResponse: 0x13e25bb0
    *radiusTransportThread: Mar 19 18:35:08.708:    structureSize................................216
    *radiusTransportThread: Mar 19 18:35:08.708:    resultCode...................................0
    *radiusTransportThread: Mar 19 18:35:08.708:    protocolUsed.................................0x00000001
    *radiusTransportThread: Mar 19 18:35:08.708:    proxyState...................................F4:09:D8:20:11:2F-00:00
    *radiusTransportThread: Mar 19 18:35:08.708:    Packet contains 9 AVPs:
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[01] Unknown Airespace / Attribute 7..........0x00000100 (256) (4 bytes)
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[02] Unknown Airespace / Attribute 8..........0x00000100 (256) (4 bytes)
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[03] Unknown Airespace / Attribute 9..........0x00000180 (384) (4 bytes)
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[04] Unknown Airespace / Attribute 10.........0x00000180 (384) (4 bytes)
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[05] Unknown Airespace / Attribute 11.........GRN-Test (8 bytes)
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[06] Unknown Airespace / Attribute 13.........0x00000100 (256) (4 bytes)
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[07] Unknown Airespace / Attribute 14.........0x00000100 (256) (4 bytes)
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[08] Unknown Airespace / Attribute 15.........0x00000180 (384) (4 bytes)
    *radiusTransportThread: Mar 19 18:35:08.708:        AVP[09] Unknown Airespace / Attribute 16.........0x00000180 (384) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.718: AccountingMessage Accounting Start: 0x30b56248
    *aaaQueueReader: Mar 19 18:35:08.718:   Packet contains 14 AVPs:
    *aaaQueueReader: Mar 19 18:35:08.718:       AVP[01] User-Name................................0x6173 (24947) (2 bytes)
    *aaaQueueReader: Mar 19 18:35:08.718:       AVP[02] Nas-Port.................................0x0000001d (29) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.718:       AVP[03] Nas-Ip-Address...........................0xc0a89605 (-1062693371) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.718:       AVP[04] Framed-IP-Address........................0xc0a8967b (-1062693253) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.718:       AVP[05] NAS-Identifier...........................WLC-CCIE (8 bytes)
    *aaaQueueReader: Mar 19 18:35:08.718:       AVP[06] Airespace / WLAN-Identifier..............0x00000006 (6) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.718:       AVP[07] Acct-Session-Id..........................550b5d2c/f4:09:d8:20:11:2f/2 (28 bytes)
    *aaaQueueReader: Mar 19 18:35:08.718:       AVP[08] Acct-Authentic...........................0x00000001 (1) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.719:       AVP[09] Tunnel-Type..............................0x0000000d (13) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.719:       AVP[10] Tunnel-Medium-Type.......................0x00000006 (6) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.719:       AVP[11] Tunnel-Group-Id..........................150 (3 bytes)
    *aaaQueueReader: Mar 19 18:35:08.719:       AVP[12] Acct-Status-Type.........................0x00000001 (1) (4 bytes)
    *aaaQueueReader: Mar 19 18:35:08.719:       AVP[13] Calling-Station-Id.......................192.168.150.123 (15 bytes)
    *aaaQueueReader: Mar 19 18:35:08.719:       AVP[14] Called-Station-Id........................192.168.150.5 (13 bytes)
    My Airespace dictionary:
    VENDOR          Airespace                       14179
    BEGIN-VENDOR    Airespace
    ATTRIBUTE       Airespace-Wlan-Id                       1       integer
    ATTRIBUTE       Airespace-QOS-Level                     2       integer
    ATTRIBUTE       Airespace-DSCP                          3       integer
    ATTRIBUTE       Airespace-8021p-Tag                     4       integer
    ATTRIBUTE       Airespace-Interface-Name                5       string
    ATTRIBUTE       Airespace-ACL-Name                      6       string
    ATTRIBUTE       Airespace-Data-Bandwidth-Average-Contract               7       integer
    ATTRIBUTE       Airespace-Real-Time-Bandwidth-Average-Contract          8       integer
    ATTRIBUTE       Airespace-Data-Bandwidth-Burst-Contract                 9       integer
    ATTRIBUTE       Airespace-Real-Time-Bandwidth-Burst-Contract            10      integer
    ATTRIBUTE       Airespace-Guest-Role-Name                               11      string
    ATTRIBUTE       Airespaces-Data-Bandwidth-Average-Contract-Upstream     13      integer
    ATTRIBUTE       Airespace-Real-Time-Bandwidth-Average-Contract-Upstream 14      integer
    ATTRIBUTE       Airespace-Data-Bandwidth-Burst-Contract-Upstream        15      integer
    ATTRIBUTE       Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream   16      integer
    VALUE   Airespace-QOS-Level             Bronze                  3
    VALUE   Airespace-QOS-Level             Silver                  0
    VALUE   Airespace-QOS-Level             Gold                    1
    VALUE   Airespace-QOS-Level             Platinum                2
    END-VENDOR Airespace
    This is the configuration guide I'm using:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0MR1/configuration/guide/wlc_cg70MR1/cg_security_sol.html#pgfId-1457964
    Table 6-5.
    Any help will be really apreciated!
    Regards!
    Jonathan S.

    If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication for the WLAN on which web authentication is performed rather than adding a guest user to the local user database from the controller, you need to assign the QoS role on the RADIUS server itself. To do so, a “guest-role” Airespace attribute needs to be added on the RADIUS server with a datatype of “string” and a return value of “11.” This attribute is sent to the controller when authentication occurs. If a role with the name returned from the RADIUS server is found configured on the controller, the bandwidth associated to that role is enforced for the guest user after authentication completes successfully.

  • Upstream traffic rate limit

    Hi all,
    Upstream traffic rate limit is not supported by WLC . It will be done by AP.
    We have setup of Auto anchor for both corporate and guest(but authentication mechanism is diffrent) . They wont access any internal resouce .Only interner traffic is permitted.
    So can we limit the internet traffic for guest users .? If we limiting the upstream traffic at the AP level what would be the concerns we may face?
    Kindly help on this.
    Thanks,
    Regards,
    Vijay

    Hello Vijay,
    As per your query i can suggest you the following solution-
    Please refer table 1 of the given link-
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3900.shtml
    Hope this will help you.

Maybe you are looking for

  • PLEASE HELP! SLOW SPEED FOR 5 WEEKS!

    Hey all, i've come here as a last resort as im sick of my slow infinity speed and sick to death with bt customer service which does not exist! Since before christmas my bt infinity package 1 38down/10up has been playing up after 12 midnight! usually

  • Idoc monitoring using WE06

    Hi all, I want to do Idoc monitoring using the tool Active Idoc Monitoring(Programm: RSEIDOCA;Transaction : WE06). So when ever something goes wrong in an Idoc,depending on the idoc type ,I want to inform the concerned person by email using SAP mail(

  • Assign condition type for payment terms

    When i creating a sales order, when the payment is COD, then it will trigger one of condition price mandatory, it I choose other payment terms, the trigger will be ignore. I would like to know how to set this checking, since i want to remove it. Than

  • Print preview and scaling

    On an iMac I'm working on, when printing an email, Print Preview/Copies & Pages, the scaling is set to 50%. You can change it 100% and it prints, but defaults back to 50% the next time you print. I've looked everywhere I know for a scale preference,

  • BTFON on my mobile - is it an Android Phone?

    I can get the internet on my Sony Ericsson W395 but I don't think it is an android phone. So, can I use the BTFON wi-fi service on my mobile somehow and how do I set this up?