Wireless Guest Access through 4404, bandwidth limiting.

Apr 30th, 2009

We are currently running a Guest SSID on our network and pumping it out through a DSL line and it's working great. However, as we've expanded our LWAPP conversion and offering the Guest SSID to more areas, my DSL line has become very saturated and we're not in an area that can get a bigger pipe. Is there a RADIUS attribute that I can use through ACS that the 4404 controllers will recognize to limit the users' bandwidth? In the past when using an open-source solution for guest access (ChiliServ and FreeRadius) I was able to use the WISPr attributes:

WISPr-Bandwidth-Max-Down

WISPr-Bandwidth-Max-Up

and it worked pretty well. What does one do in this case? I know I can pass Airespace attributes with ACS, but I don't see anything that will minimize bandwidth unless I'm just not understanding the QoS tagging.

dennischolmes Wed, 05/06/2009 - 03:53

We have used a very inexpensive box from a third party vendor called a NetEqualizer. This box also provides CALEA reporting to the federal government and fulfills your CALEA hardware requirements. It is extremely easy to use and costs less than the server box you would run free radius on.

http://netequalizer.com/

jicr Mon, 06/22/2009 - 07:45

Returning the Airespace attribute from ACS is one option; another one is to create a guest user in the local netuser DB and assign the guest role. That guest role should already exist in the controller with the preferred bandwidth settings. I suggest this as the solution rather than returning it from ACS.

raun.williams Thu, 06/25/2009 - 04:16

Is there a way to select this role and use the ACS? I prefer to continue to use our ACS as our central point of all authentication instead of spreading it around.

jicr Thu, 06/25/2009 - 04:24

You can return it from ACS using the Airespace attributes. Enabling "aaa override" in the WLAN will do.

Which is your controller image? Based on that I can suggest which will be the better solution for you.

raun.williams Thu, 06/25/2009 - 05:01

We've just moved to 5.2.178.0. So if I'm understanding you correctly, I can pass the Guest Role via ACS air-space attributes? Which attribute would I use for this? I know on the Airspace-QoS-Level I can select Bronze to Uranium but other than that I'm not sure.

Thank you for your help.

jicr Thu, 06/25/2009 - 05:29

Using ACS for the guest role is not straightforward. You may need to add it using a dictionary file and import it using some utility.

That is the reason I suggested the local DB for the guest role. Another RADIUS server which supports returning the guest role to the controller is SBR (third party), which has this support by default. Hope this will help you.

In between, I don't find any security threat in configuring it in the local DB and mapping it to the guest role.

jicr Fri, 06/26/2009 - 09:19

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080891919.shtml#tc6

This document will help you to configure that. Hope this will solve your issue, and let me know how it goes.

Please note: We can send the role information from a RADIUS server also on a per-user basis for users using web authentication only. This role information cannot be used for 802.1x authentication of the clients.

raun.williams Fri, 06/26/2009 - 17:30

Thank you so much for the information. I do have another question however. I have these options and have been using them. However, I'm guessing that I can insert the role into the airspace-qos-level and have it as a selectable option instead of the default bronze through uranium that I do currently?

jicr Sat, 06/27/2009 - 22:04

As I mentioned, these roles can be used only for guest users. For normal 802.1x you can't use them.

I hope I answered your question.

raun.williams Mon, 06/29/2009 - 04:22

I am using webauth, but where does the role information go into the RADIUS server, specifically ACS? In the document it states how to install the Airespace VSAs. In ACS 4.2 I already have the Airespace VSAs available, i.e. airspace-qos-level. Is this the attribute that is needed to send the role information? If not, can you please provide this attribute? That's all I'm looking for is as to what attribute is needed by the controller to receive the role information, from a per-user level or whatever. I do have the VSAs working since my original post and having upgraded the controller software (before it would stop sending traffic) so I can now pass the airspace-qos-level if this is the right attribute, but the most important thing about this attribute is that I only have Bronze to Uranium listed in ACS. If this is the attribute to send role information, how do I add more to this list, as it is a drop-down box, not a text box where I can put in my own information?

jicr Mon, 06/29/2009 - 04:34

The attribute name should be "Aire-role-Name". This attribute can return the guest role name to the controller, and the controller will map the corresponding role defined in the DB.

raun.williams Mon, 06/29/2009 - 04:38

Thank you. Now, how do I insert this attribute into ACS 4.2, which already has Airespace VSAs installed?

[026/14179/002] Aire-QoS-Level

[026/14179/003] Aire-DSCP

[026/14179/004] Aire-802.1P-Tag

[026/14179/005] Aire-Interface-Name

[026/14179/006] Aire-Acl-Name

These are the ones I have available. Since Airespace is already built into this version of ACS, how do I go about adding an attribute to it?

raun.williams Mon, 06/29/2009 - 04:42

Ahh, see, that screen shot is exactly what I'm looking for. I just don't know how to get that attribute available. I know the document you gave me showed the example of installing the Airespace VSA, but like I mentioned I already have several that came pre-built in ACS 4.2, just not that specific one. Can I add a single attribute to the list somehow?

jicr Mon, 06/29/2009 - 05:51

Please follow the document I provided earlier to add this attribute.

Thanks,

Jibin

raun.williams Mon, 06/29/2009 - 08:07

The document you referenced is not the same document that is shown in your screen capture. Please send me a link to the document that you captured from.

jicr Mon, 06/29/2009 - 08:15

Sorry, I can't send you that document due to some reasons. Please follow the document I already provided and add the attributes. It will work.

raun.williams Mon, 06/29/2009 - 08:52

Thanks, I shall do my best. I notice that aire-role-name is attribute 11 for Airespace attributes; what other attributes are available?
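
As an added illustration (not part of the thread and not Cisco's code): a decoder for the Airespace vendor-specific attributes listed above, which lets you check in a capture what the RADIUS server actually returned to the controller. Attribute numbers and names are the ones quoted in the posts; the value types and the sample role name `guest-limited` are assumptions.

```python
import struct

VENDOR_SPECIFIC = 26                          # RADIUS attribute type, the "026" in the ACS listing
AIRESPACE_PREFIX = struct.pack("!I", 14179)   # vendor id, the "14179" in the ACS listing

# Numbers and names are the ones quoted in the thread; the value types are assumed.
AIRESPACE_ATTRS = {
    2: ("Aire-QoS-Level", "int"),
    3: ("Aire-DSCP", "int"),
    4: ("Aire-802.1P-Tag", "int"),
    5: ("Aire-Interface-Name", "str"),
    6: ("Aire-Acl-Name", "str"),
    11: ("Aire-Role-Name", "str"),
}

def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single Airespace sub-attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    sub = bytes([vendor_type, len(data) + 2]) + data
    body = AIRESPACE_PREFIX + sub
    if len(body) + 2 > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def decode_airespace(attrs):
    """Return {name: value} for every Airespace sub-attribute in a raw attribute list."""
    found, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("bad attribute length")
        atype, alen = attrs[pos], attrs[pos + 1]
        value, pos = attrs[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or value[:4] != AIRESPACE_PREFIX:
            continue                           # not an Airespace VSA, skip it
        sub, i = value[4:], 0
        while i < len(sub):
            if i + 2 > len(sub) or sub[i + 1] < 2 or i + sub[i + 1] > len(sub):
                raise ValueError("bad sub-attribute length")
            vtype, raw = sub[i], sub[i + 2:i + sub[i + 1]]
            i += sub[i + 1]
            name, kind = AIRESPACE_ATTRS.get(vtype, (f"Aire-Unknown-{vtype}", "raw"))
            if kind == "int" and len(raw) == 4:
                found[name] = int.from_bytes(raw, "big")
            else:
                found[name] = raw.decode("ascii", "replace") if kind == "str" else raw.hex()
    return found

# Constructed sample: a Reply-Message (type 18) followed by two Airespace VSAs.
SAMPLE = bytes([18, 4]) + b"ok" + encode_vsa(11, "guest-limited") + encode_vsa(2, 3)
```

Feed `decode_airespace` the attribute bytes that follow the 20-byte RADIUS header of an Access-Accept; if `Aire-Role-Name` is absent there, the server is not sending it, whatever its configuration screens show.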

raun.williams Wed, 07/01/2009 - 05:04

Hello All.

I was concerned about following the document provided and overwriting and potentially messing up my current Airespace VSAs, so I contacted TAC for extra help. The engineer stated they considered this a bug (CSCsy03746) and sent me a script to add extra attributes for Airespace. I've attached a screen shot of those available. I'd highly recommend that anyone interested contact TAC, as this script is only available through them.

wackerk24 Thu, 09/09/2010 - 11:51

Is this patch going to be made publicly available for ACS 4.2 or do I still need to contact TAC? Also, with ACS 5.1 the additional attributes shown in the above screen shot are still missing. Is there a patch available for ACS 5.1 to get the additional attributes? TIA
