
Wireless Guest Access through 4404, bandwidth limiting.

raun.williams
Level 3

We are currently running a Guest SSID on our network and pumping it out through a DSL line, and it's working great. However, as we've expanded our LWAPP conversion and offered the Guest SSID to more areas, my DSL line has become very saturated, and we're not in an area that can get a bigger pipe. Is there a RADIUS attribute that I can use through ACS that the 4404 controllers will recognize to limit the users' bandwidth? In the past, when using an open-source solution for guest access (ChiliServ and FreeRadius), I was able to use the WISPr attributes:

WISPr-Bandwidth-Max-Down

WISPr-Bandwidth-Max-Up

and it worked pretty well. What does one do in this case? I know I can pass Airespace attributes with ACS, but I don't see anything that will minimize bandwidth unless I'm just not understanding the QoS tagging.


dennischolmes
Level 7

We have used a very inexpensive box from a third-party vendor called a NetEqualizer. This box also provides CALEA reporting to the federal government and fulfills your CALEA hardware requirements. It is extremely easy to use and costs less than the server box you would run FreeRADIUS on.

http://netequalizer.com/

jicr
Level 1

Returning the Airespace attribute from ACS is one option; another one is to create a guest user in the local netuser DB and assign the guest role. That guest role should already exist in the controller with the preferred bandwidth settings. I suggest this as the solution rather than returning it from ACS.

Is there a way to select this role and use the ACS? I prefer to continue to use our ACS as our central point of all authentication instead of spreading it around.

You can return it from ACS using the Airespace attributes. Enabling "aaa override" in the WLAN will do.

Which is your controller image? Based on that, I can suggest which will be the better solution for you.

We've just moved to 5.2.178.0. So if I'm understanding you correctly, I can pass the Guest Role via ACS air-space attributes? Which attribute would I use for this? I know on the Airspace-QoS-Level I can select Bronze to Uranium, but other than that I'm not sure.

Thank you for your help.

Using ACS for the guest role is not straightforward. You may need to add it using a dictionary file and import it using some utility.

That is the reason I suggested the local DB for the guest role. Another RADIUS server which supports returning the guest role to the controller is SBR (third party), which has this support by default. Hope this will help you.

In between, I don't find any security threat in configuring it in the local DB and mapping it to the guest role.

SBR= Steel Belted RADIUS from Funk/Juniper.

Is there a configuration document you can hook me up with?

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080891919.shtml#tc6

This document will help you to configure that. Hope this will solve your issue, and let me know how it goes.

Please note: we can also send the role information from a RADIUS server on a per-user basis, for users using web authentication only. This role information cannot be used for 802.1x authentication of the clients.

Thank you so much for the information. I do have another question, however. I have these options and have been using them. However, I'm guessing that I can insert the role into the airspace-qos-level and have it as a selectable option instead of the default bronze through uranium that I do currently?

As I mentioned, these roles can be used only for guest users. For normal 802.1x you can't use them.

I hope I answered your question.

I am using webauth, but where does the role information go into the RADIUS server, specifically ACS? In the document it states how to install the airspace VSAs. In ACS 4.2 I already have the airspace VSAs available, i.e. airspace-qos-level. Is this the attribute that is needed to send the role information? If not, can you please provide this attribute? All I'm looking for is what attribute is needed by the controller to receive the role information, from a per-user level or whatever. I do have the VSAs working since my original post and having upgraded the controller software (before, it would stop sending traffic), so I can now pass the airspace-qos-level if this is the right attribute, but the most important thing about this attribute is that I only have Bronze to Uranium listed in ACS. If this is the attribute to send role information, how do I add more to this list, as it is a drop-down box, not a text box where I can put in my own information?

The attribute name should be "Aire-role-Name". This attribute can return the guest role name to the controller, and the controller will map the corresponding role defined in the DB.

I have attached a screenshot.

This will help you, I think.
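
To confirm that a guest role name is actually present in the attributes a RADIUS server returns, the vendor-specific attribute can be built and parsed by hand. This is an added example, not part of the original thread or Cisco's code. It assumes the Airespace vendor ID 14179 and sub-attribute 11 (listed as Airespace-Guest-Role-Name in the FreeRADIUS `dictionary.airespace` file); the role name and sample bytes are constructed.

```python
import struct

# Assumptions (not from the thread): values as listed in FreeRADIUS
# dictionary.airespace; confirm against your controller's VSA documentation.
AIRESPACE_VENDOR_ID = 14179
AIRESPACE_GUEST_ROLE_NAME = 11   # string sub-attribute
VENDOR_SPECIFIC = 26             # RFC 2865 attribute type


def encode_vsa(vendor_id, sub_type, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    body = struct.pack("!IBB", vendor_id, sub_type, 2 + len(value)) + value
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs):
    """Walk a RADIUS attribute list; return (vendor_id, sub_type, value) tuples."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("bad attribute length")
        if a_type == VENDOR_SPECIFIC:
            if a_len < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + a_len
            while j < end:
                if end - j < 2 or attrs[j + 1] < 2 or j + attrs[j + 1] > end:
                    raise ValueError("bad sub-attribute length")
                out.append((vendor_id, attrs[j], attrs[j + 2:j + attrs[j + 1]]))
                j += attrs[j + 1]
        i += a_len
    return out


def guest_role(attrs):
    """Return the guest role name carried in the attribute list, or None."""
    for vendor, sub, value in decode_vsas(attrs):
        if vendor == AIRESPACE_VENDOR_ID and sub == AIRESPACE_GUEST_ROLE_NAME:
            return value.decode("ascii")
    return None


# Constructed sample: a Reply-Message (type 18) followed by the role VSA.
REPLY_MESSAGE = bytes([18, 4]) + b"ok"
SAMPLE_ATTRS = REPLY_MESSAGE + encode_vsa(
    AIRESPACE_VENDOR_ID, AIRESPACE_GUEST_ROLE_NAME, b"guest-512k")
```

`guest_role()` takes the attribute bytes that follow the 20-byte RADIUS header of an Access-Accept, so it can be run against a packet capture taken between the RADIUS server and the controller.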
