AAA Authorization and Bandwidth Restriction

Unanswered Question
Aug 13th, 2006

Hi,


How can I configure AAA authorization in the router and restrict the bandwidth (upstream and downstream) for users based on the service type subscription packages? I am using RADIUS for the AAA.


regards,

spremkumar Mon, 08/14/2006 - 00:56

Hi


I remember applying the cap/port speed for the dial up (PSTN/ISDN) users based on the user ids.

The same set in the RADIUS attributes comes in force once they get logged in and authenticated in the SP network.


regds


ilya.varlashkin Mon, 08/14/2006 - 10:22

One possible solution is to apply a service-policy (using Cisco AV-Pair), where that policy has nothing more than either a policer or traffic shaping in class-default. This would work for traffic outgoing towards the user. For incoming traffic you can only do policing. You need to enable PPP multilink (even if you have only one connection) in order to apply the service-policy.


This is a generic solution and can work in many environments. Depending on what kind of connections you're talking about and what your degree of control is over the intermediate network between your access server and the customer, there might be some better alternatives (like setting the PVC PCR value).

aalhousani Mon, 08/14/2006 - 13:10

Thanks,


Do you have any doc or URL link explaining service-policy (using Cisco AV-Pair)?


Regarding setting PVCs, the issue is that all my WAN interfaces are POS.

ilya.varlashkin Mon, 08/14/2006 - 13:29

You mean that each individual user is connected via individual POS interface?


I haven't tried yet to clone from Virtual-Template for users connecting via POS (that's what you'll need), but that doesn't sound good at such speeds - all the hardware switching will be effectively degraded by using those software interfaces. I'd apply 'rate-limit' directly on POS interface in such case if you don't require QoS. If you require also QoS, then apply service policy but again directly to the interface.


Here is an example of the simplest policy:

policy-map subscriber-10Mbps-avg
 class class-default
  police 10000000

Apply directly to the interface as:

interface POS1/0
 service-policy input subscriber-10Mbps-avg
 service-policy output subscriber-10Mbps-avg


If you still decide to go the RADIUS way, then here is an example of a user profile:

testuser User-Password = "blahblah"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 192.168.128.2,
    Framed-IP-Netmask = 255.255.255.252,
    cisco-avpair="lcp:interface-config=ip address 192.168.128.1 255.255.255.252\nservice-policy input subscriber-10Mbps-avg\nservice-policy output subscriber-10Mbps-avg"


(Notice '\n')

You can find more information in the following documents:


QoS configuration guide

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hqos_c/index.htm


QoS command reference

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hqos_r/index.htm


Hope this helps.
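A consistency check for the RADIUS approach in the post above, added here as an example (not code from any poster in this thread): it cross-references the service-policy names pushed through lcp:interface-config against the policy-maps defined on the router, and reports every user and direction where the policy is missing or undefined. The sample router config, the golduser and plainuser entries, and the subscriber-2Mbps-avg and subscriber-20Mbps-avg names are constructed for illustration.

```python
import re
# Constructed sample inputs (not taken from a real router or RADIUS server).
IOS_CONFIG = """\
policy-map subscriber-10Mbps-avg
 class class-default
  police 10000000
policy-map subscriber-2Mbps-avg
 class class-default
  police 2000000
"""
USERS_FILE = r'''
testuser User-Password = "blahblah"
    Service-Type = Framed-User,
    cisco-avpair = "lcp:interface-config=ip address 192.168.128.1 255.255.255.252\nservice-policy input subscriber-10Mbps-avg\nservice-policy output subscriber-10Mbps-avg"
golduser User-Password = "example"
    cisco-avpair = "lcp:interface-config=service-policy input subscriber-2Mbps-avg\nservice-policy output subscriber-20Mbps-avg"
plainuser User-Password = "example"
    Service-Type = Framed-User
'''

def defined_policies(ios_config):
    """Names of all policy-maps defined in the router configuration."""
    return set(re.findall(r"^policy-map\s+(\S+)", ios_config, re.M))

def user_policies(users_file):
    """Map user -> {direction: policy} from lcp:interface-config AV-pairs."""
    result, user = {}, None
    for line in users_file.splitlines():
        if line and not line[0].isspace():       # unindented line starts a user entry
            user = line.split()[0]
            result[user] = {}
        m = re.search(r'"lcp:interface-config=(.*)"', line)
        if m and user:
            for cmd in m.group(1).split(r"\n"):  # commands are joined by a literal \n
                p = cmd.split()
                if len(p) == 3 and p[0] == "service-policy" and p[1] in ("input", "output"):
                    result[user][p[1]] = p[2]
    return result

def audit(ios_config, users_file):
    """Return (user, direction, policy) for each unenforced direction.
    policy is None when the profile pushes no service-policy that way,
    otherwise it is the name that has no matching policy-map."""
    known, findings = defined_policies(ios_config), []
    for user, pol in user_policies(users_file).items():
        for direction in ("input", "output"):
            name = pol.get(direction)
            if name not in known:
                findings.append((user, direction, name))
    return findings
```

Running audit(IOS_CONFIG, USERS_FILE) against an export of the real users file and router config before rolling out a new package catches typos in policy names and profiles that carry no policer at all.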
