Cisco Support Community

aaa Authorization and Bandwidth restriction


How can I configure aaa authorization in the router and restrict the bandwidth (upstream and downstream) for users based on the service type subscription packages? I am using RADIUS for the AAA.



Re: aaa Authorization and Bandwidth restriction


I remember applying the cap/port speed for the dial up (PSTN/ISDN) users based on the user ids.

The same set in the RADIUS attributes comes into force once they get logged in and authenticated in the SP network.


Re: aaa Authorization and Bandwidth restriction

One possible solution is to apply a service-policy (using Cisco AV-Pair), where that policy has nothing more than either a policer or traffic shaping in class-default. This would work for traffic outgoing towards the user. For incoming traffic you can only do policing. You need to enable PPP multilink (even if you have only one connection) in order to apply the service-policy.

This is a generic solution and can work in many environments. Depending on what kind of connections you're talking about and what your degree of control is over the intermediate network between your access server and the customer, there might be some better alternatives (like setting the PVC PCR value).


Re: aaa Authorization and Bandwidth restriction


Did you have any doc or URL link explaining service-policy (using Cisco AV-Pair)?

Regarding setting PVCs, the issue is that all my WAN interfaces are POS.

Re: aaa Authorization and Bandwidth restriction

You mean that each individual user is connected via an individual POS interface?

I haven't tried yet to clone from Virtual-Template for users connecting via POS (that's what you'll need), but that doesn't sound good at such speeds - all the hardware switching will be effectively degraded by using those software interfaces. I'd apply 'rate-limit' directly on the POS interface in such a case if you don't require QoS. If you also require QoS, then apply a service policy, but again directly to the interface.

Here is an example of the simplest policy:

    policy-map subscriber-10Mbps-avg
     class class-default
      police 10000000

Apply it directly to the interface as:

    interface POS1/0
     service-policy input subscriber-10Mbps-avg
     service-policy output subscriber-10Mbps-avg

If you still decide to go the RADIUS way, then here is an example of a user profile:

    testuser  User-Password = "blahblah"
              Service-Type = Framed-User,
              Framed-Protocol = PPP,
              Framed-IP-Address =,
              Framed-IP-Netmask =,
              cisco-avpair="lcp:interface-config=ip address\nservice-policy input subscriber-10Mbps-avg\nservice-policy output subscriber-10Mbps-avg"

(Notice '\n')

You can find more information in the following documents:

QoS configuration guide

QoS command reference

Hope this helps.
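
The RADIUS approach in the post above pushes interface commands from the user profile, so the provisioning side decides what reaches the router. This is an added example, not code from the thread or from Cisco: it builds the cisco-avpair value per subscription package and audits existing values so that only service-policy commands for known policy-maps are accepted. The package names and the subscriber-2Mbps-avg policy are assumptions; only subscriber-10Mbps-avg appears in the thread.

```python
import re

# Hypothetical package table: subscription package -> policy-map on the router.
# Only subscriber-10Mbps-avg comes from the thread; the rest is constructed.
PACKAGES = {
    "bronze": "subscriber-2Mbps-avg",
    "silver": "subscriber-10Mbps-avg",
}

PREFIX = "lcp:interface-config="
SEP = "\\n"  # the two characters backslash + n, as in the post's profile

# Conservative character set: a policy name can never contain a backslash,
# so it cannot smuggle a separator and append extra interface commands.
POLICY_NAME = re.compile(r"[A-Za-z0-9_-]{1,40}")
ALLOWED_CMD = re.compile(r"service-policy (input|output) ([A-Za-z0-9_-]{1,40})")


def build_avpair(package):
    """Return the AV-pair value applying the package's policy in both directions."""
    policy = PACKAGES[package]  # KeyError for an unknown package
    if not POLICY_NAME.fullmatch(policy):
        raise ValueError(f"unsafe policy-map name: {policy!r}")
    cmds = [f"service-policy input {policy}", f"service-policy output {policy}"]
    return PREFIX + SEP.join(cmds)


def audit_avpair(value, known_policies):
    """Return a list of problems found in an lcp:interface-config AV-pair value."""
    if not value.startswith(PREFIX):
        return ["not an lcp:interface-config pair"]
    problems = []
    for cmd in value[len(PREFIX):].split(SEP):
        m = ALLOWED_CMD.fullmatch(cmd.strip())
        if m is None:
            problems.append(f"command not on allowlist: {cmd.strip()!r}")
        elif m.group(2) not in known_policies:
            problems.append(f"unknown policy-map: {m.group(2)}")
    return problems


if __name__ == "__main__":
    known = set(PACKAGES.values())
    good = build_avpair("silver")
    print(f'cisco-avpair="{good}"', audit_avpair(good, known))
    # Constructed bad value: an extra non-QoS command and an undefined policy.
    bad = PREFIX + SEP.join(["shutdown", "service-policy input subscriber-1Gbps"])
    print(audit_avpair(bad, known))
```

Running the audit over every profile in the RADIUS store before a reload catches both typos in policy-map names and commands that have no business in a subscriber profile.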
