https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460493#M569530 Hi,<BR /><BR />These attributes work for WLC but not sure about IOS. Try them from<BR />authorization results &gt; advanced attributes &gt; radius. You can verify them<BR />using show session interface x/x details and see what has been passed from<BR />server policies.<BR /><BR />Aire-Real-Time-Bandwidth-Average-UpStream-Contract<BR />Aire-Data-Bandwidth-Average-DownStream-Contract<BR />Aire-Data-Bandwidth-Burst-UpStream-Contract<BR />Aire-Real-Time-Bandwidth-Burst-DownStream-Contract<BR />Aire-Real-Time-Bandwidth-Average-DownStream-Contract<BR />Aire-Real-Time-Bandwidth-Burst-UpStream-Contract<BR />Aire-Data-Bandwidth-Average-UpStream-Contract<BR />Aire-Data-Bandwidth-Burst-DownStream-Contract<BR /><BR />**** please remember to rate useful posts<BR /><BR /> Mon, 06 Sep 2021 15:46:06 GMT Mohammed al Baqari 2021-09-06T15:46:06Z https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460485#M569529 <P>Hi,</P><P>ISE 2.7 with Catalyst 9300. I want to apply policy-map on an interface as a result of authorization. The goal is to limit the speed for the connected device to 15/15M.</P><P>Is it possible? What av-pair to use?</P><P>thank you</P> Mon, 06 Sep 2021 15:30:01 GMT https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460485#M569529 peter.matuska1 2021-09-06T15:30:01Z https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460493#M569530 Hi,<BR /><BR />These attributes work for WLC but not sure about IOS. Try them from<BR />authorization results &gt; advanced attributes &gt; radius. You can verify them<BR />using show session interface x/x details and see what has been passed from<BR />server policies.<BR /><BR />Aire-Real-Time-Bandwidth-Average-UpStream-Contract<BR />Aire-Data-Bandwidth-Average-DownStream-Contract<BR />Aire-Data-Bandwidth-Burst-UpStream-Contract<BR />Aire-Real-Time-Bandwidth-Burst-DownStream-Contract<BR />Aire-Real-Time-Bandwidth-Average-DownStream-Contract<BR />Aire-Real-Time-Bandwidth-Burst-UpStream-Contract<BR />Aire-Data-Bandwidth-Average-UpStream-Contract<BR />Aire-Data-Bandwidth-Burst-DownStream-Contract<BR /><BR />**** please remember to rate useful posts<BR /><BR /> Mon, 06 Sep 2021 15:46:06 GMT https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460493#M569530 Mohammed al Baqari 2021-09-06T15:46:06Z https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460521#M569531 <P>thank you, but didn't work.</P> Mon, 06 Sep 2021 17:39:17 GMT https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460521#M569531 peter.matuska1 2021-09-06T17:39:17Z https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460534#M569532 I did some research and seems its possible on routers with ISG enabled<BR />(usually service providers enviroments).<BR /><BR />See below doc<BR /><BR /><A href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-radius-pol.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-radius-pol.html</A><BR /><BR />***** please remember to rate useful posts<BR /> Mon, 06 Sep 2021 18:08:06 GMT https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460534#M569532 Mohammed al Baqari 2021-09-06T18:08:06Z https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460640#M569546 <P>You might try this approach. I have not tested the traffic policing, but I have confirmed that the policy-map is applied in my lab.</P> <P>Create an empty class-map (e.g. CLASS_POLICE) and a policy-map (e.g. POLICY_POLICE) on the switch as per <A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/16-6/configuration_guide/qos/b_166_qos_9400_cg/b_166_qos_9400_cg_chapter_01.html" target="_blank" rel="noopener">this guide</A>.</P> <P>Create a new template (e.g. NAC_Police) on the switch with the same configuration as your NAC template (e.g. DefaultWiredDot1xOpenAuth) but with the added configuration of your Policing policy (service-policy input POLICY_POLICE).</P> <P>In your ISE AuthZ Profile, enable the Common Task for 'Interface Template' and specify your new template name (NAC_Police).</P> <P>Upon authZ, you should see the Interface Template applied to the session:</P> <PRE>sw1#show access-sess interf gig0/x det Interface: GigabitEthernet0/x &lt;snip&gt; Current Policy: PMAP_DefaultWiredDot1xOpenAuth_1X_MAB Server Policies: &lt;snip&gt; <STRONG>Interface Template: NAC_Police</STRONG> ACS ACL: xACSACLx-IP-MM-DACL-AD-User-609cc325</PRE> <P>You should also see the service-policy applied in the derived-config:</P> <PRE>sw1#show derived-config int gig0/x Building configuration... Derived configuration : 507 bytes ! interface GigabitEthernet0/x &lt;snip&gt; service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB service-policy input POLICY_POLICE end</PRE> Tue, 07 Sep 2021 00:30:37 GMT https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4460640#M569546 Greg Gibbs 2021-09-07T00:30:37Z https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4461540#M569589 <P>thank you. this worked.</P> Wed, 08 Sep 2021 07:34:05 GMT https://community.cisco.com/t5/network-access-control/ise-per-user-policy-map/m-p/4461540#M569589 peter.matuska1 2021-09-08T07:34:05Z