cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1648
Views
0
Helpful
2
Replies

Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

mogli
Level 1
Level 1

hi,

is there a way to assigen a QoS service policy via Radius to an Caltalyst 4500/3750 Switchport?

in detail, we would like to assign this policy

    policy-map SET_EF
     class class-default
       set dscp ef


to an interface. All traffic should be marked with a defined DSCP value.

This works find when doing it statically with

    interface FastEthernet2/1
         service-policy input SET_EF

but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for
that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.

we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)


unfortunately this seems to not work on Catalyst 45k and 37k.

In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.

it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)

    4503-E#sh aaa attributes
   
    AAA ATTRIBUTE LIST:
        Type=1     Name=disc-cause-ext                 Format=Enum
        Type=2     Name=Acct-Status-Type               Format=Enum

    <snip>

        Type=345   Name=sub-policy-In                  Format=String
        Type=346   Name=sub-qos-policy-in              Format=String
        Type=347   Name=sub-policy-Out                 Format=String
        Type=348   Name=sub-qos-policy-out             Format=String

any input is welcome :-))


best reagrds

2 Replies 2

mogli
Level 1
Level 1

additionally to this discussion, i've just opened a service request with TAC.

unfortunately the engineer told me that by now per-User QoS is definitely no supported on this two plattforms but it's listed on the roadmap and will be possibly availabe mid 2012......

NicolasDemonty
Level 1
Level 1

Hi Mogli,

 

I would also like to provide dynamic QoS feature via Radius. In my case I would like to trust or not the port depending on the authentication.

 

Did you get any feedback or succeeded to achieve ?

 

thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: