Solved: Best practices and limitations on ISE Guest Access Bandwidth Management ?

damode · ‎01-15-2020

I will be having a discussion with a client on ISE Guest Access Bandwidth Management, particularly limiting client bandwidth per user. I have no experience on this.

Hence, I'd appreciate if you could please advise on

Requirements. For e.g ISE version, WLC version and so on
Any limitations or drawbacks using ISE
Best practices etc

Thanks in advance!

Muhammad Awais Khan · ‎01-15-2020

Hi,

To limit guest bandwidth while having ISE and WLC in your environment, you can configure ISE to pass QOS attributes to WLC. Following are the attributes that need to define in authorization profile in ISE which will pass to the WLC

Current ISE Suggested version = 2.6.0

depend on the numbe rof users, you will choose required WLC

For WLC 5520, suggested software Release = 8.5.151.0 ED

Advance Attributes for Authorization Profile which you can create and assign to authorization policy mapped to Guest SSID:

Aire-Real-Time-Bandwidth-Average-UpStream-Contract = x
Aire-Data-Bandwidth-Average-DownStream-Contract = x
Aire-Data-Bandwidth-Burst-UpStream-Contract = x
Aire-Real-Time-Bandwidth-Burst-DownStream-Contract = x
Aire-Real-Time-Bandwidth-Average-DownStream-Contract = x
Aire-Real-Time-Bandwidth-Burst-UpStream-Contract = x
Aire-Data-Bandwidth-Average-UpStream-Contract = x
Aire-Data-Bandwidth-Burst-DownStream-Contract = x

View solution in original post

Muhammad Awais Khan · ‎01-15-2020

Hi,

To limit guest bandwidth while having ISE and WLC in your environment, you can configure ISE to pass QOS attributes to WLC. Following are the attributes that need to define in authorization profile in ISE which will pass to the WLC

Current ISE Suggested version = 2.6.0

depend on the numbe rof users, you will choose required WLC

For WLC 5520, suggested software Release = 8.5.151.0 ED

Advance Attributes for Authorization Profile which you can create and assign to authorization policy mapped to Guest SSID:

Aire-Real-Time-Bandwidth-Average-UpStream-Contract = x
Aire-Data-Bandwidth-Average-DownStream-Contract = x
Aire-Data-Bandwidth-Burst-UpStream-Contract = x
Aire-Real-Time-Bandwidth-Burst-DownStream-Contract = x
Aire-Real-Time-Bandwidth-Average-DownStream-Contract = x
Aire-Real-Time-Bandwidth-Burst-UpStream-Contract = x
Aire-Data-Bandwidth-Average-UpStream-Contract = x
Aire-Data-Bandwidth-Burst-DownStream-Contract = x

damode · ‎01-15-2020

Hi Muhammad,

Thanks for your prompt reply.

Regarding the value "x", what unit symbol is this required ?
For e.g, MB, Bytes etc

Also are there any limitations of using ISE for this ?

Muhammad Awais Khan · ‎01-15-2020

It is in Kbps.

Regarding limitations, can you update which WLC platform you will use for this deployment ? we can then further re-confirm that all these parameters will be supported on that WLC .

damode · ‎01-22-2020

No worries. Thanks!

damode · ‎02-13-2020

Does WLC requires any separate configuration as well in relation to this ?

Muhammad Awais Khan · ‎02-13-2020

you have to add ISE as radius server in AAA settings once you are configuring security settings for SSID and authentication and authorization atleast. I believe it will be enough to allow WLC to accept parameters received from ISE

damode · ‎02-24-2020

Hi Muhammad, could you please advise how this policy would exactly look like in a ISE wireless guest access AuthP or AuthZ policy ?

Replying to your previous qn, the WLC model is AIR-CT3504 and version 8.10.112.0.