cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1504
Views
1
Helpful
7
Replies
Marc Aemmer
Beginner

Cisco ISE Guest-Role Attribute not working

Hi there,

In our authorization profile for guest users, we configured the Airespace Radius Attirbute "Airespace:Airespace-Guest-Role-Name" with a value of "medium". On our WLC we have a QoS Role named "medium" with the appropiate data rates.

In the results pane of the ISE Live Log I can see that the attribute was sent correctly. But the data rates configured in the QoS Role are not assigned to the client on the WLC.

Any ideas?

regards,

Marc

1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee

Table 5 in RADIUS Authentication Attributes Sent by the Controller in WLC Configuration Guide, 8.3 says,

Guest-Role-Name

Note    

Guest-Role-Name is honored only on L3 security web authentication with AAA over-ride enabled on the Cisco WLC.

For non-LWA use case, please use the other attributes, as Paul suggested:

Airespace-Data-Bandwidth-Average-Contract

Airespace-Real-Time-Bandwidth-Average-Contract

Airespace-Data-Bandwidth-Burst-Contract

Airespace-Real-Time-Bandwidth-Burst-Contract

Airespaces-Data-Bandwidth-Average-Contract-Upstream

Airespace-Real-Time-Bandwidth-Average-Contract-Upstream

Airespace-Data-Bandwidth-Burst-Contract-Upstream

Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream

View solution in original post

7 REPLIES 7
paul
Advocate

Why not have ISE just set the data rates?

Capture.JPG

I think the guest role is something that would need to be set or specified on the WLC side of things , it's not synonymous with the ise guest portal or flows it doesn't have any correlation

Please reach out to wireless team and consult with its documentation on how it is used

Hi Paul,

Thanks for the information.

By the way, if that is enforced in AuthZ Profile in ISE, does that settings applied to per user (per client) or a group of users sharing that amount of bandwidth rate (a group of users sharing the same AuthZ profile for example) ?

Thanks

Andryan VT

The settings should be applied per user.  The quality of service screen shot I posted was from the client detail on the WLC.

hslai
Cisco Employee

Table 5 in RADIUS Authentication Attributes Sent by the Controller in WLC Configuration Guide, 8.3 says,

Guest-Role-Name

Note    

Guest-Role-Name is honored only on L3 security web authentication with AAA over-ride enabled on the Cisco WLC.

For non-LWA use case, please use the other attributes, as Paul suggested:

Airespace-Data-Bandwidth-Average-Contract

Airespace-Real-Time-Bandwidth-Average-Contract

Airespace-Data-Bandwidth-Burst-Contract

Airespace-Real-Time-Bandwidth-Burst-Contract

Airespaces-Data-Bandwidth-Average-Contract-Upstream

Airespace-Real-Time-Bandwidth-Average-Contract-Upstream

Airespace-Data-Bandwidth-Burst-Contract-Upstream

Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream

Did you end up using the solution posted here instead of the Guest-role attribute? we have the same issue but we're using WLC 2504 and we're not able to input a late limit because our WLC doesn't support it.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube