Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2272
Views
1
Helpful
7
Replies

Cisco ISE Guest-Role Attribute not working

Go to solution
Marc Aemmer
Level 1
Level 1

‎09-15-2017 03:08 AM

Hi there,

In our authorization profile for guest users, we configured the Airespace Radius Attirbute "Airespace:Airespace-Guest-Role-Name" with a value of "medium". On our WLC we have a QoS Role named "medium" with the appropiate data rates.

In the results pane of the ISE Live Log I can see that the attribute was sent correctly. But the data rates configured in the QoS Role are not assigned to the client on the WLC.

Any ideas?

regards,

Marc

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-15-2017 10:43 PM

Table 5 in RADIUS Authentication Attributes Sent by the Controller in WLC Configuration Guide, 8.3 says,

Guest-Role-Name

Note    

Guest-Role-Name is honored only on L3 security web authentication with AAA over-ride enabled on the Cisco WLC.

For non-LWA use case, please use the other attributes, as Paul suggested:

Airespace-Data-Bandwidth-Average-Contract

Airespace-Real-Time-Bandwidth-Average-Contract

Airespace-Data-Bandwidth-Burst-Contract

Airespace-Real-Time-Bandwidth-Burst-Contract

Airespaces-Data-Bandwidth-Average-Contract-Upstream

Airespace-Real-Time-Bandwidth-Average-Contract-Upstream

Airespace-Data-Bandwidth-Burst-Contract-Upstream

Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream

View solution in original post

0 Helpful
7 Replies 7

Go to solution
paul
Level 10
Level 10

‎09-15-2017 02:17 PM

Why not have ISE just set the data rates?

Capture.JPG

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎09-15-2017 02:47 PM

I think the guest role is something that would need to be set or specified on the WLC side of things , it's not synonymous with the ise guest portal or flows it doesn't have any correlation

Please reach out to wireless team and consult with its documentation on how it is used

0 Helpful

Go to solution
Andryan Viryadi Tanamir
Level 1
Level 1
In response to paul

‎03-22-2018 01:59 AM

Hi Paul,

Thanks for the information.

By the way, if that is enforced in AuthZ Profile in ISE, does that settings applied to per user (per client) or a group of users sharing that amount of bandwidth rate (a group of users sharing the same AuthZ profile for example) ?

Thanks

Andryan VT

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Andryan Viryadi Tanamir

‎03-22-2018 04:30 AM

The settings should be applied per user.  The quality of service screen shot I posted was from the client detail on the WLC.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-15-2017 10:43 PM

Table 5 in RADIUS Authentication Attributes Sent by the Controller in WLC Configuration Guide, 8.3 says,

Guest-Role-Name

Note    

Guest-Role-Name is honored only on L3 security web authentication with AAA over-ride enabled on the Cisco WLC.

For non-LWA use case, please use the other attributes, as Paul suggested:

Airespace-Data-Bandwidth-Average-Contract

Airespace-Real-Time-Bandwidth-Average-Contract

Airespace-Data-Bandwidth-Burst-Contract

Airespace-Real-Time-Bandwidth-Burst-Contract

Airespaces-Data-Bandwidth-Average-Contract-Upstream

Airespace-Real-Time-Bandwidth-Average-Contract-Upstream

Airespace-Data-Bandwidth-Burst-Contract-Upstream

Airespace-Real-Time-Bandwidth-Burst-Contract-Upstream

0 Helpful

Go to solution
Richard Imus
Level 1
Level 1
In response to hslai

‎08-17-2018 09:15 AM

Did you end up using the solution posted here instead of the Guest-role attribute? we have the same issue but we're using WLC 2504 and we're not able to input a late limit because our WLC doesn't support it.

0 Helpful
Customers Also Viewed These Support Documents