How to add an attribute in the authentication phase?

Jaime Salcedo
Cisco Employee

I am trying to limit traffic profiles to users via RADIUS.

I have found that in the documentation:

Configuring Controller Settings - Configuring Quality of Service  [Cisco 5500 Series Wireless Controllers] - Cisco Syste…

“If you choose to create an entry on the RADIUS server for a guest user and enable RADIUS authentication
for the WLAN on which web authentication is performed rather than adding a guest user to the local user
database from the controller, you need to assign the QoS role on the RADIUS server itself. To do so, a
“guest-role” Airespace attribute needs to be added on the RADIUS server with a datatype of “string” and
a return value of “11.” This attribute is sent to the controller when authentication occurs. If a role with the
name returned from the RADIUS server is found configured on the controller, the bandwidth associated
to that role is enforced for the guest user after authentication completes successfully.”

It says that this is sent in the authentication phase, but I am not able to see in ISE how to do it in the authentication phase; I am only able to send it in the authorization phase.

Is it possible to do that in ISE 2.0?

If yes, how is that done?

I am using internal users in ISE.

Accepted Solutions

vibobrov
Cisco Employee

The easiest way to rate limit guests is to use BDRL (Bidirectional Rate Limiting).

In the AuthZ policy, return the attributes shown in the screenshot below. The values are in kbits/sec.

[Screenshot: image001.png]

5 Replies

hslai
Cisco Employee

I believe it refers to the Local Web Authentication (LWA) rather than the Central Web Authentication (CWA).

In LWA, the WLC may authenticate a webauth user against an ISE PSN and the ISE PSN would evaluate both the authentication and authorization policies in the process. See External User Authentication (RADIUS) for more info. Thus, it's done by adding such an attribute in the matched ISE authorization profile.

As to how this guest-role Airespace attribute works, please consult with our wireless support and/or product teams.

Hi,

I am not talking here about any web authentication.

I am talking about PEAP with a user and password. From the explanation, it seems it is in the first phase of PEAP, before the 4-way, where this guest user information has to go from ISE to the WLC.

Cheers

The problem I am getting is that I am receiving this message from the WLC:

“Unknown Airespace / Attribute 11” when using “Airespace-Guest-Role-Name” (attribute ID 11)

Cheers


Please consult the wireless support teams for that. It may or may not be supported in the recent AireOS releases.

Even with PEAP, ISE will evaluate both authentication and authorization policies and return with the matched authorization profiles.
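To confirm what the WLC is actually sent, the guest-role attribute can be looked for in the attribute section of a captured Access-Accept, where the attributes of the matched authorization profile are carried. The following is an added example, not code from the thread or from Cisco; the function names, the role name "Contractor" and the sample bytes are constructed, and it assumes the Airespace vendor ID 14179 with sub-attribute 11 encoded as a standard RFC 2865 Vendor-Specific attribute.

```python
import struct

AIRESPACE_VENDOR_ID = 14179   # assumption: Airespace IANA enterprise number
GUEST_ROLE_NAME = 11          # Airespace-Guest-Role-Name (attribute ID 11 in the thread)
VENDOR_SPECIFIC = 26          # RFC 2865 Vendor-Specific attribute type


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single sub-attribute."""
    sub = bytes([vendor_type, 2 + len(value)]) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a one-byte length field")
    return bytes([VENDOR_SPECIFIC, 2 + len(body)]) + body


def iter_tlvs(buf):
    """Yield (type, value) pairs; reject truncated or undersized TLVs."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header")
        typ, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        yield typ, buf[pos + 2:pos + length]
        pos += length


def guest_roles(attributes):
    """Return every Airespace guest-role string in a packet's attribute section."""
    roles = []
    for typ, value in iter_tlvs(attributes):
        if typ != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != AIRESPACE_VENDOR_ID:
            continue
        for sub_type, sub_value in iter_tlvs(value[4:]):
            if sub_type == GUEST_ROLE_NAME:
                roles.append(sub_value.decode("utf-8", "replace"))
    return roles


# Constructed sample: attributes of an Access-Accept (bytes after the 20-byte header):
# User-Name "guest" followed by the Airespace guest-role VSA.
SAMPLE = bytes([1, 7]) + b"guest" + encode_vsa(AIRESPACE_VENDOR_ID, GUEST_ROLE_NAME, b"Contractor")
```

An empty list from `guest_roles` on a real capture means the matched authorization profile did not return the attribute at all, which separates an ISE policy problem from a WLC parsing problem.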
