Solved: Re: How to limit bandwidth for Wired Clients on a per user or Group ba

Ferdaush · ‎10-12-2022

Hi Experts,

we know that Cisco ISE is a security policy management platform that provides secure access to network resources, can we do bandwidth control by Cisco ISE policy for Wired clients (802.1x Clients) on a per user or gruop basis?

Ferdaush · ‎10-13-2022

Thanks, I am looking for the QoS configuration example or solution for the Cisco Catalyst 9300 Series Switches and ISE Authorization profile idea. I did applied worksome but not as expected output gotten. I used AuthZ profile for Cisco:cisco-data-rate Radius advance attributies.

View solution in original post

Ferdaush · ‎10-26-2022

I am getting some idea from below materials but still working on it.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://www.wiresandwi.fi/blog/solid-config-cisco-ibns-2-0-802-1x-mab-switch-configuration-ios-xe

View solution in original post

balaji.bandi · ‎10-13-2022

may be you need to manually configure on the switches?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ferdaush · ‎10-13-2022

Thanks a lot for your comment but I think there should be way bind policy with Switch like Cisco WLC. If you have any idea

balaji.bandi · ‎10-13-2022

Wiress is different compare to Wired network.

You can use QoS policies as suggested.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎10-13-2022

@Ferdaush You can authorise the users by AD user or group membership and then dynamically send the specific RADIUS attributes. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/15-mt/sec-usr-radatt-15-mt-book/sec-rad-att-AAA-per-VC.html

balaji.bandi · ‎10-13-2022

Just to clarity is this works on Ethernet port ? (never tested) - but keen to know.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ferdaush · ‎10-13-2022

Yes, Ethernet port.

Ferdaush · ‎10-13-2022

I idea is use Cisco ISE instead of Packetshaper system in some cases. May be control network bandwidth by user or AD group basis. Thanks @balaji.bandi and @Rob Ingram for your response.

Rob Ingram · ‎10-13-2022

@Ferdaush another option you could apply the QoS configuration (and other settings) in an interface template. Then from ISE use the authorisation profile to define the interface template and assign this on a per AD group basis.

Ferdaush · ‎10-13-2022

Thanks, I am looking for the QoS configuration example or solution for the Cisco Catalyst 9300 Series Switches and ISE Authorization profile idea. I did applied worksome but not as expected output gotten. I used AuthZ profile for Cisco:cisco-data-rate Radius advance attributies.

Ferdaush · ‎10-16-2022

Could you please share "QoS configuration (and other settings) in an interface template" if you have any @Rob Ingram

Ferdaush · ‎10-26-2022

I am getting some idea from below materials but still working on it.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

https://www.wiresandwi.fi/blog/solid-config-cisco-ibns-2-0-802-1x-mab-switch-configuration-ios-xe

Ferdaush · ‎10-26-2022

One More document found as below link:

https://community.cisco.com/t5/security-knowledge-base/neat-with-interface-template/ta-p/3642967

How to limit bandwidth for Wired Clients on a per user or Group basis?