ISE as an accounting server

Majid Jalinousi
Level 1

Hi,

I've installed ISE 1.4 along with vWLC 8.0.120 and I want to set up a hotspot scenario for guest users.

So far everything is OK and our guest users can log in through the hotspot page.

Before installing ISE I had a Mikrotik routerboard as the AAA server; the Mikrotik was a kind of accounting server and our gateway toward the internet.

When we use ISE:

1. Does it have to be our gateway toward the internet? That is, should it be set as the default gateway for guest users?

2. Which accounting information does it keep track of?

Thanks in advance.


14 Replies

Seb Rupik
VIP Alumni

Hi there,

ISE only provides AAA and guest portals in your scenario, not routing.

The default gateway for your guest users will still be defined by the DHCP offer received on the VLAN (WLC interface) that is specified in the WLAN configuration on the WLC. This would typically be a router which has an interface on the same VLAN as the WLC interface.

In your topology you would continue to use your 'Mikrotik routerboard'. It would be good to see your topology, as there is probably a better way to configure the routing on your network.

cheers,

Seb.

Thanks Seb for your reply,

One thing is not clear to me: if our router is a different device from ISE, how can it do accounting services? First of all I want to know which accounting information about a guest user is available with the help of ISE.

For example, if I want to define a quota for our users or shape bandwidth for them, can ISE do it?

And if ISE can't help with it, how can it be done?

BR,

Morteza.

Hi Morteza,

ISE will store your accounting information; the WLC will send RADIUS session start and stop details. It can be configured to send interim updates too. When you create your new WLAN on the WLC, under the WLAN configuration there will be a tab Security -> AAA Servers -> here you will specify the IP address of the ISE PSN (cluster) which will be used for both authentication and accounting.

Regarding shaping bandwidth, you could configure this per VLAN on the router which is connected to each of the WLC interfaces used by the WLAN. ISE could then instruct the WLC which interface to drop the user into (depending on AD group for example).  Look up 'Allow AAA Override' for the WLC.

As for user quotas that is not something ISE supports.

cheers,

Seb.

Thanks again Seb,

Can you explain how I can do shaping per VLAN?

I thought that defining a WLAN in the WLC is like defining an interface VLAN on it, and depending on whether a user connects to that WLAN (SSID) they are put in the corresponding VLAN, and if there is shaping for that VLAN on a router the connected users will actually be shaped. Have I understood correctly?

As I understand your solution, you recommend that ISE drop the user in a different VLAN rather than the VLAN configured for that WLAN. Yes?

You know, for me the best would be to define bandwidth shaping per user. Can the WLC help me with that? I've searched a lot for this, but so far I've not found any solution.

Do you have any experience doing quota per user with any other application? This is critical for me.

BR,

Morteza.

Hello again,

Having thought about the WLC config, the WLAN profile should specify the default interface/interface group authorized users should be dropped into. Any other VLANs you want to use for override just need to be listed under 'controller interfaces' and not be part of the WLAN 'interface group'.

I assume you are using Active Directory as your user database? If so, create user groups to represent the class of access, 'wlanGOLD' for 100% bandwidth, 'wlanSILVER' for 50%, etc., and assign your users to these groups as required. During the authorization step on ISE it will look up the AD wlanXXX group the user belongs to and send the appropriate RADIUS Tunnel-Private-Group-ID to the WLC, therefore putting the user in the correct VLAN.

You then configure QoS on the VLANs routed on the router. See:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_classn/configuration/15-s/qos-classn-15-s-book/qos-classn-vlan.html#GUID-BB643D37-5238-47A4-8504-F9C14E676CF8

I assume you have a Cisco router on hand to accomplish this?

As for user quotas, that is not something I have experience of.

cheers,

Seb.

Morteza,

You can accomplish per user bandwidth contracts.  First, you can set a "baseline" bandwidth contract on the WLAN QoS tab:

Make sure you have AAA Override configured on the Advanced tab.

Then, in ISE, you can create bandwidth contracts that offer more or less bandwidth based on authorization profile.  That part of the authz profile would look something like this:

I would recommend not setting this for every authz profile.  I would set a standard amount on the WLAN tab and only do this for use cases that need more bandwidth.  If this is for use on a guest network, but you allow contractors to also log in via the guest network, you might set the baseline bandwidth on the WLAN itself and then override that with the contractor authz profile attributes.

Tim

Thanks Tim,

But one question: rather than passing these four attributes, is it practical to pass only the QoS type (Bronze, Silver, Gold) and then define these parameters on the QoS types in the WLC?

Another question: I've installed vWLC 8.0.120 on an HP server. I want to know whether it can handle 100 or more guest users simultaneously. Is that solely related to the server hardware?

I would look at using Guest Roles instead.  You can create those by navigating on your WLC to Wireless -> QoS -> Roles.

Then, in the ISE authz profile, you could call it:

I haven't used this method on a customer network, just in my lab.  The method I mentioned earlier has been in production on customer networks.

With the vWLC, you should be using local switching so it should be ok.  Or, if you are using an anchor WLC in the DMZ, then your user limit is based on that WLC platform.

Tim
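To make concrete what ISE actually hands the WLC in the two approaches discussed above (Seb's VLAN override via Tunnel-Private-Group-ID, and Tim's per-user bandwidth contract or guest role in the authz profile), here is an added example that is not from the thread and not Cisco code: it encodes the RADIUS Access-Accept attributes the way an authorization profile would, and decodes them back the way a controller would read them. The standard attribute numbers are from RFC 2865/2868; the Airespace vendor ID (14179) and vendor-attribute numbers are taken from the FreeRADIUS dictionary.airespace as I recall it and are an assumption to check against your own dictionary, as are the VLAN name "guest-gold", the role name "contractor" and the kbps values.

```python
import struct

# Standard RADIUS attribute numbers (RFC 2865 / RFC 2868)
VENDOR_SPECIFIC = 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Assumption: Cisco/Airespace vendor ID and vendor-attribute numbers as found in
# the FreeRADIUS dictionary.airespace; verify against your own dictionary.
AIRESPACE_VENDOR_ID = 14179
AIRESPACE = {
    "Airespace-Data-Bandwidth-Average-Contract": 7,       # kbps, integer
    "Airespace-Real-Time-Bandwidth-Average-Contract": 8,  # kbps, integer
    "Airespace-Data-Bandwidth-Burst-Contract": 9,         # kbps, integer
    "Airespace-Real-Time-Bandwidth-Burst-Contract": 10,   # kbps, integer
    "Airespace-Guest-Role-Name": 11,                      # string, a role defined on the WLC
}
AIRESPACE_NAMES = {num: name for name, num in AIRESPACE.items()}
AIRESPACE_STRING_ATTRS = {11}


def tlv(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(tag, value):
    """RFC 2868 tagged integer: Tag(1) followed by a 3-byte big-endian value."""
    return struct.pack("!B", tag) + struct.pack("!I", value)[1:]


def airespace_vsa(name, value):
    """Vendor-Specific attribute wrapping a single Airespace sub-attribute."""
    body = value.encode() if isinstance(value, str) else struct.pack("!I", value)
    inner = struct.pack("!BB", AIRESPACE[name], len(body) + 2) + body
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", AIRESPACE_VENDOR_ID) + inner)


def build_authz_attributes(vlan, data_avg_kbps=None, data_burst_kbps=None, guest_role=None):
    """Access-Accept attributes: VLAN override, plus optional bandwidth contract / guest role.
    `vlan` must match an interface name (or VLAN ID as a string) configured on the WLC,
    and 'Allow AAA Override' must be enabled on the WLAN for any of this to take effect."""
    tag = 1  # the same tag groups the three tunnel attributes into one set
    out = tlv(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
    out += tlv(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
    out += tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode())
    if data_avg_kbps is not None:
        out += airespace_vsa("Airespace-Data-Bandwidth-Average-Contract", data_avg_kbps)
    if data_burst_kbps is not None:
        out += airespace_vsa("Airespace-Data-Bandwidth-Burst-Contract", data_burst_kbps)
    if guest_role is not None:
        out += airespace_vsa("Airespace-Guest-Role-Name", guest_role)
    return out


def decode_attributes(blob):
    """Parse an attribute blob into (name, value) pairs, the way a controller would read it."""
    decoded, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if attr_type == TUNNEL_TYPE else "Tunnel-Medium-Type"
            decoded.append((name, int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # The leading byte is a tag only when it is 0x00..0x1F (RFC 2868 s3.6).
            text = value[1:] if value[0] <= 0x1F else value
            decoded.append(("Tunnel-Private-Group-ID", text.decode()))
        elif attr_type == VENDOR_SPECIFIC and int.from_bytes(value[:4], "big") == AIRESPACE_VENDOR_ID:
            vtype, vlen = value[4], value[5]
            vval = value[6:4 + vlen]
            name = AIRESPACE_NAMES.get(vtype, f"Airespace-{vtype}")
            as_str = vtype in AIRESPACE_STRING_ATTRS
            decoded.append((name, vval.decode() if as_str else int.from_bytes(vval, "big")))
        else:
            decoded.append((f"Attr-{attr_type}", value))
    return decoded
```

Calling `build_authz_attributes("guest-gold", data_avg_kbps=2000, data_burst_kbps=4000, guest_role="contractor")` yields the three tagged tunnel attributes followed by three Airespace VSAs; `build_authz_attributes("guest")` yields only the VLAN override, which is what Seb's AD-group-to-VLAN design sends. The decoder's bounds checks matter on the receiving side: a RADIUS parser that trusts the length byte is a classic source of out-of-bounds reads.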

Tim,

Thanks for your response,

I'll test it and let you know the result, but one thing is still not clear to me: how much hardware resource does it need for 100 or more simultaneous guest users?

Now I'm using vWLC 8.0.120 in FlexConnect mode. I want to know what the difference is between local switching and FlexConnect. Is this scenario practical with the vWLC in FlexConnect mode?

And the last question: do you have any experience defining a specific quota for users with the help of ISE or any other application?

BR,

Morteza.

Morteza,

If you are running the vWLC and your guest WLAN is set for local switching, you don't need to worry about a small number of clients like 100 as far as the vWLC goes.  The guest traffic is being switched locally, so the data plane burden is not on the vWLC - just the control plane.  The data sheet for the vWLC that talks about how many clients and APs are supported can be found here:

http://www.cisco.com/c/en/us/products/collateral/wireless/virtual-wireless-controller/data_sheet_c78-714543.html

You have two primary modes for your APs: Local mode and FlexConnect mode.  With the vWLC, you're looking at FlexConnect mode.  You can configure your WLAN to have the data plane centrally switched or locally switched.  If you have an anchor WLC in a DMZ, you probably want guest traffic to be anchored from your vWLC to that DMZ WLC and therefore centrally switched.  But, if you don't have that setup, you'll want to locally switch your traffic, where the data plane is handled directly by the switch the AP is connected to.

I'm not sure I understand your last question, can you restate it?

Tim

Thanks a lot Tim,

With the vWLC only APs in FC mode work for me, and changing to Local mode makes the AP invisible in the vWLC. Would you please describe for me what the reason is?

2nd question: if I want to limit the amount of traffic each user is able to use (for example 1 GB per week),

is there any way to do it with the help of ISE and the vWLC, or should I use another tool for doing that?

BR,

Morteza.

Access points in Local Mode are not supported on the vWLC:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn81mr2.html#pgfId-1319001

We can handle bandwidth contracts as I spelled out above, but metering aggregate bandwidth consumption over time is not something we can do with ISE or the WLC (as far as I know).  Someone else may be able to provide some direction with other Cisco products.

Tim
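The thread establishes two things: the WLC sends RADIUS accounting Start/Stop (and optionally Interim-Update) records to ISE, and neither ISE nor the WLC will meter a user's aggregate consumption against a quota such as 1 GB per week. The metering itself is straightforward on the accounting data, so here is an added example, not from the thread and not Cisco code, of an external consumer doing it: it builds sample Accounting-Request packets as a controller would (RFC 2866), verifies each one's Request Authenticator against the shared secret before trusting it, and totals Acct-Input-Octets/Acct-Output-Octets per user, treating the per-session counters as cumulative. The user names, session IDs, byte counts and shared secret are constructed; how you obtain the raw records in practice (a second accounting server that the WLC also sends to, or the same fields pulled from ISE's own accounting logs) is an assumption outside the example.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

ACCOUNTING_REQUEST = 4
USER_NAME, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 1, 40, 42, 43
ACCT_SESSION_ID, ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS = 44, 52, 53
START, STOP, INTERIM_UPDATE = 1, 2, 3

SECRET = b"constructed-shared-secret"  # constructed; never hard-code a real secret


def tlv(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(ident, secret, attrs):
    """Accounting-Request (RFC 2866 s3): Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(tlv(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_acct_request(packet, secret):
    """Reject records not produced with our shared secret (spoofed NAS or tampered bytes)."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def acct_record(packet, secret):
    if not verify_acct_request(packet, secret):
        raise ValueError("Request-Authenticator check failed")
    a = parse_attributes(packet)
    num = lambda t: struct.unpack("!I", a[t])[0] if t in a else 0
    # Gigawords hold the high 32 bits once a session passes 4 GiB in one direction.
    octets_in = (num(ACCT_INPUT_GIGAWORDS) << 32) | num(ACCT_INPUT_OCTETS)
    octets_out = (num(ACCT_OUTPUT_GIGAWORDS) << 32) | num(ACCT_OUTPUT_OCTETS)
    return {"user": a[USER_NAME].decode(), "session": a[ACCT_SESSION_ID].decode(),
            "status": num(ACCT_STATUS_TYPE), "octets": octets_in + octets_out}


def usage_per_user(records):
    """Counters in Interim-Update and Stop are cumulative for the session, so keep only
    the latest value per session, then sum a user's sessions."""
    latest = {}
    for r in records:
        key = (r["user"], r["session"])
        if r["status"] == START:
            latest.setdefault(key, 0)
        elif r["status"] in (INTERIM_UPDATE, STOP):
            latest[key] = r["octets"]
    totals = defaultdict(int)
    for (user, _session), octets in latest.items():
        totals[user] += octets
    return dict(totals)


def over_quota(totals, quota_bytes):
    return sorted(user for user, used in totals.items() if used > quota_bytes)


def sample_packets():
    """Constructed records for two guests, shaped as a WLC would send them to the PSN."""
    def pkt(ident, user, session, status, octets_in, octets_out):
        return build_acct_request(ident, SECRET, [
            (USER_NAME, user.encode()), (ACCT_SESSION_ID, session.encode()),
            (ACCT_STATUS_TYPE, struct.pack("!I", status)),
            (ACCT_INPUT_OCTETS, struct.pack("!I", octets_in)),
            (ACCT_OUTPUT_OCTETS, struct.pack("!I", octets_out))])
    return [pkt(1, "alice", "a1", START, 0, 0),
            pkt(2, "alice", "a1", INTERIM_UPDATE, 100_000_000, 300_000_000),
            pkt(3, "bob", "b1", START, 0, 0),
            pkt(4, "alice", "a1", INTERIM_UPDATE, 200_000_000, 600_000_000),
            pkt(5, "alice", "a1", STOP, 250_000_000, 800_000_000),
            pkt(6, "alice", "a2", STOP, 50_000_000, 100_000_000),
            pkt(7, "bob", "b1", STOP, 10_000_000, 20_000_000)]


def weekly_report(packets, secret=SECRET, quota_bytes=1_000_000_000):
    totals = usage_per_user(acct_record(p, secret) for p in packets)
    return totals, over_quota(totals, quota_bytes)
```

With the constructed records, `weekly_report(sample_packets())` attributes 1,200,000,000 bytes to alice across her two sessions and 30,000,000 to bob, so only alice exceeds the 1 GB quota. Summing every Interim-Update instead of keeping the latest per session would triple-count alice's first session, which is the usual mistake in home-grown meters. The authenticator check is what stops anyone on the network from inflating or zeroing a user's usage with forged accounting packets; the MD5-based construction is what RFC 2866 specifies, so the shared secret should be long and random, and the accounting traffic should be confined to a management network.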

Thanks for your response

Apologies for taking your time, Seb, and thanks a lot,

If instead of a router I have a Cisco 3750 switch, is the solution the same?

If I've understood correctly, with this solution shaping is done per VLAN and not per user; that is, if 10 users are put in the same VLAN, the bandwidth allocated to that VLAN is shared among the users. Is that correct?

If I want to shape the available bandwidth per user, what's the solution?

BR,

Morteza.
