ISE per user policy map

peter.matuska1
Level 1

Hi,

ISE 2.7 with Catalyst 9300. I want to apply policy-map on an interface as a result of authorization. The goal is to limit the speed for the connected device to 15/15M.

Is it possible? What av-pair to use?

thank you

Accepted Solution

Greg Gibbs
Cisco Employee

You might try this approach. I have not tested the traffic policing, but I have confirmed that the policy-map is applied in my lab.

Create an empty class-map (e.g. CLASS_POLICE) and a policy-map (e.g. POLICY_POLICE) on the switch as per this guide.

Create a new template (e.g. NAC_Police) on the switch with the same configuration as your NAC template (e.g. DefaultWiredDot1xOpenAuth) but with the added configuration of your Policing policy (service-policy input POLICY_POLICE).

In your ISE AuthZ Profile, enable the Common Task for 'Interface Template' and specify your new template name (NAC_Police).

Upon authZ, you should see the Interface Template applied to the session:

sw1#show access-sess interf gig0/x det 
            Interface:  GigabitEthernet0/x
<snip>
       Current Policy:  PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Server Policies:
<snip>
   Interface Template:  NAC_Police
              ACS ACL:  xACSACLx-IP-MM-DACL-AD-User-609cc325

You should also see the service-policy applied in the derived-config:

sw1#show derived-config int gig0/x
Building configuration...

Derived configuration : 507 bytes
!
interface GigabitEthernet0/x
<snip>
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
 service-policy input POLICY_POLICE
end

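The two verification steps from the accepted answer, automated as an added example that is not part of the original post: it parses `show access-session` detail output and `show derived-config` output and reports whether the template sent by ISE and the policing service-policy are both present on the port. The sample text is constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample output, modelled on the two commands quoted in the answer.
ACCESS_SESSION = """\
            Interface:  GigabitEthernet0/x
       Current Policy:  PMAP_DefaultWiredDot1xOpenAuth_1X_MAB

Server Policies:
   Interface Template:  NAC_Police
              ACS ACL:  xACSACLx-IP-MM-DACL-AD-User-609cc325
"""
DERIVED_CONFIG = """\
interface GigabitEthernet0/x
 service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
 service-policy input POLICY_POLICE
end
"""

def server_policies(session_text):
    """Return the key/value pairs listed under 'Server Policies:'."""
    policies, in_section = {}, False
    for line in session_text.splitlines():
        if line.strip() == "Server Policies:":
            in_section = True
        elif in_section:
            m = re.match(r"\s*([^:]+?):\s+(\S.*)$", line)
            if m:
                policies[m.group(1).strip()] = m.group(2).strip()
            elif line.strip() and not line.strip().startswith("<"):
                break  # a following section header ends the block
    return policies

def input_service_policies(config_text):
    """Return policy-map names attached with 'service-policy input'."""
    return re.findall(r"^\s*service-policy input (\S+)", config_text, re.M)

def check_port(session_text, config_text, template, policy_map):
    """List mismatches between what ISE sent and what the port is running."""
    problems = []
    got = server_policies(session_text).get("Interface Template")
    if got != template:
        problems.append(f"template from ISE is {got!r}, expected {template!r}")
    if policy_map not in input_service_policies(config_text):
        problems.append(f"no 'service-policy input {policy_map}' in derived-config")
    return problems

if __name__ == "__main__":
    print(check_port(ACCESS_SESSION, DERIVED_CONFIG, "NAC_Police", "POLICY_POLICE") or "OK")
```

An empty list means both conditions hold; this confirms the policy-map is attached, not that traffic is actually being policed.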


Hi,

These attributes work for WLC but not sure about IOS. Try them from
authorization results > advanced attributes > radius. You can verify them
using show session interface x/x details and see what has been passed from
server policies.

Aire-Real-Time-Bandwidth-Average-UpStream-Contract
Aire-Data-Bandwidth-Average-DownStream-Contract
Aire-Data-Bandwidth-Burst-UpStream-Contract
Aire-Real-Time-Bandwidth-Burst-DownStream-Contract
Aire-Real-Time-Bandwidth-Average-DownStream-Contract
Aire-Real-Time-Bandwidth-Burst-UpStream-Contract
Aire-Data-Bandwidth-Average-UpStream-Contract
Aire-Data-Bandwidth-Burst-DownStream-Contract

**** please remember to rate useful posts

thank you, but didn't work.

I did some research and it seems it's possible on routers with ISG enabled
(usually service provider environments).

See below doc

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/isg/configuration/xe-3s/isg-xe-3s-book/isg-radius-pol.html

***** please remember to rate useful posts

thank you. this worked.
