Hi,
I am using Cisco switches for network access, mostly 2960S with PoE, configured with dot1x and MAB authentication: dot1x for computers and MAB for phones.
The RADIUS server is on MS 2008 R2 (NPS service). It is working fine, and all my PCs are added to the domain.
I also want to deploy QoS and to push some configs from RADIUS using AV pairs.
So, here is my basic port config without QoS:
interface GigabitEthernet1/0/13
 switchport mode access
 switchport voice vlan 22
 ip arp inspection limit rate 50
 authentication event fail action authorize vlan 21
 authentication event no-response action authorize vlan 21
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 5
 dot1x timeout auth-period 5
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
Phones (non-Cisco phones) get authenticated, and PCs also.
What I did for QoS: I have enabled QoS globally and adjusted the SRR queues. I also added a policy map with the respective class maps:
class-map match-all voip-sign-cm-01
 match ip dscp af31
class-map match-all voip-data-cm-02
 match ip dscp ef
class-map match-all voip-data-cm-01
 match ip dscp cs5
class-map match-all voip-sign-cm-02
 match ip dscp cs3
!
policy-map voip-mitel-pm
 class voip-data-cm-01
  set dscp ef
  police 256000 8000 exceed-action policed-dscp-transmit
 class voip-sign-cm-01
  set dscp cs3
  police 64000 8000 exceed-action policed-dscp-transmit
 class voip-data-cm-02
  set dscp ef
  police 256000 8000 exceed-action policed-dscp-transmit
 class voip-sign-cm-02
  set dscp cs3
  police 64000 8000 exceed-action policed-dscp-transmit
 class class-default
  set dscp default
  police 20000000 8000 exceed-action policed-dscp-transmit
So, next is what I add to the port config:
interface GigabitEthernet1/0/13
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 service-policy input voip-mitel-pm
What I want to do is to push the above commands from RADIUS and to have them applied only on authenticated ports.
I use the following Cisco AV-pair strings:
ip:sub-qos-policy-in=voip-mitel-pm
lcp:interface-config#1=srr-queue bandwidth share 1 30 35 5
lcp:interface-config#2=priority-queue out
lcp:interface-config#3=mls qos trust dscp
But unfortunately I cannot see QoS enabled under the interface (as seen with the command show mls qos interfaces g1/0/13 or show policy-map interface g1/0/13).
Any ideas?