QoS settings push from MS Radius

plotniku7
Level 1

Hi,

I am using Cisco switches for network access, mostly 2960S with PoE, configured with dot1x and MAB authentication: dot1x for computers and MAB for phones.

The RADIUS server is on MS 2008 R2 (NPS service). It is working fine, and all my PCs are added to the domain.

I also want to deploy QoS, and to push some configs from RADIUS using AV pairs.

So, here is my basic port config without QoS:

interface GigabitEthernet1/0/13
 switchport mode access
 switchport voice vlan 22
 ip arp inspection limit rate 50
 authentication event fail action authorize vlan 21
 authentication event no-response action authorize vlan 21
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 5
 dot1x timeout tx-period 5
 dot1x timeout auth-period 5
 spanning-tree portfast
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable

Phones get authenticated (non-Cisco phones), and PCs also.

What I did for QoS: I enabled QoS globally and adjusted the SRR queues. I also added a policy map with the respective class maps:

class-map match-all voip-sign-cm-01
 match ip dscp af31
class-map match-all voip-data-cm-02
 match ip dscp ef
class-map match-all voip-data-cm-01
 match ip dscp cs5
class-map match-all voip-sign-cm-02
 match ip dscp cs3
!
policy-map voip-mitel-pm
 class voip-data-cm-01
  set dscp ef
  police 256000 8000 exceed-action policed-dscp-transmit
 class voip-sign-cm-01
  set dscp cs3
  police 64000 8000 exceed-action policed-dscp-transmit
 class voip-data-cm-02
  set dscp ef
  police 256000 8000 exceed-action policed-dscp-transmit
 class voip-sign-cm-02
  set dscp cs3
  police 64000 8000 exceed-action policed-dscp-transmit
 class class-default
  set dscp default
  police 20000000 8000 exceed-action policed-dscp-transmit

So, next is what I add to the port config:

interface GigabitEthernet1/0/13
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 mls qos trust dscp
 service-policy input voip-mitel-pm

What I want to do is push the above commands from RADIUS and have them applied only for authenticated ports.

I use the next Cisco avpair strings:

ip:sub-qos-policy-in=voip-mitel-pm
lcp:interface-config#1=srr-queue bandwidth share 1 30 35 5
lcp:interface-config#2=priority-queue out
lcp:interface-config#3=mls qos trust dscp

But unfortunately I cannot see QoS enabled under the interface (as I see with the command show mls qos interfaces g1/0/13 or show policy-map interface g1/0/13).

Any ideas?
