Policy Enforcement and Usage Monitoring


A policy enforcement and usage monitoring system is a network management mechanism that

  • applies dynamic QoS policies and enforces upstream and downstream TCP or UDP data rate limits on 802.11 clients

  • monitors each client’s data usage without disrupting ongoing sessions, and

  • supports multiple wireless authentication methods such as 802.1X, PSK, and web authentication.

APs periodically send client statistics, including bandwidth consumption, to the controller. The AAA server receives Accounting-Interim messages at configured intervals and uses them to accumulate consumption data for each client. When a client exceeds the configured data threshold, the AAA server sends a Change-of-Authorization (CoA) message to the controller. This process keeps the client connected and maintains session persistence during policy changes.


Note: Only FlexConnect local switching mode is supported.


Configure policy enforcement and enable CoA (CLI)

Configure network device policy enforcement and enable dynamic reauthorization for RADIUS clients.
This task is required when implementing RADIUS-based policy control on supported network devices and enabling Change-of-Authorization capabilities for dynamic policy updates.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create a local server RADIUS profile in the controller.

Example:

Device(config)# aaa server radius dynamic-author

Step 3

Configure a server key for a RADIUS client.

Example:

Device(config-locsvr-da-radius)# client client-ip-addr server-key key

Step 4

(Optional) Display the AAA CoA packet statistics.

Example:

Device# show aaa command handler

The device is now configured to enforce policy and support change-of-authorization for RADIUS clients. You can verify configuration or monitor status as needed.
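The server key from Step 3 is the only thing that authenticates a CoA request to the controller. The following added example (not from the original page and not Cisco code) computes and verifies the CoA-Request authenticator as defined in RFC 5176 and RFC 2866; the shared secret, packet identifier, and attribute values are constructed for illustration.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43  # RADIUS code for CoA-Request (RFC 5176)


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_coa_request(ident, attrs, secret):
    """Assemble a CoA-Request as the AAA server side would (builds the sample)."""
    auth = request_authenticator(COA_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def verify_coa_request(packet, secret):
    """True only for a well-formed CoA-Request whose authenticator matches."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length < 20 or length > len(packet):
        return False
    received = packet[4:20]
    attrs = packet[20:length]  # octets beyond Length are padding and ignored
    expected = request_authenticator(code, ident, attrs, secret)
    return hmac.compare_digest(received, expected)  # constant-time comparison


def attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


# Constructed sample: User-Name (1) and Acct-Session-Id (44) identify the session.
SECRET = b"constructed-shared-secret"
ATTRS = attribute(1, b"client01") + attribute(44, b"0000002A")
PACKET = build_coa_request(7, ATTRS, SECRET)

if __name__ == "__main__":
    print("correct key:", verify_coa_request(PACKET, SECRET))
    print("wrong key:  ", verify_coa_request(PACKET, b"cisco123"))
    print("tampered:   ", verify_coa_request(PACKET[:-1] + b"B", SECRET))
```

Because the authenticator depends only on the packet contents and the key, the strength of the server key is what protects CoA; short sample values such as cisco123 in this page's example configuration should not be reused on a deployed controller.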

Example: Configure policy enforcement and usage monitoring

Policy enforcement and usage monitoring is applied on a group where a class-map is created for quality of service (QoS) policies. This is done using Change of Authorization (CoA).

Here is a sample configuration for policy enforcement and usage monitoring:


! AAA and RADIUS server. cisco123 is this sample's placeholder key; use a strong, unique shared secret on a real deployment.
aaa new-model
radius server radius_free
  address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
  key cisco123
  exit
! Accept CoA requests from the AAA server at 10.0.0.1
aaa server radius dynamic-author
  client 10.0.0.1 server-key cisco123
aaa group server radius rad_eap
  server name radius_free
  exit
! 802.1X authentication through the RADIUS group
dot1x system-auth-control
aaa authentication dot1x eap_methods group rad_eap
! QoS class maps and policing policies
class-map client_dscp_clsmapout
  match dscp af13
  exit
class-map client_dscp_clsmapin
  match dscp af13
  exit
policy-map qos_new
  class client_dscp_clsmapout
    police 512000 conform-action transmit exceed-action drop
policy-map qos_nbn
  class client_dscp_clsmapin
    police 16000000 conform-action transmit exceed-action drop
! WLAN with WPA2-AES and 802.1X
wlan test1 3 test2
  broadcast-ssid
  security wpa wpa2 ciphers aes
  security dot1x authentication-list eap_methods
  no shutdown
  exit
! Policy profile for FlexConnect local switching with AAA override
wireless profile policy named-policy-profile
  shutdown
  vlan 10
  aaa-override
  no central association
  no central dhcp
  no central switching
  no shutdown
wireless tag policy named-policy-tag
  wlan test1 policy named-policy-profile
wireless profile flex FP_name_001
  native-vlan-id 10
wireless tag site ST_name_001
  no local-site
  flex-profile FP_name_001
  exit
ap test-ap
  policy-tag named-policy-tag
  site-tag ST_name_001
  exit
aaa authorization network default group radius
exit

Verify policy usage and enforcement

To view the detailed information about the policies applied to a specific client, use this command:

Device# show wireless client mac-address mac-address detail 

To view client-level mobility statistics, use this command:

Device# show wireless client mac-address mac-address mobility statistics 

To view client-level roaming history for an active client in a sub-domain, use this command:

Device# show wireless client mac-address mac-address mobility history 

To view detailed parameters of a given profile policy, use this command:

Device# show wireless profile policy detailed policy-name