Policy Enforcement and Usage Monitoring

You can enforce dynamic QoS policies and upstream and downstream TCP or UDP data rates on 802.11 clients without disrupting the clients' ongoing sessions. The feature ensures that clients do not have to be disassociated from the network. All authentication methods, such as 802.1X, PSK, and web authentication, are supported.

The APs periodically send client statistics, including bandwidth usage, to the Controller. The AAA server receives Accounting-Interim messages, which include each client's data utilization, at the configured intervals. The AAA server accumulates information about data consumption for each client, and when a client exhausts its data limit, the AAA server sends a change-of-authorization (CoA) message to the Controllers. Upon successful CoA handshakes, the Controllers apply the new policies and send them to the APs.

Restrictions on Policy Enforcement and Usage Monitoring

  • Only FlexConnect local switching mode is supported.

Configuring Policy Enforcement and Enabling Change-of-Authorization (CLI)

For more information, see the utility specified in the Utilities for configuring Security section of this guide.

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

aaa server radius dynamic-author

Example:

Device(config)# aaa server radius dynamic-author

Creates a local server RADIUS profile in the controller.

Step 3

client client-ip-addr server-key key

Example:

Device(config-locsvr-da-radius)# client 3.2.4.3 server-key testpwd

Configures a server key for a RADIUS client.

Step 4

[Optional] show aaa command handler

Example:

Device# show aaa command handler

Displays the AAA CoA packet statistics.

Example: Configuring Policy Enforcement and Usage Monitoring

Policy enforcement and usage monitoring is applied on a group where a class-map is created for QoS policies. This is done via CoA.

Given below is a sample configuration for policy enforcement and usage monitoring:


aaa new-model
radius server radius_free
  address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
  key cisco123
  exit

aaa new-model
aaa server radius dynamic-author
  client 10.0.0.1 server-key cisco123
aaa new-model
aaa group server radius rad_eap
  server name radius_free
  exit
aaa new-model
dot1x system-auth-control
aaa authentication dot1x eap_methods group rad_eap
dot1x system-auth-control
class-map client_dscp_clsmapout
  match dscp af13
  exit
class-map client_dscp_clsmapin
  match dscp af13
  exit
policy-map qos_new
  class client_dscp_clsmapout
    police 512000 conform-action transmit exceed-action drop
policy-map qos_nbn
  class client_dscp_clsmapin
    police 16000000 conform-action transmit exceed-action drop
wlan test1 3 test2
  broadcast-ssid
  security wpa wpa2 ciphers aes
  security dot1x authentication-list eap_methods
  no shutdown
  exit
wireless profile policy named-policy-profile
  shutdown
  vlan 10
  aaa-override
  no central association
  no central dhcp
  no central switching
  no shutdown
wireless tag policy named-policy-tag
  wlan test1 policy named-policy-profile
wireless profile flex FP_name_001
  native-vlan-id 10
wireless tag site ST_name_001
  no local-site
  flex-profile FP_name_001
  exit
ap test-ap
  policy-tag named-policy-tag
  site-tag ST_name_001
  exit
aaa authorization network default group radius
exit

Verifying Policy Usage and Enforcement

To view the detailed information about the policies applied to a specific client, use the following command:

Device# show wireless client mac-address mac-address detail 

To view client-level mobility statistics, use the following command:

Device# show wireless client mac-address mac-address mobility statistics 

To view client-level roaming history for an active client in a sub-domain, use the following command:

Device# show wireless client mac-address mac-address mobility history 

To view detailed parameters of a given profile policy, use the following command:

Device# show wireless profile policy detailed policy-name