
AAA Per VC QoS Policy Support

The AAA Per VC QoS Policy Support feature provides the ability to modify an existing quality of service (QoS) profile applied to a session while that session remains active using new Cisco attribute-value (AV) pairs that specify service policy output and service policy input.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for AAA Per VC QoS Policy Support

You should be familiar with defining policy maps for managing subscriber sessions, and with configuring QoS traffic conditioning. See the Additional References section for information on these topics.

Restrictions for AAA Per VC QoS Policy Support

Although there are no specific restrictions for using the AAA Per VC QoS Policy Support feature, defect report CSCef69140 describes a problem whereby in PPPoA sessions, an input service policy cannot be applied at the ATM virtual circuit (VC) level. Instead, an input service policy, and therefore an input policy AV pair, must be applied under interface virtual template mode.

Also, read through the configuration guidelines in the Interface Policy Map AAA Attributes section before using the attributes described in this document.

Information About AAA Per VC QoS Policy Support

RADIUS Push and Pull

Cisco Systems software offers applications for the DSL aggregation market and service providers that make powerful use of dynamic policy maps. Policy maps govern user services to be deployed in the network and are triggered by a service or by a user, concepts referred to as push and pull. Pull refers to a policy applied during authentication. Push refers to the dynamic change of policy on the session using a Change of Authorization (CoA) message. Before the AAA Per VC QoS Policy Support feature was introduced in Cisco IOS Release 12.4(2)T, there was no RADIUS push and pull capability for a policy map at the ATM VC level. RADIUS supported only dynamic bandwidth selection and virtual access interface policy maps applied during the establishment of a PPP session. The AAA Per VC QoS Policy Support feature provides support for RADIUS push and pull capability for a policy map at the ATM VC level.

RADIUS pull of policy maps on a VC means that a policy map can be applied on the VC while a PPP over ATM (PPPoA) session is being established. PPPoA sessions are established between a policy server and a routing gateway.

Service policies are applied only when a subscriber first authenticates the VC. Software creates an identifier that is used as the session unique identifier between the router and the RADIUS server using RADIUS Internet Engineering Task Force (IETF) attribute 44. This identifier is sent with an Access Request message and all accounting records for that session.

RADIUS push functionality provides the ability to modify an existing QoS profile applied to a session while that session remains active. A policy server governs the authorization of active sessions with its ability to send a Change of Authorization (CoA) message (see the figure below). Specific events can trigger the CoA message and allow modification of the QoS configuration. Implementation of RADIUS push eliminates the need to preprovision subscribers, allowing QoS policies to be transparently applied where and when required without the disruption of session reauthentication.

Figure 1. RADIUS Push

These abilities provide a high degree of flexibility, smaller configuration files, and more efficient use of queueing resources. And perhaps more importantly, RADIUS push and pull eliminates the need to statically configure a policy map on every VC or VLAN.

This feature is implemented by Cisco AV pairs that identify QoS policies configured on the router from a RADIUS server by defining service policy output and service policy input. The AV pairs place the appropriate policy map, which is identified by name, directly on the interface. The interface can be either an ATM VC or Ethernet VLAN.

After the initial subscriber authentication and authorization process, RADIUS returns the appropriate AV name for the policy maps to be applied at the VC and virtual-access interface level. The QoS policy maps define the subscriber user experience for broadband service and can be leveraged to deliver higher value services such as VoIP and video.
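How the push described in this section looks on the wire, as an added example that is not Cisco's code: a CoA-Request carrying attribute 44 and one Cisco AV pair is encoded, then parsed the way a receiver should, checking the Request Authenticator before any policy name is read. The RFC 5176 framing, Cisco vendor ID 9, the function names and the shared secret are assumptions of the example; the session identifier and policy name are the ones used in this page's configuration example.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43        # RFC 5176 packet code
ACCT_SESSION_ID = 44    # IETF attribute 44: the session identifier
VENDOR_SPECIFIC = 26    # IETF attribute 26 wraps vendor attributes
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1        # Cisco vendor type 1 carries the AV pair string

def _attr(attr_type, value):
    # Type, length (including the two header octets), value.
    return bytes([attr_type, len(value) + 2]) + value

def _authenticator(code, ident, attrs, secret):
    # RFC 5176: MD5 over the header, 16 zero octets, attributes, shared secret.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_coa(ident, session_id, avpairs, secret):
    """Policy-server side: encode a CoA-Request for one session."""
    attrs = _attr(ACCT_SESSION_ID, session_id.encode())
    for pair in avpairs:
        vsa = struct.pack("!I", CISCO_VENDOR_ID) + _attr(CISCO_AVPAIR, pair.encode())
        attrs += _attr(VENDOR_SPECIFIC, vsa)
    auth = _authenticator(COA_REQUEST, ident, attrs, secret)
    return struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs)) + auth + attrs

def parse_coa(packet, secret):
    """Receiver side: authenticate first, then extract session id and AV pairs."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    attrs = packet[20:]
    expected = _authenticator(code, ident, attrs, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Request Authenticator mismatch")
    session_id, avpairs, pos = None, [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        attr_type, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        if attr_type == ACCT_SESSION_ID:
            session_id = value.decode()
        elif (attr_type == VENDOR_SPECIFIC and len(value) >= 6
              and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID
              and value[4] == CISCO_AVPAIR):
            # value[5] is the vendor length, counting its own two header octets.
            avpairs.append(value[6:4 + value[5]].decode())
        pos += attrs[pos + 1]
    return session_id, avpairs

# Constructed sample: session id and policy name from this page's example,
# shared secret made up for the demonstration.
SECRET = b"constructed-shared-secret"
PACKET = build_coa(7, "00000002", ["atm:vc-qos-policy-in=test_vc"], SECRET)

if __name__ == "__main__":
    print(parse_coa(PACKET, SECRET))
```

A packet whose policy name was altered in transit, or that was built with a different secret, fails the authenticator check and is rejected before its AV pairs are read.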

Interface Policy Map AAA Attributes

Two new generic Cisco RADIUS VSA attributes are introduced by the AAA Per VC QoS Policy Support feature, as follows:

cisco-avpair = "atm:vc-qos-policy-in=in-policy-name"
cisco-avpair = "atm:vc-qos-policy-out=out-policy-name"

Use these attributes in the RADIUS server profile to define service policy output and service policy input. The AV pairs place the appropriate policy map, which is identified by name, directly on the interface. The interface can be either an ATM VC or Ethernet VLAN.

The AAA Per VC QoS Policy Support feature also replaces the following generic Cisco RADIUS vendor-specific attribute (VSA) attributes:

cisco-avpair = "ip:sub-policy-In=in-policy-name"
cisco-avpair = "ip:sub-policy-Out=out-policy-name"

with the following new attributes:

cisco-avpair = "ip:sub-qos-policy-in=in-policy-name"
cisco-avpair = "ip:sub-qos-policy-out=out-policy-name"

The replaced attributes will be supported for several more software releases, but profiles should be updated with the new attributes as soon as it is feasible to do so.

Remember the following guidelines as you configure these attributes:

  • A policy map pulled or pushed from the RADIUS server has a higher precedence than a policy map configured under a permanent virtual circuit (PVC).

  • The Cisco IOS show policy-map interface EXEC command will display the policy map pushed or pulled from the RADIUS server. This policy map is actually used by the driver, even though the policy map was configured using the service-policy command under PVC configuration mode.

  • Once a policy map is pushed or pulled on the VC and successfully installed or updated, any configuration or removal of the configuration would affect only the running configuration, and not the driver and actual policy map used by the VC.

  • You must enable dynamic bandwidth selection using the dbs enable command. Dynamic policies that are pulled and pushed from the RADIUS server must be specifically disabled using the no dbs enable command.
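A profile audit for the attribute replacement described above, as an added example that is not Cisco's code: it rewrites the two replaced ip:sub-policy names to their ip:sub-qos-policy successors and flags any AV pair that names a policy map not known to be configured on the router. The one-pair-per-line profile format, case-insensitive name matching, the function name audit_profile and every sample policy name except test_vc are assumptions.

```python
import re

# Replaced attribute names and their successors, as listed on this page.
REPLACED = {
    "ip:sub-policy-in": "ip:sub-qos-policy-in",
    "ip:sub-policy-out": "ip:sub-qos-policy-out",
}
# Current attribute names and the service-policy direction each one sets.
CURRENT = {
    "atm:vc-qos-policy-in": "input",
    "atm:vc-qos-policy-out": "output",
    "ip:sub-qos-policy-in": "input",
    "ip:sub-qos-policy-out": "output",
}
AVPAIR = re.compile(r'^(\s*)cisco-avpair\s*=\s*"([^="]+)=([^"]*)"(\s*,?)\s*$',
                    re.IGNORECASE)

def audit_profile(lines, router_policy_maps):
    """Return (rewritten_lines, placements, findings) for one RADIUS profile."""
    rewritten, placements, findings = [], [], []
    for lineno, line in enumerate(lines, 1):
        # Profiles pasted from documents often carry curly quotes; normalise.
        match = AVPAIR.match(line.replace("\u201c", '"').replace("\u201d", '"'))
        if not match:
            rewritten.append(line)
            continue
        indent, name, policy, tail = match.groups()
        key = name.strip().lower()
        if key in REPLACED:
            findings.append((lineno, "replaced-attribute", name.strip()))
            key = REPLACED[key]
        if key not in CURRENT:
            rewritten.append(line)      # some other AV pair: leave untouched
            continue
        if policy not in router_policy_maps:
            # The AV pair identifies a policy map by name; the name has to
            # exist on the router for the policy to be installed.
            findings.append((lineno, "policy-map-not-on-router", policy))
        placements.append((key, CURRENT[key], policy))
        rewritten.append(f'{indent}cisco-avpair = "{key}={policy}"{tail}')
    return rewritten, placements, findings

# Constructed sample profile and policy-map inventory.
SAMPLE_PROFILE = [
    'cisco-avpair = "atm:vc-qos-policy-in=test_vc"',
    'cisco-avpair = \u201cip:sub-policy-In=gold_in\u201d',
    'cisco-avpair = "ip:sub-qos-policy-out=bronze_out"',
    'Framed-Protocol = PPP',
]
ROUTER_POLICY_MAPS = {"test_vc", "gold_in"}

if __name__ == "__main__":
    new_lines, placed, issues = audit_profile(SAMPLE_PROFILE, ROUTER_POLICY_MAPS)
    print("\n".join(new_lines))
    for issue in issues:
        print("finding:", issue)
```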

Configuration Examples for AAA Per VC QoS Policy Support

RADIUS Interface Policy Map Profile Example

Following is an example of a RADIUS profile defining an input service policy named test_vc:

radius subscriber 2
 vsa cisco generic 1 string "atm:vc-qos-policy-in=test_vc"
 attribute 1 string "user@cisco.com"
 attribute 44 string "00000002"
!
radius client 192.168.1.4 access-ports 1645 1645 accounting-ports 1646 1646
radius host 192.168.1.3 auth-port 1645 acct-port 1646 key 0 cisco
radius host 192.168.1.4 auth-port 1645 acct-port 1646
radius retransmit 0
radius timeout 15
radius key 0 cisco
radius server 192.168.1.4
 client 192.168.1.3 shared-secret word

Define the Policy Map on the Router Example

The following example shows the Cisco IOS commands that are used to define the service policy on the router:

!
interface ATM4/0
 no ip address
 no atm ilmi-keepalive
 pvc 1/101
  dbs enable
  service-policy input test_vc
 !
end

Display the Service Policy Example

The following example shows the report from the show policy-map interface command when the policy map named test_vc has been pushed on PVC 1/101:

Router# show policy interface atm 4/0
 ATM4/0: VC 1/101 -
  Service-policy input: test_vc
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Additional References

The following sections provide references related to the RADIUS Attribute 8 (Framed-IP-Address) in Access Requests feature.

Related Documents

Related Topic: Configuring authentication and configuring RADIUS
Document Title: “Configuring Authentication” and “Configuring RADIUS” chapters, Cisco Security Configuration Guide

Related Topic: RFC 2138 (RADIUS)
Document Title: RFC 2138, Remote Authentication Dial In User Service (RADIUS)

Standards

Standard: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: --

MIBs

MIB: No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: --

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/techsupport

Feature Information for AAA Per VC QoS Policy Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for AAA Per VC QoS Policy Support

Feature Name: AAA Per VC QoS Policy Support

Releases: 12.4(2)T, 12.2(33)SRE

Feature Information: The AAA Per VC QoS Policy Support feature provides the ability to modify an existing quality of service (QoS) profile applied to a session while that session remains active using new Cisco attribute-value (AV) pairs that specify service policy output and service policy input.

In 12.4(2)T, this feature was introduced on the Cisco 10000.

In Cisco IOS Release 12.2(33)SRE, the AAA Per VC QoS Policy Support feature was added for the Cisco 7600 series router.

