Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE 17.15.x

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: August 14, 2024

Chapter: Policy Enforcement and Usage Monitoring

Policy Enforcement and Usage Monitoring
Policy Enforcement and Usage Monitoring
Configuring Policy Enforcement and Enabling Change-of-Authorization (CLI)
Example: Configuring Policy Enforcement and Usage Monitoring
Verifying Policy Usage and Enforcement

Policy Enforcement and Usage Monitoring

You can enforce dynamic QoS policies and upstream and downstream TCP or UDP data rates on 802.11 clients seamlessly without disrupting the client's ongoing sessions. The feature ensures that clients do not have to get dissociated from the network. All the authentication methods: 802.1X, PSK, web authentication, and so on, are supported.

The APs periodically send client statistics including bandwidth usage to the Controller. The AAA server receives Accounting-Interim messages which include the clients data utilization at the configured intervals. The AAA server accumulates information about data consumption for each client and when the client exhausts the data limit, the AAA server sends a change-of-authorization (CoA) message to the Controllers. Upon successful CoA handshakes, the Controllers apply and send new policies to the APs.

Restrictions on Policy Enforcement and Usage Monitoring

Only FlexConnect local switching mode is supported.

Configuring Policy Enforcement and Enabling Change-of-Authorization (CLI)

For more information, follow the utility specified in Utilities for configuring Security section of this guide.

Procedure

	Command or Action	Purpose
Step 1	configure terminal Example: `Device# configure terminal`	Enters global configuration mode.
Step 2	aaa server radius dynamic-author Example: `Device(config)# aaa server radius dynamic-author`	Creates a local server RADIUS profile in the controller.
Step 3	client `client-ip-addr` server-key `key` Example: `Device(config-locsvr-da-radius)# client 3.2.4.3 server-key testpwd`	Configures a server key for a RADIUS client.
Step 4	[Optional] show aaa command handler Example: `Device#show aaa command handler`	Displays the AAA CoA packet statistics.

Example: Configuring Policy Enforcement and Usage Monitoring

Policy enforcement and usage monitoring is applied on a group where a class-map is created for QOS policies. This is done via CoA.

Given below is a sample configuration for policy enforcement and usage monitoring:


aaa new-model
  radius server radius_free
  address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
  key cisco123
  exit

aaa new-model
  aaa server radius dynamic-author
  client 10.0.0.1 server-key cisco123
aaa new-model
  aaa group server radius rad_eap
  server name radius_free
  exit
aaa new-model
  dot1x system-auth-control
  aaa authentication dot1x eap_methods group rad_eap
  dot1x system-auth-control
class-map client_dscp_clsmapout
match dscp af13
exit
class-map client_dscp_clsmapin
match dscp af13
exit
policy-map qos_new
  class client_dscp_clsmapout
  police 512000 conform-action transmit exceed-action drop
  policy-map qos_nbn
  class client_dscp_clsmapin
  police 16000000 conform-action transmit exceed-action drop
wlan test1 3 test2
  broadcast-ssid
  security wpa wpa2 ciphers aes
  security dot1x authentication-list eap_methods
no shutdown
exit
wireless profile policy named-policy-profile
shutdown
  vlan 10
  aaa-override
  no central association
  no central dhcp
  no central switching
  no shutdown
wireless tag policy named-policy-tag
  wlan test1 policy named-policy-profile
wireless profile flex FP_name_001
  native-vlan-id 10
wireless tag site ST_name_001
  no local-site
  flex-profile FP_name_001
  exit
ap test-ap
  policy-tag named-policy-tag
  site-tag ST_name_001
  exit
aaa authorization network default group radius
exit

Verifying Policy Usage and Enforcement

To view the detailed information about the policies applied to a specific client, use the following command:

Device# show wireless client mac-address mac-address detail

To view client-level mobility statistics, use the following command:

Device# show wireless client mac-address mac-address mobility statistics

To view client-level roaming history for an active client in a sub-domain, use the following command:

Device# show wireless client mac-address mac-address mobility history

To view detailed parameters of a given profile policy, use the following command:

Device# show wireless profile policy detailed policy-name

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)