RADIUS server configuration for CoS (802.1p priority) and rate-limiting

The following information provides general guidelines for configuring RADIUS servers, so that the features listed here can be dynamically applied on ports that support authenticated clients.

CoS and rate-limiting services

Service

Control method and operating notes

802.1p

Assigns a RADIUS-configured 802.1p priority to the inbound packets received from a specific client authenticated on a switch port.
NOTE: This attribute is assigned per-authenticated-user.

Standard Attribute used in the RADIUS server: 59 (This is the preferred attribute for new or updated configurations.)

Vendor-Specific Attribute used in the RADIUS server: 40 (vendor-specific ID:11). (This attribute is maintained for legacy configurations.)

Setting: User-Priority-Table=xxxxxxxx where: xxxxxxxx is the desired 802.1p priority.

The priority uses an eight-digit field. Enter the same x-value for all eight digits. This requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client port on the switch. See "Quality of Service (QoS)" in the advanced traffic management guide for your switch.

Ingress (inbound) rate-limiting per-user

Assigns a RADIUS-configured bandwidth limit to the inbound packets received from a specific client authenticated on a port.
NOTE: This attribute is assigned per-authenticated-user instead of per-port. To assign a per-port inbound rate limit, use the rate-limit all in CLI command instead of this option.

Vendor-Specific Attribute used in the RADIUS server: 46 (vendor-specific ID:11).

Setting: HP-Bandwidth-Max-Ingress=<bandwidth-in-Kbps>

RADIUS-assigned rate limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-user rate limit requires specifying the actual Kbps value to which you want to limit ingress (inbound) traffic volume. For example, limiting inbound traffic on a gigabit port to half of the port bandwidth capacity requires a VSA setting of 500,000 Kbps.

Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client port on the switch.

The actual bandwidth available for ingress traffic from an authenticated client is affected by the total bandwidth available on the client port. See Per-port bandwidth override.

Egress (outbound) rate-limiting per-port

Assigns a RADIUS-configured bandwidth limit to the outbound traffic sent to a switch port.

Vendor-Specific Attribute used in the RADIUS server: 48 (string=HP) (vendor-specific ID:11).

Setting: HP-RATE-LIMIT=<bandwidth-in-Kbps>

RADIUS-assigned rate limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-port rate limit requires specifying the actual Kbps value to which you want to limit outbound traffic volume. For example, limiting outbound traffic on a gigabit port to half of the port bandwidth capacity requires a VSA setting of 500,000 Kbps.

When multiple authenticated clients use this feature on the same switch port, only one (per-port) rate limit is applied. In this case, the actual rate used is the rate assigned by the RADIUS server to the most recently authenticated client. This rate remains in effect as long as any authenticated client remains connected on the port.

Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client port on the switch. The actual bandwidth available for egress traffic from an authenticated client is affected by the total bandwidth available on the client port. See Per-port bandwidth override.
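
The following is an added example, not part of the original guide or any vendor tooling. It builds the three settings described above and replays a constructed sequence of authentications to show which egress limit a shared port ends up with, flagging ports where user profiles assign different per-port limits. The event format, function names, port names and user names are assumptions made for illustration.

```python
# Added example: attribute names follow the table above; the
# (action, port, client, reply_attrs) event format is an assumption.

def priority_table(priority: int) -> str:
    """Eight-digit User-Priority-Table value: the same digit repeated."""
    if not 0 <= priority <= 7:
        raise ValueError("802.1p priority must be 0-7")
    return str(priority) * 8

def kbps_for_fraction(port_speed_kbps: int, fraction: float) -> int:
    """RADIUS rate limits are absolute Kbps; percentages are not supported."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    return int(port_speed_kbps * fraction)

def replay(events):
    """Replay auth/logoff events in order.
    Returns (effective egress Kbps per port, ports with conflicting limits)."""
    clients = {}       # port -> {client: reply attributes}
    egress = {}        # port -> effective per-port egress limit
    conflicts = set()  # ports where a later client replaced a different limit
    for action, port, client, attrs in events:
        members = clients.setdefault(port, {})
        if action == "auth":
            limit = attrs.get("HP-RATE-LIMIT")
            if limit is not None:
                if port in egress and egress[port] != limit:
                    conflicts.add(port)
                egress[port] = limit  # most recently authenticated client wins
            members[client] = attrs
        elif action == "logoff":
            members.pop(client, None)
            if not members:
                egress.pop(port, None)  # limit held only while a client remains
    return egress, conflicts

GIG = 1_000_000  # gigabit port speed in Kbps
# Constructed sample events (not taken from a real switch or RADIUS log)
EVENTS = [
    ("auth", "A1", "alice", {"User-Priority-Table": priority_table(5),
     "HP-Bandwidth-Max-Ingress": 100_000, "HP-RATE-LIMIT": kbps_for_fraction(GIG, 0.5)}),
    ("auth", "A1", "bob", {"HP-RATE-LIMIT": 900_000}),
    ("logoff", "A1", "bob", {}),
    ("auth", "A2", "carol", {"HP-RATE-LIMIT": 200_000}),
    ("logoff", "A2", "carol", {}),
]

if __name__ == "__main__":
    print(replay(EVENTS))
```

In this run port A1 keeps the 900,000 Kbps limit assigned to the second client even after that client logs off, because the first client is still connected. Comparing the egress values across profiles that can share a port catches this before deployment.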

To configure support for the services listed here on a specific RADIUS server application, see the documentation provided with the RADIUS application.