RADIUS server configuration for CoS (802.1p priority) and rate-limiting

The following information provides general guidelines for configuring RADIUS servers, so that the features listed in the following table can be dynamically applied on ports that support authenticated clients.

CoS and rate-limiting services

Service

Control method and operating notes

802.1p (CoS) Priority Assignments Per-User on Traffic Inbound to the Switch
Assigns a RADIUS-configured 802.1p priority to the inbound packets received from a specific client authenticated on a switch port.
NOTE:

This attribute is assigned per-authenticated-user instead of per-port.

Standard Attribute used in the RADIUS server: 59 (This is the preferred attribute for new or updated configurations.)Vendor-Specific Attribute used in the RADIUS server.(This attribute is maintained for legacy configurations.)vendor-specific ID:11VSA: 40Setting: User-Priority-Table=xxxxxxxx where: x=desired 802.1p priority
NOTE:

This is an eight-digit field. Enter the same x-value for all eight digits.

Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch.For more on 802.1p priority levels, see "Quality of Service (QoS)" in the advanced traffic management guide for your switch.
Ingress (inbound) rate-limiting per-userAssigns a RADIUS-configured bandwidth limit to the inbound packets received from a specific client authenticated on a port.
NOTE:

This attribute is assigned per-authenticated-user instead of per-port. To assign a per-port inbound rate limit, use the rate-limit all in CLI command instead of this option.

Vendor-Specific Attribute used in the RADIUS server.vendor-specific ID:11VSA: 46Setting: HP-Bandwidth-Max-Egress=< bandwidth-in-Kbps >
NOTE:

RADIUS-assigned rate-limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-user rate-limit requires the actual Kbps to which you want to limit ingress (inbound) traffic volume. For example, to limit inbound traffic on a gigabit port to half of the port's bandwidth capacity requires a VSA setting of 500,000 Kbps.

Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch.The actual bandwidth available for ingress traffic from an authenticated client can be affected by the total bandwidth available on the client port. See Per-port bandwidth override.

Egress (outbound) rate-limiting per-portAssigns a RADIUS-configured bandwidth limit to the outbound traffic sent to a switch port.

Vendor-Specific Attribute used in the RADIUS server.vendor-specific ID:11VSA: 48 (string=HP)Setting: HP-RATE-LIMIT= < bandwidth-in-Kbps >
NOTE:

RADIUS-assigned rate-limit bandwidths must be specified in Kbps. (Bandwidth percentage settings are not supported.) Using a VSA on a RADIUS server to specify a per-port rate-limit requires the actual Kbps to which you want to limit outbound traffic volume. For example, to limit outbound traffic on a gigabit port to half of the port's bandwidth capacity requires a VSA setting of 500,000 Kbps.

In instances where multiple, authenticated clients are using this feature on the same switch port, only one (per-port) rate limit will be applied. In this case, the actual rate used is the rate assigned by the RADIUS server to the most recently authenticated client. This rate remains in effect as long as any authenticated client remains connected on the port.

Requires a port-access authentication method (802.1X, Web Auth, or MAC Auth) configured on the client's port on the switch.

The actual bandwidth available for egress traffic from an authenticated client can be affected by the total bandwidth available on the client port. See Per-port bandwidth override.

To configure support for the services listed in the preceding table on a specific RADIUS server application, see the documentation provided with the RADIUS application.