2014-12-16

By: Douglas Schiel, Network Engineer

Many network operators are familiar with the concept of bandwidth contracts.  Aruba owners may be familiar with per-user and per-role static bandwidth contracts that limit the amount of bandwidth used by that user, or sum-total by all the users in that role name.  The idea is to statically structure the amount of bandwidth used on the wireless and upstream wired network to maintain predictable levels of service to applications and users, or preserve bandwidth for mission-critical operations.  The limitation of a static bandwidth contract is, well, that it’s static.  You can only set one level for the user or role-wide and that’s it.  Static contracts are also somewhat imprecise and unbiased, laying restrictions on wide swaths of users, irrespective of an individual user’s actual usage.  The Network Administrator is also challenged with striking a balance between the competing goals of usability and bandwidth preservation.  Often, the contracts need to be higher than would otherwise be desired by the operator to limit end-user complaints, or so low that the network is considered unusable for certain applications or user groups.  In short, composing effective static bandwidth management plans can be very challenging.

Aruba Networks can answer this complex challenge by leveraging the power of the ClearPass Policy Manager Access Management solution, and the same per-user and per-role bandwidth contracts.

How, you ask?  First, let’s consider a use case.

Let’s say a school wants to limit the bandwidth usage of users on a daily (or weekly or monthly) basis. Users are allowed unrestricted or very high bandwidth rates to start, but if they begin to abuse the privilege and exceed the daily thresholds, they are placed in a lower bandwidth allowance. If the user crosses the next daily threshold, they’re placed in an even more restricted role. This can continue ad infinitum to a point where the connection is unusable, or perhaps better still, a captive portal is presented to the user (on web-capable computers and smart devices) that explains that they’ve reached the limit.

Using standard 802.1X, RADIUS authentication and RADIUS accounting records, we can build a profile of bandwidth usage for each individual user. This INCLUDES devices that are MAC authenticated or Registered Devices that are tied to the user during the Guest or Device registration processes. Thus the bandwidth usage of ALL of the user’s devices is considered.

ClearPass accomplishes this by first authenticating the user and placing them in the “High” bandwidth role (let’s call this 20 Mbps). RADIUS accounting records are periodically sent to ClearPass, and the Insight database indexes these for later queries. ClearPass or the user-role on the Controller sets the re-authentication interval to a shorter than normal period, say, every 15 minutes. At each re-authentication interval, ClearPass Insight adds up the bandwidth usage field for all of the accounting records for all devices that user owns. If the user remains below all thresholds, they remain in the “High” bandwidth role. If, however, we’ve set a 2 Gigabyte-per-day limit and the user crosses that limit, ClearPass will send back a bandwidth contract or a “Medium” bandwidth role allowing only 2 Mbps of throughput. If in some subsequent re-authentication the user crosses a third threshold of, say, 5 Gigabytes-per-day, ClearPass will send back a role to reduce throughput to 512k for that user. Perhaps our final step is to place a user in a role with a Captive Portal profile associated to it that explains that the user has exceeded their bandwidth usage for the day, and perhaps gives some instructions on how to remediate the situation.
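The evaluation described above can be sketched outside ClearPass as follows; this is an added example, not ClearPass or Insight code. The role names, the `owner` and `date` fields, the decimal gigabyte and the captive-portal threshold are assumptions, and each session is assumed to fall within one day. Interim accounting updates carry cumulative counters per `Acct-Session-Id`, so the sketch keeps the highest value per session instead of summing every record.

```python
from collections import defaultdict

GB = 10**9  # assumption: decimal gigabytes
DEFAULT_ROLE = "high-20mbps"
# Ascending (daily byte threshold, role). 2 GB and 5 GB are the article's figures;
# the captive-portal threshold is an assumed value.
TIERS = [(2 * GB, "medium-2mbps"), (5 * GB, "low-512k"), (10 * GB, "captive-portal")]

def session_octets(rec):
    """Bytes in + out for one record, counting 32-bit counter wraps (Gigawords)."""
    wraps = rec.get("Acct-Input-Gigawords", 0) + rec.get("Acct-Output-Gigawords", 0)
    return (wraps << 32) + rec["Acct-Input-Octets"] + rec["Acct-Output-Octets"]

def daily_usage(records, day):
    """Per-user bytes for `day`, summed across every device the user owns."""
    latest = {}  # (owner, session id) -> highest cumulative counter seen
    for rec in records:
        if rec["date"] == day:
            key = (rec["owner"], rec["Acct-Session-Id"])
            latest[key] = max(latest.get(key, 0), session_octets(rec))
    usage = defaultdict(int)
    for (owner, _sid), octets in latest.items():
        usage[owner] += octets
    return dict(usage)

def role_for(used_bytes):
    """Most restrictive role whose daily threshold has been exceeded."""
    role = DEFAULT_ROLE
    for threshold, name in TIERS:
        if used_bytes > threshold:
            role = name
    return role

def rec(owner, sid, in_octets, out_octets, in_gw=0, date="2014-12-16"):
    # Constructed sample record; "owner" and "date" are hypothetical fields.
    return {"owner": owner, "Acct-Session-Id": sid, "date": date,
            "Acct-Input-Octets": in_octets, "Acct-Output-Octets": out_octets,
            "Acct-Input-Gigawords": in_gw}

SAMPLE = [  # constructed data, not from a real deployment
    rec("alice", "laptop-1", 1_000_000_000, 200_000_000),  # interim update
    rec("alice", "laptop-1", 3_000_000_000, 400_000_000),  # later update, same session
    rec("alice", "phone-1", 500_000_000, 100_000_000),     # MAC-authenticated device
    rec("bob", "pc-1", 1_000_000_000, 0, in_gw=1),         # counter wrapped once
    rec("carol", "pc-2", 300_000_000, 0),
]

if __name__ == "__main__":
    for user, used in sorted(daily_usage(SAMPLE, "2014-12-16").items()):
        print(f"{user}: {used / GB:.2f} GB -> {role_for(used)}")
```

Summing every interim record for alice would give 5.2 GB and push her into the 512k role; ignoring the gigaword counter would leave bob at 1 GB in the “High” role.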

Keep in mind, these numbers and limits are infinitely variable. ClearPass can continue evaluating the bandwidth usage and place users in varying bandwidth limits dynamically based on their real usage habits over a number of different timeframes. This method of dynamic bandwidth management can be more effective and precise, as responsible users of the shared resource are not penalized, while habitual offenders who have real impacts on network performance are not only curbed to protect that resource, but are also given some negative feedback that may prompt them to adapt their bandwidth usage habits.

Comm Solutions is an Aruba Networks Platinum Partner.