© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 18 of 70
If the policy name is downloaded from the ISE server, the server needs to be configured as shown in Figure 6, with
the AV pair ip:sub-qos-policy-in=Standard-Employee.
Figure 6. Authentication Profile
The same policy can be applied for open wired ports as well. The policy needs to be attached to the port and not to
the clients. Currently QoS policies cannot be attached to wired “clients.”
Note: Wired port application is described earlier in the wired section.
Ingress Policies on WLAN/SSID
Although the policy application happens at the WLAN level from a CLI standpoint, the policies are actually applied
to every instance of the SSID in each of the <access point, radio> pairs in the system. This is internally referred to
as the BSSID. SSID is used synonymously with BSSID in this document. At SSID level we can police and mark.
However, at SSID level, marking is only possible with a table-map. In the following example only table-map with a
default action of copy is defined. It retains the incoming DSCP in the IP packet.