Bandwidth Management
Overview
Bandwidth management controls how much network capacity each user or group consumes. IronWiFi uses RADIUS reply attributes to instruct access points and controllers to enforce bandwidth limits, ensuring fair access and preventing any single user from degrading the network for others.
This guide covers bandwidth limiting, per-user and per-group policies, data caps, and QoS enforcement through IronWiFi RADIUS attributes.
How Bandwidth Limiting Works
RADIUS-Based Bandwidth Control
The AP or controller is responsible for enforcing the limits. IronWiFi tells the AP what limits to apply, and the AP handles the actual traffic shaping.
Bandwidth enforcement happens on the access point or controller, not on IronWiFi's servers. The AP must support the RADIUS bandwidth attributes you configure. Most enterprise APs support WISPr bandwidth attributes.
Configuring Bandwidth Limits
Bandwidth Attributes
| Attribute | Type | Value | Description |
|---|---|---|---|
| reply | bits per second | Maximum download speed |
| reply | bits per second | Maximum upload speed |
| reply | string | MikroTik-specific rate limit format |
| reply | string | Cisco-specific QoS attributes |
Common Bandwidth Values
| Speed | Value (bps) | Value to Use |
|---|---|---|
| 1 Mbps | 1,000,000 | |
| 2 Mbps | 2,000,000 | |
| 5 Mbps | 5,000,000 | |
| 10 Mbps | 10,000,000 | |
| 25 Mbps | 25,000,000 | |
| 50 Mbps | 50,000,000 | |
| 100 Mbps | 100,000,000 | |
Setting Per-User Bandwidth
Apply bandwidth limits to an individual user:
- Navigate to Users in the IronWiFi Console
- Select the user
- Under Reply Attributes, add:
This limits the user to 10 Mbps download and 5 Mbps upload.
Setting Per-Group Bandwidth
Apply bandwidth limits to all users in a group:
- Navigate to Users > Groups
- Select or create a group
- Under Reply Attributes, add the bandwidth attributes
All members of this group inherit these bandwidth limits.
See Groups for detailed group configuration.
Use group-level bandwidth policies for consistent management. Only set per-user attributes when a specific user needs an exception to their group policy.
Bandwidth Tiers
Designing Bandwidth Tiers
Create multiple groups representing different bandwidth tiers:
| Tier | Use Case | Download | Upload | Group Name |
|---|---|---|---|---|
| Basic | Guest WiFi | 5 Mbps | 2 Mbps | |
| Standard | Employees | 25 Mbps | 10 Mbps | |
| Premium | Executives, VoIP users | 50 Mbps | 25 Mbps | |
| Unlimited | IT administrators | No limit | No limit | |
Configuring Each Tier
Basic Tier (Guest WiFi):
Standard Tier (Employees):
Premium Tier (Executives/VoIP):
Unlimited Tier (IT Admin):
(No bandwidth attributes = no RADIUS-enforced limit.)
Assigning Users to Tiers
- Navigate to Users > select a user
- Under Groups, add the user to the appropriate bandwidth tier group
- The user inherits the group's bandwidth attributes on next authentication
Data Caps
Implementing Data Caps
Data caps limit the total amount of data a user can transfer during a session or billing period. Data caps require RADIUS accounting to track usage.
Session-Based Data Caps
Limit total data per session using check attributes:
Volume-Based Limits
Some AP vendors support volume-based disconnection:
Volume-based limits depend on AP vendor support. WISPr bandwidth attributes are the most universally supported method for bandwidth control. For data caps on vendors that do not support volume attributes, implement cap enforcement at the network/firewall layer.
Monitoring Data Usage
Track user data consumption via RADIUS accounting:
- Ensure RADIUS accounting is enabled on your APs
- Set the accounting interim interval:
Reply Attribute: Acct-Interim-Interval := 300
- View usage in the IronWiFi Console:
- Navigate to Logs > Accounting
- Filter by username
- Review (upload) and
Acct-Input-Octets(download)Acct-Output-Octets
Vendor-Specific Configuration
MikroTik Rate Limiting
MikroTik supports a rich rate-limit syntax via the
Mikrotik-Rate-Limit
Format:
Simplified example (10 Mbps down / 5 Mbps up):
Mikrotik-Rate-Limit := "5M/10M"
MikroTik uses
rx/tx
rx
tx
Cisco/Meraki QoS
Cisco and Meraki APs support bandwidth limiting via:
Meraki also supports QoS marking:
UniFi Bandwidth
Ubiquiti UniFi supports WISPr bandwidth attributes:
UniFi also supports rate limiting at the controller level (per SSID or per user group), which can complement RADIUS-based limits.
Aruba/HPE
Aruba APs support WISPr attributes and Aruba-specific attributes:
Aruba User Roles can define complex QoS policies including bandwidth limits, firewall rules, and application-layer filtering.
QoS Enforcement Strategies
Prioritizing Traffic Types
While RADIUS bandwidth limits control total throughput, QoS prioritization ensures critical traffic (VoIP, video conferencing) gets priority over bulk transfers:
| Traffic Type | Priority | Recommended DSCP | Bandwidth Allocation |
|---|---|---|---|
| Voice (VoIP) | Highest | EF (46) | Guaranteed 1 Mbps per user |
| Video conferencing | High | AF41 (34) | Guaranteed 5 Mbps per user |
| Business applications | Medium | AF21 (18) | Best effort with guarantee |
| Web browsing | Normal | CS0 (0) | Best effort |
| Bulk downloads | Low | CS1 (8) | Remaining capacity |
QoS traffic prioritization is configured on the AP controller or network switches, not through RADIUS attributes. Use RADIUS to assign users to QoS roles/policies defined on the controller. See your AP vendor's QoS documentation for configuration details.
Combining RADIUS Bandwidth with Controller QoS
For the most effective bandwidth management:
- RADIUS attributes set per-user maximum bandwidth
- Controller QoS policies prioritize traffic types within that limit
- VLAN-based policies segment networks with different overall bandwidth allocations
Example architecture:
Captive Portal Bandwidth for Guest WiFi
Bandwidth Tiers with Paid Access
For venues offering tiered WiFi access:
- Free tier: Basic bandwidth with captive portal
- Premium tier: Higher bandwidth after payment
Configure the free tier on the captive portal group:
Configure the premium tier as a separate group:
Integrate with payment gateways like Stripe to automatically upgrade users to the premium group after payment. See Vouchers for prepaid access codes with bandwidth tiers.
Fair Use Policies
Implement fair use policies to prevent abuse on guest networks:
- Set reasonable bandwidth limits (5--10 Mbps for guest WiFi)
- Configure session timeouts to periodically re-authenticate users
- Set idle timeouts to free resources from inactive users
- Use accounting data to identify high-usage users
Troubleshooting Bandwidth Issues
Bandwidth Limits Not Applied
Symptoms: User connects but speed tests show no bandwidth restriction.
| Cause | Solution |
|---|---|
| AP does not support WISPr attributes | Check AP documentation for supported RADIUS attributes |
| Attribute name misspelled | Verify attribute name exactly: |
| Value in wrong unit | WISPr values are in bits per second, not kilobits or megabits |
| Group attribute overridden by user | Check user-level attributes for conflicts |
| AP requires specific attribute format | Some APs need vendor-specific attributes (see vendor sections above) |
Verification steps:
- Check the IronWiFi authentication logs to confirm the bandwidth attributes are in the Access-Accept response
- On the AP, verify the user's session shows the bandwidth limit
- Run a speed test from the user's device
Inconsistent Speeds
Symptoms: Bandwidth varies significantly from the configured limit.
| Cause | Solution |
|---|---|
| WiFi signal strength | Weak signal limits actual throughput regardless of RADIUS limits |
| Channel congestion | Too many devices on the same channel reduce per-user throughput |
| AP hardware limit | Budget APs may not achieve high per-user throughput |
| Speed test variability | Run multiple tests and average the results |
Speed Higher Than Configured Limit
Symptoms: User achieves speeds above the configured bandwidth limit.
| Cause | Solution |
|---|---|
| Burst allowed by AP | Some APs allow brief bursts above the limit |
| Attribute not being enforced | Verify the AP logs show the attribute was received and applied |
| Multiple connections | User may have multiple devices, each with their own limit |
Best Practices
- Start with group policies -- Define bandwidth tiers as groups, assign users to groups
- Use consistent units -- WISPr values are always in bits per second
- Set both up and down -- Always configure both download and upload limits
- Enable accounting -- Required for monitoring actual usage against limits
- Test after configuration -- Verify limits work with a speed test
- Document your tiers -- Maintain a reference table of bandwidth tiers and their RADIUS attributes
- Review regularly -- Adjust bandwidth tiers as network capacity and user needs change
- Consider asymmetric limits -- Upload is typically used less, so a 2:1 or 3:1 down:up ratio is common
Related Topics
- Attributes -- Full list of RADIUS attributes
- Groups -- Creating groups with shared policies
- Session Management -- Session timeouts and concurrent limits
- Vouchers -- Prepaid access with bandwidth tiers
- Captive Portals -- Guest WiFi portal configuration
- Troubleshooting -- Bandwidth limits not working
- Networks -- Network configuration
Was this page helpful?