Prioritizing Emergency and Paid Services with RADIUS based QoS using WayFi Offload Services

Learn how to implement role-based Quality of Service (QoS) across Cisco, Aruba, Ruckus, MikroTik, and Juniper Mist networks using our Services. This guide shows how to prioritize emergency traffic, fairly manage bandwidth for paid and OpenRoaming users, and meet SLAs using vendor-specific RADIUS attributes — all without manual provisioning.

WayFi Wireless

4/23/2025 · 3 min read

In today’s hybrid roaming environments — where emergency responders, paid users, and OpenRoaming guests all share the same infrastructure — managing bandwidth allocation fairly and contractually is no longer optional.

At WayFi, our mission is to prioritize emergency traffic, elevate paid service experiences, and still meet SLAs for roaming and unpaid tiers — all without manual provisioning.

This guide outlines how we use FreeRADIUS to apply vendor-specific Quality of Service (QoS) policies across a multi-vendor Wi-Fi footprint, including Cisco, Aruba, Ruckus, MikroTik, and Juniper Mist.

🎯 Objectives

We define three service tiers, each with associated bandwidth and prioritization goals:

  • WAYFI-EXEMPT

    • Purpose: Emergency services / FirstNet

    • Priority: 🔺 High

    • Typical Bandwidth: Unlimited / Full QoS

  • WAYFI-BASELINE

    • Purpose: Paid commercial access

    • Priority: ⚖️ Medium

    • Typical Bandwidth: ~100 Mbps symmetrical

  • WAYFI-THROTTLE

    • Purpose: OpenRoaming & unpaid partners

    • Priority: 🔻 Low

    • Typical Bandwidth: 25 Mbps down / 5 Mbps up

Each tier is enforced using dynamic RADIUS attributes, matched to the user's realm or identity.

🔧 RADIUS-Based Policy Mapping

FreeRADIUS returns tier-specific attributes like:

  • Filter-Id := "WAYFI-THROTTLE"

  • Cisco-AVPair := "policy-map input WAYFI-THROTTLE"

  • Aruba-User-Role := "WAYFI-THROTTLE"

  • Mikrotik-Rate-Limit := "25M/5M 25M/5M 25M/5M 1/1"

  • Juniper-Local-User-Role := "WAYFI-THROTTLE"

These attributes are interpreted by vendor devices to enforce policy without manual configuration per user.
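
The tier selection and reply construction described above can be sketched as follows. This is an added example, not WayFi's or FreeRADIUS's own code: the realm names and the WAYFI-BASELINE rate string are constructed for illustration, and an unknown or missing realm falls back to the lowest tier. The last function audits a reply so that every vendor attribute names the same tier.

```python
# Added example. Realm names and the BASELINE rate string are constructed;
# tier names and the THROTTLE rate string come from the guide.
TIER_BY_REALM = {
    "firstnet.example": "WAYFI-EXEMPT",       # hypothetical emergency realm
    "subscriber.example": "WAYFI-BASELINE",   # hypothetical paid realm
}
DEFAULT_TIER = "WAYFI-THROTTLE"  # unknown or missing realm gets the lowest tier

# Mikrotik-Rate-Limit per tier; None means the attribute is not sent.
MIKROTIK_RATE = {
    "WAYFI-EXEMPT": None,
    "WAYFI-BASELINE": "100M/100M",  # assumed from "~100 Mbps symmetrical"
    "WAYFI-THROTTLE": "25M/5M 25M/5M 25M/5M 1/1",
}

def tier_for(identity):
    """Map user@realm to a tier by exact, case-insensitive realm match."""
    _, sep, realm = identity.rpartition("@")
    if not sep:
        return DEFAULT_TIER
    return TIER_BY_REALM.get(realm.strip().lower(), DEFAULT_TIER)

def reply_for(identity):
    """Build the multi-vendor reply list for one Access-Accept."""
    tier = tier_for(identity)
    attrs = [
        ("Filter-Id", tier),
        ("Cisco-AVPair", f"policy-map input {tier}"),
        ("Cisco-AVPair", f"policy-map output {tier}"),
        ("Aruba-User-Role", tier),
        ("Juniper-Local-User-Role", tier),
    ]
    if MIKROTIK_RATE[tier]:
        attrs.append(("Mikrotik-Rate-Limit", MIKROTIK_RATE[tier]))
    return attrs

def tiers_named(attrs):
    """Return every tier the reply refers to; more than one means vendors disagree."""
    found = set()
    for name, value in attrs:
        if name == "Mikrotik-Rate-Limit":
            match = {t for t, r in MIKROTIK_RATE.items() if r == value}
            found |= match or {"UNKNOWN-RATE"}
        else:
            found.add((value.split() or ["EMPTY"])[-1])
    return found
```

Running `tiers_named` over the reply a policy produces, before it is deployed, catches the case where one vendor attribute was updated to a new tier and another was left behind.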

🏢 Multi-Vendor Implementation

Here’s how each vendor supports these policies:

Cisco WLC & Catalyst Switches

  • RADIUS Attributes:

    • Filter-Id := "WAYFI-XXX"

    • Cisco-AVPair := "policy-map input WAYFI-XXX" + "policy-map output WAYFI-XXX"

  • WLC Configuration:

    • Go to WLANs > Edit WLAN > Advanced

    • Check “AAA Override”

    • Apply named policy-map to WLAN or interface via Filter-Id

  • Switch Configuration Example:

    policy-map WAYFI-THROTTLE
     class class-default
      police 25000000 8000 exceed-action drop

  • Verification:

    show client detail <MAC>
    show policy-map interface <interface>

Aruba Mobility Controllers

  • RADIUS Attribute:

    • Aruba-User-Role := "WAYFI-XXX"

  • Controller Configuration:

    • CLI:

      user-role WAYFI-THROTTLE
        access-list session any any any permit
        bandwidth-contract bandwidth-limit 25000 5000

    • GUI:

      • Navigate to Configuration > Roles

      • Create WAYFI-XXX roles and assign bandwidth contracts

      • Bind roles to AAA profiles in Security > AAA Profiles

  • AAA Profile Settings:

    • Attach AAA profile to the relevant WLAN

    • Ensure RADIUS-assigned role is enabled

Ruckus SmartZone / ZoneDirector

  • RADIUS Attribute:

    • Filter-Id := "WAYFI-XXX"

  • SmartZone Configuration:

    • Navigate to Roles & Policies

    • Create user roles named WAYFI-EXEMPT, etc.

    • Assign Rate Limiting (e.g., 25 Mbps down / 5 Mbps up)

  • Apply to WLAN:

    • Ensure WLAN is configured to accept RADIUS override roles

  • Monitoring:

    • Use RADIUS logs or client monitoring page to confirm role assignment

MikroTik RouterOS

  • RADIUS Attribute:

    • Mikrotik-Rate-Limit := "25M/5M 25M/5M 25M/5M 1/1"

  • RouterOS Configuration:

    /radius add service=wireless address=<freeradius-ip> secret=<shared>
    /interface wireless set <wlan1> radius-mac-authentication=yes radius-mac-accounting=yes

  • Behavior:

    • MikroTik will auto-create Simple Queues per authenticated user

    • Queues reflect the rate limits defined in the RADIUS response

  • Verify:

    /queue simple print
    /radius monitor

Juniper Mist (AI-Driven Wi-Fi)

  • RADIUS Attribute:

    • Filter-Id := "WAYFI-XXX"

  • Mist Dashboard Configuration:

    • Go to Organization > Network Policies > Roles

    • Create roles named WAYFI-THROTTLE, WAYFI-BASELINE, etc.

    • Assign Bandwidth Profile within each role

  • Bind Roles to SSIDs:

    • In SSID config, set “RADIUS-based role assignment” to use RADIUS attribute

    • Map roles to VLANs or rate-limits

  • Confirm via Dashboard:

    • Look under Client Details > RADIUS Attributes

    • Confirm role assignment and bandwidth enforcement

⚠️ About Ubiquiti

Ubiquiti UniFi does not support dynamic QoS via RADIUS natively. VLAN assignment is possible, but you must:

  • Create VLAN profiles per site

  • Map VLANs to bandwidth groups manually

  • Match FreeRADIUS VLAN assignment per user

❗This makes Ubiquiti unsuitable for scalable QoS enforcement in OpenRoaming networks without per-site customization.

🤖 What Happens If a Device Doesn't Support These Attributes?

If a device receives an AVP it doesn't support (e.g., Cisco-AVPair on a Ruckus AP), it simply ignores it. Authentication still succeeds, and fallback policies apply.

This makes it safe to broadcast all attributes to all devices without the need for vendor-specific reply filtering.

📈 Operational Benefits

  • Emergency services always receive priority

  • Paid traffic isn't degraded by OpenRoaming loads

  • Unpaid tiers get access without affecting SLA

  • Compliance with partner agreements via automated tier matching

🧭 Conclusion

In dynamic, shared wireless environments — especially those supporting emergency responders, commercial subscribers, and OpenRoaming guests — precise and enforceable QoS policies are essential. FreeRADIUS empowers network operators to implement role-based bandwidth enforcement across a wide range of infrastructure with minimal manual intervention.

By leveraging vendor-specific RADIUS attributes and standardizing service tiers like WAYFI-EXEMPT, WAYFI-BASELINE, and WAYFI-THROTTLE, you can ensure:

  • Priority access for emergency and critical services

  • Fair usage for paid users without contention from free tiers

  • Contractual compliance for OpenRoaming partners

What makes this approach powerful is its scalability and flexibility. Regardless of the hardware vendor — Cisco, Aruba, Ruckus, MikroTik, or Juniper Mist — FreeRADIUS provides a centralized mechanism to enforce consistent, predictable policy decisions across your network.

As the need for interoperable and SLA-compliant access grows, especially with initiatives like OpenRoaming, this strategy puts you in control — reliably, securely, and at scale.