Prioritizing Emergency and Paid Services with RADIUS-Based QoS Using WayFi Offload Services
Learn how to implement role-based Quality of Service (QoS) across Cisco, Aruba, Ruckus, MikroTik, and Juniper Mist networks using our Services. This guide shows how to prioritize emergency traffic, fairly manage bandwidth for paid and OpenRoaming users, and meet SLAs using vendor-specific RADIUS attributes — all without manual provisioning.
WayFi Wireless
4/23/2025 · 3 min read


In today’s hybrid roaming environments — where emergency responders, paid users, and OpenRoaming guests all share the same infrastructure — managing bandwidth allocation fairly and contractually is no longer optional.
At WayFi, our mission is to prioritize emergency traffic, elevate paid service experiences, and still meet SLAs for roaming and unpaid tiers — all without manual provisioning.
This guide outlines how we use FreeRADIUS to apply vendor-specific Quality of Service (QoS) policies across a multi-vendor Wi-Fi footprint, including Cisco, Aruba, Ruckus, MikroTik, and Juniper Mist.
🎯 Objectives
We define three service tiers, each with associated bandwidth and prioritization goals:
WAYFI-EXEMPT
Purpose: Emergency services / FirstNet
Priority: 🔺 High
Typical Bandwidth: Unlimited / Full QoS
WAYFI-BASELINE
Purpose: Paid commercial access
Priority: ⚖️ Medium
Typical Bandwidth: ~100 Mbps symmetrical
WAYFI-THROTTLE
Purpose: OpenRoaming & unpaid partners
Priority: 🔻 Low
Typical Bandwidth: 25 Mbps down / 5 Mbps up
Each tier is enforced using dynamic RADIUS attributes, matched to the user's realm or identity.
🔧 RADIUS-Based Policy Mapping
FreeRADIUS returns tier-specific attributes like:
Filter-Id := "WAYFI-THROTTLE"
Cisco-AVPair := "policy-map input WAYFI-THROTTLE"
Aruba-User-Role := "WAYFI-THROTTLE"
Mikrotik-Rate-Limit := "25M/5M 25M/5M 25M/5M 1/1"
Juniper-Local-User-Role := "WAYFI-THROTTLE"
These attributes are interpreted by vendor devices to enforce policy without manual configuration per user.
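The mapping from realm to tier to reply attributes can be sketched as follows. This is an added example, not WayFi's own code: the realm names are constructed placeholders, `user_name` is assumed to be the identity of a session that has already authenticated, and the 100M/100M string for WAYFI-BASELINE is an assumption based on the tier table above. Realms are matched exactly and anything unrecognised falls to the lowest tier.

```python
# Added example, not WayFi's code. Tier and attribute names come from the guide;
# the realm names below are constructed placeholders.
TIER_BY_REALM = {
    "responders.example": "WAYFI-EXEMPT",
    "subscribers.example": "WAYFI-BASELINE",
}
DEFAULT_TIER = "WAYFI-THROTTLE"  # anything unrecognised gets the lowest tier

MIKROTIK_LIMIT = {
    # String from the guide; RouterOS reads each pair as rx/tx seen from the router.
    "WAYFI-THROTTLE": "25M/5M 25M/5M 25M/5M 1/1",
    # Assumption: the ~100 Mbps symmetrical tier expressed as a plain rate.
    "WAYFI-BASELINE": "100M/100M",
}


def realm_of(user_name):
    """Return the normalised realm after the last '@', or '' when there is none."""
    _, sep, realm = user_name.rpartition("@")
    return realm.strip().rstrip(".").lower() if sep else ""


def tier_for(user_name):
    """Exact-match the realm against the allowlist; never suffix- or substring-match."""
    return TIER_BY_REALM.get(realm_of(user_name), DEFAULT_TIER)


def reply_attributes(user_name):
    """Build the multi-vendor reply list for one authenticated user."""
    tier = tier_for(user_name)
    reply = [
        ("Filter-Id", tier),
        ("Cisco-AVPair", f"policy-map input {tier}"),
        ("Cisco-AVPair", f"policy-map output {tier}"),
        ("Aruba-User-Role", tier),
        ("Juniper-Local-User-Role", tier),
    ]
    limit = MIKROTIK_LIMIT.get(tier)
    if limit:  # WAYFI-EXEMPT is unlimited, so no rate-limit attribute is sent
        reply.append(("Mikrotik-Rate-Limit", limit))
    return reply


if __name__ == "__main__":
    for name in ("medic@responders.example", "guest@roaming.example", "anonymous"):
        print(name, "->", tier_for(name))
```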
🏢 Multi-Vendor Implementation
Here’s how each vendor supports these policies:
✅ Cisco WLC & Catalyst Switches
RADIUS Attributes:
Filter-Id := "WAYFI-XXX"
Cisco-AVPair := "policy-map input WAYFI-XXX"
Cisco-AVPair += "policy-map output WAYFI-XXX"
WLC Configuration:
Go to WLANs > Edit WLAN > Advanced
Check “AAA Override”
Apply named policy-map to WLAN or interface via Filter-Id
Switch Configuration Example:
policy-map WAYFI-THROTTLE
 class class-default
  police 25000000 8000 exceed-action drop
Verification:
show client detail <MAC>
show policy-map interface <interface>
✅ Aruba Mobility Controllers
RADIUS Attribute:
Aruba-User-Role := "WAYFI-XXX"
Controller Configuration:
CLI:
user-role WAYFI-THROTTLE
 access-list session any any any permit
 bandwidth-contract bandwidth-limit 25000 5000
GUI:
Navigate to Configuration > Roles
Create WAYFI-XXX roles and assign bandwidth contracts
Bind roles to AAA profiles in Security > AAA Profiles
AAA Profile Settings:
Attach AAA profile to the relevant WLAN
Ensure RADIUS-assigned role is enabled
✅ Ruckus SmartZone / ZoneDirector
RADIUS Attribute:
Filter-Id := "WAYFI-XXX"
SmartZone Configuration:
Navigate to Roles & Policies
Create user roles named WAYFI-EXEMPT, etc.
Assign Rate Limiting (e.g., 25 Mbps down / 5 Mbps up)
Apply to WLAN:
Ensure WLAN is configured to accept RADIUS override roles
Monitoring:
Use RADIUS logs or client monitoring page to confirm role assignment
✅ MikroTik RouterOS
RADIUS Attribute:
Mikrotik-Rate-Limit := "25M/5M 25M/5M 25M/5M 1/1"
RouterOS Configuration:
/radius add service=wireless address=<freeradius-ip> secret=<shared>
/interface wireless set <wlan1> radius-mac-authentication=yes radius-mac-accounting=yes
Behavior:
MikroTik will auto-create Simple Queues per authenticated user
Queues reflect the rate limits defined in the RADIUS response
Verify:
/queue simple print
/radius monitor
✅ Juniper Mist (AI-Driven Wi-Fi)
RADIUS Attribute:
Filter-Id := "WAYFI-XXX"
Mist Dashboard Configuration:
Go to Organization > Network Policies > Roles
Create roles named WAYFI-THROTTLE, WAYFI-BASELINE, etc.
Assign Bandwidth Profile within each role
Bind Roles to SSIDs:
In SSID config, set “RADIUS-based role assignment” to use RADIUS attribute
Map roles to VLANs or rate-limits
Confirm via Dashboard:
Look under Client Details > RADIUS Attributes
Confirm role assignment and bandwidth enforcement
⚠️ About Ubiquiti
Ubiquiti UniFi does not support dynamic QoS via RADIUS natively. VLAN assignment is possible, but you must:
Create VLAN profiles per site
Map VLANs to bandwidth groups manually
Match FreeRADIUS VLAN assignment per user
❗This makes Ubiquiti unsuitable for scalable QoS enforcement in OpenRoaming networks without per-site customization.
🤖 What Happens If a Device Doesn't Support These Attributes?
If a device receives an AVP it doesn't support (e.g., Cisco-AVPair on a Ruckus AP), it simply ignores it. Authentication still succeeds, and fallback policies apply.
This makes it safe to broadcast all attributes to all devices without the need for vendor-specific reply filtering.
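Because an ignored attribute fails silently, it helps to check which devices would end up on fallback policy alone for a given reply. The audit below is an added example, not WayFi's own code: the vendor-to-attribute table follows the vendor sections of this guide, while the NAS names, inventory and sample reply are constructed.

```python
# Added example, not WayFi's code. Which attributes each platform acts on is taken
# from the vendor sections of this guide; NAS names and the reply are constructed.
ENFORCED_BY = {
    "cisco": {"Filter-Id", "Cisco-AVPair"},
    "aruba": {"Aruba-User-Role"},
    "ruckus": {"Filter-Id"},
    "mikrotik": {"Mikrotik-Rate-Limit"},
    "mist": {"Filter-Id"},
    "ubiquiti": set(),  # the guide: no dynamic QoS via RADIUS
}

SAMPLE_REPLY = [  # constructed WAYFI-THROTTLE reply sent to every NAS
    ("Filter-Id", "WAYFI-THROTTLE"),
    ("Cisco-AVPair", "policy-map input WAYFI-THROTTLE"),
    ("Aruba-User-Role", "WAYFI-THROTTLE"),
    ("Mikrotik-Rate-Limit", "25M/5M 25M/5M 25M/5M 1/1"),
]

SAMPLE_INVENTORY = {  # constructed NAS name -> vendor
    "wlc-core": "cisco",
    "mc-campus": "aruba",
    "sz-venue": "ruckus",
    "rb-kiosk": "mikrotik",
    "unifi-annex": "ubiquiti",
    "legacy-ap": "unknown",
}


def audit_reply(vendor, reply):
    """Split a reply's attribute names into enforced and ignored for one vendor."""
    honored = ENFORCED_BY.get(vendor.lower(), set())
    names = {name for name, _ in reply}
    enforced = sorted(names & honored)
    return {"enforced": enforced, "ignored": sorted(names - honored),
            "fallback_only": not enforced}


def fallback_gaps(inventory, reply):
    """NAS devices where no attribute in the reply is enforced."""
    return sorted(nas for nas, vendor in inventory.items()
                  if audit_reply(vendor, reply)["fallback_only"])


if __name__ == "__main__":
    print(fallback_gaps(SAMPLE_INVENTORY, SAMPLE_REPLY))
```

Any device the audit reports should have its fallback policy set to the most restrictive tier, so that a missed attribute never results in unmetered access.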
📈 Operational Benefits
Emergency services always receive priority
Paid traffic isn't degraded by OpenRoaming loads
Unpaid tiers get access without affecting SLA
Compliance with partner agreements via automated tier matching
🧭 Conclusion
In dynamic, shared wireless environments — especially those supporting emergency responders, commercial subscribers, and OpenRoaming guests — precise and enforceable QoS policies are essential. FreeRADIUS empowers network operators to implement role-based bandwidth enforcement across a wide range of infrastructure with minimal manual intervention.
By leveraging vendor-specific RADIUS attributes and standardizing service tiers like WAYFI-EXEMPT, WAYFI-BASELINE, and WAYFI-THROTTLE, you can ensure:
Priority access for emergency and critical services
Fair usage for paid users without contention from free tiers
Contractual compliance for OpenRoaming partners
What makes this approach powerful is its scalability and flexibility. Regardless of the hardware vendor — Cisco, Aruba, Ruckus, MikroTik, or Juniper Mist — FreeRADIUS provides a centralized mechanism to enforce consistent, predictable policy decisions across your network.
As the need for interoperable and SLA-compliant access grows, especially with initiatives like OpenRoaming, this strategy puts you in control — reliably, securely, and at scale.