Forum Discussion
Cisco ISE load-balancing and Change of Authorization (CoA)
Yes that is correct--you do need to account for that. You want a forwarding VS from the PSN network outbound: UDP/0.0.0.0:1700 --and to that VS assign a SNAT Pool that uses the same IP as the RADIUS server VS IP. This way the clients believe the server (which to them is the F5 VS) is responding.
I also just posted the updated iRule that worked best for us to the main thread, which is:

    when CLIENT_ACCEPTED {
        # Pull Framed-IP-Address (AVP 8) and Calling-Station-Id (AVP 31) from the RADIUS request
        set framed_ip [RADIUS::avp 8 ip4]
        set calling_station_id [RADIUS::avp 31 "string"]
        log local0. "request from $calling_station_id:$framed_ip"
        # Persist on the endpoint identity so all packets for one session reach the same PSN
        persist uie "$calling_station_id:$framed_ip"
    }
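A tmsh rendering of the forwarding virtual server and SNAT pool JackF describes, added here as an illustration and not taken from the thread or from F5 documentation; the RADIUS VS address 192.0.2.10, the PSN subnet 10.10.10.0/24 and the object names are assumed placeholders, and the destination-port/source-restriction details are this editor's reading of the post.

```tmsh
# SNAT pool whose only member is the RADIUS VS address, so CoA packets leaving the
# PSNs appear to come from the address the network devices already trust as "the server".
# 192.0.2.10 is a placeholder for the real RADIUS virtual server IP.
create ltm snatpool radius_vs_snatpool members add { 192.0.2.10 }

# Outbound forwarding VS for CoA (UDP/1700) originating from the PSN subnet.
# Address/port translation is disabled so the packet still reaches the real network
# device; only the source is rewritten by the SNAT pool. Restricting "source" to the
# PSN subnet keeps unrelated hosts from borrowing the RADIUS VS address.
create ltm virtual vs_coa_forward \
    destination 0.0.0.0:1700 mask any \
    ip-protocol udp \
    source 10.10.10.0/24 \
    profiles add { udp } \
    translate-address disabled \
    translate-port disabled \
    source-address-translation { type snat pool radius_vs_snatpool }

# Verify the objects and watch for CoA traffic leaving with the VS address as source.
list ltm snatpool radius_vs_snatpool
list ltm virtual vs_coa_forward
show ltm virtual vs_coa_forward
```

If ISE is configured to send CoA on a port other than 1700, the destination port in the forwarding VS has to match that port instead.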
smp_86112 (Cirrostratus), Aug 22, 2014:

Thank you for your response JackF. What you have described seems like what I am being asked for. However, if there is a way to do this outside the LTM, that is my preference. I realize now that same preference might not be shared by everyone in this forum, and might be partially responsible for the approach you have decided to take. So after having digested your response, my question can be changed slightly to whether or not the same effect might be achieved by doing what the Cisco forum article I reference instructs: ("Each PSN gets listed individually in the Dynamic-Authorization (CoA). Use the real IP Address of the PSN, not the VIP.") I read that as meaning you simply add the IP addresses of the RADIUS/ISE F5 Nodes into some "Dynamic Authorization" field on the "client of the RADIUS VIP". That's obviously my term, and I'm reading into that statement up above slightly because it doesn't come out and explicitly state this. But in context, that's how I read it. Wondering if that interpretation is right or wrong.