Forum Discussion
Cisco ISE load-balancing and Change of Authorization (CoA)
The real trick if you are using ISE for mobile/guest provisioning is to redirect the user to the same PSN that they authenticated to on tcp/8443 when that call comes in. The persist method in this case wouldn't work as there would be no radius attributes. Furthermore, if the guest SSID is anchored in a DMZ (Best practice) the radius authentication is done on the local controller before the client can request DHCP. So the radius framed IP address is null in this scenario. I know Cisco states to LB on the MAC & IP as a best practice, but in the anchor scenario I don't believe it will work.
Also it's a bad idea to SNAT with the LTM for ISE RADIUS. ISE does not use the RADIUS NAS-IP field to determine the NAS. It uses the source IP address. So you would be writing authorization rules based on the LTM address rather than the real NAS.
Chances are if you are talking about CoA you're doing some type of NAC either switch based or WLC based, possibly both. While there are many radius fields you can use to narrow down the type of traffic to send authentication to the appropriate ISE policy sets, if the NAS IP was passed through then you wouldn't have to write as granular a selection rule set, not to mention make the reporting logs much more attractive.
Route to ISE via the LTM and make the ISE appliances' default gateway a self IP of the LTM. It can be tricky if you need to isolate the ISE appliances with a firewall; you'll need to carve out space for the LTM then too, as you won't want to bridge the firewall via the LTM. That should get you the load balancing as well as the appliance transparency.
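As an added illustration of the two points in the post above (not code from the original thread or from F5/Cisco), the script below parses constructed RADIUS Access-Requests and derives a persistence key the way a load balancer would: Calling-Station-Id (MAC) plus Framed-IP-Address when present, MAC alone when the anchored guest SSID authenticates before DHCP and Framed-IP-Address is absent. It also compares the datagram source address (what ISE actually keys the NAS on) with the NAS-IP-Address attribute, which is how a SNAT'd flow shows up as the LTM self IP instead of the real WLC. Packets, addresses and the MAC are constructed sample values; attribute type codes are from RFC 2865.

```python
"""Parse RADIUS Access-Requests and derive a persistence key.

Added example; all packets are built inline, not captured from a WLC.
"""
import ipaddress
import struct

# Attribute type codes from RFC 2865
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
CODE_ACCESS_REQUEST = 1


def parse_radius(packet: bytes) -> dict:
    """Parse header and attributes; attrs maps type -> list of raw values."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field does not match datagram")
    attrs: dict = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length for attribute {atype}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": identifier, "attrs": attrs}


def build_access_request(attrs, identifier=1) -> bytes:
    """Encode an Access-Request with a zeroed Request Authenticator (test data only)."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body))
    return header + bytes(16) + body


def _first(attrs, atype):
    values = attrs.get(atype)
    return values[0] if values else None


def persistence_key(parsed: dict) -> str:
    """MAC plus Framed-IP when present; MAC alone when the anchor case leaves it null."""
    attrs = parsed["attrs"]
    raw_mac = _first(attrs, ATTR_CALLING_STATION_ID)
    if raw_mac is None:
        raise ValueError("no Calling-Station-Id: cannot persist this request")
    # Normalise "00-11-22-33-44-55" / "00:11:..." / "0011.2233.4455" to one form
    mac = "".join(ch for ch in raw_mac.decode("ascii").lower() if ch not in ":-.")
    framed = _first(attrs, ATTR_FRAMED_IP_ADDRESS)
    if framed is None:
        return mac
    return f"{mac}|{ipaddress.IPv4Address(framed)}"


def nas_identity(source_ip: str, parsed: dict) -> dict:
    """Compare the datagram source (what ISE keys on) with the NAS-IP-Address attribute."""
    nas_attr = _first(parsed["attrs"], ATTR_NAS_IP_ADDRESS)
    nas_attr_ip = str(ipaddress.IPv4Address(nas_attr)) if nas_attr else None
    return {
        "source_ip": source_ip,
        "nas_ip_attribute": nas_attr_ip,
        # True when a SNAT has replaced the WLC address with the LTM self IP
        "nas_masked_by_snat": nas_attr_ip is not None and source_ip != nas_attr_ip,
    }


# Constructed sample packets with hypothetical addresses (not real captures)
NAS_IP = ipaddress.IPv4Address("10.1.1.5").packed
MAC = b"00-11-22-33-44-55"
# Anchored guest SSID: authentication happens before DHCP, so no Framed-IP-Address
ANCHOR_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"guest01"),
    (ATTR_NAS_IP_ADDRESS, NAS_IP),
    (ATTR_CALLING_STATION_ID, MAC),
])
# Non-anchored client that already holds an address
LOCAL_REQUEST = build_access_request([
    (ATTR_USER_NAME, b"guest01"),
    (ATTR_NAS_IP_ADDRESS, NAS_IP),
    (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.20.30.40").packed),
    (ATTR_CALLING_STATION_ID, MAC),
], identifier=2)

if __name__ == "__main__":
    for name, pkt in (("anchor", ANCHOR_REQUEST), ("local", LOCAL_REQUEST)):
        print(name, "persist on:", persistence_key(parse_radius(pkt)))
    # With SNAT the PSN sees the LTM self IP (hypothetical 192.0.2.10), not the WLC
    print(nas_identity("192.0.2.10", parse_radius(ANCHOR_REQUEST)))
    print(nas_identity("10.1.1.5", parse_radius(ANCHOR_REQUEST)))
```

The anchor packet yields a MAC-only key, which is why a persistence profile that insists on MAC and Framed-IP together has nothing to match on in that scenario; the SNAT check is the same comparison an ISE authorization rule is effectively making when it decides which network device sent the request.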
- Jason_47442, Sep 16, 2014 (Nimbostratus):
  Some LAB testing....
  Cisco 5508 WLCs hosting Guest SSID in an anchor configuration. (v7.6.100)
  ISE – Distributed deployment with each node having 1 persona. (v1.2.1)
  2 PSNs per data center
  1 LTM VIP per data center
  From testing it looks like the following configuration works for the WLCs:
  WLAN / Security / AAA definition contains only the VIP address(es).
  WLC Security / AAA / RADIUS / Authentication section contains the definition of the ISE PSNs individually and specifies RFC 3576 support as well as the VIP addresses (my VIPs are defined with no RFC 3576 support).
  So far so good....
- rangara10_75278, Apr 09, 2015 (Nimbostratus):
  Hi Jason - can you specify what version of LTM you were using? I'm hearing from Cisco consulting that this won't work with any version below 11.4.1 HF5; I'm trying to verify this statement.
- Jason_47442, Apr 20, 2015 (Nimbostratus):
  I set this up with the 10.2.4 train; I forget what the hotfix was at the time. I assure you that it does work. Let me know what you are having trouble with and I'll be glad to assist where I can. Also, see if your Cisco folks can reach out to Aaron Woland if they are unsure how to move forward. I worked with him briefly at Cisco Live in 2014. Very good resource; his blog post about load balancing behind the now defunct ACE appliances is what I based a lot of my configuration on.