Forum Discussion
Cisco ISE load-balancing and Change of Authorization (CoA)
The real trick if you are using ISE for mobile/guest provisioning is to redirect the user to the same PSN that they authenticated to on tcp/8443 when that call comes in. The persist method in this case wouldn't work, as there would be no RADIUS attributes. Furthermore, if the guest SSID is anchored in a DMZ (best practice), the RADIUS authentication is done on the local controller before the client can request DHCP, so the RADIUS Framed-IP-Address is null in this scenario. I know Cisco states to LB on the MAC & IP as a best practice, but in the anchor scenario I don't believe it will work.
Also it's a bad idea to SNAT with the LTM for ISE RADIUS. ISE does not use the RADIUS NAS-IP field to determine the NAS. It uses the source IP address. So you would be writing authorization rules based on the LTM address rather than the real NAS.
Chances are if you are talking about CoA you're doing some type of NAC, either switch-based or WLC-based, possibly both. While there are many RADIUS fields you can use to narrow down the type of traffic to send authentication to the appropriate ISE policy sets, if the NAS IP were passed through then you wouldn't have to write as granular a selection rule set, not to mention making the reporting logs much more attractive.
Route to ISE via the LTM and make the ISE appliances' default gateway a self IP of the LTM. This can be tricky if you need to isolate the ISE appliances with a firewall; you'll need to carve out space for the LTM then too, as you won't want to bridge the firewall via the LTM. That should get you the load balancing as well as the appliance transparency.
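As an added illustration of the two RADIUS points raised above (not code from the thread, F5 or Cisco): a minimal RFC 2865 attribute parser that derives a MAC+IP persistence key, falling back to the MAC alone when Framed-IP-Address is absent (the anchored-guest case), and a check that shows why the packet's NAS-IP-Address is no substitute for the real source IP once the LTM SNATs. The attribute numbers are the standard RFC 2865 values; the packet builder and addresses are constructed for the example.

```python
import struct

# Standard RFC 2865 attribute types; packet contents below are constructed, not captured.
NAS_IP_ADDRESS = 4
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31


def parse_avps(packet: bytes) -> dict:
    """Return {attribute type: raw value} for a RADIUS packet (header + AVPs)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    avps, pos = {}, 20  # 4-byte header + 16-byte authenticator
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed AVP")
        avps[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return avps


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def persistence_key(packet: bytes) -> str:
    """MAC+IP key when Framed-IP-Address is present; MAC only when it is absent,
    which is the anchored guest SSID case where the client has not done DHCP yet."""
    avps = parse_avps(packet)
    raw_mac = avps.get(CALLING_STATION_ID, b"").decode("ascii", "replace").upper()
    mac = "".join(c for c in raw_mac if c in "0123456789ABCDEF")  # strip - : . separators
    framed = avps.get(FRAMED_IP_ADDRESS)
    if framed and len(framed) == 4:
        return f"{mac}/{_ipv4(framed)}"
    return mac


def nas_ip_matches_source(packet: bytes, source_ip: str) -> bool:
    """ISE identifies the NAS by the packet's source IP, not NAS-IP-Address;
    a mismatch is exactly what SNAT on the LTM produces."""
    nas = parse_avps(packet).get(NAS_IP_ADDRESS)
    return nas is not None and len(nas) == 4 and _ipv4(nas) == source_ip


def build_access_request(avps) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator, for testing only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body
```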