Forum Discussion
Cisco ISE
We are in testing Cisco ISE with F5 load-balancing.
We followed Craig Hyps' document for configuring the F5 LB: https://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf
My question is regarding persistence.
I am not using irules for setting up persistence. I have a RADIUS service profile that uses AV=31 for the persistence attribute. And I have a persistence profile called "radius sticky" that sets the sticky timeout to 3600sec. (all this is per the guide and is a valid option if one chooses not to use irules. I can't use irules for various reasons but it seems that I should be able to use the non-irules option easily).
In my VS, I use "radius_sticky" for my default persistence and I use "source-addr" for fallback persistence.
The results I am getting are as follows:
When wireless client-1 does a RADIUS auth, I get two persistence entries: one with the MAC and another with the source IP of the wireless LAN controller, both to server-71.
When client-2 sends a RADIUS auth, it doesn't get load-balanced; the persistence entry based on source address is matched and my request goes to server-71.
The same thing happens with clients 3, 4, 5... as long as that source-addr entry is present, it is used for all clients.
My question is... how do I truly make the fallback persistence work correctly? Why is the backup persistence used when the default method is telling the F5 to use the MAC address? If it's supposed to work this way, then does the guide have an error in how they recommend fallback to be set up? Has anyone encountered this?
When I disable fallback-persistence, it works correctly.
2 Replies
- GaganD_191239
Nimbostratus
Hi Meena, can you share the config of the radius_sticky persistence profile? And if possible the VS config as well. Just post the tmsh output of the commands list /ltm persistence radius_sticky and list /ltm virtual "VS name".
- Craig_129637
Nimbostratus
The entry for the NAD IP address (WLC source IP address) could be due to different reasons. If you have a RADIUS test account, that request will be sourced from the WLC and will not have a MAC address in Calling-Station-Id, and it will fall back to source IP. If you use RADIUS to authenticate access to the WLC, that too will result in Calling-Station-Id not including an actual MAC address.
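The following is an added example, not code from this thread or from F5. It parses a constructed RADIUS Access-Request, keys persistence on attribute 31 (Calling-Station-Id) with a source-address fallback, and reproduces the behaviour reported above: once a fallback entry exists for the WLC's source IP, every new MAC hits it, and a request with no Calling-Station-Id (a test account, or admin login to the WLC) is keyed by source IP only. Server names, the WLC IP and the MACs are assumed sample values.

```python
import struct
from itertools import cycle

CALLING_STATION_ID = 31  # RADIUS AVP the radius_sticky profile persists on

def parse_avps(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte RADIUS header."""
    avps, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute length")
        avps[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return avps

def build_access_request(avps: dict) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps.items())
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

class PersistenceTable:
    """Models what the post describes: default key = AVP 31, fallback key =
    source address, and an entry is written for both keys on every request."""
    def __init__(self, servers, fallback=True):
        self.pool, self.fallback, self.entries = cycle(servers), fallback, {}

    def select(self, src_ip: str, packet: bytes) -> str:
        mac = parse_avps(packet).get(CALLING_STATION_ID)
        key = ("avp31", mac) if mac else None        # no AVP 31 -> no default key
        server = self.entries.get(key) if key else None
        if server is None and self.fallback:          # new MAC: fallback lookup
            server = self.entries.get(("src", src_ip))
        if server is None:                            # no entry at all: load-balance
            server = next(self.pool)
        if key:
            self.entries[key] = server
        if self.fallback:
            self.entries[("src", src_ip)] = server
        return server

if __name__ == "__main__":
    wlc, pool = "10.0.0.5", ["server-71", "server-72"]
    for fb in (True, False):
        table = PersistenceTable(pool, fallback=fb)
        for mac in (b"aa-bb-cc-00-00-01", b"aa-bb-cc-00-00-02"):
            pkt = build_access_request({1: b"user", CALLING_STATION_ID: mac})
            print(f"fallback={fb} {mac.decode()} -> {table.select(wlc, pkt)}")
```

With fallback enabled, client 2 lands on server-71 via the source-address entry; with it disabled, client 2 is load-balanced to server-72 while client 1 still sticks to server-71.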