Forum Discussion
Load Balance Cisco ISE servers
Trying to load balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-Address... Session-ID is recommended if the load balancer is capable of it. I have documentation for the Cisco ACE, but am using F5 LTMs. Assuming this has to be done with an iRule as none of these are available as a default. Not sure where to begin. I tried attaching the Cisco PDF, but was not able to for whatever reason. If anyone has any examples or knowledge of how to do this, it would be appreciated. I can send the Cisco document via e-mail if that helps. I just am not able to attach it to this forum???
57 Replies
- What_Lies_Bene1
Cirrostratus
Hey Richard. The Session-ID of what? A RADIUS 'request'? - Richard_Schmit_
Nimbostratus
Yes, I believe it would be a RADIUS Request. If you can provide me with an e-mail, I can send you the ACE configuration document, but reading through that, I believe it would be a RADIUS Request. - nitass
Employee
"Assuming this has to be done with an iRule as none of these are available as a default. Not sure where to begin."

Have you tried the "Persist Attribute" setting in the RADIUS profile?
- Angelo
Nimbostratus
Hi
Use source persistence. The problem is with the NATting; in theory you should create a pass-through to the backend, but I'm not sure how to do that on F5. If you bypass the F5, does it work or not? - Richard_Schmit_
Nimbostratus
This is a new turn-up. Testing this week and next.
Couple of bullet points that are taken from the Cisco ACE configuration PDF....
• Load Balancers get listed as NADs in ISE so their test authentications may be answered.
• ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to the VIP.
So the way I'm understanding it is that NADs, or network access devices, which are the end stations, send the request to the LTMs. Once the packet hits the LTM, then the LTM becomes the NAD from the perspective of the ISE servers.
I don't think source persistence works because on the initial request the end device still doesn't have an IP address. The ISE servers determine who and what the client is, and then based on that assign the VLAN and IP space etc.
I had never used the "Persist Attribute" setting in the RADIUS profile before. I see where that setting is, but where do you apply it once you create it? - What_Lies_Bene1
Cirrostratus
I believe a RADIUS profile is assigned to a Virtual Server.
Based on your notes about the initial L3 address (it must have one) changing, is the persistence required initially? I assume the VLAN and address assignment is all done over a single connection. After that, what comes next, does it have to go to the same server? It'll be a new connection for sure as the source IP would have changed I assume. Don't the ISE servers share state in some way? It seems poor that they don't.
The operation doesn't exclude the use of SNAT btw, but to use it you'd have to use static translations (not automap etc.) - Scott_126199
Nimbostratus
@Richard, have you managed to get this working? - Richard_Schmit_
Nimbostratus
Unfortunately, I got pulled into some other stuff and this got passed on to another engineer. I'm trying to find out if he got it resolved. If so, I will post the answer.
Thanks, Rich
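Added example, not from any poster above and not F5's or Cisco's code: a small Python model of the persistence decision the thread is circling around. It parses the attribute list of a RADIUS packet, derives a persistence key in Cisco's recommended order (Calling-Station-Id first, Framed-IP-Address second) and maps the key to one ISE policy node. The two packets are constructed, not captured: an initial Access-Request that carries no Framed-IP-Address because the endpoint has no address yet (Richard's point about why source persistence fails), and a later Accounting-Request for the same endpoint after ISE has assigned one. The pool member names, the SHA-256 node selection and the MAC normalisation are my assumptions, added because NADs write Calling-Station-Id in different formats and the key must be identical for all of them.

```python
"""Persistence-key selection for RADIUS traffic to ISE behind a load balancer.
Added example with constructed packets; not captured from a real deployment."""
import hashlib
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4            # RADIUS codes (RFC 2865/2866)
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 8, 31

PSNS = ["ise-psn-1", "ise-psn-2", "ise-psn-3"]       # hypothetical pool member names


def build_packet(code, ident, attrs):
    """Assemble header + AVPs; the 16-byte Request Authenticator is random filler here."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + os.urandom(16) + body


def parse_avps(packet):
    """Walk the TLV attribute list, rejecting lengths that would run off the packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("AVP length out of range")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, attrs


def normalize_mac(raw):
    """Collapse 0011.2233.4455 / 00-11-22-33-44-55 / 00:11:22:33:44:55 into one form.
    Values that are not 12 hex digits (e.g. a phone number) are kept as-is."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return raw.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def key_by_calling_station_id(packet):
    _code, attrs = parse_avps(packet)
    if CALLING_STATION_ID not in attrs:
        return None
    return "csid:" + normalize_mac(attrs[CALLING_STATION_ID][0].decode("ascii", "replace"))


def key_by_framed_ip(packet):
    _code, attrs = parse_avps(packet)
    if FRAMED_IP_ADDRESS not in attrs:
        return None
    return "fip:" + str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0]))


def persistence_key(packet):
    """Cisco's order of preference; None means neither attribute was present."""
    return key_by_calling_station_id(packet) or key_by_framed_ip(packet)


def pick_psn(key, psns=PSNS):
    """Stable key -> node mapping so every packet with the same key reaches the same PSN."""
    h = hashlib.sha256(key.encode()).digest()
    return psns[int.from_bytes(h[:4], "big") % len(psns)]


# Constructed samples. The Access-Request has no Framed-IP-Address because the endpoint
# has not been given an address yet; the Accounting-Request arrives after ISE assigned one.
ACCESS_REQ = build_packet(ACCESS_REQUEST, 1, [
    (USER_NAME, b"host/laptop01"),
    (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    (CALLING_STATION_ID, b"0011.2233.4455"),
])
ACCT_REQ = build_packet(ACCOUNTING_REQUEST, 2, [
    (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (FRAMED_IP_ADDRESS, bytes([192, 168, 50, 20])),
])

if __name__ == "__main__":
    for name, pkt in (("Access-Request", ACCESS_REQ), ("Accounting-Request", ACCT_REQ)):
        print(name, "| framed-ip key:", key_by_framed_ip(pkt),
              "| chosen key:", persistence_key(pkt), "->", pick_psn(persistence_key(pkt)))
```

Keying on Framed-IP-Address (or on the client source address) yields nothing for the initial Access-Request and only starts working once the session already exists, whereas the Calling-Station-Id key is identical for both packets and therefore lands them on the same PSN. On LTM the equivalent of this selection is the RADIUS profile's Persist Attribute that nitass mentioned, set to the attribute number you want to key on and applied by assigning that profile to the virtual server, as What_Lies_Bene1 noted.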