Forum Discussion
Load Balance Cisco ISE servers
Lots of great information in this thread! To try and sum it up, here is how I got this to work:
NO NAT - so put the PSN servers on their own subnet and set their default route to the BIG-IP. Create two forwarding VS, one for inbound traffic to the PSNs and one for outbound, and make sure to use "enabled on VLANs" to tie these to the appropriate interface.
Create two standard VS, one for 1812 and one for 1813. Use protocol UDP, use a UDP protocol profile, and use a RADIUS profile -- these are important to enable the iRule's use of the RADIUS command. It may be possible to get away with default profiles for UDP and RADIUS -- I haven't tested that. i.e.:
ltm virtual /RADIUS-AUTH {
    destination /10.10.10.113:1812
    ip-protocol udp
    mask 255.255.255.255
    persist {
        /RADIUS_STICKY {
            default yes
        }
    }
    pool /pool-1812-radius
    profiles {
        /udp-for-ise-profile { }
        /radius-profile { }
    }
    rules {
        /RADIUS-PERSIST-IRULE
    }
    vlans-disabled
}
Apply a universal persistence profile:
ltm persistence universal /RADIUS_STICKY {
    app-service none
    defaults-from /Common/universal
    match-across-pools disabled
    match-across-services enabled
    match-across-virtuals disabled
    mirror disabled
    override-connection-limit disabled
    rule none
    timeout 600
}
And the iRule:
ltm rule /RADIUS-PERSIST-IRULE {
    # ISE persistence iRule based on MAC address, with fall-back to the WLC (NAS) IP address as persistence identifier
    when RULE_INIT {
        # iRule variables must live inside an event; static:: makes them visible to every connection
        set static::debug 1
        set static::persist_ttl 14400
    }
    when CLIENT_DATA {
        # If a MAC address is present, use it as the persistence identifier
        # See RADIUS AV pair documentation on https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
        if { [RADIUS::avp 31] ne "" } {
            set mac [RADIUS::avp 31]
            # Persist on Calling-Station-Id (attribute 31)
            persist uie $mac $static::persist_ttl
            set target [persist lookup uie $mac]
            log local0.alert "Username=[RADIUS::avp 1] MAC=$mac TARGET=$target"
        } else {
            if { $static::debug > 0 } { log local0.alert "No MAC address found - using NAS IP as persistence identifier" }
            # Fall back to NAS-IP-Address (attribute 4)
            set nas_ip [RADIUS::avp 4]
            persist uie $nas_ip $static::persist_ttl
            set target [persist lookup uie $nas_ip]
            log local0.alert "Username=[RADIUS::avp 1] NAS IP=$nas_ip TARGET=$target"
        }
    }
}
Pool:
ltm pool /pool-1812-radius {
    allow-nat no
    allow-snat no
    members {
        /10.10.194.133:1812 {
            address 10.10.194.133
            session user-disabled
        }
        /10.10.194.134:1812 {
            address 10.10.194.134
        }
        /10.10.194.135:1812 {
            address 10.10.194.135
        }
    }
    monitor /radius-auth-1812
}
Monitors are straightforward -- just use the RADIUS ones on the box.
ltm profile radius /radius-child-31 {
    app-service none
    clients none
    defaults-from /Common/radiusLB
    persist-avp 31
}
ltm profile udp /radius-child-31-profile {
    app-service none
    defaults-from /Common/udp
}
Depending on your configuration you may also need an additional standard VS to send DHCP :67 traffic to the PSN servers. I've also seen where a forwarding VS from the PSN network out, UDP/0.0.0.0:1700, was needed -- and to that VS assign a SNAT pool that uses the same IP as the RADIUS server VS IP.
I'm not sure if I have made this less muddy, but hopefully there are enough configuration examples above to get you rolling in the right direction.
Cheers!
- LBAL_93235 (Nimbostratus), Jul 09, 2014
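As an added example (not the original poster's configuration and not F5 code), the Python below mirrors the iRule's persistence decision against constructed RADIUS Access-Request packets: it walks the RFC 2865 attribute layout, keys on Calling-Station-Id (31) and falls back to NAS-IP-Address (4), and keeps a small persistence table in front of a constructed three-member PSN pool. The packet builder, the `choose_psn` round-robin stand-in for `persist uie` and the pool addresses are assumptions for the demo.

```python
import struct

# RADIUS attribute types used by the iRule above (RFC 2865 numbers)
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31

def build_radius_request(attrs, identifier=1, authenticator=b"\x00" * 16):
    """Build a minimal Access-Request (code 1) from (type, bytes) pairs.
    Constructed test packets only: the authenticator is a dummy, not a real one."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body

def parse_avps(packet):
    """Map attribute type -> raw value (first occurrence), checking the header
    and every AVP length so a malformed packet raises instead of misparsing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad AVP length at offset %d" % pos)
        t, l = packet[pos], packet[pos + 1]
        avps.setdefault(t, packet[pos + 2:pos + l])
        pos += l
    return avps

def persistence_key(packet):
    """Mirror the iRule: key on Calling-Station-Id (endpoint MAC) when present,
    otherwise on NAS-IP-Address, so one endpoint keeps hitting the same PSN."""
    avps = parse_avps(packet)
    mac = avps.get(CALLING_STATION_ID, b"")
    if mac:
        return ("mac", mac.decode("ascii", "replace"))
    nas = avps.get(NAS_IP_ADDRESS)
    if nas is None or len(nas) != 4:
        raise ValueError("neither Calling-Station-Id nor a valid NAS-IP-Address present")
    return ("nas_ip", ".".join(str(b) for b in nas))

def choose_psn(packet, pool, table):
    """Assumed stand-in for 'persist uie': the first request for a key gets a pool
    member round-robin, every later request with that key reuses the same member."""
    key = persistence_key(packet)[1]
    if key not in table:
        table[key] = pool[len(table) % len(pool)]
    return table[key]
```

An empty Calling-Station-Id falls through to the NAS IP exactly as the iRule's `ne ""` test does, and a packet whose length fields do not add up is rejected rather than keyed on garbage.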
Could you be so kind as to define your profiles on the virtual please? profiles { /udp-for-ise-profile { } /radius-profile { } - JackF (Employee), Aug 19, 2014
Ended up just using this iRule:
when CLIENT_ACCEPTED {
    set framed_ip [RADIUS::avp 8 ip4]
    set calling_station_id [RADIUS::avp 31 "string"]
    log local0. "request from $calling_station_id:$framed_ip"
    persist uie "$calling_station_id:$framed_ip"
}
Best of luck! - tomHooper_13312 (Nimbostratus), Nov 07, 2014
Hey Jack, which VIP did this iRule get applied against? - rangara10_75278 (Nimbostratus), Apr 11, 2015
Hi JackF - what version of LTM were you able to get this setup working on? By any chance, was it earlier than 11.4.1 HF5? Thanks. - JackF (Employee), Apr 13, 2015
@rangara10 It was on version 11.1 with a later hotfix. Also you may find this new document from F5/Cisco to be helpful: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf - JackF (Employee), Apr 13, 2015
@tomhooper It was: ltm virtual /RADIUS-AUTH