Forum Discussion
Load Balance Cisco ISE servers
Lots of great information in this thread! To try and sum it up, here is how I got this to work:
NO NAT - so put the PSN servers on their own subnet and set their default route to the BIG-IP. Create two forwarding VSs, one for inbound traffic to the PSNs and one for outbound. Make sure to use "enabled on VLANs" to tie these to the appropriate interface.
Create two standard VSs, one for 1812 and one for 1813. Use protocol UDP, use a UDP protocol profile, use a RADIUS profile -- these are important to enable the iRule's use of the RADIUS command. It may be possible to get away with default profiles for UDP and RADIUS -- I haven't tested that. e.g.:
ltm virtual /RADIUS-AUTH {
    destination /10.10.10.113:1812
    ip-protocol udp
    mask 255.255.255.255
    persist {
        /RADIUS_STICKY {
            default yes
        }
    }
    pool /pool-1812-radius
    profiles {
        /udp-for-ise-profile { }
        /radius-profile { }
    }
    rules {
        /RADIUS-PERSIST-IRULE
    }
    vlans-disabled
}
Apply a universal persistence profile:
ltm persistence universal /RADIUS_STICKY {
    app-service none
    defaults-from /Common/universal
    match-across-pools disabled
    match-across-services enabled
    match-across-virtuals disabled
    mirror disabled
    override-connection-limit disabled
    rule none
    timeout 600
}
And the iRule:
ltm rule /RADIUS-PERSIST-IRULE {
    # ISE persistence iRule based on MAC address with fall-back to WLC IP address as persistence identifier
    # Variables shared across events must be set in RULE_INIT in the static:: namespace;
    # plain "set" statements outside an event are not valid iRule syntax.
    when RULE_INIT {
        set static::debug 1
        set static::persist_ttl 14400
    }
    when CLIENT_DATA {
        set persist_ttl $static::persist_ttl
        # If MAC address is present - use it as persistent identifier
        # See RADIUS AV pair documentation on https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
        if { [RADIUS::avp 31] ne "" } {
            # AVP 31 = Calling-Station-Id (the endpoint MAC as the NAS formats it)
            set mac [RADIUS::avp 31]
            # Persist config
            persist uie $mac $persist_ttl
            set target [persist lookup uie $mac]
            log local0.alert "Username=[RADIUS::avp 1] MAC=$mac TARGET=$target"
        } else {
            if { $static::debug > 0 } { log local0.alert "No MAC Address found - Using NAS IP as persistent identifier" }
            # AVP 4 = NAS-IP-Address; decode as a dotted quad so the key and the log line are readable
            set nas_ip [RADIUS::avp 4 ip4]
            persist uie $nas_ip $persist_ttl
            set target [persist lookup uie $nas_ip]
            log local0.alert "Username=[RADIUS::avp 1] NAS IP=$nas_ip TARGET=$target"
        }
    }
}
Pool:
ltm pool /pool-1812-radius {
    allow-nat no
    allow-snat no
    members {
        /10.10.194.133:1812 {
            address 10.10.194.133
            session user-disabled
        }
        /10.10.194.134:1812 {
            address 10.10.194.134
        }
        /10.10.194.135:1812 {
            address 10.10.194.135
        }
    }
    monitor /radius-auth-1812
}
Monitors are straightforward -- just use the RADIUS ones on the box. The RADIUS and UDP profiles:
ltm profile radius /radius-child-31 {
    app-service none
    clients none
    defaults-from /Common/radiusLB
    persist-avp 31
}
ltm profile udp /radius-child-31-profile {
    app-service none
    defaults-from /Common/udp
}
Depending on your configuration you may also need an additional std VS to send DHCP :67 traffic to the PSN servers. I've also seen where a forwarding VS from the PSN network out, UDP/0.0.0.0:1700, was needed -- and to that VS assign a SNAT pool that uses the same IP as the RADIUS server VS IP.
I'm not sure if I have made this less muddy but hopefully there is enough config examples above to get you rolling in the right direction.
Cheers!
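The persistence logic the iRule above implements, written out as an added example in Python so it can be run offline. This is not F5 code and not part of the original post: it parses a RADIUS Access-Request laid out per RFC 2865 (Code, Identifier, Length, Authenticator, then Type/Length/Value attributes), picks the key the way the iRule does (Calling-Station-Id, AVP 31, if present, otherwise NAS-IP-Address, AVP 4), and keeps a TTL-bounded table that pins each key to a PSN the way `persist uie` does. The PSN addresses are the ones in the post's pool; the packets are constructed here. Two things go beyond the iRule and are this example's own choices: attribute length fields are validated before use so a malformed AVP cannot become a persistence key, and the MAC is normalized (separators stripped, upper-cased) because different NAS vendors format Calling-Station-Id differently.

```python
"""RADIUS persistence-key selection: AVP 31 (Calling-Station-Id) first,
AVP 4 (NAS-IP-Address) as fall-back, with a TTL-bounded key -> PSN table.
Added example, not F5 code and not from the original post."""
import socket
import struct
import time

ACCESS_REQUEST = 1
AVP_USER_NAME = 1
AVP_NAS_IP_ADDRESS = 4
AVP_CALLING_STATION_ID = 31
PERSIST_TTL = 14400  # seconds, same value as the iRule's persist_ttl

# 10.10.194.133 is "session user-disabled" in the post's pool, so it takes no new sessions.
PSN_POOL = ["10.10.194.134", "10.10.194.135"]


def avp(code, value):
    """Encode one attribute: Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("AVP value too long")
    return bytes([code, 2 + len(value)]) + value


def access_request(avps, identifier=0, authenticator=bytes(16)):
    """Build an Access-Request: Code(1) Identifier(1) Length(2) Authenticator(16) AVPs.
    The all-zero authenticator is a placeholder for a constructed test packet."""
    body = b"".join(avps)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_avps(packet):
    """Return {type: first value} for the attributes in a RADIUS packet.
    Length fields are checked before use: a truncated or overlapping AVP is
    rejected rather than turned into a bogus persistence key."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    avps, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated AVP header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad AVP length")
        avps.setdefault(atype, packet[off + 2:off + alen])  # first occurrence wins
        off += alen
    return avps


def persistence_key(avps):
    """Same precedence as the iRule: MAC if present, else NAS IP.
    Normalizing the MAC is this example's choice, not the iRule's behaviour."""
    mac = avps.get(AVP_CALLING_STATION_ID, b"")
    if mac:
        text = mac.decode("ascii", "replace")
        return ("mac", "".join(ch for ch in text if ch.isalnum()).upper())
    nas = avps.get(AVP_NAS_IP_ADDRESS, b"")
    if len(nas) != 4:
        raise ValueError("no Calling-Station-Id and no usable NAS-IP-Address")
    return ("nas", socket.inet_ntoa(nas))


class PersistenceTable:
    """TTL-bounded key -> PSN map standing in for `persist uie <key> <ttl>`.
    The key carries no port, which is what match-across-services buys you
    on the BIG-IP: 1812 auth and 1813 accounting for one key hit one PSN."""

    def __init__(self, pool, ttl=PERSIST_TTL, clock=time.monotonic):
        self.pool, self.ttl, self.clock = list(pool), ttl, clock
        self.entries = {}  # key -> (psn, expiry)
        self._next = 0

    def lookup(self, key):
        """Like `persist lookup uie`: the pinned PSN, or None if absent or expired."""
        psn, expiry = self.entries.get(key, (None, 0))
        return psn if expiry > self.clock() else None

    def select(self, key):
        """Keep the existing PSN or pick the next one round-robin; refresh the TTL."""
        psn = self.lookup(key)
        if psn is None:
            psn = self.pool[self._next % len(self.pool)]
            self._next += 1
        self.entries[key] = (psn, self.clock() + self.ttl)
        return psn


def route(packet, table):
    """Choose the PSN for one RADIUS packet; returns (key, psn)."""
    key = persistence_key(parse_avps(packet))
    return key, table.select(key)


if __name__ == "__main__":
    table = PersistenceTable(PSN_POOL)
    nas = avp(AVP_NAS_IP_ADDRESS, socket.inet_aton("10.10.10.5"))
    # Constructed traffic: one endpoint whose NAS formats the MAC two different ways.
    for mac in (b"aa-bb-cc-11-22-33", b"AA:BB:CC:11:22:33"):
        print(route(access_request([avp(AVP_USER_NAME, b"alice"), nas,
                                    avp(AVP_CALLING_STATION_ID, mac)]), table))
    # No MAC at all: falls back to the NAS IP, as the iRule's else branch does.
    print(route(access_request([nas]), table))
```

Run it as a script to see both formattings of the MAC land on the same PSN while the MAC-less request is keyed by NAS IP. The TTL here is only refreshed on traffic, as with `persist uie`; the BIG-IP persistence profile's `timeout 600` is a separate idle limit on the record, so the effective lifetime is whichever of the two expires first.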
