For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Richard_Schmit_'s avatar
Richard_Schmit_
Icon for Nimbostratus rankNimbostratus
Apr 22, 2013

Load Balance Cisco ISE servers

Trying to load Balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-address...Session-ID is recommended if load balancer is capable of it. I h...
application delivery
dev
devops
iRules
Daniel_Tavernie's avatar
Daniel_Tavernie
Icon for Cirrostratus rankCirrostratus
Oct 08, 2014
  • If you must support MSCHAP (challenge-response) authentication things get messy.
  • Apparently Datagram LB assumes a single request/response, so additional responses may get dropped or grabbed by a wildcard forwarding virtual server and incorrectly routed (with RADIUS server as source IP).
  • If you disable Datagram LB then persistence is based on the UDP "connection" and not each individual RADIUS packet.

  • It appears that you can get around this issue by setting the UDP profile's idle timeout to "Immediate" and then setting up one or more outbound forwarding virtual servers configured to SNAT using the RADIUS virtual server's IP.

     

  • Does anyone have experience with this?