Forum Discussion
NimbostratusLoad Balance Cisco ISE servers
Trying to load Balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-address...Session-ID is recommended if load balancer is capable of it. I have documentation for the Cisco ACE, but using F5 LTM's. Assuming this has to be done with an I-Rule as none of these are available as a default. Not sue where to begin. I tried attaching the Cisco PDF, but not able for whatever reason. If anyone has any examples of knowledge of how to do this, would be appreciated. I can send the Cisco document via e-mail if that helps. I just am not able to attach it to this forum???
57 Replies
Joe_B_41386I'm also in the same boat.. Persist attribute in the Radius profile only seems to take one value, which i'm currently using Calling-Station-ID and i'm getting suboptimal results. Anyone made any headway on this?
Dclick_115936Good afternoon. New F5 user here - but I also need to use F5's to load balance my Cisco ISE servers.- nitass
Employee
Persist attribute in the Radius profile only seems to take one value, which i'm currently using Calling-Station-ID and i'm getting suboptimal results.you do not have to use persist attribute in radius profile. you are able to use persist irule command to persist whatever avp data or any combination you want. - Joe_B_41386I'll probably have to dig around for an example on how to do this, then. The radius load balancing irule examples I've seen seemed a little complicated and perhaps more involved than I was expecting to get. Cisco provides plenty of examples on how to do this but it's limited to ACE load balancers.
- nitass
i do not think it is going to be too complicated. i understand you just retrieve avp you want to persist on using RADIUS::avp and use it in persist uie command.
RADIUS::avp wiki https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
sol7392: Overview of universal persistence http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7392.html
- Joe_B_41386
I've read through that, but I think I need to persist on multiple values together (calling-station-id and framed-ip-address) and not just one. Any tips?
nitass_89166Noctilucent
e.g.[root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.252:1812 ip protocol 17 rules myrule profiles udp_gtm_dns {} } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:1812 {} } [root@ve10:Active] config b rule myrule list rule myrule { when CLIENT_ACCEPTED { log local0. "\[RADIUS::avp CALLING-STATION-ID\] [RADIUS::avp CALLING-STATION-ID]" log local0. "\[RADIUS::avp FRAMED-IP-ADDRESS\] [RADIUS::avp FRAMED-IP-ADDRESS]" persist uie "[RADIUS::avp CALLING-STATION-ID]:[RADIUS::avp FRAMED-IP-ADDRESS]" } } [root@ve10:Active] config tail -f /var/log/ltm Jun 18 18:57:44 local/tmm info tmm[4950]: Rule myrule : [RADIUS::avp CALLING-STATION-ID] 123456 Jun 18 18:57:44 local/tmm info tmm[4950]: Rule myrule : [RADIUS::avp FRAMED-IP-ADDRESS] 1.1.1.1 [root@ve10:Active] config b persist show all PERSISTENT CONNECTIONS | Mode universal Value 123456:1.1.1.1 | virtual 172.28.19.252:1812 node 200.200.200.101:1812 age 14sec- Nick_Ehlers_132Working iRule: when CLIENT_ACCEPTED { set framed_ip [RADIUS::avp 8 ip4] set calling_station_id [RADIUS::avp 31 "string"] log local0. "request from $calling_station_id:$framed_ip" persist uie "$calling_station_id:$framed_ip" }
- rangara10_75278Hi - what version of LTM was this irule working? Will this work on 11.2.1?
- nitasse.g.
[root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.252:1812 ip protocol 17 rules myrule profiles udp_gtm_dns {} } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:1812 {} } [root@ve10:Active] config b rule myrule list rule myrule { when CLIENT_ACCEPTED { log local0. "\[RADIUS::avp CALLING-STATION-ID\] [RADIUS::avp CALLING-STATION-ID]" log local0. "\[RADIUS::avp FRAMED-IP-ADDRESS\] [RADIUS::avp FRAMED-IP-ADDRESS]" persist uie "[RADIUS::avp CALLING-STATION-ID]:[RADIUS::avp FRAMED-IP-ADDRESS]" } } [root@ve10:Active] config tail -f /var/log/ltm Jun 18 18:57:44 local/tmm info tmm[4950]: Rule myrule : [RADIUS::avp CALLING-STATION-ID] 123456 Jun 18 18:57:44 local/tmm info tmm[4950]: Rule myrule : [RADIUS::avp FRAMED-IP-ADDRESS] 1.1.1.1 [root@ve10:Active] config b persist show all PERSISTENT CONNECTIONS | Mode universal Value 123456:1.1.1.1 | virtual 172.28.19.252:1812 node 200.200.200.101:1812 age 14sec- Nick_Ehlers_132Working iRule: when CLIENT_ACCEPTED { set framed_ip [RADIUS::avp 8 ip4] set calling_station_id [RADIUS::avp 31 "string"] log local0. "request from $calling_station_id:$framed_ip" persist uie "$calling_station_id:$framed_ip" }
- rangara10_75278Hi - what version of LTM was this irule working? Will this work on 11.2.1?
Will_131036Did you get this working? I need the same persistence.
vaneet_133274How to avoid SNAT as well on top of it?
