Forum Discussion
Load Balance Cisco ISE servers
Trying to load balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-Address... Session-ID is recommended if the load balancer is capable of it. I have documentation for the Cisco ACE, but am using F5 LTMs. Assuming this has to be done with an iRule as none of these are available as a default. Not sure where to begin. I tried attaching the Cisco PDF, but was not able to for whatever reason. If anyone has any examples or knowledge of how to do this, it would be appreciated. I can send the Cisco document via e-mail if that helps. I just am not able to attach it to this forum???
57 Replies
- nitass
Employee
How to avoid SNAT as well on top of it?
if return packet passes through bigip (e.g. server's default gateway is bigip), you do not need to configure snat automap under virtual server configuration.
is this what you are asking?
- Amartya_Ghosh_1
Nimbostratus
I have tried this script and it worked as per our expectation. Thanks for sharing the script.
- Prakash_73226
Nimbostratus
Hello Amartya - What script are you referring to here? Can you please share, as I am configuring ISE with LB in our company.
- Amartya_Ghosh_1
Nimbostratus
Any idea how we can change the persistence timeout in this case?
- What_Lies_Bene1
Cirrostratus
You should be able to just change the timeout wherever you've used the 'persist uie' command in your rule. See here for more information: https://devcentral.f5.com/wiki/iRules.persist.ashx
- SL
Cirrus
Hi All
Can anyone share how they have configured their VIPs to load balance the Cisco ISE servers?
- Amartya_Ghosh_1
Nimbostratus
You can refer to the config below:

Virtual server:

    ltm virtual vs_CISCO_ISE_xxxx {
        destination X.X.X.X:radius
        ip-protocol udp
        mask 255.255.255.255
        pool Pool_CISCO_ISE_xxxx
        profiles {
            CISCO_ISE_UDP { }
            radiusLB { }
        }
        rules { ISE_Rule }
    }

Profiles:

    ltm profile udp CISCO_ISE_UDP {
        datagram-load-balancing enabled
        defaults-from udp
    }
    ltm profile radius radiusLB {
        clients none
        persist-avp none
    }
- Nick_Ehlers_132
Nimbostratus
Amartya, Can you give me the syntax of the iRule used for this? I can't seem to get it working.
- Nick_Ehlers_132
Nimbostratus
Amartya Ghosh, can you go more into what you used for the iRule as part of your solution?
- Joe_B_41386
Nimbostratus
You'll want to ensure you load balance both your accounting and authentication packets to the same node. I did this with two VIPs, and used Match Across Services in a universal persistence profile and calling station ID in the iRule.
- Nick_Ehlers_132
Nimbostratus
Joe B, Can I perhaps get the template for the iRule syntax? That's my problem, I can't get that correct. Much appreciated!
- Nick_Ehlers_132
Nimbostratus
Joe, Any chance you could grab me the syntax for the iRule for calling station ID? I tried copy-pasting the one above but it didn't work.
- JackF_39445
Historic F5 Account
Lots of great information in this thread! To try and sum it up, here is how I got this to work:
NO NAT - so put the PSN servers on their own subnet and set their default route to the BIG-IP. Create two forwarding VS, one for inbound traffic to the PSNs and one for outbound--make sure to use "enabled on VLANs" to tie these to the appropriate interface.
Create two standard VS, one for 1812 and one for 1813. Use protocol UDP, use a UDP protocol profile, use a RADIUS profile -- these are important to enable the iRule's use of the RADIUS command. It may be possible to get away with default profiles for UDP and RADIUS--I haven't tested that. e.g.:
    ltm virtual /RADIUS-AUTH {
        destination /10.10.10.113:1812
        ip-protocol udp
        mask 255.255.255.255
        persist {
            /RADIUS_STICKY { default yes }
        }
        pool /pool-1812-radius
        profiles {
            /udp-for-ise-profile { }
            /radius-profile { }
        }
        rules { /RADIUS-PERSIST-IRULE }
        vlans-disabled
    }

Apply a universal persistence profile:

    ltm persistence universal /RADIUS_STICKY {
        app-service none
        defaults-from /Common/universal
        match-across-pools disabled
        match-across-services enabled
        match-across-virtuals disabled
        mirror disabled
        override-connection-limit disabled
        rule none
        timeout 600
    }

And the iRule:

    ltm rule /RADIUS-PERSIST-IRULE {
        # ISE persistence iRule based on MAC address, with fall-back to the
        # WLC IP address as persistence identifier
        when CLIENT_DATA {
            set debug 1
            set persist_ttl 14400
            # If a MAC address is present, use it as the persistence identifier.
            # See the RADIUS AV pair documentation at
            # https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
            if { [RADIUS::avp 31] ne "" } {
                set mac [RADIUS::avp 31]
                # Persist config
                persist uie $mac $persist_ttl
                set target [persist lookup uie $mac]
                log local0.alert "Username=[RADIUS::avp 1] MAC=$mac TARGET=$target"
            } else {
                if { $debug > 0 } { log local0.alert "No MAC Address found - Using NAS IP as persistent identifier" }
                set nas_ip [RADIUS::avp 4]
                persist uie $nas_ip $persist_ttl
                set target [persist lookup uie $nas_ip]
                log local0.alert "Username=[RADIUS::avp 1] NAS IP=$nas_ip TARGET=$target"
            }
        }
    }

Pool:

    ltm pool /pool-1812-radius {
        allow-nat no
        allow-snat no
        members {
            /10.10.194.133:1812 {
                address 10.10.194.133
                session user-disabled
            }
            /10.10.194.134:1812 { address 10.10.194.134 }
            /10.10.194.135:1812 { address 10.10.194.135 }
        }
        monitor /radius-auth-1812
    }

Monitors are straightforward--just use the RADIUS ones on the box.

    ltm profile radius /radius-child-31 {
        app-service none
        clients none
        defaults-from /Common/radiusLB
        persist-avp 31
    }
    ltm profile udp /radius-child-31-profile {
        app-service none
        defaults-from /Common/udp
    }
Depending on your configuration you may also need an additional standard VS to send DHCP :67 traffic to the PSN servers. I've also seen where a forwarding VS from the PSN network out, UDP/0.0.0.0:1700, was needed--and to that VS assign a SNAT pool that uses the same IP as the RADIUS server VS IP.
I'm not sure if I have made this less muddy, but hopefully there are enough config examples above to get you rolling in the right direction.
Cheers!
- LBAL_93235
Nimbostratus
Could you be so kind as to define your profiles on the virtual please?

    profiles { /udp-for-ise-profile { } /radius-profile { }

- JackF_39445
Historic F5 Account
Ended up just using this iRule:

    when CLIENT_ACCEPTED {
        set framed_ip [RADIUS::avp 8 ip4]
        set calling_station_id [RADIUS::avp 31 "string"]
        log local0. "request from $calling_station_id:$framed_ip"
        persist uie "$calling_station_id:$framed_ip"
    }

Best of luck!
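The persistence logic discussed in this thread, as an added example that is not code from the thread, from Cisco or from F5: a small Python model that parses a RADIUS datagram (RFC 2865 framing), derives the persistence key the way the iRules above do (Calling-Station-Id plus Framed-IP-Address, falling back to NAS-IP-Address when attribute 31 is absent), and keeps one TTL-bounded persistence table shared by the 1812 and 1813 virtual servers, which is what the "match across services" setting achieves. The packets are constructed sample input with a zeroed authenticator; the PSN addresses and the 600-second timeout are taken from the pool and persistence profile posted above. The round-robin pick on a cache miss is an assumption made for determinism, not a claim about how BIG-IP chooses a member.

```python
"""Added example (not from the thread or from F5): a model of RADIUS persistence."""
import struct
from typing import Dict, List, Tuple

# Attribute types used by the iRules in the thread (RFC 2865 numbering)
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
CODE_ACCESS_REQUEST = 1
CODE_ACCOUNTING_REQUEST = 4
# Pool members and persistence timeout taken from the config posted above
PSNS = ["10.10.194.133", "10.10.194.134", "10.10.194.135"]
PERSIST_TIMEOUT = 600


def parse_radius(packet: bytes) -> Tuple[int, Dict[int, List[bytes]]]:
    """Return (code, attributes-by-type); repeated attributes keep their order.
    Every length field is checked so a malformed datagram raises instead of
    being read past its end."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the datagram")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs


def build_radius(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build a constructed datagram for the demo (authenticator zeroed;
    a real client sends a random 16-byte value)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def ip4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def persistence_key(attrs: Dict[int, List[bytes]]) -> Tuple[str, str]:
    """Mirror the posted iRules: "<Calling-Station-Id>:<Framed-IP-Address>",
    falling back to NAS-IP-Address (attribute 4) when attribute 31 is absent.
    Returns (key, identifier used)."""
    csid = attrs.get(ATTR_CALLING_STATION_ID)
    if csid and csid[0]:
        mac = csid[0].decode("ascii", errors="replace")
        framed = attrs.get(ATTR_FRAMED_IP_ADDRESS)
        framed_ip = ip4(framed[0]) if framed and len(framed[0]) == 4 else ""
        return f"{mac}:{framed_ip}", "calling-station-id"
    nas = attrs.get(ATTR_NAS_IP_ADDRESS)
    if nas and len(nas[0]) == 4:
        return ip4(nas[0]), "nas-ip"
    raise ValueError("no Calling-Station-Id or NAS-IP-Address to persist on")


class PersistenceTable:
    """Universal-persistence lookalike: the first request for a key takes the
    next member round-robin (assumption, for determinism); later requests reuse
    it and refresh the timeout, as 'persist uie' does, until idle for ttl seconds."""

    def __init__(self, members: List[str], ttl: int):
        self.members, self.ttl, self._next = list(members), ttl, 0
        self._entries: Dict[str, Tuple[str, float]] = {}  # key -> (member, expiry)

    def select(self, key: str, now: float) -> str:
        entry = self._entries.get(key)
        if entry and entry[1] > now:
            member = entry[0]
        else:
            member = self.members[self._next % len(self.members)]
            self._next += 1
        self._entries[key] = (member, now + self.ttl)
        return member


def route(table: PersistenceTable, packet: bytes, now: float) -> Tuple[str, str]:
    """Parse one datagram and return (chosen member, persistence key)."""
    _code, attrs = parse_radius(packet)
    key, _used = persistence_key(attrs)
    return table.select(key, now), key


def demo() -> Dict[str, str]:
    """Auth then accounting for one endpoint (same PSN), a NAS with no
    Calling-Station-Id (NAS-IP fallback), and the endpoint after the TTL."""
    table = PersistenceTable(PSNS, PERSIST_TIMEOUT)   # one table shared by both VIPs
    endpoint = [(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
                (ATTR_FRAMED_IP_ADDRESS, bytes([10, 1, 2, 3])),
                (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]
    auth = build_radius(CODE_ACCESS_REQUEST, 7, [(ATTR_USER_NAME, b"alice")] + endpoint)
    acct = build_radius(CODE_ACCOUNTING_REQUEST, 8, endpoint)
    no_mac = build_radius(CODE_ACCESS_REQUEST, 9, [(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))])
    out: Dict[str, str] = {}
    out["auth"], out["key"] = route(table, auth, now=0.0)
    out["acct"], _ = route(table, acct, now=5.0)            # 1813 follows 1812
    out["no_mac"], out["no_mac_key"] = route(table, no_mac, now=6.0)
    out["after_ttl"], _ = route(table, auth, now=5.0 + PERSIST_TIMEOUT + 1)
    return out
```

Running `demo()` shows the three behaviours the thread cares about: the accounting packet lands on the same PSN as the authentication packet because both virtual servers consult one table; a request without Calling-Station-Id is keyed on NAS-IP-Address instead; and once an entry has been idle longer than the profile timeout the endpoint is balanced afresh, which is why the persistence TTL and the accounting interim interval need to be chosen together.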
- tomHooper_13312
Nimbostratus
Hey Jack, which VIP did this iRule get applied against?