Forum Discussion
NimbostratusLoad Balancing RADIUS - Cisco ISE
Hi All,
Trying to load balance RADIUS requests for Cisco ISE.
Using This Guide the iRule that is suggested is returning an error:
01070151:3: Rule [/Common/test_radius] error: /Common/test_radius:2: error: [undefined procedure: as][as persistence identifier]
Here is the iRule, any help is highly appreciated.
ISE persistence iRule based on Calling-Station-Id (MAC Address) with fallback to NASIP-Address
as persistence identifier
when CLIENT_DATA {
0: No Debug Logging 1: Debug Logging
set debug 0
Persist timeout (seconds)
set nas_port_type [RADIUS::avp 61 "integer"]
if {$nas_port_type equals "19"}{
set persist_ttl 3600
if {$debug} {set access_media "Wireless"}
} else {
set persist_ttl 28800
if {$debug} {set access_media "Wired"}
}
If MAC address is present - use it as persistent identifier
See Radius AV Pair documentation on
if {[RADIUS::avp 31] ne "" }{
set mac [RADIUS::avp 31 "string"]
Normalize MAC address to upper case
set mac_up [string toupper $mac]
persist uie $mac_up $persist_ttl
if {$debug} {
set target [persist lookup uie $mac_up]
log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up
MEDIA=$access_media TARGET=$target"
}
} else {
set nas_ip [RADIUS::avp 4 ip4]
persist uie $nas_ip $persist_ttl
if {$debug} {
set target [persist lookup uie $nas_ip]
log local0.alert "No MAC Address found - Using NAS IP as persist id.
Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
}
}
}
4 Replies
R_MarcYou have a line wrap issue. Second line in your iRule:
ISE persistence iRule based on Calling-Station-Id (MAC Address) with fallback to NASIP-Address as persistence identifierChange it to:
ISE persistence iRule based on Calling-Station-Id (MAC Address) with fallback to NASIP-Address as persistence identifier- JamesD
Altostratus
I think this was a comment for one line.
# ISE persistence iRule based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address as persistence identifier
- JamesD
Cisco Community has a very detail deployment Guide https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159
Andrew_HuskingCirrus
Seem to be missing a few comment markers, try below
# ISE persistence iRule based on Calling-Station-Id (MAC Address) with fallback to NASIP-Addressas persistence identifier when CLIENT_DATA { #0: No Debug Logging 1: Debug Logging set debug 0 #Persist timeout (seconds) set nas_port_type [RADIUS::avp 61 "integer"] if {$nas_port_type equals "19"}{ set persist_ttl 3600 if {$debug} {set access_media "Wireless"} } else { set persist_ttl 28800 if {$debug} {set access_media "Wired"} } #If MAC address is present - use it as persistent identifier #See Radius AV Pair documentation on if {[RADIUS::avp 31] ne "" }{ set mac [RADIUS::avp 31 "string"] # Normalize MAC address to upper case set mac_up [string toupper $mac] persist uie $mac_up $persist_ttl if {$debug} { set target [persist lookup uie $mac_up] log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target" } } else { set nas_ip [RADIUS::avp 4 ip4] persist uie $nas_ip $persist_ttl if {$debug} { set target [persist lookup uie $nas_ip] log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target" } } }
