Load balancing the ISE services Radius and HTTPS
I am also running into this issue. Something has to have changed since that article was written. Additionally, the direct copy and paste of that iRule is as follows:
# adding persistence based on Calling-Station-ID
when LB_SELECTED {
    log local0. "session table entry added: <persist:[RADIUS::avp 31] node [LB::server addr]>"
    session add uie "persist:[RADIUS::avp 31]" [LB::server addr]
}
# lookup and adding persistence based on Framed-IP-Addr
when CLIENT_ACCEPTED {
    log local0. "session table lookup result for calling station ID of [RADIUS::avp 31]: [session lookup uie "persist:[RADIUS::avp 31]"]"
    if {[session lookup uie "persist:[RADIUS::avp 31]"] ne ""} {
        log local0. "lookup match: [session lookup uie "persist:[RADIUS::avp 31]"]"
        node [session lookup uie "persist:[RADIUS::avp 31]"]
        log local0. "session table entry added: <persist:[RADIUS::avp 8] [session lookup uie "persist:[RADIUS::avp 31]"]>"
        session add uie "persist:[RADIUS::avp 8]" [session lookup uie "persist:[RADIUS::avp 31]"]
    }
}
- Andrew_Husking, Dec 17, 2019 (Cirrus)
I believe the RADIUS commands are no longer allowed in the CLIENT_ACCEPTED events.
We solved the issue by doing priority groups to ensure that everything went to the same server.
- Hai_Nguyen, Dec 17, 2019 (Nimbostratus)
Can you share with us the TMSH output that fixed this, Andrew Husking?
- Andrew_Husking, Dec 17, 2019 (Cirrus)
ltm pool iseportal {
    load-balancing-mode least-connections-node
    members {
        node1:8443 {
            address 1.1.1.1
        }
        node2:8443 {
            address 2.2.2.2
            priority-group 10
        }
    }
    min-active-members 1
}
Here you go.
- Anonymous25, Dec 17, 2019 (Nimbostratus)
How does this solve the issue of carrying persistence from RADIUS auth/acct via MAC to the HTTPS redirect using IP?
Another way to phrase this is: how did using priority groups solve the issue of persistence to make sure the client gets to the correct node to continue the session?
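
Added illustration, not code from the thread or from F5: a simplified Python model of priority-group activation applied to the `iseportal` pool posted above. It assumes a second, hypothetical RADIUS pool (port 1812, not shown in the thread) with the same members and priorities. With `min-active-members 1`, every leg of a session lands on the higher-priority node, so no MAC-to-IP persistence record is consulted; the pair behaves as active/standby rather than carrying persistence.

```python
from dataclasses import dataclass

@dataclass
class Member:
    address: str
    port: int
    priority: int = 0      # default when priority-group is not set
    up: bool = True
    connections: int = 0

def eligible(members, min_active):
    """Activate groups from the highest priority down until at least
    min_active available members are in the set."""
    active = []
    for prio in sorted({m.priority for m in members}, reverse=True):
        active += [m for m in members if m.priority == prio and m.up]
        if len(active) >= min_active:
            break
    return active

def pick(members, min_active=1):
    """Least-connections choice among the currently eligible members."""
    pool = eligible(members, min_active)
    if not pool:
        return None
    chosen = min(pool, key=lambda m: m.connections)
    chosen.connections += 1
    return chosen.address

def build_pool(port):
    # Same members and priorities as the iseportal pool in the thread.
    return [Member("1.1.1.1", port), Member("2.2.2.2", port, priority=10)]

def session_nodes(radius_pool, portal_pool):
    """Node chosen for each leg of one session (constructed flow names)."""
    return {"radius-auth": pick(radius_pool),
            "radius-acct": pick(radius_pool),
            "https-portal": pick(portal_pool)}

def set_state(address, up, *pools):
    """Mark one node up or down in every pool, as a monitor would."""
    for pool in pools:
        for m in pool:
            if m.address == address:
                m.up = up

if __name__ == "__main__":
    radius, portal = build_pool(1812), build_pool(8443)  # 1812 is assumed
    print(session_nodes(radius, portal))   # all legs on 2.2.2.2
    set_state("2.2.2.2", False, radius, portal)
    print(session_nodes(radius, portal))   # all legs fail over to 1.1.1.1
```

A session whose RADIUS leg completes just before a failover or failback will still reach a different node for the HTTPS leg; the model shows that priority groups narrow that window to node state changes, not that they remove it.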