thomas
Cisco Employee

[Image: Load_Balancer.png]

General Guidelines

When using ISE with a load balancer from any vendor, you must ensure a few things:

  • Each ISE Policy Service Node (PSN) must be reachable directly by the Policy Administration Node (PAN) and the Monitoring and Troubleshooting (MNT) node, without NAT. RADIUS Authentication and Accounting traffic from access devices to the PSNs should also pass through the load balancer without NAT.
  • Each PSN must also be reachable directly by the endpoints for redirections (CWA, Posture, etc.).
  • You may want to generate PSN digital certificates that include the VIP fully-qualified domain name (FQDN) in the SAN field.
  • Perform stickiness (aka persistence) based on Calling-Station-ID and optionally NAS-IP-Address or Framed-IP-Address.
  • The load balancer's virtual IP (VIP) is listed as the RADIUS server on each network device for all 802.1X-related AAA requests.
  • Each PSN is listed individually in the Dynamic Authorization (CoA) configuration of each network device. Use the real IP address of the PSN, not the VIP, unless SNAT is configured for CoA traffic (the UDP/1700 traffic initiated by the PSN, NOT the RADIUS traffic initiated by the NADs toward the PSN).
  • The load balancers must be configured as network devices in ISE so that their test authentications can be answered.
  • ISE uses the Layer-3 source address to identify the network device, not the NAS-IP-Address attribute in the RADIUS packet. This is the reason not to use SNAT for inbound RADIUS traffic.
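As an added illustration (not code from the original post or from Cisco), the following Python parses a constructed RADIUS Access-Request, derives a persistence key in the order the guidelines give (Calling-Station-ID, then NAS-IP-Address, then Framed-IP-Address), and classifies the packet's Layer-3 source against a set of known load-balancer addresses so that SNAT in front of a PSN can be spotted. The function names, the sample packet and the addresses are all assumptions made for this example.

```python
import struct
from ipaddress import IPv4Address

# RADIUS attribute type codes from RFC 2865
NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 4, 8, 31

def build_radius(code: int, ident: int, attrs: list) -> bytes:
    """Assemble a RADIUS packet (zeroed authenticator) from (type, value) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_radius(packet: bytes) -> dict:
    """Parse the header and TLV attribute list; returns {code, id, attrs: {type: [values]}}."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "attrs": attrs}

def persistence_key(parsed: dict) -> str:
    """Sticky key in the guideline order: Calling-Station-ID, then NAS-IP-Address,
    then Framed-IP-Address; empty string when none of them is present."""
    a = parsed["attrs"]
    if CALLING_STATION_ID in a:
        return "csid:" + a[CALLING_STATION_ID][0].decode()
    for name, t in (("nas", NAS_IP_ADDRESS), ("framed", FRAMED_IP_ADDRESS)):
        if t in a:
            return f"{name}:{IPv4Address(a[t][0])}"
    return ""

def classify_source(parsed: dict, l3_src: str, lb_addresses: set) -> str:
    """'snat' if the packet came from a load-balancer self/VIP address (ISE would then
    identify the LB, not the NAD, as the network device); 'mismatch' if NAS-IP-Address
    disagrees with the L3 source (may be legitimate loopback sourcing, worth a look);
    'ok' otherwise."""
    if l3_src in lb_addresses:
        return "snat"
    nas = parsed["attrs"].get(NAS_IP_ADDRESS)
    if nas and str(IPv4Address(nas[0])) != l3_src:
        return "mismatch"
    return "ok"

# Constructed sample Access-Request: NAD 10.1.1.5, a client MAC and its assigned host address
SAMPLE = build_radius(1, 0x10, [
    (NAS_IP_ADDRESS, IPv4Address("10.1.1.5").packed),
    (CALLING_STATION_ID, b"00-11-22-33-44-55"),
    (FRAMED_IP_ADDRESS, IPv4Address("192.168.10.20").packed),
])
```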

Load Balancer Configurations

Please consult your load balancer vendor's documentation for how to configure RADIUS or TACACS load balancing with their product. You may also look in the ISE Ecosystem Integration Guides for available vendor documents.

Comments

Thanks Thomas

Great guidelines! It triggered me to think in more depth about my upcoming first experience with the use of LBs for RADIUS load balancing.

One Q though: in the CoA use case we expect the CoA (N)ACK to arrive back at F5's VIP and to be relayed to the PSN that originated the CoA request. Not sure I get how it works with the IP-forwarding service applied to the RADIUS CoA SNAT VS.
