topic Re: Recommended and How to Perform Sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address in Network Access Control

Recommended and How to Perform Sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address

dcurry9131 — Tue, 29 Oct 2019 16:43:18 GMT

Hello,

I'm coming into an environment where we are going to implement a large distributed Cisco ISE architecture with dedicated primary and secondary PAN, MTN, and several PSNs in a node group. These devices will sit behind an A10 load balancer. I was reading an article and it was recommended with regards to Radius and AAA traffic to perform sticky (aka:persistence) based on calling-station and framed-ip-address.

Can someone provide more details with regards to this, and is there any best practice and implementation guide for this using load balancers?

Re: Recommended and How to Perform Sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address

Timothy Abbott — Tue, 29 Oct 2019 17:55:23 GMT

We have design guides and presentations regarding load balancing with ISE located at the below URL:

https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759

Regards,

-Tim

Re: Recommended and How to Perform Sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address

Damien Miller — Tue, 29 Oct 2019 19:32:30 GMT

You might benefit from Pauls old post which has an A10 example.
https://community.cisco.com/t5/identity-services-engine-ise/cisco-ise-loadbalancing-with-a10-loadbalancer/m-p/3424450/highlight/true#M406
The simple way would be to leverage only source ip persistence. We tend to want to avoid that since it can cause a lot of load to land on a single node if you have very large WLCs and/or stacked switches. All endpoints from a single source IP (ex. wlc) would persist to the same ISE node in that case.

This repo has an example aflex/tcl script which you may be able to build on, at least for standard radius authentication flow this would work. Because it only contains calling station ID it would cause issues with TrustSec PAC provisioning. it would need to be modified to work in that case.
https://github.com/a10networks/aflex-collection/blob/master/calling-station-persist.tcl

Reading the F5 guide nested within the link Timothy posted could be beneficial. It explains most things relevant to radius load balancing quite well.

Re: Recommended and How to Perform Sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address

dcurry9131 — Wed, 30 Oct 2019 13:10:03 GMT

Thanks for the reply Timothy! I'll look through the design guides and presentations. Will let you know if I have any questions.

Re: Recommended and How to Perform Sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address

dcurry9131 — Wed, 30 Oct 2019 13:13:29 GMT

Thanks for the reply Damien! I'll take a look at the F5 guide in Timothy's link you recommended. If I'm not understanding or grasping something, I'll hit you guys back up. Thank you!

Re: Recommended and How to Perform Sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address

Jason Kunst — Wed, 30 Oct 2019 14:49:01 GMT

There are also some nice slide references for this under http://cs.co/ise-training BRKSEC-3432