topic Re: Switch Config with two Load Balancer in Network Access Control

Switch Config with two Load Balancer

mitchp75 — Thu, 07 Mar 2019 17:01:06 GMT

I'm looking for a little help with Switch Configuration for ISE with 2 Data Centers each with a Load Balancer and 15 PSN's at each site. We'd like to point the NAD's to the LB's and from there the LB will distribute to the PSN's but having a little issue with what that will look like in the Switch template? Any tips?

! Define the RADIUS servers and RADIUS group
radius server DC1-LB-VIP
address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
automate-tester username ise-check probe-on
key <password>
!
radius server DC2-LB-VIP
address ipv4 10.2.2.2 auth-port 1812 acct-port 1813
automate-tester username ise-check probe-on
key <password>

aaa group server radius ISE-RADIUS
server name DC1-LB-VIP
server name DC2-LB-VIP

aaa server radius dynamic-author
client 10.1.1.1 server-key <password>
client 10.2.2.2 server-key <password>

Re: Switch Config with two Load Balancer

ITCOMMS — Fri, 08 Mar 2019 12:01:35 GMT

With your current config its basically active / standby, DC1-LB-VIP will always be hit if available, and DC2-LB-VIP is the backup.

Given you're using a named group, its just one command you need to add, though this may not be valid for all platforms.

To give you an example on 16.6.x

aaa group server radius ISE-RADIUS

server name DC1-LB-VIP
server name DC2-LB-VIP

load-balance method least-outstanding

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16-6/sec-usr-rad-xe-16-6-book/sec-rad-load-bal.html

BTW if you can get access to some of the Cisco Live sessions for ISE, there is some really good content, and there is definitely coverage of load balancing in great detail, enjoy!

Re: Switch Config with two Load Balancer

bern81 — Fri, 08 Mar 2019 12:09:42 GMT

Hi ,

Which Load-balancing device you have?

If F5, there is a very detailed how-to document called:

How-To-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP

Check it on internet.

Also loab-balancing command under the radius-server is not advisable.

Please rate if this is helpfull.

Re: Switch Config with two Load Balancer

Damien Miller — Sat, 09 Mar 2019 07:43:43 GMT

Your config looks good for what you want to do, we use similar for our customers with load balancers. The load balancer is going to the piece where the complicated pieces happen. Load balancing large environments works great, I wouldn't shy away from the set up and testing, in the long run it will be much easier with configs. Start here with the load balancer guides.

https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759

One thing to note about your config, you have to make sure you use reverse NAT for your UDP 1700 COAs as well as for the RADIUS/TACACS communication.

If you are using an F5 and plan to also use your VIPs for TACACS, check out my F5 TACACS amendment here
https://community.cisco.com/t5/security-blogs/how-to-tacacs-failover-with-f5-big-ip-virtual-servers/ba-p/3796384

If you are going to be using the netscaler guide and also leveraging TrustSec (or SDA) then you need to read my amendment around CTS request persistence too.
https://community.cisco.com/t5/identity-services-engine-ise/radius-persistence-with-load-balanced-ise/td-p/3694180