topic Re: Load Balancing Radius traffic to ISE in Network Access Control

Load Balancing Radius traffic to ISE

MAMO — Fri, 26 May 2017 10:18:26 GMT

Hi ISE Team,

As far as I understand to use multiple PSNs I need to place a load balancer in front of the PSNs. I'd like to use a "central" load balancer with source NAT by adding a new Radius AV pair with the source IP ( or tell ISE to use an already existing attribute for the source IP). Is that possible i.e. Can I tell ISE to uas a Radius attribute as source IP of the connection instead of the UDP packet IP ?

Thank you

Markus

Re: Load Balancing Radius traffic to ISE

Timothy Abbott — Fri, 26 May 2017 17:05:46 GMT

Markus,

Please see the below document for additional information on load balancing with ISE.

ISE Load Balancing

Regards,

-Tim

Re: Load Balancing Radius traffic to ISE

MAMO — Fri, 26 May 2017 17:14:28 GMT

Hi Tim,

I looked at the documents already and did not find it ( or did I overlooked it ) . i.e. I saw the F5 SNAT option for communication from the PSNs back to the switch. But I am interested in the other way round from the switch to the PSN.

Thank you

Markus

Re: Load Balancing Radius traffic to ISE

Craig Hyps — Fri, 26 May 2017 19:22:09 GMT

Not supported today IF you need functions like CoA to work. The reasons are discussed in the guide as well as reference version of BRKSEC-3699 posted to CiscoLive.com. The short reason is that CoA is returned to the NAD IP which ISE believes to be LB in the SNAT case. LB drops it as there is no other destination in packet header. Please reach out to your Cisco sales team and ask them to add your company's name to the following enhancement.

User Story 8601 : CoA support for NAT'ed load balanced environments

Regards,
Craig

Re: Load Balancing Radius traffic to ISE

MAMO — Fri, 26 May 2017 19:28:38 GMT

Hi Craig,

Thank you for the information. I'll check the COA case which I am also interested in .

But COA is from the PSN to the switch. I am looking for the other direction i.e. when the switch send the Radius request to the LB and the LB to a PSN.

Markus

Re: Load Balancing Radius traffic to ISE

Craig Hyps — Sat, 27 May 2017 00:44:41 GMT

Yes. I am referring to same use case. Forget about the SNAT for CoA for the moment. The issue is SNAT for NAD will cause all CoA to fail--regardless of whether you choose to SNAT CoA or not. Be sure to review BRKSEC-3699 (reference version). My summation statement is...

SNAT for NAD is BAD

SNAT for CoA is OK.

Re: Load Balancing Radius traffic to ISE

MAMO — Sat, 27 May 2017 10:47:21 GMT

Hi Chyps,

Apologies I looked at the wrong pages, I see now on page 279 the comment

NAS IP Address is correct, but not currently used for CoA

So what do I have to do to support an enhancement request to use the NAS-IP. Where do I find details about

User Story 8601 : CoA support for NAT'edload balanced environments

Thank you

Markus

Re: Load Balancing Radius traffic to ISE

Craig Hyps — Sat, 27 May 2017 15:44:25 GMT

Please reach out to your Cisco sales team and ask them to add your company's name to the following enhancement.

User Story 8601 : CoA support for NAT'ed load balanced environments

Re: Load Balancing Radius traffic to ISE

MAMO — Sat, 27 May 2017 15:50:59 GMT

Will do

Thank you

Markus