https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539649#M537111 <HTML><HEAD></HEAD><BODY><P>Thanks Hsing-Tsu.</P><P></P><P>What I'm specifically after is an F5 persistence setup when using ISE for both network access and device administration purposes (RADIUS only).</P><P></P><P>According to the F5 &amp; ISE Deployment guide which covers network access (not device admin), Calling Station ID is a recommended persistence method with a fall back in place (Eg. Source IP).</P><P></P><P>What I've found is that with Cisco WLCs, device admin RADIUS requests don't contain the Calling Station ID, causing the fall back method to be hit, which then causes all new requests from the WLC (including network access requests) to stick to one ISE PSN.&nbsp; With enough load from the WLC, this has the potential to overload the PSN rather than spread the load amongst the PSN pool.</P><P></P><P>Is there any Cisco recommended and/or tested persistence method for device admin in a Load Balanced setup?</P></BODY></HTML> Thu, 03 Nov 2016 06:29:18 GMT dvan 2016-11-03T06:29:18Z https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539647#M537107 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Are there any published best practices documents or guides for performing Cisco Device Administration against ISE via RADIUS in an F5 LB setup? Have searched around with no luck so far...&nbsp; The current F5 &amp; ISE deployment guide covers network access only.</P><P></P><P>Thanks,</P><P>Denis</P></BODY></HTML> Wed, 02 Nov 2016 15:21:46 GMT https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539647#M537107 dvan 2016-11-02T15:21:46Z https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539648#M537109 <HTML><HEAD></HEAD><BODY><P>Nothing from our product team. Each vendor and products have varied implementations to accept AAA authentications for device administration purposes so please refer to vendor docs.</P><P></P><P>These two F5 links might help.</P><P></P><P style="font-size: 12px; font-family: Helvetica;"><A href="https://devcentral.f5.com/questions/f5-radius-authentication-for-admins">F5 Radius Authentication for admins</A></P><P style="font-size: 12px; font-family: Helvetica;"><A href="https://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html">SOL14324 - Using F5 vendor-specific attributes with RADIUS authentication (11.x -12.x)</A></P><P style="font-size: 12px; font-family: Helvetica;"></P><P style="font-size: 12px; font-family: Helvetica;">You may use <A _jive_internal="true" href="https://community.cisco.com/docs/DOC-70352">dictionary.f5</A> to import the F5 VSAs to ISE.</P></BODY></HTML> Wed, 02 Nov 2016 18:58:05 GMT https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539648#M537109 hslai 2016-11-02T18:58:05Z https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539649#M537111 <HTML><HEAD></HEAD><BODY><P>Thanks Hsing-Tsu.</P><P></P><P>What I'm specifically after is an F5 persistence setup when using ISE for both network access and device administration purposes (RADIUS only).</P><P></P><P>According to the F5 &amp; ISE Deployment guide which covers network access (not device admin), Calling Station ID is a recommended persistence method with a fall back in place (Eg. Source IP).</P><P></P><P>What I've found is that with Cisco WLCs, device admin RADIUS requests don't contain the Calling Station ID, causing the fall back method to be hit, which then causes all new requests from the WLC (including network access requests) to stick to one ISE PSN.&nbsp; With enough load from the WLC, this has the potential to overload the PSN rather than spread the load amongst the PSN pool.</P><P></P><P>Is there any Cisco recommended and/or tested persistence method for device admin in a Load Balanced setup?</P></BODY></HTML> Thu, 03 Nov 2016 06:29:18 GMT https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539649#M537111 dvan 2016-11-03T06:29:18Z https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539650#M537113 <HTML><HEAD></HEAD><BODY><P>That is correct that T+ not relying calling-station-Id. I believe it would work to load balance based on the field "remote address". <A href="https://community.cisco.com//u1/28477">chyps</A> may comment on this further.</P><P></P><P>BTW, are you not separating PSNs for RADIUS and T+?</P></BODY></HTML> Thu, 03 Nov 2016 13:27:14 GMT https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539650#M537113 hslai 2016-11-03T13:27:14Z https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539651#M537115 <HTML><HEAD></HEAD><BODY><P>If I understand the issue correctly, no TACACS+ involved, just user and device admin--both using RADIUS.</P><P></P><P>The F5 should be matching on more specific record, so LTM should not be reverting all sessions based on source IP only.&nbsp; If seeing issue for any new connections then we may need to work with F5 to see best way to prevent this from occurring, and only leverage existing IP-based persist entry when Calling-Station-ID is not present.&nbsp;&nbsp; For some NADs it is possible to populate the Calling-Station-Id with the client IP so that should allow persist on client IP.</P><P></P><P>Another option may be to fallback to RADIUS username, NAS Port ID, NAS Port Type, etc, such that you are able to distinguish and persist device admin auth requests from network access requests.&nbsp; For example, on my switch, a RADIUS auth via SSH to switch yields: </P><P>&nbsp;&nbsp;&nbsp;&nbsp; Calling-Station-ID: Admin client IP address</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Nas-Port-Id: tty2</P><P>&nbsp;&nbsp;&nbsp;&nbsp; Nas-Port-Type: Virtual</P><P></P><P>/Craig</P></BODY></HTML> Thu, 03 Nov 2016 17:22:02 GMT https://community.cisco.com/t5/network-access-control/f5-loadbalance-on-radius-t/m-p/3539651#M537115 Craig Hyps 2016-11-03T17:22:02Z