topic Re: My Devices Portal with Multiple PSNs F5 Load Balanced in Network Access Control

My Devices Portal with Multiple PSNs F5 Load Balanced

Chris Terry — Wed, 28 Jun 2023 16:48:24 GMT

We have a 6 node ISE deployment, which includes 4 PSNs. They are load balanced via an F5 load balancer

For the My Devices Portal setup would I need to create a new F5 VIP and load balance it between the PSNs I choose?

Is there an option besides creating a new F5 VIP? I ask because with the PSNs being load balanced their default route is pointing back towards the F5 gateway.

Re: My Devices Portal with Multiple PSNs F5 Load Balanced

Nancy Saini — Wed, 28 Jun 2023 17:17:51 GMT

You would need virtual IP on LB as it will serve as a catch all for these traffic flows and perform IP forwarding.

MDM being a URL-redirected web services uses ISE sessionization. It uses an Audit Session ID to track the lifecycle of an endpoint’s connection between a network access device and a specific PSN. URL Redirection with sessionization requires that endpoints are redirected to a specific PSN that “owns” the session. During RADIUS authorization, the PSN processing the connection may return a URL Redirect that includes its own FQDN and unique Audit Session ID. This tells the client exactly which PSN to attempt direct HTTPS access and informs the receiving PSN which specific RADIUS session the request pertains.

Reference : https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

Re: My Devices Portal with Multiple PSNs F5 Load Balanced

Damien Miller — Wed, 28 Jun 2023 21:08:50 GMT

You don't need a new VIP for portals, they can use the same VIP as RADIUS, but you would want to define a virtual server for port 8443. Source IP persistence takes care of this use case. Your my devices portal fqdn should resolve the F5 VIP.

Re: My Devices Portal with Multiple PSNs F5 Load Balanced

Chris Terry — Wed, 28 Jun 2023 21:57:49 GMT

So that would be using the same VIP, but configure the virtual for 8443? Would the pool members also be configured for 8443?

For the Source IP Persistence are you referring to SNAT being turned off or setting the persistence profile to use source address?

Re: My Devices Portal with Multiple PSNs F5 Load Balanced

Chris Terry — Wed, 28 Jun 2023 23:17:17 GMT

I got a VIP set up. The URL/FQDN for the portal is reachable, but I keep getting an error: "[ 404 ] Resource Not Found. The resource requested cannot be found."

I have two interfaces on my ISE VMs. One being GigabitEthernet 0 for the management interface and the other being GigabitEthernet 1 facing the F5 load balancer. Does the portal need to be using the Gig 1 interface?

Re: My Devices Portal with Multiple PSNs F5 Load Balanced

Nancy Saini — Thu, 29 Jun 2023 18:01:42 GMT

You can have portal hosted on gig1.

Are you load balancing only RADIUS traffic? The initial authentication request and the web redirection should happen on the same PSN. Check if the RADIUS request and the web redirection is happening on the same PSN.

Re: My Devices Portal with Multiple PSNs F5 Load Balanced

Chris Terry — Thu, 29 Jun 2023 18:56:52 GMT

I'm testing it out on the test deployment we have which is two nodes. We do have VIPs for RADIUS. The issue I can see is that it's just going to https://<URL>:8443/portal/ instead of https://<URL>:8443/mydevices/PortalSetup.action?portal=..........

Re: My Devices Portal with Multiple PSNs F5 Load Balanced

Chris Terry — Wed, 05 Jul 2023 15:03:22 GMT

It only worked after I had a VIP created for port 443 as well.