
CTS PAC provisioning and loadbalancer persistence

andrewswanson
Level 7

Hi

 

I'm looking to deploy TrustSec to a number of 3650 stacks running 16.6.6

 

The production ISE psns are behind a Netscaler MPX. I tested my config with a dev ISE box that wasn't loadbalanced and all looked to be ok.

When I tried to provision cts pac with the loadbalanced ISE, I was getting the following errors in the ISE logs.


11302 Received Secure RADIUS request without a cts-pac-opaque cisco-av-pair attribute
12953 Received EAP packet from the middle of conversation that contains a session on this PSN that does not exist


Some threads on the forum suggested this could be a loadbalancer persistence issue - I changed a switch to use a psn IP address rather than the loadbalanced VIP and sure enough cts provisioning worked and the switch could download the cts environment data.

 

The loadbalanced production ISE VIP has the following rule for persistence with no backup method specified:

 

CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(8)

 

What backup persistence method should be used to facilitate cts pac provisioning through the loadbalancer?

 

Thanks
Andy

Accepted Solutions

Damien Miller
VIP Alumni
I have posted about this in the past. I have done pac provisioning with Citrix and F5's leveraging similar many times so I do know it works.

What I suggested for Citrix.
"-rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(4)""
https://community.cisco.com/t5/identity-services-engine-ise/radius-persistence-with-load-balanced-ise/m-p/3694180/highlight/true#M16975

Thanks a lot Damien - sometimes I'm too quick to post on the forum rather than search it!

 

I had changed the backup persistence to source IP and pac provisioning worked ok through the loadbalancer. I'll look at implementing your single rule for this.

 

Thanks again

Andy
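
One way to check, from captured requests, whether a persistence rule can keep a RADIUS conversation on a single PSN (an added example, not part of the thread and not Citrix or Cisco code): it parses the RADIUS attributes and builds the key for the rule in the question (31+8) and the rule in the accepted answer (31+4). The packets are constructed, and treating an absent attribute as "no key" is an assumption about the load balancer's behaviour.

```python
import struct

RULE_QUESTION = (31, 8)  # Calling-Station-Id + Framed-IP-Address (rule in the question)
RULE_ANSWER = (31, 4)    # Calling-Station-Id + NAS-IP-Address (rule in the accepted answer)

def parse_attrs(packet: bytes) -> dict:
    """Return {attribute type: first value} from a RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def persistence_key(packet: bytes, rule: tuple):
    """Concatenate the rule's attribute values; None if any attribute is absent.
    Treating an absent attribute as 'no key' is an assumption of this example."""
    attrs = parse_attrs(packet)
    if any(t not in attrs for t in rule):
        return None
    return b"".join(attrs[t] for t in rule)

def rule_holds(packets: list, rule: tuple) -> bool:
    """True when every packet of one conversation yields the same usable key."""
    keys = {persistence_key(p, rule) for p in packets}
    return len(keys) == 1 and None not in keys

def build_request(ident: int, attrs: list) -> bytes:
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample: two requests of one EAP conversation carrying
# Calling-Station-Id (31), NAS-IP-Address (4) and EAP-Message (79), but no attribute 8.
SAMPLE = [
    build_request(i, [(31, b"AA-BB-CC-DD-EE-FF"), (4, bytes([10, 0, 0, 5])), (79, eap)])
    for i, eap in enumerate([b"\x02\x01\x00\x05\x01", b"\x02\x02\x00\x06\x2b\x00"])
]

if __name__ == "__main__":
    for name, rule in (("31+8", RULE_QUESTION), ("31+4", RULE_ANSWER)):
        print(name, "gives one stable key:", rule_holds(SAMPLE, rule))
```

To use it on real traffic, replace `SAMPLE` with the UDP payloads of the switch's requests taken from a packet capture in front of the VIP.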