Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1150
Views
0
Helpful
3
Replies

ISE and F5 Load Balancer (RADIUS + TACACS) using SAME IPs

MS-JK
Level 1
Level 1

‎01-24-2020 10:39 AM

Any issues using same IP address (diff port for TACACS for f5 VIPs for both RADIUS functions and TACACS+ to the SAME PSN nodes? PSN nodes have ONE IP.

 

Example:

VIP1: 10.10.10.1 Radius VIP with all its settings for AUTH

VIP2: 10.10.10.1 Profiling VIP as needed.

VIP3: 10.10.10.1 TCP 49 - tacacs VIP with all its settings.

 

NOTE: Reading the Cisco's ISE/F5 deployment guides and looking at Cisco's live BRKSEC-3699 session I can not find answer.

 

Would this create issues in certain scenarios where for example outbound SNAT is used for traffic initiating from PSNs. 

 

Thanks for input.

 

0 Helpful
3 Replies 3

Damien Miller
VIP Alumni
VIP Alumni

‎01-25-2020 09:34 AM

While I find it nice to keep VIPs separate, there is nothing stopping this from working. The same virtual servers will be set up, just using the same VIP instead of different.
0 Helpful

MS-JK
Level 1
Level 1
In response to Damien Miller

‎01-26-2020 03:29 PM

Thanks for your response - BUT now you're mixing UDP with TCP. For example: design document calls for the VIP on the F5 for RADIUS to be configured as UDP protocol. I'm afraid that TACACS traffic will then have issues.

 

With that said - let me ADD to this question to make it little bit more complicated:

The F5 is (F5 on a stick) design. BUT - it doesn't have external/internal - it actually has only ONE VLAN X that shares both VIPs and NODES. Example: VIP: 10.0.0.1/24 PS1 NODE: 10.0.0.2/24. With traffic such as HTTP I know this wouldn't be a problem - BUT will this create issues with any RADIUS/TACACS/PROFILING/PORTALS ..etc?

 

Basically you have L3 Router on VLAX that has the internal VLAX and external VLANY. This router will do /32 for VIPs to point to the F5 and PSNs will have DG to the F5. Now that I think of this - routes will probably NOT be enough, static MAC/ARP assignments will also be required to prevent the router from answering for the VIPs/NODEs.

 

Thanks for feedback.

 

 

0 Helpful

MS-JK
Level 1
Level 1
In response to MS-JK

‎01-26-2020 03:51 PM

OK - actually found a slide on this ( on the same VLAN/F5 on stick). Has ANYONE or is ANYONE doing this that can comment how its going or any issues?

 

 

Screen Shot 2020-01-26 at 4.49.59 PM.png

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents