Hi ISE Team,
As far as I understand, to use multiple PSNs I need to place a load balancer in front of the PSNs. I'd like to use a "central" load balancer with source NAT by adding a new RADIUS AV pair with the source IP (or tell ISE to use an already existing attribute for the source IP). Is that possible, i.e. can I tell ISE to use a RADIUS attribute as the source IP of the connection instead of the UDP packet IP?
Please see the below document for additional information on load balancing with ISE.
I looked at the documents already and did not find it (or did I overlook it?), i.e. I saw the F5 SNAT option for communication from the PSNs back to the switch. But I am interested in the other way round, from the switch to the PSN.
Not supported today IF you need functions like CoA to work. The reasons are discussed in the guide as well as the reference version of BRKSEC-3699 posted to CiscoLive.com. The short reason is that CoA is returned to the NAD IP, which ISE believes to be the LB in the SNAT case. The LB drops it as there is no other destination in the packet header. Please reach out to your Cisco sales team and ask them to add your company's name to the following enhancement.
User Story 8601 : CoA support for NAT'ed load balanced environments
Thank you for the information. I'll check the CoA case, which I am also interested in.
But CoA is from the PSN to the switch. I am looking for the other direction, i.e. when the switch sends the RADIUS request to the LB and the LB to a PSN.
Yes. I am referring to the same use case. Forget about the SNAT for CoA for the moment. The issue is SNAT for NAD will cause all CoA to fail, regardless of whether you choose to SNAT CoA or not. Be sure to review BRKSEC-3699 (reference version). My summation statement is...
SNAT for NAD is BAD
SNAT for CoA is OK.
Apologies, I looked at the wrong pages. I see now on page 279 the comment
NAS IP Address is correct, but not currently used for CoA
So what do I have to do to support an enhancement request to use the NAS-IP? Where do I find details about
User Story 8601 : CoA support for NAT'ed load balanced environments
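The mismatch discussed in this thread, as an added example that is not part of any post and is not Cisco code: it parses a RADIUS Access-Request, reads NAS-IP-Address (attribute type 4), and compares it with the UDP source address the server saw, which after source NAT is the load balancer rather than the switch. The packet, the addresses, and the function names are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RADIUS attribute type 4 (RFC 2865)

# Constructed sample addresses, not taken from the thread.
SWITCH_IP = "10.1.1.10"    # the NAD
LB_SNAT_IP = "10.9.9.1"    # address the load balancer rewrites the source to

def build_access_request(nas_ip, user):
    """Build a minimal, constructed Access-Request (code 1) for the demo."""
    name = user.encode()
    attrs = struct.pack("!BB", 1, 2 + len(name)) + name  # User-Name
    attrs += struct.pack("!BB", NAS_IP_ADDRESS, 6) + ipaddress.IPv4Address(nas_ip).packed
    # Header: code, identifier, total length, then a zeroed 16-byte authenticator.
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet):
    """Yield (type, value) for each attribute; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def nas_ip_of(packet):
    """Return the NAS-IP-Address attribute as a string, or None if absent."""
    for atype, value in parse_attributes(packet):
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None

def compare_sources(packet, udp_source_ip):
    """Compare the address the server saw on the wire with NAS-IP-Address."""
    nas_ip = nas_ip_of(packet)
    return {"udp_source": udp_source_ip, "nas_ip_address": nas_ip,
            "mismatch": nas_ip is not None and nas_ip != udp_source_ip}

if __name__ == "__main__":
    request = build_access_request(SWITCH_IP, "alice")
    print(compare_sources(request, SWITCH_IP))   # no NAT in the path
    print(compare_sources(request, LB_SNAT_IP))  # after source NAT
```

A mismatch only shows that the two addresses differ; a switch that sources RADIUS from a different interface than the one in NAS-IP-Address produces the same result without any NAT.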