Beginner

Radius persistence Irule for CWA

Hi, I'm having an issue with creating an iRule on our BIG-IP F5 load balancer. Has anyone created an iRule that creates persistence based off the CPM in the RADIUS request?


Cisco's Audit Session ID (also known as CPM Session ID) is a unique value that is calculated by the NAD based on its NAS-IP-Address, an incrementing counter value, and the session start timestamp.


We want the CWA URL to point to the VIP on the F5 but need to forward the HTTPS traffic to the same ISE node that served the RADIUS request.


Any help appreciated. I have plenty of examples of persistence using client MAC and source IP, but no iRule using audit-session-id.

Accepted Solution
Cisco Employee

Re: Radius persistence Irule for CWA

Not an answer to your post, but it looks like session ID is not recommended per the ISE + F5 guide. I understand that it will provide smoother load balancing than other attributes, but I recommend using the MAC address instead:

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159#toc-hId--1915212342


3 Replies

Beginner

Re: Radius persistence Irule for CWA

This is true, but the MAC address of the client endpoint when they get redirected is not available on the F5 to be used to load balance.


The flow is this.


Client connects and a RADIUS packet is sent from the WLC to the F5. Persistence is created using the Calling-Station-Id and MAC address from the WLC. When the client connects, the MAC address and Calling-Station-Id are different and the sessionization is broken.


This is why I need to load balance on session-id.


The main objective is to have a global FQDN, e.g. contractor.domain.com, sent back to the client to hide the PSN FQDNs.

VIP Engager

Re: Radius persistence Irule for CWA

One thing I will mention is that if you only use session ID, you will have issues provisioning CTS PACs on your switches since they don't include a session ID. They actually don't include Calling-Station-Id either. I wrote an amendment post last year to the published Citrix LB guide. In the example Citrix config, persistence was only configured using the Calling-Station-Id; I ended up using the Calling-Station-Id compounded with NAS-IP-Address for RADIUS. For 8443 we used source IP address to persist, and UDP 1700 CoAs were source/destination IP compound.

Last time I looked at the F5 guide, this was already accounted for in the persistence fallback iRule config. I wouldn't recommend using just MAC/Calling-Station-Id for RADIUS.
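The two mechanics the thread turns on, that the CWA redirect carries the same session identifier the RADIUS request did (so the HTTPS hit on the VIP can be pinned to the PSN that saw the RADIUS), and that some RADIUS sources (switches provisioning CTS PACs) carry neither a session ID nor a Calling-Station-Id and need a fallback key, are shown below in one worked example. It is an added illustration, not an iRule from the F5 guide, the Cisco guide, or any poster here; it is written in Python rather than iRule Tcl so it runs stand-alone. It assumes the NAD sends the session ID as a `cisco-av-pair` VSA of the form `audit-session-id=<hex>` (vendor 9, sub-attribute 1), that the ISE CWA redirect URL carries the same value in a `sessionId` query parameter, and that the ID starts with the NAS IPv4 address in hex as the thread describes. The packets, MAC, addresses, portal ID and PSN names are all constructed. The fallback order (session ID, then Calling-Station-Id + NAS-IP-Address, then NAS-IP-Address alone) generalizes the compound persistence VIP Engager describes above.

```python
"""Added example (not from the thread, Cisco or F5): minimal RADIUS attribute
parser, Cisco audit-session-id extraction, persistence key with fallback order,
and the matching key taken from the CWA redirect URL. All data is constructed."""
import hashlib
import struct
from typing import Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

ACCESS_REQUEST = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # cisco-av-pair sub-attribute type

def build_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_cisco_avpair(text: str) -> bytes:
    payload = text.encode()
    body = struct.pack("!I", CISCO_VENDOR_ID) + struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return build_attr(ATTR_VENDOR_SPECIFIC, body)

def build_access_request(ident: int, nas_ip: str, calling_station: Optional[str],
                         audit_session_id: Optional[str]) -> bytes:
    """Constructed Access-Request; authenticator is zeroed (a real NAD sends random bytes)."""
    attrs = build_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if calling_station:
        attrs += build_attr(ATTR_CALLING_STATION_ID, calling_station.encode())
    if audit_session_id:
        attrs += build_cisco_avpair("audit-session-id=" + audit_session_id)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_attributes(packet: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) per top-level attribute; reject inconsistent lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(packet: bytes) -> Iterator[str]:
    """Yield every cisco-av-pair string carried in vendor-9 VSAs."""
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2:
            stype, slen = sub[0], sub[1]
            if slen < 2 or slen > len(sub):
                break
            if stype == CISCO_AVPAIR:
                yield sub[2:slen].decode(errors="replace")
            sub = sub[slen:]

def audit_session_id(packet: bytes) -> Optional[str]:
    for pair in cisco_avpairs(packet):
        key, _, val = pair.partition("=")
        if key == "audit-session-id":
            return val
    return None

def persistence_key(packet: bytes) -> str:
    """Fallback order: session ID; else Calling-Station-Id + NAS-IP-Address;
    else NAS-IP-Address alone (switch PAC provisioning carries neither of the first two)."""
    attrs = dict(parse_attributes(packet))
    sid = audit_session_id(packet)
    if sid:
        return "sid:" + sid.upper()
    nas_ip = ".".join(str(b) for b in attrs.get(ATTR_NAS_IP_ADDRESS, b""))
    mac = attrs.get(ATTR_CALLING_STATION_ID)
    if mac:
        return "mac+nas:%s/%s" % (mac.decode(errors="replace"), nas_ip)
    return "nas:" + nas_ip

def cwa_persistence_key(url: str) -> Optional[str]:
    """Assumes the CWA redirect carries the session in a sessionId query parameter."""
    vals = parse_qs(urlparse(url).query).get("sessionId")
    return "sid:" + vals[0].upper() if vals else None

def nas_ip_from_session_id(sid: str) -> str:
    """Assumed layout per the thread: the ID begins with the NAS IPv4 address in hex."""
    return ".".join(str(int(sid[i:i + 2], 16)) for i in range(0, 8, 2))

class PersistenceTable:
    """Sticky key -> PSN mapping; a key seen for the first time is hashed onto the pool."""
    def __init__(self, pool: List[str]):
        self.pool, self.table = list(pool), {}
    def select(self, key: str) -> str:
        if key not in self.table:
            digest = hashlib.sha256(key.encode()).digest()
            self.table[key] = self.pool[int.from_bytes(digest[:4], "big") % len(self.pool)]
        return self.table[key]

SESSION_ID = "0A0000010000000A5E4F1A2B"  # constructed: NAS 10.0.0.1, counter 10, timestamp
WLC_REQUEST = build_access_request(7, "10.0.0.1", "aa-bb-cc-dd-ee-ff", SESSION_ID)
SWITCH_REQUEST = build_access_request(8, "10.0.0.2", None, None)  # no MAC, no session ID
CWA_URL = ("https://contractor.domain.com:8443/portal/gateway?sessionId=" + SESSION_ID
           + "&portal=constructed-portal-id&action=cwa")

def demo() -> dict:
    table = PersistenceTable(["psn1.example.com", "psn2.example.com"])  # constructed names
    radius_psn = table.select(persistence_key(WLC_REQUEST))
    cwa_psn = table.select(cwa_persistence_key(CWA_URL))
    return {"radius_psn": radius_psn, "cwa_psn": cwa_psn, "same_psn": radius_psn == cwa_psn,
            "switch_key": persistence_key(SWITCH_REQUEST)}
```

`demo()` shows the two halves of the thread: the WLC's RADIUS request and the client's later HTTPS hit on `contractor.domain.com` both resolve to the key `sid:<audit-session-id>` and therefore to the same PSN, while the switch request falls through to a NAS-IP-Address key because it carries neither a session ID nor a MAC. In a real iRule the same decision would run in `CLIENT_DATA` (RADIUS) and `HTTP_REQUEST` (8443) against a shared persistence table; the length checks in `parse_attributes` are the part worth keeping strict on a load balancer that sees untrusted UDP.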