899 Views | 5 Helpful | 3 Replies

Radius persistence Irule for CWA

x00008037
Level 1

Hi, I'm having an issue with creating an iRule on our BIG-IP F5 load balancer. Has anyone created an iRule that creates persistence based off the CPM in the RADIUS request?

Cisco's Audit Session ID (also known as CPM Session ID) is a unique value that is calculated by the NAD based on its NAS-IP-Address, an incrementing counter value, and the session start timestamp.

We want the CWA URL to point to the VIP on the F5 but need to forward the HTTPS traffic to the same ins that served the RADIUS request.

Any help appreciated. I have plenty of examples of persistence using client MAC and source IP but no iRule using audit-session-id.

3 Replies

howon
Cisco Employee (Accepted Solution)

Not an answer to your post, but it looks like session ID is not recommended per the ISE + F5 guide. I understand that it will provide smoother load balancing than other attributes, but I recommend using MAC address instead:

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159#toc-hId--1915212342

This is true, but the MAC address of the client endpoint when they get redirected is not available on the F5 to use to load balance.

The flow is this.

Client connects and a RADIUS packet is sent from the WLC to the F5. Persistence is created using the Calling-Station-Id and MAC address from the WLC. When the client connects, the MAC address and Calling-Station-Id are different and the sessionization is broken.

This is why I need to load balance on session-id.

The main objective is to have a global FQDN, e.g. contractor.domain.com, sent back to the client to hide the PSN FQDNs.

One thing I will mention is that if you only use session ID, you will have issues provisioning CTS PACs on your switches since they don't include a session ID. They actually don't include Calling-Station-Id either. I wrote an amendment post last year to the published Citrix LB guide. In the example Citrix config, persistence was only configured using the Calling-Station-Id; I ended up using the Calling-Station-Id compounded with NAS-IP-Address for RADIUS. For 8443 we used source IP address to persist, and UDP 1700 CoAs were source/destination IP compound.

Last time I looked at the F5 guide, this was already accounted for in the persistence fallback iRule config. I wouldn't recommend using just MAC/Calling-Station-Id for RADIUS.
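To make the persistence problem described in the flow above and in the last reply concrete, here is an added example (not code from this thread, from F5 or from Cisco): it parses a constructed RADIUS Access-Request, pulls the audit-session-id out of the Cisco-AVPair vendor-specific attribute (vendor 9, sub-type 1), pulls the sessionId query parameter out of a constructed CWA redirect URL, and checks that both legs yield the same persistence key. It also builds the Calling-Station-Id + NAS-IP-Address compound key the last reply mentions and returns nothing when either attribute is absent, which is the CTS PAC case. The packet bytes, the 10.1.2.3 NAS address, the MAC, the session ID value and the redirect URL are all made up; the sessionId parameter name is assumed here. An iRule would carry the same logic in Tcl; this is plain Python so the key derivation can be run and checked offline.

```python
"""Added example: derive one persistence key from both a RADIUS Access-Request
(Cisco-AVPair audit-session-id) and the CWA redirect URL (sessionId parameter).
All packet bytes, addresses and URLs are constructed sample data."""
import struct
from urllib.parse import parse_qs, urlparse

# Standard RADIUS attribute types (RFC 2865) used here
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1  # vendor sub-type of Cisco-AVPair inside the VSA


def parse_radius_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte RADIUS header and return
    NAS-IP-Address, Calling-Station-Id and every Cisco-AVPair string found."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < 20 or total_len > len(packet):
        raise ValueError("bad RADIUS length field")
    out = {"nas_ip": None, "calling_station_id": None, "avpairs": []}
    pos = 20
    while pos < total_len:
        if pos + 2 > total_len:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > total_len:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_NAS_IP_ADDRESS and len(value) == 4:
            out["nas_ip"] = ".".join(str(b) for b in value)
        elif atype == ATTR_CALLING_STATION_ID:
            out["calling_station_id"] = value.decode("ascii", "replace")
        elif atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            # VSA layout: vendor-id(4) | vendor-type(1) | vendor-length(1) | data
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and 2 <= vlen <= len(value) - 4:
                out["avpairs"].append(value[6:4 + vlen].decode("ascii", "replace"))
        pos += alen
    return out


def audit_session_id_from_radius(attrs: dict):
    """Return the audit-session-id carried in a Cisco-AVPair, or None."""
    for pair in attrs["avpairs"]:
        if pair.startswith("audit-session-id="):
            return pair.split("=", 1)[1]
    return None


def audit_session_id_from_url(url: str):
    """Return the sessionId query parameter of a CWA redirect URL, or None."""
    values = parse_qs(urlparse(url).query).get("sessionId")
    return values[0] if values else None


def compound_key(attrs: dict):
    """Calling-Station-Id + NAS-IP-Address fallback key; None when either is
    missing (e.g. CTS PAC provisioning requests carry neither)."""
    if attrs["calling_station_id"] is None or attrs["nas_ip"] is None:
        return None
    return f"{attrs['calling_station_id'].lower()}|{attrs['nas_ip']}"


def persistence_keys_match(packet: bytes, url: str) -> bool:
    """True when the RADIUS request and the CWA redirect would pin to the same
    persistence record, i.e. carry the same audit-session-id."""
    sid = audit_session_id_from_radius(parse_radius_attributes(packet))
    return sid is not None and sid == audit_session_id_from_url(url)


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def _cisco_avpair(text: str) -> bytes:
    data = text.encode("ascii")
    return _attr(ATTR_VENDOR_SPECIFIC,
                 struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(data) + 2]) + data)


def build_sample_access_request() -> bytes:
    """Constructed Access-Request from a hypothetical WLC (all values made up)."""
    body = (_attr(ATTR_NAS_IP_ADDRESS, bytes([10, 1, 2, 3]))
            + _attr(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")
            + _cisco_avpair("audit-session-id=0A0102030000001A5F3E1B2C"))
    # code 1 = Access-Request, identifier 7, zeroed request authenticator
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


# Constructed redirect URL using the global FQDN idea from the thread
SAMPLE_REDIRECT_URL = ("https://contractor.domain.com:8443/portal/gateway"
                       "?sessionId=0A0102030000001A5F3E1B2C&portal=example&action=cwa")

if __name__ == "__main__":
    attrs = parse_radius_attributes(build_sample_access_request())
    print("RADIUS audit-session-id:", audit_session_id_from_radius(attrs))
    print("URL sessionId:", audit_session_id_from_url(SAMPLE_REDIRECT_URL))
    print("compound fallback key:", compound_key(attrs))
    print("same persistence record:", persistence_keys_match(build_sample_access_request(), SAMPLE_REDIRECT_URL))
```

The point of keeping both key derivations side by side is that the HTTPS leg has no RADIUS attributes at all, so whatever the RADIUS iRule persists on must also be recoverable from the redirect URL; the audit-session-id is, the client MAC is not. The compound key shows why a fallback is still needed for requests that carry no session ID.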