Switch Config with two Load Balancer

mitchp75
Level 1

I'm looking for a little help with switch configuration for ISE with two data centers, each with a load balancer and 15 PSNs at each site. We'd like to point the NADs to the LBs and from there the LB will distribute to the PSNs, but I'm having a little issue with what that will look like in the switch template. Any tips?

 

 

! Define the RADIUS servers and RADIUS group
! Each "server" is a load balancer VIP, not an individual PSN
radius server DC1-LB-VIP
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 automate-tester username ise-check probe-on
 key <password>
!
radius server DC2-LB-VIP
 address ipv4 10.2.2.2 auth-port 1812 acct-port 1813
 automate-tester username ise-check probe-on
 key <password>
!
! Named group that the aaa authentication/authorization/accounting methods reference
aaa group server radius ISE-RADIUS
 server name DC1-LB-VIP
 server name DC2-LB-VIP
!
! CoA (UDP 1700) clients: the addresses CoA requests will arrive from,
! which must be the VIPs when the LB reverse-NATs CoA traffic
aaa server radius dynamic-author
 client 10.1.1.1 server-key <password>
 client 10.2.2.2 server-key <password>

Accepted Solution
Damien Miller
VIP Alumni

Your config looks good for what you want to do; we use similar for our customers with load balancers. The load balancer is going to be the piece where the complicated pieces happen. Load balancing large environments works great, I wouldn't shy away from the setup and testing; in the long run it will be much easier with configs. Start here with the load balancer guides.

https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759

One thing to note about your config: you have to make sure you use reverse NAT for your UDP 1700 CoAs as well as for the RADIUS/TACACS communication.

If you are using an F5 and plan to also use your VIPs for TACACS, check out my F5 TACACS amendment here:
https://community.cisco.com/t5/security-blogs/how-to-tacacs-failover-with-f5-big-ip-virtual-servers/ba-p/3796384

If you are going to be using the NetScaler guide and also leveraging TrustSec (or SDA), then you need to read my amendment around CTS request persistence too:
https://community.cisco.com/t5/identity-services-engine-ise/radius-persistence-with-load-balanced-ise/td-p/3694180

3 Replies

ITCOMMS
Level 1

With your current config it's basically active/standby: DC1-LB-VIP will always be hit if available, and DC2-LB-VIP is the backup.

Given you're using a named group, it's just one command you need to add, though this may not be valid for all platforms.

To give you an example on 16.6.x:

!
aaa group server radius ISE-RADIUS
 server name DC1-LB-VIP
 server name DC2-LB-VIP
 load-balance method least-outstanding
!

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16-6/sec-usr-rad-xe-16-6-book/sec-rad-load-bal.html

BTW, if you can get access to some of the Cisco Live sessions for ISE, there is some really good content, and there is definitely coverage of load balancing in great detail. Enjoy!
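As an added example (editor-supplied, not code from the thread or from any poster), the following Python script checks a pasted IOS/IOS-XE template for the two points raised in the replies on this page: the accepted answer's note that CoA must be reverse-NATed, which on the switch side means every RADIUS server address (each LB VIP) must also appear as a dynamic-author client with a matching key or the switch will drop the CoA; and the reply above that a multi-server group with no load-balance method is active/standby rather than balanced. The embedded sample is the poster's own template with its placeholder keys, constructed here as test input. The parser keys off the "!" separators because the forum paste lost IOS indentation, and the CoA check assumes the reverse-NAT design the accepted answer describes (if PSNs sent CoA directly, the PSN addresses rather than the VIPs would need to be clients).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's template from this thread, placeholder secrets kept.
SAMPLE_CONFIG = """\
radius server DC1-LB-VIP
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 automate-tester username ise-check probe-on
 key <password>
!
radius server DC2-LB-VIP
 address ipv4 10.2.2.2 auth-port 1812 acct-port 1813
 automate-tester username ise-check probe-on
 key <password>
!
aaa group server radius ISE-RADIUS
 server name DC1-LB-VIP
 server name DC2-LB-VIP
!
aaa server radius dynamic-author
 client 10.1.1.1 server-key <password>
 client 10.2.2.2 server-key <password>
!
"""

# Same template with the group-level load-balance method from the reply above.
BALANCED_CONFIG = SAMPLE_CONFIG.replace(
    " server name DC2-LB-VIP\n",
    " server name DC2-LB-VIP\n load-balance method least-outstanding\n",
)

@dataclass
class RadiusConfig:
    servers: dict = field(default_factory=dict)      # name -> {"addr": str, "key": str}
    groups: dict = field(default_factory=dict)       # name -> {"servers": [..], "load_balance": str|None}
    coa_clients: dict = field(default_factory=dict)  # dynamic-author client addr -> server-key

def parse_ios_radius(text):
    """Extract RADIUS servers, server groups and dynamic-author clients from an IOS config."""
    cfg = RadiusConfig()
    section = name = None
    for raw in text.splitlines():
        line = raw.strip()                        # pasted config lost its indentation
        if not line or line == "!":               # "!" ends the current block
            section = name = None
        elif (m := re.match(r"radius server (\S+)$", line)):
            section, name = "server", m.group(1)
            cfg.servers[name] = {"addr": None, "key": None}
        elif (m := re.match(r"aaa group server radius (\S+)$", line)):
            section, name = "group", m.group(1)
            cfg.groups[name] = {"servers": [], "load_balance": None}
        elif line == "aaa server radius dynamic-author":
            section, name = "coa", None
        elif section == "server":
            if (m := re.match(r"address ipv4 (\S+)", line)):
                cfg.servers[name]["addr"] = m.group(1)
            elif (m := re.match(r"key (.+)$", line)):
                cfg.servers[name]["key"] = m.group(1)
        elif section == "group":
            if (m := re.match(r"server name (\S+)", line)):
                cfg.groups[name]["servers"].append(m.group(1))
            elif (m := re.match(r"load-balance method (\S+)", line)):
                cfg.groups[name]["load_balance"] = m.group(1)
        elif section == "coa":
            if (m := re.match(r"client (\S+) server-key (.+)$", line)):
                cfg.coa_clients[m.group(1)] = m.group(2)
    return cfg

def audit(cfg):
    """Return (severity, message) findings for a VIP-fronted ISE design with reverse NAT."""
    findings = []
    for gname, g in cfg.groups.items():
        for sname in g["servers"]:
            if sname not in cfg.servers:
                findings.append(("error", f"group {gname}: server {sname} is not defined"))
        if len(g["servers"]) > 1 and g["load_balance"] is None:
            findings.append(("warn", f"group {gname}: no load-balance method, so {g['servers'][0]} "
                                     "takes every request while reachable and the rest are standby"))
    addrs = {s["addr"] for s in cfg.servers.values()}
    for sname, s in cfg.servers.items():
        if s["addr"] is None:
            findings.append(("error", f"server {sname}: no ipv4 address"))
        elif s["addr"] not in cfg.coa_clients:
            # With reverse NAT, CoA arrives from the VIP; the switch drops CoA from
            # any source that is not a configured dynamic-author client.
            findings.append(("error", f"server {sname}: {s['addr']} is not a dynamic-author client, "
                                      "CoA sourced from that VIP will be dropped"))
        elif s["key"] != cfg.coa_clients[s["addr"]]:
            findings.append(("error", f"server {sname}: server-key for CoA client {s['addr']} "
                                      "differs from the RADIUS key"))
    for addr in cfg.coa_clients:
        if addr not in addrs:
            findings.append(("info", f"dynamic-author client {addr} is not a RADIUS server address; "
                                     "only needed if PSNs send CoA directly rather than via the VIP"))
    return findings

def audit_text(text):
    return audit(parse_ios_radius(text))
```

Running `audit_text(SAMPLE_CONFIG)` on the posted template yields a single warning about the missing load-balance method; `audit_text(BALANCED_CONFIG)` yields nothing. Deleting one VIP from the dynamic-author block, or changing its server-key, produces an error for that VIP, which is the misconfiguration that shows up in practice as CoA silently not taking effect on the switch.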

Hi,

Which load-balancing device do you have?

If F5, there is a very detailed how-to document called:

How-To-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP

Check for it on the internet.

Also, the load-balancing command under the radius server is not advisable.

Please rate if this is helpful.

