TAC supported F5 Design?

matsiege
Cisco Employee

I need to confirm whether the following scenarios are supported or whether there are any potential issues in one. I don't believe so, but a sanity check would be greatly appreciated.

Both scenarios are about avoiding the need to readdress F5 VIPs or change NAD configs when migrating from ACS to new ISE deployments (separate Device Admin and Radius Deployments).

Scenario 1:

Using a single F5 VIP address for both TACACS and RADIUS deployments (since today the ACS and its VIP handle both). The VIP would leverage the DST port to distinguish between TACACS and RADIUS requests so that the F5 will send TACACS requests to the ISE server pool and keep RADIUS requests sent to their existing ACS (or future ISE deployment).

Scenario 2:

Today we have Wireless auth NADs and VPN auth NADs using two different F5 VIPs. In order to avoid readdressing on the NADs we would like to keep the two F5 VIPs, but leverage identical ISE server pools on the F5 behind each VIP.

Thanks!

4 Replies

paul
Level 10

Both scenarios should work just fine.  I have done scenario 1 in almost all of my F5 ISE deployments when doing both RADIUS and TACACS, although in my case I am usually load balancing to different PSNs in the same ISE deployment.  These are all different virtual servers on the F5s so you can assign them to whatever pools (or the same pools) you want.

Although not officially QA'ed by Cisco, I do cover T+ load balancing in Cisco Live session (BRKSEC-3699 - Reference version) available on ciscolive.com.

Yes, LB based on port TCP/49 and source IP-based LB should be sufficient.  T+ does not have the same session restraints like RADIUS auth and no CoA to contend with.

Craig

Craig,

Thanks for the reply, your presentations are always the best! Sounds like Question 1 is covered for T+; what about RADIUS? When consulting your slides it looks like both RADIUS and CoA ports need to be accounted for?

Lastly, can you confirm that scenario 2 is supported as well.

Thanks!

Yes, #2 could work but need to make sure the load across pools is evenly distributed.
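The configuration the thread is circling around, as an added example that is not from the original posts, from Cisco or from F5: a tmsh (TMOS) configuration fragment for Scenario 1 (one VIP address, split between TACACS+ and RADIUS by destination port, each port going to its own pool) and Scenario 2 (a second VIP address whose virtual servers reference the very same pool objects). Every address, object name and monitor choice is an assumption made for the illustration. The comments about SNAT and CoA are general ISE load-balancing caveats added here, not statements from the thread; they follow from Craig's point that RADIUS has session constraints and CoA to account for, which TACACS+ does not.

```tmsh
# Added example (not from the thread). Assumed addressing:
#   10.0.0.10      existing shared AAA VIP (Scenario 1)
#   10.0.0.20      existing VPN RADIUS VIP (Scenario 2)
#   10.0.1.11/.12  ISE Device Admin PSNs (TACACS+ pool)
#   10.0.2.21/.22  RADIUS servers (ACS today, ISE RADIUS deployment later)

# Source-IP persistence: a given NAD always lands on the same pool member.
# match-across-services makes the record span the 1812 and 1813 virtual
# servers so accounting reaches the server that authenticated the session;
# match-across-virtuals extends that to the second VIP address in Scenario 2.
ltm persistence source-addr persist_aaa_src {
    defaults-from source_addr
    match-across-services enabled
    match-across-virtuals enabled
    timeout 3600
}

# TACACS+ pool: TCP/49 to the ISE Device Admin PSNs. No CoA here, so a plain
# TCP monitor and source-IP stickiness are enough.
ltm pool pool_ise_tacacs {
    load-balancing-mode round-robin
    members {
        10.0.1.11:49 { address 10.0.1.11 }
        10.0.1.12:49 { address 10.0.1.12 }
    }
    monitor tcp
}

# RADIUS pools. gateway_icmp is an assumption to keep the example short; a
# RADIUS-aware monitor is preferable so a wedged RADIUS process is detected.
ltm pool pool_radius_auth {
    load-balancing-mode round-robin
    members {
        10.0.2.21:1812 { address 10.0.2.21 }
        10.0.2.22:1812 { address 10.0.2.22 }
    }
    monitor gateway_icmp
}

ltm pool pool_radius_acct {
    load-balancing-mode round-robin
    members {
        10.0.2.21:1813 { address 10.0.2.21 }
        10.0.2.22:1813 { address 10.0.2.22 }
    }
    monitor gateway_icmp
}

# Scenario 1: three virtual servers on ONE address, distinguished only by the
# destination port. SNAT is off so the AAA server sees the real NAD address
# (network devices are matched by IP, and CoA is sent from the server to that
# address); the servers' return path must therefore come back via the F5, and
# each NAD must accept CoA from every PSN's real address, not just the VIP.
ltm virtual vs_aaa_tacacs {
    destination 10.0.0.10:49
    ip-protocol tcp
    mask 255.255.255.255
    pool pool_ise_tacacs
    profiles { tcp { } }
    persist { persist_aaa_src { default yes } }
    source-address-translation { type none }
}

ltm virtual vs_aaa_radius_auth {
    destination 10.0.0.10:1812
    ip-protocol udp
    mask 255.255.255.255
    pool pool_radius_auth
    profiles { udp { } }
    persist { persist_aaa_src { default yes } }
    source-address-translation { type none }
}

ltm virtual vs_aaa_radius_acct {
    destination 10.0.0.10:1813
    ip-protocol udp
    mask 255.255.255.255
    pool pool_radius_acct
    profiles { udp { } }
    persist { persist_aaa_src { default yes } }
    source-address-translation { type none }
}

# Scenario 2: the VPN NADs keep their existing VIP address; these virtual
# servers reference the same pool objects, so member health and round-robin
# distribution are shared across both VIPs instead of being tracked twice.
ltm virtual vs_vpn_radius_auth {
    destination 10.0.0.20:1812
    ip-protocol udp
    mask 255.255.255.255
    pool pool_radius_auth
    profiles { udp { } }
    persist { persist_aaa_src { default yes } }
    source-address-translation { type none }
}

ltm virtual vs_vpn_radius_acct {
    destination 10.0.0.20:1813
    ip-protocol udp
    mask 255.255.255.255
    pool pool_radius_acct
    profiles { udp { } }
    persist { persist_aaa_src { default yes } }
    source-address-translation { type none }
}
```

The comment lines are for the reader and should be stripped before merging the fragment into bigip.conf. Using one shared pool object per service, rather than duplicating pools behind each VIP, is what keeps the distribution even in Scenario 2: the round-robin state and the monitor results belong to the pool, so requests arriving on either VIP are spread over the same member set.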