04-16-2018 11:28 AM
I need to confirm whether the following scenarios are supported or whether there are any potential issues in one. I don't believe so, but a sanity check would be greatly appreciated.
Both scenarios are about avoiding the need to readdress F5 VIPs or change NAD configs when migrating from ACS to new ISE deployments (separate Device Admin and Radius Deployments).
Scenario 1:
Using a single F5 VIP address for both TACACS and RADIUS deployments (since today the ACS and its VIP handle both). The VIP would leverage the DST port to distinguish between TACACS and RADIUS requests so that the F5 will send TACACS requests to the ISE server pool and keep RADIUS requests going to the existing ACS (or a future ISE deployment).
Scenario 2:
Today we have wireless auth NADs and VPN auth NADs using two different F5 VIPs. In order to avoid readdressing the NADs we would like to keep the two F5 VIPs, but leverage identical ISE server pools on the F5 behind each VIP.
Thanks!
04-16-2018 04:01 PM
Although not officially QA'ed by Cisco, I do cover T+ load balancing in Cisco Live session (BRKSEC-3699 - Reference version) available on ciscolive.com.
Yes, LB based on port TCP/49 and source IP-based LB should be sufficient. T+ does not have the same session restraints like RADIUS auth and no CoA to contend with.
Craig
04-16-2018 02:41 PM
Both scenarios should work just fine. I have done scenario 1 in almost all of my F5 ISE deployments when doing both RADIUS and TACACS, although in my case I am usually load balancing to different PSNs in the same ISE deployment. These are all different virtual servers on the F5s so you can assign them to whatever pools (or the same pools) you want.
04-17-2018 08:01 AM
Craig,
Thanks for the reply, your presentations are always the best! Sounds like Question 1 is covered for T+, what about for RADIUS? When consulting your slides it looks like both the RADIUS and CoA ports need to be accounted for?
Lastly, can you confirm that scenario 2 is supported as well.
Thanks!
04-17-2018 08:06 AM
Yes, #2 could work but need to make sure the load across pools is evenly distributed.
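As an added illustration of the two scenarios discussed above (this is not configuration from the thread, from Cisco, or from F5; VIP addresses, pool member addresses and object names are all assumed), here is the F5 LTM object layout in tmsh form. Scenario 1 works because a virtual server is keyed on destination IP plus port, so one VIP address can front several virtual servers that hand TCP/49 and UDP/1812-1813 to different pools. Scenario 2 is simply two virtual servers on two different VIP addresses that reference the same pool.

```tmsh
# Added example, not from the thread. Addresses and names are assumed.
#
# Scenario 1: one shared VIP (10.1.1.100). TACACS+ on TCP/49 goes to the new
# ISE device-admin pool; RADIUS on UDP/1812 and UDP/1813 stays on the ACS pool.

ltm pool ise_tacacs_pool {
    members {
        10.10.0.11:49 { address 10.10.0.11 }
        10.10.0.12:49 { address 10.10.0.12 }
    }
    monitor tcp
}

ltm pool acs_radius_pool {
    members {
        10.10.0.21:any { address 10.10.0.21 }
        10.10.0.22:any { address 10.10.0.22 }
    }
    monitor gateway_icmp
}

# Source-address persistence pins a given NAD to one PSN, which is all T+ needs
# (no CoA, no multi-packet auth state to keep together as with RADIUS).
# SNAT is left off so the PSN sees the NAD's real source address for its
# network-device lookup; this assumes the pool members route replies back
# through the F5.
ltm virtual vs_aaa_tacacs {
    destination 10.1.1.100:49
    ip-protocol tcp
    pool ise_tacacs_pool
    profiles { tcp { } }
    persist { source_addr { default yes } }
    source-address-translation { type none }
}

ltm virtual vs_aaa_radius_auth {
    destination 10.1.1.100:1812
    ip-protocol udp
    pool acs_radius_pool
    profiles { udp { } }
    persist { source_addr { default yes } }
    source-address-translation { type none }
}

ltm virtual vs_aaa_radius_acct {
    destination 10.1.1.100:1813
    ip-protocol udp
    pool acs_radius_pool
    profiles { udp { } }
    persist { source_addr { default yes } }
    source-address-translation { type none }
}

# Scenario 2: the two legacy VIPs (wireless 10.1.1.101, VPN 10.1.1.102) stay
# where the NADs expect them; both reference the same ISE RADIUS pool.

ltm pool ise_radius_pool {
    members {
        10.10.0.31:any { address 10.10.0.31 }
        10.10.0.32:any { address 10.10.0.32 }
    }
    monitor gateway_icmp
}

ltm virtual vs_wireless_radius_auth {
    destination 10.1.1.101:1812
    ip-protocol udp
    pool ise_radius_pool
    profiles { udp { } }
    persist { source_addr { default yes } }
    source-address-translation { type none }
}

ltm virtual vs_vpn_radius_auth {
    destination 10.1.1.102:1812
    ip-protocol udp
    pool ise_radius_pool
    profiles { udp { } }
    persist { source_addr { default yes } }
    source-address-translation { type none }
}
```

Two practical notes on this layout. First, CoA is not carried by any of these listeners: a change of authorization is sent by the PSN toward the NAD (UDP/1700 by default on Cisco devices), so the NADs must be prepared to accept CoA from the PSN addresses themselves, which is the "account for the CoA port" point raised in the thread. Second, because both VIPs in Scenario 2 share one pool, the per-VIP source-address persistence tables are independent, so the spread of NADs across PSNs should be checked (for example with the pool member connection statistics) rather than assumed to be even.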