802.1x Radius Server Load-Balancing

milos_p · ‎10-18-2021

Hi guys,

What are your experience with using radius load-balancing feature in Cisco IOS, specifically on 2960x switches (15.x versions).

I am speaking about command "load-balance method least-outstanding" under radius server group.

Are there any problems with sending accounting stop/interim messages back to wrong PSN maybe, or switch can successfully maintain all the packets for the same session and bind them to the same PSN?

I want to use load balancing, but don't want to have stale/phantom sessions on PSNs.

Any feedback is much appreciated

Thanks!.

Greg Gibbs · ‎10-18-2021

I'll let others in the Community provide their opinions as well, but I will say that the load balancer feature on the Catalyst switches is a very basic implementation and provides limited visibility or control of the load balanced sessions. It is neither validated nor recommended for use in an ISE deployment, especially if you will have CWA flows (Guest, BYOD, etc) that require the same PSN that handles the RADIUS session to provide the Portal.

milos_p · ‎10-19-2021

Hi Greg,

This is very valuable information, thank you!

I saw that command in multiple guides, including some ISE books as well.

No one drilled down about it, just basic info that is is load-balancing requests, depending on the batch size you configure.

My concern is the stickiness of the session for the reasons you mentioned, and I cannot find any relevant information about it.

I guess, another option is to put servers in different order on NADs, so I can balance traffic that way without any concerns of session stickiness.

Any other input from your side will be fantastic.

Thanks a lot one more time!