Cisco Employee

Cisco ISE design supporting large number of RADIUS/COA servers

Hi Team,

A question about maximum devices that can be configured to support Cisco ISE in a large deployment for University.

In the release notes for WLCs it states that in version 8 the maximum number of RADIUS servers that can be configured is 17. While we are configuring the RADIUS requests to go via VIPs on their NetScaler, only two servers will be defined (primary and secondary). To support CoA, does every PSN need to be defined with "network user" authentication checked? If we have more than 17 PSNs in production, how can we support the additional ones? Do the CoA messages need to be NAT'ed?

The same question goes for the wired infrastructure. I am trying to find the maximum number of CoA devices that is supported on an IOS switch; for Nexus devices it is stated in the documentation that a maximum of 64 RADIUS servers can be defined.

What is the best practice regarding large environments and the way CoA is configured: should it be NAT'ed to a single IP address, or should all the PSNs be individually configured?

Regards,

Anshul

Accepted Solution

Cisco Employee

Anshul, if using an LB, you can also configure source NAT for CoA messages so the CoA from the PSN is seen to be sourcing from the VIP instead. Check out page 51 of the F5 ISE/F5 how-to:

How To: Cisco & F5 Deployment Guide: ISE Load Balancing Using BIG-IP
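Why the source address of the CoA matters is easiest to see from the NAD's side. The following is an added illustration, not code from the thread, ISE or F5: a small Python model of a NAD's dynamic-authorization listener (the equivalent of an IOS `aaa server radius dynamic-author` block with a single `client` entry for the VIP) checked against CoA-Requests built per RFC 5176. All addresses, the shared secret and the 20-PSN count are constructed placeholders.

```python
"""
Constructed model of a NAD's RADIUS dynamic-authorization (CoA) client check.

Assumptions (not from the thread): the NAD is modelled in Python, the
addresses are made up, and the shared secret is a placeholder. The wire
format follows RFC 5176: a CoA-Request (code 43) carries a Request
Authenticator of MD5(Code + Identifier + Length + 16 zero octets +
Attributes + Secret).
"""
import hashlib
import hmac
import ipaddress
import struct

COA_REQUEST = 43   # RFC 5176 packet code for CoA-Request
HEADER_LEN = 20    # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type-Length-Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_coa_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build a CoA-Request the way a PSN would send it to a NAD."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, HEADER_LEN + len(attributes))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()
    return header + authenticator + attributes


class DynamicAuthorServer:
    """The NAD side: a fixed list of permitted CoA clients, each with its own
    shared secret, like 'client <ip> server-key <secret>' entries on IOS."""

    def __init__(self, clients: dict):
        # constructed mapping: permitted CoA source address -> shared secret
        self.clients = {ipaddress.ip_address(ip): key for ip, key in clients.items()}

    def handle(self, src_ip: str, packet: bytes) -> str:
        """Return 'ack' if the packet would be honoured, else the rejection reason."""
        src = ipaddress.ip_address(src_ip)
        secret = self.clients.get(src)
        if secret is None:
            # RFC 5176: requests from an unknown client are silently discarded
            return "dropped: unknown client %s" % src
        if len(packet) < HEADER_LEN:
            return "dropped: short packet"
        code, _ident, length = struct.unpack("!BBH", packet[:4])
        if code != COA_REQUEST or length != len(packet):
            return "dropped: malformed header"
        attributes = packet[HEADER_LEN:]
        expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attributes + secret).digest()
        if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
            return "dropped: bad authenticator (secret mismatch)"
        return "ack"


def demo() -> dict:
    """Walk through the thread's scenario with constructed addresses."""
    secret = b"placeholder-coa-secret"                 # placeholder, not a real key
    vip = "10.0.0.10"                                  # constructed load-balancer VIP
    psns = ["10.0.1.%d" % i for i in range(1, 21)]     # constructed: 20 PSNs behind the LB

    # NAD configured with a single dynamic-author client: the VIP.
    nad = DynamicAuthorServer({vip: secret})

    # User-Name(1) and Calling-Station-Id(31) are enough to identify a session here.
    attrs = encode_attribute(1, b"student01") + encode_attribute(31, b"00-11-22-33-44-55")
    packet = build_coa_request(7, attrs, secret)

    return {
        # Without source NAT the NAD sees the individual PSN's address.
        "direct_from_psn": nad.handle(psns[16], packet),
        # With source NAT on the LB the same packet arrives from the VIP.
        "via_vip_snat": nad.handle(vip, packet),
        # Correct source but wrong secret still fails the authenticator check.
        "wrong_secret": nad.handle(vip, build_coa_request(7, attrs, b"other-secret")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-16s %s" % (case, result))
```

The model shows the two things a NAD with one configured CoA client actually checks: the source address against its client list, and the Request Authenticator against that client's shared secret. Source NAT on the LB satisfies the first without listing every PSN; the secret must still be the one configured for the VIP entry, and the LB is assumed to map the NAD's CoA-ACK back to the originating PSN.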


Frequent Contributor

Hi hosuk,

When you are using F5 for PSN LB, do you have only one entry for each SSID (no matter if you are using CWA, EAP-TLS, PEAP, LWA or MAB) on the WLC pointing to the F5 VIP? That unique entry (F5 VIP) also applies to the WLC global AAA authentication and accounting entry, so no individual PSNs are configured in the WLC.

thanks