Cisco ISE design supporting large number of RADIUS/COA servers

ankaushi
Cisco Employee

Hi Team,

A question about the maximum number of devices that can be configured to support Cisco ISE in a large deployment for a university.

The release notes for WLCs (version 8) state that the maximum number of RADIUS servers that can be configured is 17. Since we are configuring the RADIUS requests to go via VIPs on their NetScaler, only two servers will be defined (primary and secondary). To support CoA, does every PSN need to be defined with "network user" authentication checked? If we have more than 17 PSNs in production, how can we support the additional ones? Do the CoA messages need to be NAT'ed?

The same question goes for the wired infrastructure. I am trying to find the maximum number of CoA devices that is supported on an IOS switch; for Nexus devices the documentation states that a maximum of 64 RADIUS servers can be defined.

What is the best practice regarding large environments and the way CoA is configured: should it be NAT'ed to a single IP address, or should all the PSNs be individually configured?

Regards,

Anshul

1 Accepted Solution

Accepted Solutions

howon
Cisco Employee

Anshul, if using a LB, you can also configure source NAT for CoA messages so the CoA from PSN is seen to be sourcing from the VIP instead. Check out page 51 of the F5 ISE/F5 how-to:

How To: Cisco & F5 Deployment Guide: ISE Load Balancing Using BIG-IP

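As an added illustration of the accepted answer (this is not part of the original thread and not taken from the Cisco/F5 guide), this is what the network-device side looks like once the load balancer source-NATs CoA to the VIP: the NAD needs only the VIP as its RADIUS server and as its dynamic-authorization (CoA) client, with one shared secret, no matter how many PSNs sit behind the load balancer. The VIP address 10.10.10.5 and the key ISE-SHARED-SECRET are placeholders; the load balancer's own SNAT rule is configured per the F5 guide referenced above and is not shown here.

```text
! ---- Cisco IOS / IOS-XE access switch (assumed addresses; VIP = 10.10.10.5) ----
! RADIUS server definition: only the VIP, not the individual PSNs.
radius server ISE-VIP
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key ISE-SHARED-SECRET
!
aaa group server radius ISE-GROUP
 server name ISE-VIP
!
! Dynamic authorization (RFC 5176 CoA) client list.
! With the LB source-NATing CoA to the VIP, a single client entry is enough.
! Without SNAT, every PSN that can send CoA would need its own 'client' line
! here, which is where the per-platform server limits start to bite.
aaa server radius dynamic-author
 client 10.10.10.5 server-key ISE-SHARED-SECRET
 port 1700
 auth-type any
!
! ---- AireOS WLC 8.x CLI (same idea; server index 1 = the VIP) ----
! "network user" auth corresponds to 'config radius auth network <index> enable';
! 'rfc3576 enable' is what allows the WLC to accept CoA from that server entry.
config radius auth add 1 10.10.10.5 1812 ascii ISE-SHARED-SECRET
config radius auth rfc3576 enable 1
config radius auth network 1 enable
config radius acct add 1 10.10.10.5 1813 ascii ISE-SHARED-SECRET
config radius acct network 1 enable
```

On the IOS side, `show aaa servers` lists the configured RADIUS servers and `show running-config | section dynamic-author` shows the CoA client list. The NAD authenticates each CoA request by its source address plus the shared secret, so the secret on the VIP entry must match what ISE holds for that network device, and the load balancer must deliver the NAD's CoA-ACK/NAK back to the PSN that issued the request; otherwise CoA silently fails even though RADIUS authentication through the VIP works.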

2 Replies


Hi hosuk,

When you are using F5 for PSN LB, do you have only one entry for each SSID (no matter whether you are using CWA, EAP-TLS, PEAP, LWA or MAB) on the WLC pointing to the F5 VIP? Does that unique entry (the F5 VIP) also apply to the WLC global AAA authentication and accounting entries, so that no individual PSNs are configured in the WLC?

thanks
