10-10-2016 05:27 AM - edited 03-11-2019 12:08 AM
Hello
I have an ISE 2.1 deployment in development (3xPSN in a node cluster and 2xPAN/Mnt). Deployment is for 802.1x/MAB in a wired environment and device profiling will be used.
I have the above working well and am now looking to migrate to a load-balanced environment using Netscaler MPX 8200 running NS10.5: Build 61.11.nc (active/standby pair).
The development work for this will use a VPX which I currently don't have access to.
I looked at the Cisco documentation, CiscoLive presentations and Cisco/Citrix forums and came up with the attached plan which outlines 2 options:
Option 1 seems to move the more complex configuration onto the Netscaler, while option 2 requires more work done on the PSNs.
Can any Netscaler with Cisco ISE users share their experience of the above scenarios please? The Cisco ISE with F5 documentation outlines option 1 and details how F5 deals with ISE traffic that isn't load-balanced (using a "forwarding IP virtual server"). What is the equivalent of this on Netscaler? I've posted on Citrix forums with no luck so far.
Thanks
Andy
ps The attached document is a work in progress and doesn't deal with ISE profiler traffic
10-12-2016 12:30 PM
We do option 1 with ~20 PSNs behind one NS and ~20 PSNs behind another NS (different datacenter). It works really well. With as many reliability issues as we've had, I can't imagine NOT being behind a Netscaler.
We've got a couple of probes set up but I'd be curious to see what probes others are using.
10-12-2016 01:03 PM
Thanks for the response. Are you using Bridge type "ns acl" to permit/deny non-load-balanced PSN traffic through the Netscaler? Also, are your 2 Netscalers standalone or in HA pairs?
Thanks
Andy
12-05-2018 03:01 AM
Hi, do you also do CWA?
My specific question is how to configure Netscaler VPX to persist communication to same PSN, when handling the URL redirect.
10-12-2016 01:12 PM
There is a sample Netscaler-ISE config from Cisco posted here:
https://communities.cisco.com/docs/DOC-64434
For a large deployment, a frontend ADC is a must-have. I've done a few with F5 BigIP and they work like a charm.
10-12-2016 01:25 PM
Many thanks for the link. I set up a Netscaler VPX today and quickly got RADIUS authentication/accounting and CoA working through the Netscaler (basing the config on the F5 documentation).
Cheers
Andy
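The thread's option 1 relies on the load balancer doing two things with RADIUS: sticking an endpoint's Access-Request and the later Accounting-Request to the same PSN (usually keyed on Calling-Station-Id, attribute 31), and not forwarding accounting packets whose authenticator does not verify under the shared secret. The following is an added illustration written for this thread, not configuration from the original posts, Cisco, or Citrix; it models that persistence and check in Python with a constructed three-PSN pool and constructed packets, and the MAC normalisation and SHA-256 hash selection are assumptions, not how Netscaler computes its hash.

```python
import hashlib
import hmac
import struct

# Constructed sample pool standing in for the PSNs behind the virtual server.
PSN_POOL = ["psn1.example.internal", "psn2.example.internal", "psn3.example.internal"]

CODE_ACCESS_REQUEST = 1
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31


def build_radius_packet(code, identifier, authenticator, attrs, secret=b""):
    """Serialise a RADIUS packet (RFC 2865/2866 layout).

    For Accounting-Request the 16-byte authenticator is derived from the
    packet body and the shared secret, so the caller's value is ignored.
    """
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    header = struct.pack("!BBH", code, identifier, length)
    if code == CODE_ACCOUNTING_REQUEST:
        # RFC 2866 s3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
        authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def parse_radius_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    Rejects malformed length fields so a bad packet cannot walk past the
    buffer or loop forever on a zero-length attribute.
    """
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("length field does not match packet")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, identifier, data[4:20], attrs


def accounting_authenticator_ok(data, secret):
    """Verify the RFC 2866 Request Authenticator of an Accounting-Request."""
    code = data[0]
    if code != CODE_ACCOUNTING_REQUEST:
        return False
    expected = hashlib.md5(data[:4] + b"\x00" * 16 + data[20:] + secret).digest()
    return hmac.compare_digest(expected, data[4:20])


def persistence_key(attrs):
    """Normalised Calling-Station-Id (assumed MAC-style value), or None."""
    for a_type, value in attrs:
        if a_type == ATTR_CALLING_STATION_ID:
            text = value.decode("ascii", "replace").upper()
            return text.replace(":", "-").replace(".", "-")
    return None


def select_psn(key, pool=PSN_POOL):
    """Deterministic pick so auth and accounting for one endpoint share a PSN."""
    digest = hashlib.sha256(key.encode("ascii")).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def route_packet(data, secret, pool=PSN_POOL):
    """Decide where the load balancer forwards a packet, or None to drop it."""
    code, _ident, _auth, attrs = parse_radius_packet(data)
    if code == CODE_ACCOUNTING_REQUEST and not accounting_authenticator_ok(data, secret):
        return None  # forged or mis-keyed accounting: do not forward
    key = persistence_key(attrs)
    if key is None:
        return pool[0]  # assumption: fall back to the first member without a sticky key
    return select_psn(key, pool)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    attrs = [(ATTR_USER_NAME, b"host/pc01"), (ATTR_CALLING_STATION_ID, b"00:11:22:aa:bb:cc")]
    auth_pkt = build_radius_packet(CODE_ACCESS_REQUEST, 7, b"\x01" * 16, attrs)
    acct_pkt = build_radius_packet(CODE_ACCOUNTING_REQUEST, 8, b"", attrs, secret)
    print("auth ->", route_packet(auth_pkt, secret))
    print("acct ->", route_packet(acct_pkt, secret))
```

Running the block shows both packets for the same endpoint landing on the same pool member, and an accounting packet rebuilt with a different secret or a flipped attribute byte is dropped before any PSN sees it.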