Hello
I have an ISE deployment (2x PAN/MnT and 3 PSNs) in development. Deployment is primarily for wired 802.1x/MAB.
Before deploying the PSNs behind a Citrix Netscaler I set up a dev environment:
- NAD is WS-C3650-48PD 03.06.05E (device-sensor collecting dhcp/cdp/lldp)
- NAD configured with the 3 PSNs in a radius aaa group.
Cisco phones connected to the NAD were being profiled correctly by ISE with Endpointsource listed as RADIUS Probe. I could see all the device-sensor cdp/lldp/dhcp information ok.
I set up ISE load balancing on a Citrix VPX (NetScaler NS10.5: Build 61.11.nc) - VIPs were configured for RADIUS 1812/1813 and I moved one PSN logically fully behind the VPX.
NAD was reconfigured with the Netscaler VIP as the only RADIUS server and for CoA.
On testing phones (profiled previously), authentication/accounting worked fine. I deleted one of the profiled phones as a test and found ISE couldn't profile it. I did packet captures on the NAD and VPX and found:
- NAD was sending RADIUS authentication (plus attributes required for profiling)
- VPX was truncating the RADIUS authentication packet, cutting off some of the attributes.
I then set up an SNMP trap VIP on the VPX and a trap statement on the NAD, and now the load-balanced PSN can profile the phone ok (Endpointsource is still listed as RADIUS Probe).
I knew there was an issue with Netscaler RADIUS fragmentation/reassembly on Netscaler but thought this was resolved in 10.5 build 50. Have any other Netscaler/ISE users come across this? VPX appliance is the free demo version.
Thanks
Andy
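
Added example (not part of the original post): one way to confirm the truncation described above is to take the same RADIUS request from the NAD-side and VPX-side captures, check the header Length field against the bytes that actually arrived, and list which Cisco vendor-specific attributes went missing. The function names, the sample packet, the placeholder attribute values, and the assumption that the truncated copy keeps its original Length field are all constructed for illustration.

```python
import struct

HEADER_LEN = 20        # code(1) + id(1) + length(2) + authenticator(16), RFC 2865
VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
CISCO_VENDOR_ID = 9    # Cisco's IANA enterprise number

def parse_radius(datagram):
    """Walk one RADIUS UDP payload; return (attrs, problems)."""
    if len(datagram) < HEADER_LEN:
        return [], ["shorter than the 20-byte RADIUS header"]
    declared = struct.unpack("!H", datagram[2:4])[0]
    problems = []
    if declared > len(datagram):
        problems.append(f"Length field is {declared} but only {len(datagram)} bytes arrived")
    end = min(declared, len(datagram))
    attrs, off = [], HEADER_LEN
    while off < end:
        alen = datagram[off + 1] if off + 1 < end else 0
        if alen < 2 or off + alen > end:
            problems.append(f"attribute at offset {off} is cut off or malformed")
            break
        attrs.append((datagram[off], datagram[off + 2:off + alen]))
        off += alen
    return attrs, problems

def cisco_avpairs(attrs):
    """Text of each Cisco VSA (vendor 9), skipping vendor-type/vendor-length."""
    return [v[6:].decode("ascii", "replace") for t, v in attrs
            if t == VENDOR_SPECIFIC and len(v) >= 6
            and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID]

def lost_behind_lb(nad_side, lb_side):
    """Cisco AV-pairs present in the NAD capture but absent after the load balancer."""
    seen = cisco_avpairs(parse_radius(lb_side)[0])
    return [p for p in cisco_avpairs(parse_radius(nad_side)[0]) if p not in seen]

def _vsa(text):  # constructed-sample helper: Cisco-AVPair (vendor-type 1)
    data = text.encode()
    return (bytes([VENDOR_SPECIFIC, len(data) + 8])
            + struct.pack("!IBB", CISCO_VENDOR_ID, 1, len(data) + 2) + data)

# Constructed sample: Access-Request (code 1, id 7) with placeholder sensor values.
_attrs = (b"\x01\x07phone" + _vsa("cdp-tlv=SAMPLE")
          + _vsa("lldp-tlv=SAMPLE") + _vsa("dhcp-option=SAMPLE"))
NAD_PKT = struct.pack("!BBH", 1, 7, HEADER_LEN + len(_attrs)) + bytes(16) + _attrs
LB_PKT = NAD_PKT[:-10]   # assumed failure: tail lost, Length field left unchanged

if __name__ == "__main__":
    print(parse_radius(LB_PKT)[1])
    print(lost_behind_lb(NAD_PKT, LB_PKT))
```

To use it on real traffic, export the UDP payload bytes of the matching request (same RADIUS identifier) from each capture and pass them in place of the constructed packets.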