Citrix Netscaler and ISE - RADIUS packets being truncated

andrewswanson
Level 7

Hello

I have an ISE deployment (2x PAN/MnT and 3 PSNs) in development. Deployment is primarily for wired 802.1x/MAB.

Before deploying the PSNs behind a Citrix Netscaler I set up a dev environment:

  • NAD is WS-C3650-48PD 03.06.05E (device-sensor collecting dhcp/cdp/lldp)
  • NAD configured with the 3 PSNs in a radius aaa group.

Cisco phones connected to the NAD were being profiled correctly by ISE with Endpointsource listed as RADIUS Probe. I could see all the device-sensor cdp/lldp/dhcp information ok.

I set up ISE load balancing on a Citrix VPX (NetScaler NS10.5: Build 61.11.nc) - VIPs were configured for RADIUS 1812/1813 and I moved one PSN logically fully behind the VPX.

NAD was reconfigured with the Netscaler VIP as the only RADIUS server and for CoA.

On testing phones (profiled previously) authentication/accounting worked fine. I deleted one of the profiled phones as a test and found ISE couldn't profile it. I did packet captures on the NAD and VPX and found:

  • NAD was sending RADIUS authentication (plus attributes required for profiling)
  • VPX was truncating the RADIUS authentication packet, cutting off some of the attributes.

I then set up an SNMP trap VIP on the VPX and a trap statement on the NAD and now the load-balanced PSN can profile the phone ok (Endpointsource is still listed as RADIUS Probe)

I knew there was an issue with Netscaler RADIUS fragmentation/reassembly on Netscaler but thought this was resolved in 10.5 build 50. Have any other Netscaler/ISE users come across this? VPX appliance is the free demo version.

Thanks
Andy

1 Reply

andrewswanson
Level 7

My apologies - the netscaler trace was restricted to 164 bytes by default so the capture was reported as being truncated. RADIUS packet sent by NAD IS being forwarded ok to PSN.

Cheers

Andy
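
Added example, not part of the thread: a way to tell a capture-side snap-length cut (the 164-byte case in the reply) from a RADIUS packet that really lost attributes on the wire, by comparing each record's captured and original lengths with the RADIUS Length field. It assumes the trace has been exported as classic little-endian pcap with Ethernet II and IPv4 without options; the function names and sample frames are constructed for illustration.

```python
import struct

ETH, IP4, UDP = 14, 20, 8   # assumed: Ethernet II, IPv4 without options, UDP
HDR = ETH + IP4 + UDP       # offset of the RADIUS header inside the frame

def build_frame(radius_len, wire_len):
    """Constructed frame: RADIUS header declaring radius_len, wire_len bytes sent."""
    radius = struct.pack("!BBH16s", 1, 7, radius_len, b"\0" * 16)
    radius = (radius + b"\x00" * wire_len)[:wire_len]   # filler, not real attributes
    udp = struct.pack("!HHHH", 1645, 1812, UDP + wire_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP4 + UDP + wire_len, 0, 0, 64,
                     17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\0" * 12 + b"\x08\x00" + ip + udp + radius

def build_pcap(frames, snaplen):
    """Constructed classic pcap that keeps only snaplen bytes of each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        kept = f[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(kept), len(f)) + kept
    return out

def check_radius_truncation(pcap):
    """Classify each RADIUS frame: complete, cut by the capture, or short on the wire."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled")
    verdicts, off = [], 24
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if (len(frame) < HDR + 4 or frame[12:14] != b"\x08\x00"
                or frame[14] != 0x45 or frame[23] != 17):
            verdicts.append("not-parsed")
            continue
        declared = struct.unpack_from("!H", frame, HDR + 2)[0]  # RADIUS Length field
        if orig - HDR < declared:
            verdicts.append("truncated-on-wire")     # packet itself lost attributes
        elif incl < orig:
            verdicts.append("truncated-by-capture")  # snap length cut it, wire copy intact
        else:
            verdicts.append("complete")
    return verdicts

# Constructed sample: 164-byte capture limit as in the reply above.
SAMPLE = build_pcap([build_frame(300, 300), build_frame(300, 120),
                     build_frame(100, 100)], snaplen=164)

if __name__ == "__main__":
    print(check_radius_truncation(SAMPLE))
```

A "truncated-by-capture" verdict means the capture limit should be raised before drawing conclusions about the load balancer; only "truncated-on-wire" indicates attributes were actually dropped in transit.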