Hi TME team,
I just need to confirm if there are any caveats related to multiple PSNs and a load balancer with the new ISE 2.2 feature for Max Sessions.
Does this feature still work correctly if multiple user/endpoint sessions happen to be sent to different PSNs by the load balancer?
chyps, I wanted to run this by you since you have prior experience from writing the how-to guide with F5.
I was thinking about trying the following persistence logic in the F5 to work around this Max Session limitation in ISE.
if framed-protocol, then use username as persistence identifier
if not framed-protocol, then use calling-station-id with fallback to nas-ip-address as persistence identifier
Do you think this is feasible to do with an iRule?
If so, do you foresee any issues with this persistence config for any ISE flows?
The customer is deploying wired/wireless dot1x and wireless Guest, but no BYOD or Posture flows.
Thanks Craig. You make a good point.
It sounds like we might have to just change the persistence identifier to use the NAS-IP. It won't provide as much balancing as using the Calling-Station-ID, but it might be the best way to work around this Max Sessions limitation for the Wireless endpoints.
Is that a fair statement, or can you think of anything else we can use as a persistence ID on the F5 to accomplish this?
Assuming the same device is used, the same user should be persisted to the same PSN via Calling Station ID. As noted, there is a roadmap item. The plan is to extend the feature to node group/PSN cluster, but details and timing need to be communicated privately by the ISE PM team.
Thanks Craig. We're trying to ensure that sessions using different endpoints with the same username are stuck to the same PSN to be limited by the Max Sessions settings (particularly on Wireless), so it sounds like we'll have to use the NAS-IP for persistence ID.
I'll contact the ISE PMs for info on roadmap.
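The following is an added example, not code from this thread or from F5/Cisco, that models the three persistence choices discussed above (the proposed Framed-Protocol/Calling-Station-Id/NAS-IP rule, plain Calling-Station-Id, and plain NAS-IP) against a per-PSN Max Sessions counter. The RADIUS packets are constructed samples in RFC 2865 layout, the PSN names, NAS addresses, MACs, the Framed-Protocol value and the limit of 2 are assumptions, and PSN selection uses a toy byte-sum hash that stands in for the load balancer's real persistence hashing. It shows why the proposed rule keeps a wired user on one PSN but still spreads a wireless user with several devices across PSNs, which is what pushes the thread toward NAS-IP persistence for wireless.

```python
"""Model of per-PSN Max Sessions under different F5 persistence keys (added example)."""
import struct
from collections import Counter, defaultdict

# RADIUS attribute type codes from RFC 2865
USER_NAME, NAS_IP_ADDRESS, FRAMED_PROTOCOL, CALLING_STATION_ID = 1, 4, 7, 31
PSNS = ["psn1", "psn2"]  # hypothetical PSN names behind the load balancer


def build_access_request(attrs):
    """Serialise (code, raw value) pairs into an Access-Request.
    The 16-byte authenticator is zeroed: nothing here verifies it (constructed sample)."""
    body = b"".join(struct.pack("!BB", code, len(val) + 2) + val for code, val in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body


def parse_avps(packet):
    """Walk the attribute list; first occurrence of a code wins, bad lengths raise."""
    (length,) = struct.unpack("!H", packet[2:4])
    if length > len(packet):
        raise ValueError("declared length exceeds packet")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        code, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        avps.setdefault(code, packet[pos + 2:pos + alen])
        pos += alen
    return avps


def persistence_key(packet, mode):
    """Bytes the load balancer would persist on under each policy."""
    avps = parse_avps(packet)
    if mode == "proposed":  # the iRule logic proposed in the thread
        if FRAMED_PROTOCOL in avps:
            return avps[USER_NAME]
        return avps.get(CALLING_STATION_ID) or avps[NAS_IP_ADDRESS]
    if mode == "calling-station-id":
        return avps[CALLING_STATION_ID]
    if mode == "nas-ip":
        return avps[NAS_IP_ADDRESS]
    raise ValueError(f"unknown mode {mode!r}")


def pick_psn(key):
    """Toy stand-in for the LB hash: same key -> same PSN, different keys spread out."""
    return PSNS[sum(key) % len(PSNS)]


def sessions_per_psn(requests, mode):
    """username -> Counter(psn -> sessions that PSN would see for that user)."""
    per_user = defaultdict(Counter)
    for pkt in requests:
        user = parse_avps(pkt)[USER_NAME].decode()
        per_user[user][pick_psn(persistence_key(pkt, mode))] += 1
    return per_user


def limit_effective(per_psn, limit):
    """A per-PSN counter can only act on what one PSN sees: the limit is effective
    if the user is within it overall, or some single PSN sees more than `limit`."""
    return sum(per_psn.values()) <= limit or max(per_psn.values()) > limit


def wireless(user, mac, nas_ip):
    # No Framed-Protocol, as the thread treats the wireless case
    return build_access_request([(USER_NAME, user), (CALLING_STATION_ID, mac), (NAS_IP_ADDRESS, nas_ip)])


def wired(user, mac, nas_ip):
    # Framed-Protocol present (value 1 = PPP, assumed), which the proposed rule keys on
    return build_access_request([(USER_NAME, user), (FRAMED_PROTOCOL, (1).to_bytes(4, "big")),
                                 (CALLING_STATION_ID, mac), (NAS_IP_ADDRESS, nas_ip)])


# Constructed traffic: alice has three wireless devices on one WLC, bob three wired ports on one switch.
WLC, SWITCH = bytes([10, 1, 1, 5]), bytes([10, 1, 2, 9])
REQUESTS = [
    wireless(b"alice", b"00-11-22-33-44-01", WLC),
    wireless(b"alice", b"00-11-22-33-44-02", WLC),
    wireless(b"alice", b"00-11-22-33-44-03", WLC),
    wired(b"bob", b"aa-bb-cc-dd-ee-01", SWITCH),
    wired(b"bob", b"aa-bb-cc-dd-ee-02", SWITCH),
    wired(b"bob", b"aa-bb-cc-dd-ee-03", SWITCH),
]


def evaluate(limit=2):
    """mode -> {user: whether a per-PSN Max Sessions limit would hold} for the constructed traffic."""
    return {mode: {user: limit_effective(counts, limit)
                   for user, counts in sessions_per_psn(REQUESTS, mode).items()}
            for mode in ("calling-station-id", "proposed", "nas-ip")}


if __name__ == "__main__":
    for mode, result in evaluate().items():
        print(f"{mode:20s} {result}")
```

With the sample traffic, Calling-Station-Id persistence lets both users exceed the limit unnoticed, the proposed rule catches bob (wired, keyed on username) but not alice (wireless, still keyed on her three MACs), and NAS-IP persistence catches both at the cost of all sessions from one WLC or switch landing on one PSN.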