Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ISE and Citrix Netscaler for LB

I'm working on a solution where we have NetScaler load balancers distributing radius requests from the NADs to respectvie PSNs. Authentication works and redirect URLs work etc.. The challenge we're having is with EAP-TLS sessions. The user get's a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication that has been configured from the same internal CA within the customers PKI.

Has anyone configured a NetScaler for use with ISE and besides the general guidlines below are there more specific things that need to be done to make this work with Citrix NetScalers?

Load Balancing guidelines.


  • Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
  • Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…)

Perform sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address

  • Session-ID is recommended if load balancer is capable (ACE is not).

VIP for PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.

Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).

  • If ”Server NAT" the PSN-initiated CoA traffic, then can list single VIP in NAD CoA list.

Load Balancers get listed as NADs in ISE so their test authentications may be answered.

ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to VIP.


Accepted Solutions

It looks like I have the switch configuration sorted out.  I had to point the 'aaa server radius dynamic-author' to the VIP and set the individual 'radius server <host>' to the real IP of the PSN. On the PSN I left the default GW as the NetScaler and I'm seeing successful auths and reauths consistently!!


Now I just need to test with our WLCs, fingers crossed :)


Thanks for all your help Nick!

View solution in original post



I have not had a chance to set this up but wanted to know if the user's session is being authorized fine? Also are you seeing this for user certs as well as machine certs too? I know in ISE at times the client during bootup and at times during user authentication the supplicant will initiate multiple eap sessions where one of the sessions is used to authorize the session and the other session is left to age out on the radius servers side.

I wanted to make sure you are not running into a common issue, also what is your timeout settings for eap conversations on the port, also what is the re-try interval, with eap-tls the session takes a little more time to authenticate then with peap.


Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*

Hi there

Anyone got a "solution" to this?




Use "any" instead of "Radius" as the protocol specified in the Netscaler and it will work. Some kind of bugg in the inspection of radius in netscaler that drops EAP-TLS traffic.


The solution was the release of 10.5 50.10 version of NetScaler code.  This fixed several AAA bugs and corrected packet handling of load balanced RADIUS traffic.


The other comment suggesting 'any' instead of 'RADIUS' is misinformation.  Our setup is using RADIUS as the protocol and works perfectly.


So either upgrade to or use "any" ;)


@j-sutterfield can you elaborate on your setup?  I am having a similar issue with ISE and NetScaler but I am having a issue with all EAP types not just TLS.  I can do captive web portal without issue.  I am on NetScaler 10.5 53.9 so passed the version you mentioned with the bug.  I just feel I am doing something small incorrect.


Can you post the rules you have setup in Citrix to track sessions? I had to use source IP, which was the NAD (wlc controller), and radius 1812/1813 in our case due to the limitation at the time. Not sure if they have upgraded to 10.5 as mentioned above.


The policy expression we use for persistence is:
add policy expression FramedIP_CallingStationID "CLIENT.UDP.RADIUS.ATTR_TYPE(8)+CLIENT.UDP.RADIUS.ATTR_TYPE(31)"

I notice that we have that policy bound to the virtual servers themselves as well as the persistence group (see below).  I'm not certain that is necessary but I can say we have a working environment.

add lb vserver isepsn_radius-acct RADIUS 1813 -rule FramedIP_CallingStationID -cltTimeout 120
add lb vserver isepsn_radius-auth RADIUS 1812 -rule FramedIP_CallingStationID -cltTimeout 120

set lb group isepsn-pg -persistenceType RULE -rule FramedIP_CallingStationID





I think we worked through a similar issue (it's been awhile) and I think it had to do with the routing flow.  Basically you want your PSNs to use the NetScaler as their gateway (or at least flow the traffic back through them at some point in the network).

Can you be any more specific about what you are seeing as the failure?  Any logs or results from the switch?


@j-sutterfield I would see basic errors in ISE and I didn't see any in the NS but I am new to the NS so I may not have been looking in the right spot.  All I would see is the connection log in ISE and then a error about not being able to complete the EAP session.  I can't recall the exact message since it was a month or two ago and I put the project on hold for a bit.  Is it possible for you to maybe post your working configuration for ISE and the NS?  I originally tried doing it L2 to mimic what we did with the ACE but when that didn't work I tried to do it L3 with the same issue.


For those stuck at the same point I was I discovered what the issue was with LB type RADIUS.  I could get everything working correctly with LB type ANY but not type RADIUS.  While earlier versions of NS code had a issue with processing under type RADIUS I was not at one of the problem versions.  It turned out to be that for whatever reason the NS would not work with type RADIUS unless the service group or service has the "Use Proxy Port" option set to YES.




I am also experiencing this issue while using Netscaler as the load balancer.  I Have a policy setup to allow PEAP and EAP-TLS coming in on a Called-Station-ID or specific SSID.  PEAP works fine on this single SSID but EAP-TLS fails when it's using Netscaler as the load balancer.  However, when i use cisco ACE as the load balaner, EAP-TLS works fine and devices are able to authenticate using EAP-TLS.  Any insight on the matter would be greatly appreciated!


Does anyone have a working configuration for this?  I'm getting successful authentications from the supplicant, but CoA fails. When I perform a CoA I get two of each of the following messages:

1) Event & Failure reason "5436 RADIUS packet already in the process"


2) Event "5417 Dynamic Authorization failed" / Failure reason "11215 No response has been received from Dynamic Authorization Client in ISE"


The policy nodes are not physically located behind the NetScaler, so I have them pointing to the NetScaler as the default GW.  I'm not sure if we have the policy on the NS configured correctly though, because I had to add the NetScaler as a Network Device and I was under the impression that the switch and PSN should continue to talk directly to each other.


Any help would be greatly appreciated!






It works great! BUT we have the ISE-network behind the NS, routed. Which is the way to go. If you have to add the NS to your Network Devices, it is probably doing NAT. This is not supported, as you notice with CoA. This will Cause the ISE to send the CoA to the NS instead of the switch => will not work.


Only time your should have the NS in the Network Device list in ISE is if the NS needs to check that the PSN-servers are alive using radius, for example.




Content for Community-Ad