Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
813
Views
0
Helpful
1
Replies

ISE Meraki MS switches and RADIUS accouting

Go to solution
slevesqu
Cisco Employee
Cisco Employee

‎06-06-2019 12:51 PM

Customer has 2 sets of PSNs in DC1 and DC2 (one node group per DC) with F5 Load Balancer for Meraki MS switches with ISE 2.2 latest patch. These switches do not allow re-authentication and do not have 802.1X timeouts but do provide RADIUS accounting interim-updates for these sessions.

 

The customer needs to perform maintenance on the F5 LB and the PSNs in DC1 and wants to understand what will be the behavior with the MS switches and the endpoints when they do as the PSNs in DC2 will receive RADIUS accounting interim updates for sessions that do no exist?

 

Will the PSNs in DC2 just drop these accounting updates? Will they send a CoA?

 

Should they perform a manual CoA to force all the endpoints on PSN in DC1 to restart their sessions on PSN in DC2 before the maintenance?

 

Thanks

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎06-17-2019 05:01 PM

The latter would be better since the PSN's and node groups are different. It will also help the endpoints in establishing a session. The sessions are created in the network devices. Radius accounting packets should be sent to same PSN's for many reasons including cleanup, optimization etc.

I am not sure if you have persistance configured in F5. Please see some of the recommendation related to persistance and Radius accounting in ISE load balancing guide

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159#toc-hId-1216151719

 

Thanks

Krishnan

View solution in original post

0 Helpful
1 Reply 1

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎06-17-2019 05:01 PM

The latter would be better since the PSN's and node groups are different. It will also help the endpoints in establishing a session. The sessions are created in the network devices. Radius accounting packets should be sent to same PSN's for many reasons including cleanup, optimization etc.

I am not sure if you have persistance configured in F5. Please see some of the recommendation related to persistance and Radius accounting in ISE load balancing guide

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159#toc-hId-1216151719

 

Thanks

Krishnan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents