ISE Meraki MS switches and RADIUS accounting

slevesqu
Cisco Employee

Customer has 2 sets of PSNs in DC1 and DC2 (one node group per DC) with F5 Load Balancer for Meraki MS switches with ISE 2.2 latest patch. These switches do not allow re-authentication and do not have 802.1X timeouts but do provide RADIUS accounting interim-updates for these sessions.

 

The customer needs to perform maintenance on the F5 LB and the PSNs in DC1 and wants to understand what the behavior will be with the MS switches and the endpoints when they do, as the PSNs in DC2 will receive RADIUS accounting interim updates for sessions that do not exist.

 

Will the PSNs in DC2 just drop these accounting updates? Will they send a CoA?

 

Should they perform a manual CoA to force all the endpoints on PSN in DC1 to restart their sessions on PSN in DC2 before the maintenance?

 

Thanks

Accepted Solutions

kthiruve
Cisco Employee

The latter would be better since the PSNs and node groups are different. It will also help the endpoints in establishing a session. The sessions are created in the network devices. RADIUS accounting packets should be sent to the same PSNs for many reasons, including cleanup, optimization, etc.

I am not sure if you have persistence configured in F5. Please see some of the recommendations related to persistence and RADIUS accounting in the ISE load balancing guide:

https://community.cisco.com/t5/security-documents/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159#toc-hId-1216151719

 

Thanks

Krishnan
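
Added example, not part of the original thread or of any Cisco or F5 code: a Python check that parses Accounting-Request packets (RFC 2866 layout) and lists every Interim-Update that reaches a PSN which never received that session's Accounting-Start, the situation the question describes when DC1 traffic moves to DC2. The PSN names, MAC addresses, session IDs and packets are constructed sample data, and the script says nothing about how ISE itself treats such packets.

```python
import struct

ACCOUNTING_REQUEST = 4                      # RFC 2866 packet code
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 31, 40, 44
START, STOP, INTERIM = 1, 2, 3              # Acct-Status-Type values

def build_acct(ident, status, session_id, mac):
    """Build a constructed Accounting-Request (zeroed authenticator, sample data only)."""
    fields = ((ACCT_STATUS_TYPE, struct.pack("!I", status)),
              (ACCT_SESSION_ID, session_id.encode()), (CALLING_STATION_ID, mac.encode()))
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in fields)
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(attrs), bytes(16)) + attrs

def parse_acct(pkt):
    """Return {attribute type: value bytes}, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return attrs

def orphaned_interims(stream):
    """Return (psn, session id, MAC) per Interim-Update whose Start that PSN never saw."""
    seen, orphans = {}, []
    for psn, pkt in stream:                 # (psn, packet) pairs in arrival order
        a = parse_acct(pkt)
        status = struct.unpack("!I", a[ACCT_STATUS_TYPE])[0]
        sid = a[ACCT_SESSION_ID].decode()
        sessions = seen.setdefault(psn, set())
        if status == START:
            sessions.add(sid)
        elif status == STOP:
            sessions.discard(sid)
        elif status == INTERIM and sid not in sessions:
            orphans.append((psn, sid, a[CALLING_STATION_ID].decode()))
    return orphans

# Constructed capture (hypothetical PSN names): sess-0001 starts on DC1, then moves to DC2.
SAMPLE = [("psn-dc1", build_acct(1, START, "sess-0001", "AA-BB-CC-00-00-01")),
          ("psn-dc2", build_acct(2, START, "sess-0002", "AA-BB-CC-00-00-02")),
          ("psn-dc1", build_acct(3, INTERIM, "sess-0001", "AA-BB-CC-00-00-01")),
          ("psn-dc2", build_acct(4, INTERIM, "sess-0001", "AA-BB-CC-00-00-01")),
          ("psn-dc2", build_acct(5, INTERIM, "sess-0002", "AA-BB-CC-00-00-02"))]
```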
