03-11-2019 04:05 AM
This is regarding ISE PSNs being load balanced behind an F5 in a distributed environment for device administration.
Customer has some constraints regarding using F5 as the gateway and is planning to use SNAT, which would NAT the source IP of the NAD to the F5 internal IP address.
From what I understand the authentications will be successful; however, it would lead to visibility issues as the F5 would see all requests coming from a single IP address.
03-11-2019 03:00 PM
This is perfectly acceptable and it's how we have been doing it for years, even back in the ACS days. And it makes perfect sense to SNAT thousands of routers and switches into one IP address inside of your TACACS server. If you need to do something funky with an individual device for some reason, then perhaps there is a TACACS attribute (like NAS-IP-Address ... I don't know what the TACACS equivalent is) that you can use in your Policy Sets. But the reality is that you treat all your thousands of devices like cattle (same policy) by giving them one entry in the ISE Client List - that entry is the VIP of the load balancer because the load balancer performs the SNAT.
Craig Hyps coined the phrase "SNAT for NAD is bad" - but what he meant by that is that it's bad for RADIUS flows where CoA might be required. If you don't need CoA then SNAT is not an issue. And TACACS doesn't have a concept of CoA, so you're good to go.
As far as I know, with SNAT, you will not lose visibility in ISE and you can still see individual TACACS requests from devices.
See BRKSEC-3699 and Craig Hyps' extensive work on ISE and F5 integration (search this Community for it).
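The device-list matching and the CoA caveat described in the reply above, modeled as an added Python example; this is not code from the thread, from Cisco ISE or from F5. All NAD addresses, network-device entry names and the F5 internal (SNAT) address are constructed values, and the lookup is a simplified stand-in for how ISE matches a request's source address against its network-device list.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values: NAD addresses, the F5 internal (SNAT) address and
# the ISE network-device entries are hypothetical, chosen only for this example.
F5_SNAT_IP = ip_address("10.0.0.10")

# Option A: one entry per switch/router (what you need when NADs are not SNATed).
PER_DEVICE_LIST = {
    "sw-branch-01": ip_network("10.1.1.1/32"),
    "sw-branch-02": ip_network("10.1.2.1/32"),
}

# Option B: the "cattle" approach from the reply: a single entry for the F5
# address, because after SNAT every NAD arrives from that address.
CATTLE_LIST = {
    "f5-snat": ip_network("10.0.0.10/32"),
}


def apply_snat(nad_ip):
    """Model the F5 rewriting the NAD's source address to its own internal IP."""
    return F5_SNAT_IP


def lookup_device(src_ip, device_list):
    """Model ISE matching the connection's source address against its device list.

    Returns the matching entry name, or None when the NAD is unknown (ISE would
    reject a request from an address that is not in its network-device list).
    """
    src = ip_address(str(src_ip))
    for name, net in device_list.items():
        if src in net:
            return name
    return None


def tacacs_request(nad_ip, device_list, use_snat):
    """Simulate one TACACS+ authentication from nad_ip, via the F5, to a PSN."""
    seen_ip = apply_snat(nad_ip) if use_snat else ip_address(nad_ip)
    return {
        "nad_ip": str(nad_ip),
        "seen_by_psn": str(seen_ip),
        "device_entry": lookup_device(seen_ip, device_list),
    }


def coa_would_reach_nad(request):
    """RADIUS CoA is sent back to the address ISE learned the request from.

    With SNAT that is the F5 address, not the switch, so the CoA never reaches
    the real NAD. TACACS+ has no CoA, which is why SNAT is fine for device
    administration but not for RADIUS flows that depend on CoA.
    """
    return request["seen_by_psn"] == request["nad_ip"]


if __name__ == "__main__":
    for nad in ("10.1.1.1", "10.1.2.1"):
        direct = tacacs_request(nad, PER_DEVICE_LIST, use_snat=False)
        snatted = tacacs_request(nad, CATTLE_LIST, use_snat=True)
        print(nad, "direct ->", direct["device_entry"],
              "| SNAT ->", snatted["device_entry"],
              "| CoA reachable after SNAT:", coa_would_reach_nad(snatted))
```

Running it shows the two halves of the reply: with SNAT and a per-device list the PSN sees an unknown address and would reject the request, so the single F5 entry is what makes the design work; every NAD then matches that one entry (same policy for all), and the only thing lost is the ability to push a CoA back to the real device, which TACACS+ device administration never needs.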
03-11-2019 03:26 PM