Load Balancing Radius traffic to ISE

MAMO
Level 1

Hi ISE Team,

As far as I understand, to use multiple PSNs I need to place a load balancer in front of the PSNs. I'd like to use a "central" load balancer with source NAT by adding a new Radius AV pair with the source IP (or tell ISE to use an already existing attribute for the source IP). Is that possible, i.e. can I tell ISE to use a Radius attribute as the source IP of the connection instead of the UDP packet IP?

Thank you

Markus

Accepted Solutions

Please reach out to your Cisco sales team and ask them to add your company's name to the following enhancement.

User Story 8601 : CoA support for NAT'ed load balanced environments

8 Replies

Timothy Abbott
Cisco Employee

Markus,

Please see the below document for additional information on load balancing with ISE.

ISE Load Balancing

Regards,

-Tim

Hi Tim,

I looked at the documents already and did not find it (or did I overlook it?), i.e. I saw the F5 SNAT option for communication from the PSNs back to the switch. But I am interested in the other way round, from the switch to the PSN.

Thank you

Markus

Not supported today IF you need functions like CoA to work. The reasons are discussed in the guide as well as the reference version of BRKSEC-3699 posted to CiscoLive.com. The short reason is that CoA is returned to the NAD IP, which ISE believes to be the LB in the SNAT case. The LB drops it as there is no other destination in the packet header. Please reach out to your Cisco sales team and ask them to add your company's name to the following enhancement.

User Story 8601 : CoA support for NAT'ed load balanced environments

Regards,
Craig

Hi Craig,

Thank you for the information. I'll check the CoA case, which I am also interested in.

But CoA is from the PSN to the switch. I am looking for the other direction, i.e. when the switch sends the Radius request to the LB and the LB to a PSN.

Markus

Yes. I am referring to the same use case. Forget about the SNAT for CoA for the moment. The issue is SNAT for NAD will cause all CoA to fail, regardless of whether you choose to SNAT CoA or not. Be sure to review BRKSEC-3699 (reference version). My summation statement is...

SNAT for NAD is BAD

SNAT for CoA is OK.

Hi Chyps,

Apologies, I looked at the wrong pages. I see now on page 279 the comment

NAS IP Address is correct, but not currently used for CoA

So what do I have to do to support an enhancement request to use the NAS-IP? Where do I find details about

User Story 8601 : CoA support for NAT'ed load balanced environments

Thank you

Markus

Please reach out to your Cisco sales team and ask them to add your company's name to the following enhancement.

User Story 8601 : CoA support for NAT'ed load balanced environments

Will do

Thank you

Markus