Load-balanced ISE - sharing persistence for RADIUS auth/acct VIPs

andrewswanson
Level 7

Hi

I have ISE PSNs load balanced with a Citrix MPX - there are 2 VIPs (same IP) for RADIUS authentication and accounting. These VIPs have the same persistence rules (calling-id with a backup of nas-ip).


I've noticed the following syslog messages in ISE RADIUS accounting for some clients:


Audit session was not found
Accounting start was received for non-existing session


I thought this may have something to do with some clients authenticating against one psn and the accounting traffic being sent to another. I confirmed this by modifying a NAD switch to use a particular PSN IP rather than the loadbalanced VIP for RADIUS. With this config in place, there were no more syslogs like the ones above.


I'm looking at the netscaler documentation below to share persistent sessions between the 2 RADIUS auth/acct VIPs so that a client's auth/acct traffic always hits the same psn for both services.


https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-persistence/sharing-persistent-sessions.html


Has anyone else come across this issue and, if so, am I on the right track?


Thanks
Andy

1 Reply

andrewswanson
Level 7

"Persistency Groups" on the Netscaler look to be the equivalent of F5's "match across services" (used in Cisco's ISE and F5 documentation) for persistence sharing between VIPs.


I tested this on the Netscaler by:

  • Created a Persistency Group under Traffic Management > Load Balancing > Persistency Group
  • Added persistence settings to the group:
    Rule - CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(4)
  • Added the ISE RADIUS authentication and accounting VIPs to the Persistency Group.


This seems to have solved the issue and now RADIUS authentication and accounting traffic are sent to the same psn for a given Calling-Station-Id.


Cheers
Andy


PS: to check the persistency group is working as expected on the Netscaler I used the command "show lb persistentSessions <NAME_OF_PERSISTENCY_GROUP>" - this displays the Calling-Station-Ids and the mapped PSN used for both RADIUS authentication and accounting.
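To illustrate why separate per-VIP persistence tables split a client's auth and accounting across PSNs while a shared table (the Persistency Group above) keeps them together, here is an added simulation that is not part of the post or of Citrix's code. It assumes NetScaler's `+` in the rule concatenates the Calling-Station-Id (attribute 31) and NAS-IP-Address (attribute 4) strings, and it stands in for the MPX's real load-balancing method with simple round-robin for unseen keys; the RADIUS packets are constructed, not captured.

```python
import struct
from itertools import cycle

# Attribute types named in the NetScaler rule: 31 = Calling-Station-Id, 4 = NAS-IP-Address.
CALLING_STATION_ID, NAS_IP_ADDRESS = 31, 4

def avp(attr_type, value):
    """One RADIUS attribute TLV: type, total length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def radius_packet(code, attrs):
    """Constructed packet: 20-byte header (code, id, length, zeroed authenticator) + TLVs."""
    body = b"".join(avp(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

def radius_attrs(packet):
    """Parse the TLVs after the header; keep the first value of each type."""
    attrs, off = {}, 20
    while off + 2 <= len(packet):
        t, length = packet[off], packet[off + 1]
        if length < 2 or off + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(t, packet[off + 2:off + length])
        off += length
    return attrs

def persistence_key(packet):
    """Assumed meaning of CLIENT.UDP.RADIUS.ATTR_TYPE(31)+CLIENT.UDP.RADIUS.ATTR_TYPE(4): concatenation."""
    a = radius_attrs(packet)
    return a.get(CALLING_STATION_ID, b"") + a.get(NAS_IP_ADDRESS, b"")

class Vip:
    """Round-robin for unseen keys, sticky afterwards (a simplification of the MPX).
    One table shared by both VIPs models a Persistency Group; separate tables model the original setup."""
    def __init__(self, psns, table=None):
        self.rr, self.table = cycle(psns), {} if table is None else table
    def route(self, packet):
        key = persistence_key(packet)
        if key not in self.table:
            self.table[key] = next(self.rr)
        return self.table[key]

def route_clients(shared):
    """Auth arrives for A then B, accounting for B then A; returns {client: (auth_psn, acct_psn)}."""
    nas, a_id, b_id = bytes([10, 0, 0, 1]), b"00-11-22-33-44-55", b"66-77-88-99-aa-bb"
    table = {} if shared else None
    auth_vip, acct_vip = Vip(["psn1", "psn2"], table), Vip(["psn1", "psn2"], table)
    auth = {c: auth_vip.route(radius_packet(1, [(31, i), (4, nas)])) for c, i in (("A", a_id), ("B", b_id))}
    acct = {c: acct_vip.route(radius_packet(4, [(31, i), (4, nas)])) for c, i in (("B", b_id), ("A", a_id))}
    return {c: (auth[c], acct[c]) for c in "AB"}
```

`route_clients(False)` reproduces the symptom from the first post (client B's accounting lands on a PSN that never saw its authentication), while `route_clients(True)` returns matching PSNs for both clients.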