03-11-2024 11:39 AM
Hi team,
I'm currently looking into how to use nginx (open source, on prem version) as a loadbalancer together with Cisco ISE.
The switch environment is Meraki switches.
One thing that is confusing me is how to solve the transparent configuration, but still keep direct routing when it comes to CoA.
The setup is as follows:
Meraki access policy configured with RADIUS servers toward both ISE PSN node, as well as nginx load balancer.
Nginx is configured in "transparent" mode, so the real NAD IP will be kept towards ISE.
However, the return traffic from nginx toward NAD is coming from ISE directly, which Meraki switch seems to not handle great as the authentication fails as the routing is assymetric.
nginx official documentation says that i should put the default GW in real server (ISE) towards NGINX, and this should solve the routing issue. But if i do that, CoA won't work, right?
So i'm kind of in a "catch 22".
Im confident this has been solved many times but i cant find any information around it unfortunately.
Thanks in advance!
Solved! Go to Solution.
03-12-2024 02:17 PM
Yes, I meant CoA traffic initiated from the PSN (I updated the prior response, thanks).
The load balancer must be logically inline between the network device and PSN, so it would have two interfaces; one 'outside' (facing the NAD) and one 'inside' facing the PSN. The inside interface and PSN would be on the same subnet and the PSN would use that for it's gateway, so there would be no asymmetric routing. CoA traffic from the PSN would be SNATed to the outside interface.
03-11-2024 04:11 PM - edited 03-12-2024 02:13 PM
It is common to use SNAT for CoA traffic initiated by the PSN as described in the RADIUS CoA Handling section in this guide.
While the guide is written for an F5 Load Balancer, the same topics and strategies apply for all load balancers. However, some features discussed (like RADIUS/TACACS+ health checks) may not be possible with some load balancer platforms.
03-11-2024 11:39 PM - edited 03-12-2024 12:56 AM
Thanks! I think you mean CoA traffic initiated from the PSN, not the NAD?
I will try this, but then the load balancer and PSN needs to be in diffrent network so NAT can be enabled.
However, this doesnt solve the routing issue? Communication towards PSN go through LB, but return traffic goes from PSN towards NAD directly. Isnt this a problem?
03-12-2024 02:17 PM
Yes, I meant CoA traffic initiated from the PSN (I updated the prior response, thanks).
The load balancer must be logically inline between the network device and PSN, so it would have two interfaces; one 'outside' (facing the NAD) and one 'inside' facing the PSN. The inside interface and PSN would be on the same subnet and the PSN would use that for it's gateway, so there would be no asymmetric routing. CoA traffic from the PSN would be SNATed to the outside interface.
03-11-2024 08:14 PM
Have the checked the Meraki logs? I don't think that you would run into CoA issues. But I suggest checking with the Meraki Community space or logging a case with them if you see any CoA issues.
If you find this useful, please mark it helpful and accept the solution.
03-12-2024 04:36 PM
Also see
02:15 What is a proxy server?
03:10 What is a reverse proxy server?
03:49 Load Balancing to many ISE PSNs and Groups
04:44 Load Balancing Methods: Round Robin, Weighted RR, Hash, Least Connections, Least Time to Connect (first byte, last byte), Random
07:45 Health Checks / Monitoring
08:45 Session Persistence/Affinity/Stickiness and 2/3/5-tuples
11:48 Source NAT for RADIUS Change of Authorization
13:00 Run ISE on the Public Cloud Providers
13:32 Native Cloud Load Balancers Comparison
14:42 Demo Lab Topology
14:54 AWS Network Load Balancer
16:40 Demo: Using radtest to simulate 100 RADIUS sessions with ISE
18:30 Demo: Using Log Analytics (ISE 3.2+) for summarizing RADIUS authentications and sessions
20:50 Demo: AWS Console for Load Balancers & Target Groups
25:40 Azure Standard Load Balancer: https://learn.microsoft.com/en-us/azure/load-balancer/
26:44 Demo: Azure Load Balancer
28:32 Demo: Azure Portal for Load Balancer and Backend Pools
30:28 Oracle Flexible Network Load Balancer (1 free load balancer per month!)
32:25 Demo: Oracle Load Balancer
36:55 Open Source Load Balancers Comparison: NGINX & traefik
38:39 Demo: NGINX Plus with NGINX App Protect
49:48 Demo: Traefik Configuration
54:27 Demo: ISE Infrastructure Monitoring with Prometheus data from Traefik
56:04 IOS-XE Server Load Balancing (see repository)
56:10 ISEDemoLab Repository: https://github.com/ISEDemoLab/
57:17 Question: How to handle RADIUS COA traffic from very large networks?
Resources:
GitHub Repository for Configurations : https://github.com/ISEDemoLab/Cloud_Based_Load_Balancers
ISE Deployment & Load Balancing: https://cs.co/ise-lb-bp
ISE with F5: https://cs.co/ise-f5
IOS-XE RADIUS Configuration Guide: https://cs.co/ios-lb
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide