My Devices Portal with Multiple PSNs F5 Load Balanced

Chris Terry
Level 1

We have a 6 node ISE deployment, which includes 4 PSNs. They are load balanced via an F5 load balancer

For the My Devices Portal setup would I need to create a new F5 VIP and load balance it between the PSNs I choose?

Is there an option besides creating a new F5 VIP? I ask because with the PSNs being load balanced their default route is pointing back towards the F5 gateway.

Accepted Solution

Chris Terry
Level 1

It only worked after I had a VIP created for port 443 as well.


7 Replies

Nancy Saini
Cisco Employee

You would need virtual IP on LB as it will serve as a catch all for these traffic flows and perform IP forwarding.

MDM, being a URL-redirected web service, uses ISE sessionization. It uses an Audit Session ID to track the lifecycle of an endpoint’s connection between a network access device and a specific PSN. URL Redirection with sessionization requires that endpoints are redirected to the specific PSN that “owns” the session. During RADIUS authorization, the PSN processing the connection may return a URL Redirect that includes its own FQDN and unique Audit Session ID. This tells the client exactly which PSN to attempt direct HTTPS access to, and informs the receiving PSN which specific RADIUS session the request pertains to.

Reference : https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

Damien Miller
VIP Alumni

You don't need a new VIP for portals; they can use the same VIP as RADIUS, but you would want to define a virtual server for port 8443. Source IP persistence takes care of this use case. Your My Devices portal FQDN should resolve to the F5 VIP.

So that would be using the same VIP, but configure the virtual for 8443? Would the pool members also be configured for 8443?

For the Source IP Persistence are you referring to SNAT being turned off or setting the persistence profile to use source address?

Chris Terry
Level 1

I got a VIP set up. The URL/FQDN for the portal is reachable, but I keep getting an error: "[ 404 ] Resource Not Found. The resource requested cannot be found."

I have two interfaces on my ISE VMs. One being GigabitEthernet 0 for the management interface and the other being GigabitEthernet 1 facing the F5 load balancer. Does the portal need to be using the Gig 1 interface?

You can have the portal hosted on Gig1.

Are you load balancing only RADIUS traffic? The initial authentication request and the web redirection should happen on the same PSN. Check whether the RADIUS request and the web redirection are happening on the same PSN.

I'm testing it out on the test deployment we have which is two nodes. We do have VIPs for RADIUS. The issue I can see is that it's just going to https://<URL>:8443/portal/ instead of https://<URL>:8443/mydevices/PortalSetup.action?portal=..........

Chris Terry
Level 1

It only worked after I had a VIP created for port 443 as well.
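The configuration the thread converges on (Damien's advice to reuse the RADIUS VIP address with a virtual server on 8443 and source-address persistence, plus the accepted solution's additional virtual on 443) can be expressed as BIG-IP tmsh commands. This is an added example, not configuration posted in the thread or taken from the Cisco/F5 deployment guide; the VIP address 10.1.1.100, the PSN addresses 10.1.1.11 and 10.1.1.12, and all pool and virtual server names are constructed placeholders, and the commands are entered from the BIG-IP bash shell.

```tmsh
# Assumed addressing (constructed for this example):
#   10.1.1.100   = existing F5 VIP address that the My Devices portal FQDN resolves to
#   10.1.1.11/12 = the PSNs chosen to host the portal (Gig1 side, facing the F5)

# Pool of PSN portal listeners on 8443 (the ISE portal port used in the thread),
# health-checked with the built-in https monitor
tmsh create ltm pool pool_ise_portal_8443 members add { 10.1.1.11:8443 10.1.1.12:8443 } monitor https

# Virtual server on the same VIP address, port 8443, with the built-in
# source_addr persistence profile so a client keeps landing on the same PSN
tmsh create ltm virtual vs_ise_portal_8443 destination 10.1.1.100:8443 ip-protocol tcp pool pool_ise_portal_8443 persist replace-all-with { source_addr } profiles add { tcp }

# Second pool and virtual on 443, which the accepted solution reports was also
# required before the portal URL worked
tmsh create ltm pool pool_ise_portal_443 members add { 10.1.1.11:443 10.1.1.12:443 } monitor https
tmsh create ltm virtual vs_ise_portal_443 destination 10.1.1.100:443 ip-protocol tcp pool pool_ise_portal_443 persist replace-all-with { source_addr } profiles add { tcp }

# Verify the objects and member health before testing the portal FQDN
tmsh list ltm virtual vs_ise_portal_8443
tmsh list ltm virtual vs_ise_portal_443
tmsh show ltm pool pool_ise_portal_8443 members
tmsh show ltm pool pool_ise_portal_443 members
```

The `persist replace-all-with { source_addr }` clause is the "persistence profile set to source address" option asked about in the thread; it is independent of SNAT, which is controlled by the virtual server's `source-address-translation` setting and is left at its default here. Pool members are defined on the same port as the virtual server, answering the question of whether the members also need to be configured for 8443.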