06-28-2023 09:48 AM
We have a 6-node ISE deployment, which includes 4 PSNs. They are load balanced via an F5 load balancer.
For the My Devices Portal setup, would I need to create a new F5 VIP and load balance it between the PSNs I choose?
Is there an option besides creating a new F5 VIP? I ask because with the PSNs being load balanced their default route is pointing back towards the F5 gateway.
06-28-2023 10:17 AM
You would need a virtual IP on the LB, as it will serve as a catch-all for these traffic flows and perform IP forwarding.
MDM, being a URL-redirected web service, uses ISE sessionization. It uses an Audit Session ID to track the lifecycle of an endpoint's connection between a network access device and a specific PSN. URL redirection with sessionization requires that endpoints are redirected to the specific PSN that "owns" the session. During RADIUS authorization, the PSN processing the connection may return a URL redirect that includes its own FQDN and the unique Audit Session ID. This tells the client exactly which PSN to attempt direct HTTPS access to, and informs the receiving PSN which specific RADIUS session the request pertains to.
06-28-2023 02:08 PM
You don't need a new VIP for portals; they can use the same VIP as RADIUS, but you would want to define a virtual server for port 8443. Source IP persistence takes care of this use case. Your My Devices portal FQDN should resolve to the F5 VIP.
06-28-2023 02:57 PM
So that would be using the same VIP, but configure the virtual for 8443? Would the pool members also be configured for 8443?
For the Source IP Persistence are you referring to SNAT being turned off or setting the persistence profile to use source address?
06-28-2023 04:17 PM
I got a VIP set up. The URL/FQDN for the portal is reachable, but I keep getting an error: "[ 404 ] Resource Not Found. The resource requested cannot be found."
I have two interfaces on my ISE VMs: one is GigabitEthernet 0, the management interface, and the other is GigabitEthernet 1, facing the F5 load balancer. Does the portal need to be using the Gig 1 interface?
06-29-2023 11:01 AM
You can have the portal hosted on Gig 1.
Are you load balancing only RADIUS traffic? The initial authentication request and the web redirection should happen on the same PSN. Check whether the RADIUS request and the web redirection are happening on the same PSN.
06-29-2023 11:56 AM
I'm testing it out on the test deployment we have which is two nodes. We do have VIPs for RADIUS. The issue I can see is that it's just going to https://<URL>:8443/portal/ instead of https://<URL>:8443/mydevices/PortalSetup.action?portal=..........
07-05-2023 08:03 AM
It only worked after I had a VIP created for port 443 as well.
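The F5 side of what this thread converges on (the 02:08 PM reply's "same VIP, virtual server on 8443, source-address persistence" plus the accepted answer's "a VIP on 443 as well"), written out as an added example in BIG-IP `bigip.conf` merge format. It is not configuration from the thread or from Cisco/F5; every address, object name and the interface layout is a hypothetical stand-in: the VIP 10.1.20.10 is assumed to be the existing ISE VIP that already carries the RADIUS virtuals (not shown), the PSNs are assumed to be 10.1.10.11 and 10.1.10.12 on GigabitEthernet 1 with their default route pointing at the BIG-IP (so SNAT stays off, matching the original poster's setup), and mydevices.example.com is assumed to be the FQDN configured on the My Devices portal in ISE and to resolve to the VIP.

```tmsh
# Added example, not from the thread. Names, addresses and subnets are hypothetical.
# Load with:  tmsh load sys config merge file /var/tmp/ise_portal.conf

ltm node psn1 { address 10.1.10.11 }
ltm node psn2 { address 10.1.10.12 }

# Pool members on the portal port, not on the RADIUS ports the existing pools use.
ltm pool ise_mydevices_8443 {
    members {
        psn1:8443 { address 10.1.10.11 }
        psn2:8443 { address 10.1.10.12 }
    }
    monitor tcp
}

# ISE answers the portal FQDN on 443 and redirects the browser to
# https://<fqdn>:8443/mydevices/PortalSetup.action?portal=<id>. Without a 443
# virtual that redirect never happens, and a bare https://<fqdn>:8443/ URL
# is not a portal path, which is the 404 seen in the thread.
ltm pool ise_mydevices_443 {
    members {
        psn1:443 { address 10.1.10.11 }
        psn2:443 { address 10.1.10.12 }
    }
    monitor tcp
}

# Source-address persistence: a browser that logged in on psn1 keeps landing on
# psn1 for the life of its portal session. match-across-virtuals also keeps the
# 443 hit and the 8443 follow-up on the same PSN (not strictly required, since
# the portal ID in the redirect is the same on every PSN, but it keeps the
# persistence table easy to read while troubleshooting).
ltm persistence source-addr ise_portal_srcaddr {
    defaults-from source_addr
    match-across-virtuals enabled
    timeout 3600
}

# Plain TCP passthrough (no client-ssl profile): the PSN presents the portal
# certificate itself, so the BIG-IP never terminates TLS for the portal.
# source-address-translation is none because the PSNs route back via the BIG-IP.
ltm virtual ise_mydevices_443 {
    destination 10.1.20.10:443
    ip-protocol tcp
    mask 255.255.255.255
    persist { ise_portal_srcaddr { default yes } }
    pool ise_mydevices_443
    profiles { tcp { } }
    source-address-translation { type none }
}

ltm virtual ise_mydevices_8443 {
    destination 10.1.20.10:8443
    ip-protocol tcp
    mask 255.255.255.255
    persist { ise_portal_srcaddr { default yes } }
    pool ise_mydevices_8443
    profiles { tcp { } }
    source-address-translation { type none }
}
```

Checks worth running once this is merged: `curl -skI https://mydevices.example.com/` from a client should return a 302 whose `Location` is `https://mydevices.example.com:8443/mydevices/PortalSetup.action?portal=...` rather than a 404; `tmsh show ltm persistence persist-records` on the BIG-IP should show the client's address pinned to one PSN on both virtuals; and on the ISE side the portal's Portal Settings must list GigabitEthernet 1 under the allowed interfaces and carry the same FQDN, which also has to appear in the SAN of the certificate tagged for the portal, or browsers will warn because the PSN, not the F5, is the TLS endpoint. This only covers portals reached by FQDN (My Devices, Sponsor); as the 10:17 AM reply explains, redirected flows such as CWA or BYOD send the client to the owning PSN's own FQDN and bypass the VIP entirely.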