Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1507
Views
3
Helpful
7
Replies

My Devices Portal with Multiple PSNs F5 Load Balanced

Go to solution
Chris Terry
Level 1
Level 1

‎06-28-2023 09:48 AM

We have a 6 node ISE deployment, which includes 4 PSNs. They are load balanced via an F5 load balancer

For the My Devices Portal setup would I need to create a new F5 VIP and load balance it between the PSNs I choose?

Is there an option besides creating a new F5 VIP? I ask because with the PSNs being load balanced their default route is pointing back towards the F5 gateway.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Chris Terry
Level 1
Level 1

‎07-05-2023 08:03 AM

It only worked after I had a VIP created for port 443 as well.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎06-28-2023 10:17 AM

You would need virtual IP on LB as it will serve as a catch all for these traffic flows and perform IP forwarding.

MDM being a URL-redirected web services uses ISE sessionization. It uses an Audit Session ID to track the lifecycle of an endpoint’s connection between a network access device and a specific PSN. URL Redirection with sessionization requires that endpoints are redirected to a specific PSN that “owns” the session. During RADIUS authorization, the PSN processing the connection may return a URL Redirect that includes its own FQDN and unique Audit Session ID. This tells the client exactly which PSN to attempt direct HTTPS access and informs the receiving PSN which specific RADIUS session the request pertains.

Reference : https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎06-28-2023 02:08 PM

You don't need a new VIP for portals, they can use the same VIP as RADIUS, but you would want to define a virtual server for port 8443. Source IP persistence takes care of this use case. Your my devices portal fqdn should resolve the F5 VIP. 

Go to solution
Chris Terry
Level 1
Level 1
In response to Damien Miller

‎06-28-2023 02:57 PM

So that would be using the same VIP, but configure the virtual for 8443? Would the pool members also be configured for 8443?

For the Source IP Persistence are you referring to SNAT being turned off or setting the persistence profile to use source address?

0 Helpful

Go to solution
Chris Terry
Level 1
Level 1

‎06-28-2023 04:17 PM

I got a VIP set up. The URL/FQDN for the portal is reachable, but I keep getting an error: "[ 404 ] Resource Not Found. The resource requested cannot be found."

I have two interfaces on my ISE VMs. One being GigabitEthernet 0 for the management interface and the other being GigabitEthernet 1 facing the F5 load balancer. Does the portal need to be using the Gig 1 interface?

0 Helpful

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee
In response to Chris Terry

‎06-29-2023 11:01 AM

You can have portal hosted on gig1.

Are you load balancing only RADIUS traffic? The initial authentication request and the web redirection should happen on the same PSN. Check if the RADIUS request and the web redirection is happening on the same PSN.

Go to solution
Chris Terry
Level 1
Level 1
In response to Nancy Saini

‎06-29-2023 11:56 AM

I'm testing it out on the test deployment we have which is two nodes. We do have VIPs for RADIUS. The issue I can see is that it's just going to https://<URL>:8443/portal/ instead of https://<URL>:8443/mydevices/PortalSetup.action?portal=..........

0 Helpful

Go to solution
Chris Terry
Level 1
Level 1

‎07-05-2023 08:03 AM

It only worked after I had a VIP created for port 443 as well.

0 Helpful
Customers Also Viewed These Support Documents
Top