06-28-2023 09:48 AM
We have a 6-node ISE deployment, which includes 4 PSNs. They are load balanced via an F5 load balancer.
For the My Devices Portal setup would I need to create a new F5 VIP and load balance it between the PSNs I choose?
Is there an option besides creating a new F5 VIP? I ask because with the PSNs being load balanced their default route is pointing back towards the F5 gateway.
Accepted Solutions
07-05-2023 08:03 AM
It only worked after I had a VIP created for port 443 as well.
06-28-2023 10:17 AM
You would need a virtual IP on the LB, as it will serve as a catch-all for these traffic flows and perform IP forwarding.
MDM, being a URL-redirected web service, uses ISE sessionization. It uses an Audit Session ID to track the lifecycle of an endpoint’s connection between a network access device and a specific PSN. URL Redirection with sessionization requires that endpoints are redirected to a specific PSN that “owns” the session. During RADIUS authorization, the PSN processing the connection may return a URL Redirect that includes its own FQDN and unique Audit Session ID. This tells the client exactly which PSN to attempt direct HTTPS access to and informs the receiving PSN which specific RADIUS session the request pertains to.
06-28-2023 02:08 PM
You don't need a new VIP for portals; they can use the same VIP as RADIUS, but you would want to define a virtual server for port 8443. Source IP persistence takes care of this use case. Your My Devices portal FQDN should resolve to the F5 VIP.
06-28-2023 02:57 PM
So that would be using the same VIP, but configure the virtual for 8443? Would the pool members also be configured for 8443?
For the Source IP Persistence, are you referring to SNAT being turned off or setting the persistence profile to use source address?
06-28-2023 04:17 PM
I got a VIP set up. The URL/FQDN for the portal is reachable, but I keep getting an error: "[ 404 ] Resource Not Found. The resource requested cannot be found."
I have two interfaces on my ISE VMs. One being GigabitEthernet 0 for the management interface and the other being GigabitEthernet 1 facing the F5 load balancer. Does the portal need to be using the Gig 1 interface?
06-29-2023 11:01 AM
You can have the portal hosted on gig1.
Are you load balancing only RADIUS traffic? The initial authentication request and the web redirection should happen on the same PSN. Check if the RADIUS request and the web redirection are happening on the same PSN.
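One way to run the same-PSN check suggested above, and to see the session ownership described in the earlier reply, is to correlate the Audit Session ID in each portal request with the PSN that handled RADIUS. This is an added example, not part of the thread or of any Cisco or F5 tooling; the hostnames, session IDs and the record layout are constructed, and `sessionId` is assumed to be the query parameter carrying the Audit Session ID.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: hostnames and session IDs are hypothetical.
# Audit Session ID -> PSN that processed the RADIUS authorization.
RADIUS_OWNER = {
    "0A0A0A0100000012AB34CD56": "psn1.example.com",
    "0A0A0A0100000013AB34CD57": "psn2.example.com",
}

def classify(url, served_by, owners=RADIUS_OWNER):
    """Compare the PSN that served a portal request with the session owner."""
    parts = urlsplit(url)
    session_ids = parse_qs(parts.query).get("sessionId", [])
    if not session_ids:
        return "no-session-id"        # request carries no Audit Session ID
    owner = owners.get(session_ids[0])
    if owner is None:
        return "unknown-session"      # no RADIUS session with this ID
    if served_by.lower() != owner:
        return "wrong-psn"            # load balancer sent it to a non-owner
    if (parts.hostname or "").lower() != owner:
        return "host-not-owner"       # right node, but URL named the VIP
    return "ok"

def audit(hits, owners=RADIUS_OWNER):
    """Return (url, served_by, verdict) for every portal request record."""
    return [(u, s, classify(u, s, owners)) for u, s in hits]

# Constructed records: (URL the client requested, PSN that answered).
BASE = "/portal/gateway?sessionId="
SAMPLE_HITS = [
    ("https://psn1.example.com:8443" + BASE + "0A0A0A0100000012AB34CD56&action=cwa",
     "psn1.example.com"),
    ("https://portal.example.com:8443" + BASE + "0A0A0A0100000013AB34CD57&action=cwa",
     "psn1.example.com"),
    ("https://portal.example.com:8443" + BASE + "0A0A0A0100000013AB34CD57&action=cwa",
     "psn2.example.com"),
    ("https://portal.example.com:8443/portal/", "psn2.example.com"),
]

if __name__ == "__main__":
    for url, served_by, verdict in audit(SAMPLE_HITS):
        print(f"{verdict:15} served_by={served_by} {url}")
```

A `wrong-psn` verdict means the web request landed on a node other than the one that handled RADIUS for that session; `host-not-owner` means persistence happened to pick the right node even though the URL pointed at the VIP name.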
06-29-2023 11:56 AM
I'm testing it out on the test deployment we have which is two nodes. We do have VIPs for RADIUS. The issue I can see is that it's just going to https://<URL>:8443/portal/ instead of https://<URL>:8443/mydevices/PortalSetup.action?portal=..........
