PEAP/EAP RADIUS Failure Behind F5 VIP with Cisco ISE and Meraki

Working on PEAP Authentication with PSNs behind the F5 Load Balancer

Current Setup:

  • Client Flow:
    Wireless Client → Meraki SSID (802.1X with PEAP)
    Meraki Switch → Core Switch → F5 Load Balancer (BIG-IP)
  • F5 Configuration:
    VIP (RADIUS): 10.1.1.220:1812 (No SNAT)
    F5 Internal Self-IP: 10.2.2.30
    Load balancing RADIUS traffic to:
  • Cisco ISE PAN: 10.1.1.43

Issue:

When the Meraki SSID sends RADIUS traffic to the F5 VIP, PEAP authentication fails with:

  • ISE Logs: 12930 / 5411 – "Supplicant stopped responding to ISE"
  • ISE shows the first packet lands on one PSN, but the next EAP step doesn’t come back

[image: vishnuvardhangollapudi_0-1746810962426.png]

However, if I configure Meraki to point directly to either PSN1 or PSN2, PEAP works flawlessly — the full EAP exchange stays on the same PSN.

Looking for Guidance:

Has anyone successfully configured F5 load balancing for PEAP RADIUS traffic from Meraki and managed to maintain EAP session persistence?

Any insights or tips are much appreciated! I'm happy to share the final working config with the community once resolved.

14 Replies

Hi @vishnuvardhan-gollapudi ,

Have you checked whether the problem is "... the next EAP step doesn't come back ..." or whether the 1st EAP Response from ISE did not reach Meraki?

Regards

I did a packet capture using Wireshark; the RADIUS request from the Meraki switch is definitely reaching the F5 VIP. I also confirmed that the same request is visible between the Meraki switch and ISE directly.

However, when going through F5, the traffic doesn't reach the PSNs (ISE nodes). I only see F5 sending health check probe pings to the PSNs, but no actual RADIUS traffic.

Appreciate any further insights.

Please go through these images:

[image: vishnuvardhangollapudi_0-1747058028715.png]
[image: vishnuvardhangollapudi_1-1747058036956.png]

Hi

Have you tried changing your persistence from rule based to simple "source IP" as a test?

hth
Andy

Yes, I did try changing the persistence to use the NAS IP address, but unfortunately, it still didn’t work. The issue with PEAP session continuity remained.
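The replies above turn on which field the F5 persistence rule keys on so that every packet of one PEAP exchange lands on the same PSN. The following Python is an added example, not code from this thread, from F5 or from Cisco: it parses a RADIUS Access-Request and derives a persistence key three ways (NAS-IP-Address, Calling-Station-Id, or the State attribute the server issues on Access-Challenge and the NAS echoes on every follow-up). The attribute type numbers are the standard ones from RFC 2865/2869; the sample packets, the NAS address 192.0.2.10, the client MAC and the zeroed authenticators are constructed here and are not values from the poster's network.

```python
"""Derive a RADIUS persistence key from the attributes of an Access-Request.

Added example, not code from the thread or from F5/Cisco. Attribute numbers are
the standard ones (RFC 2865/2869); sample packets below are constructed and use
zeroed placeholder authenticators.
"""
import struct
import ipaddress

CODE_ACCESS_REQUEST = 1
HEADER_LEN = 20  # Code, Identifier, Length, 16-byte Authenticator

# Standard RADIUS attribute types
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_STATE = 24
ATTR_CALLING_STATION_ID = 31
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_access_request(identifier, attrs):
    """Assemble an Access-Request from (type, value) pairs; constructed test input only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + b"\x00" * 16 + body  # zeroed Request Authenticator: placeholder


def parse_attributes(packet):
    """Return (code, identifier, {type: [value, ...]}); rejects malformed length fields."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, identifier, attrs


def is_eap_request(packet):
    """True when the request carries EAP-Message, i.e. the exchange needs stickiness."""
    _, _, attrs = parse_attributes(packet)
    return ATTR_EAP_MESSAGE in attrs


def persistence_key(packet, mode="state"):
    """Persistence key under one of three strategies.

    'nas_ip'          -> NAS-IP-Address (coarse: every client behind one NAS sticks together)
    'calling_station' -> Calling-Station-Id, the supplicant MAC (per-client stickiness)
    'state'           -> State attribute echoed by the NAS after an Access-Challenge; falls
                         back to calling_station on the first packet, where no State exists yet
    """
    _, _, attrs = parse_attributes(packet)
    if mode == "nas_ip":
        raw = attrs.get(ATTR_NAS_IP_ADDRESS, [b""])[0]
        if len(raw) != 4:
            raise ValueError("NAS-IP-Address missing or malformed")
        return str(ipaddress.IPv4Address(raw))
    if mode == "calling_station":
        raw = attrs.get(ATTR_CALLING_STATION_ID)
        if not raw:
            raise ValueError("Calling-Station-Id missing")
        return raw[0].decode("ascii", errors="replace")
    if mode == "state":
        raw = attrs.get(ATTR_STATE)
        if raw:
            return raw[0].hex()
        return persistence_key(packet, "calling_station")
    raise ValueError(f"unknown persistence mode {mode!r}")


def sample_first_request():
    """Constructed first PEAP packet: EAP Response/Identity, no State attribute yet."""
    eap_identity = b"\x02\x01\x00\x09\x01user"  # EAP Response (2), id 1, length 9, type Identity
    return build_access_request(7, [
        (ATTR_USER_NAME, b"user"),
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),  # constructed NAS
        (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),                     # constructed MAC
        (ATTR_EAP_MESSAGE, eap_identity),
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),                          # placeholder HMAC
    ])


def sample_followup_request():
    """Constructed second packet of the same exchange: the NAS echoes the server's State."""
    return build_access_request(8, [
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
        (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
        (ATTR_STATE, b"\x01\x02\x03\x04"),                                   # constructed State
        (ATTR_EAP_MESSAGE, b"\x02\x02\x00\x06\x19\x00"),                     # EAP Response, type PEAP
        (ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),
    ])


if __name__ == "__main__":
    for pkt in (sample_first_request(), sample_followup_request()):
        for mode in ("nas_ip", "calling_station", "state"):
            print(mode, "->", persistence_key(pkt, mode))
```

With no SNAT on the VIP, source-IP persistence and NAS-IP persistence collapse to the same thing, since the NAS is the source; both keep one NAS on one PSN, which is sufficient for EAP as long as the pool member does not change mid-exchange. Keying on State or Calling-Station-Id gives finer spread across PSNs while still keeping each client's exchange on one node.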

Hi @vishnuvardhan-gollapudi ,

You said "... the traffic doesn't reach the PSNs (ISE nodes) ...". If F5 was sending the packet to the wrong PSN, then the "Persistence Rule" would be the next step to investigate (already mentioned by @andrewswanson), but it seems that F5 is not sending the packet to any PSN ... could you please check where F5 is sending the packet?

Hope this helps !!!

Yes, I ran a packet capture using Wireshark to trace the flow.

From what I observed:

  1. The Meraki switch (10.1.1.293) is sending the RADIUS Access-Request to the F5 VIP (10.1.1.220).

  2. Separately, I also see the Meraki switch directly hitting PSN1 (10.2.2.41)

[image: vishnuvardhangollapudi_0-1747074376667.png]

@vishnuvardhan-gollapudi ,

OK about 1. and 2., but what about the F5 VIP sending the RADIUS Access-Request to ISE?

The F5 VIP is not sending the RADIUS Access-Request to ISE at all. In my setup, the F5 internal interface (10.2.2.30) is added as a NAD in ISE, so any traffic from F5 to the PSNs would appear as coming from that IP.

However, on the ISE side, I’m only seeing the health check probe traffic with the default username f5-probe. There are no actual RADIUS Access-Requests coming from the VIP to the PSNs.

@vishnuvardhan-gollapudi ,

Got it !!!

What happens if you only add one PSN to your F5 setup (instead of two PSNs)? Still the same issue?

Yes, I tested that as well.

I disabled one PSN in the F5 pool and even powered off the same PSN to ensure all traffic goes to a single PSN, but the issue still persists. F5 still doesn't forward the RADIUS request to the active PSN.

[image: vishnuvardhangollapudi_0-1747909737953.png]

This is what I got when I checked the F5 console.

[image: vishnuvardhangollapudi_1-1747909758749.png]

This is what I got in ISE.

Use either a wildcard cert, or add a SAN to the cert of PSN1.

The issue is that the client doesn't accept the cert of the PSN.

MHM

I'm facing a similar issue ... same scenario. Can you please expatiate on how to do this? My setup is done as in the picture below. When I added the PSNs to the PAN, the certificates were imported to the PAN. Since the PSNs are managed via the PAN, is your solution applicable in this case? Am I changing the PSNs' certificate or the PAN's?

[image: anufatokun_0-1746930564416.png]