
PEAP/EAP RADIUS Failure Behind F5 VIP with Cisco ISE and Meraki

Working on PEAP Authentication with PSNs behind the F5 Load Balancer

Current Setup:

  • Client Flow:
    Wireless Client → Meraki SSID (802.1X with PEAP)
    Meraki Switch → Core Switch → F5 Load Balancer (BIG-IP)
  • F5 Configuration:
    VIP (RADIUS): 10.1.1.220:1812 (No SNAT)
    F5 Internal Self-IP: 10.2.2.30
    Load balancing RADIUS traffic to:
      • Cisco ISE PAN: 10.1.1.43

Issue:

When the Meraki SSID sends RADIUS traffic to the F5 VIP, PEAP authentication fails with:

  • ISE Logs: 12930 / 5411 – "Supplicant stopped responding to ISE"
  • ISE shows the first packet lands on one PSN, but the next EAP step doesn’t come back

However, if I configure Meraki to point directly to either PSN1 or PSN2, PEAP works flawlessly — the full EAP exchange stays on the same PSN.

Looking for Guidance:

Has anyone successfully configured F5 load balancing for PEAP RADIUS traffic from Meraki and managed to maintain EAP session persistence?

Any insights or tips are much appreciated! I'm happy to share the final working config with the community once resolved.

15 Replies

othydojo
Level 1

We used this guide to help set everything up: https://community.cisco.com/t5/security-knowledge-base/how-to-cisco-amp-f5-deployment-guide-ise-load-balancing-using/ta-p/3631159. We did this successfully, but forgot to set the Default Gateway to the internal F5 IP address. We don't do this now, but opted to use static routes directly on the servers to point the traffic back to the F5.

Example: WiFi NADs are 10.10.10.0/24, F5 VIP 10.10.11.5, internal F5 is 10.10.11.200, PSNs are 10.10.11.252 and 253.

We set static routes on the PSNs to route the 10.10.10.0/24 network through the internal F5 of 10.10.11.200.
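
The return-path check behind the reply above, as an added example that is not part of the original thread: with no SNAT the PSN sees the NAD's real source address, so its own routing table decides whether the RADIUS reply goes back through the F5. The addresses come from the reply's example; the default gateway 10.10.11.1, the NAD host 10.10.10.20 and the function names are assumptions made for illustration.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match: the gateway a host uses to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def return_path_via_f5(routes, nad_ip, f5_internal):
    """True if the PSN's reply to the NAD is routed back through the F5."""
    return next_hop(routes, nad_ip) == f5_internal

def audit(psn_tables, nad_ips, f5_internal):
    """List (psn, nad) pairs whose reply would bypass the F5."""
    return [
        (psn, nad)
        for psn, routes in sorted(psn_tables.items())
        for nad in nad_ips
        if not return_path_via_f5(routes, nad, f5_internal)
    ]

# Values from the reply's example
F5_INTERNAL = "10.10.11.200"
NAD_SUBNET = "10.10.10.0/24"

# Assumed for illustration (not in the thread)
DEFAULT_GW = "10.10.11.1"
NAD_IP = "10.10.10.20"

# Constructed routing tables: .252 has the static route, .253 is missing it
PSN_DEFAULT_ONLY = [("0.0.0.0/0", DEFAULT_GW)]
PSN_WITH_STATIC = PSN_DEFAULT_ONLY + [(NAD_SUBNET, F5_INTERNAL)]
PSN_TABLES = {
    "10.10.11.252": PSN_WITH_STATIC,
    "10.10.11.253": PSN_DEFAULT_ONLY,
}

if __name__ == "__main__":
    for psn, nad in audit(PSN_TABLES, [NAD_IP], F5_INTERNAL):
        print(f"PSN {psn}: reply to NAD {nad} bypasses the F5 "
              f"(next hop {next_hop(PSN_TABLES[psn], nad)})")
```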