Recommended and How to Perform Sticky (aka: persistence) based on Calling-Station-ID and Framed-IP-address

dcurry9131
Level 1

Hello,

I'm coming into an environment where we are going to implement a large distributed Cisco ISE architecture with dedicated primary and secondary PAN, MnT, and several PSNs in a node group. These devices will sit behind an A10 load balancer. I was reading an article, and it was recommended with regard to RADIUS and AAA traffic to perform sticky (aka persistence) based on Calling-Station-ID and Framed-IP-Address.

Can someone provide more details on this, and is there any best practice and implementation guide for this using load balancers?

Accepted Solution

Damien Miller
VIP Alumni
You might benefit from Paul's old post, which has an A10 example.
https://community.cisco.com/t5/identity-services-engine-ise/cisco-ise-loadbalancing-with-a10-loadbalancer/m-p/3424450/highlight/true#M406
The simple way would be to leverage only source IP persistence. We tend to want to avoid that since it can cause a lot of load to land on a single node if you have very large WLCs and/or stacked switches. All endpoints from a single source IP (e.g. a WLC) would persist to the same ISE node in that case.

This repo has an example aFleX/Tcl script which you may be able to build on; at least for the standard RADIUS authentication flow this would work. Because it only keys on Calling-Station-Id it would cause issues with TrustSec PAC provisioning. It would need to be modified to work in that case.
https://github.com/a10networks/aflex-collection/blob/master/calling-station-persist.tcl

Reading the F5 guide nested within the link Timothy posted could be beneficial. It explains most things relevant to RADIUS load balancing quite well.

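The difference Damien describes between source-IP persistence and Calling-Station-Id persistence, as an added worked example in Python (not part of the thread, and not the A10 aFleX script): it parses RADIUS attributes (RFC 2865) out of constructed Access-Request packets, derives a persistence key, and hashes keys onto a constructed three-PSN pool to show that with source-IP persistence every endpoint behind one WLC lands on the same node. The fallback order (Calling-Station-Id, then Framed-IP-Address, then NAS source IP), the PSN names, the WLC address and the MAC addresses are all this example's assumptions.

```python
"""
Added example (not the A10 aFleX script and not from the thread): build a
RADIUS persistence key and compare source-IP vs Calling-Station-Id stickiness.
All packets, MACs, IPs and PSN names below are constructed for illustration.
"""
import hashlib
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# RADIUS attribute type codes from RFC 2865
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
RADIUS_HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Return {attribute type: value} for the first occurrence of each attribute.

    Raises ValueError on a truncated or malformed packet so a persistence rule
    can fall through to a safe default instead of hashing garbage.
    """
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("short RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < RADIUS_HEADER_LEN or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs: Dict[int, bytes] = {}
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def persistence_key(packet: bytes, src_ip: str) -> Tuple[str, str]:
    """Choose the persistence key for one RADIUS request.

    Order is Calling-Station-Id, then Framed-IP-Address, then the NAS source
    IP.  That fallback order is this example's assumption; the thread and
    the A10 script do not specify it.
    """
    try:
        attrs = parse_attributes(packet)
    except ValueError:
        return ("source-ip", src_ip)
    if ATTR_CALLING_STATION_ID in attrs:
        # Calling-Station-Id is text; normalise MAC separators and case so
        # "AA-BB-CC-DD-EE-01" and "aa:bb:cc:dd:ee:01" persist to the same node.
        raw = attrs[ATTR_CALLING_STATION_ID].decode("ascii", "replace")
        return ("calling-station-id", raw.replace("-", ":").lower())
    framed = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    if framed is not None and len(framed) == 4:
        return ("framed-ip", str(ipaddress.IPv4Address(framed)))
    return ("source-ip", src_ip)


def choose_psn(key: str, psns: List[str]) -> str:
    """Map a key onto the PSN pool with a stable hash (a stand-in for the
    load balancer's persistence table; enough to show the distribution)."""
    digest = hashlib.sha256(key.encode()).digest()
    return psns[int.from_bytes(digest[:8], "big") % len(psns)]


def build_access_request(mac: Optional[str], framed_ip: Optional[str] = None) -> bytes:
    """Constructed Access-Request carrying only the attributes under test."""
    body = b""
    if mac is not None:
        val = mac.encode("ascii")
        body += bytes([ATTR_CALLING_STATION_ID, 2 + len(val)]) + val
    if framed_ip is not None:
        val = ipaddress.IPv4Address(framed_ip).packed
        body += bytes([ATTR_FRAMED_IP_ADDRESS, 2 + len(val)]) + val
    header = struct.pack("!BBH", 1, 7, RADIUS_HEADER_LEN + len(body))
    return header + b"\x00" * 16 + body  # zero authenticator: not verified here


def distribution(mode: str, packets: List[bytes], src_ip: str, psns: List[str]) -> Dict[str, int]:
    """Endpoints per PSN under 'source-ip' or 'calling-station-id' persistence."""
    counts = {p: 0 for p in psns}
    for pkt in packets:
        key = src_ip if mode == "source-ip" else persistence_key(pkt, src_ip)[1]
        counts[choose_psn(key, psns)] += 1
    return counts


if __name__ == "__main__":
    # One WLC (constructed address) proxying 30 wireless clients to three PSNs.
    wlc = "10.1.1.5"
    psns = ["psn-01", "psn-02", "psn-03"]
    packets = [build_access_request(f"aa:bb:cc:dd:ee:{i:02x}") for i in range(30)]
    print("source-ip persistence:      ", distribution("source-ip", packets, wlc, psns))
    print("calling-station persistence:", distribution("calling-station-id", packets, wlc, psns))
```

Any request that carries no Calling-Station-Id drops to the Framed-IP-Address and then the source-IP fallback, so the NAS's requests of that kind all stick to one node; check what the fallback does for the TrustSec flows Damien mentions before relying on it, since this example does not model them. Malformed packets also take the source-IP path rather than being hashed on partial data.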

5 Replies

Timothy Abbott
Cisco Employee

We have design guides and presentations regarding load balancing with ISE located at the URL below:

https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759

Regards,

-Tim

Thanks for the reply, Timothy! I'll look through the design guides and presentations. I will let you know if I have any questions.


Thanks for the reply, Damien! I'll take a look at the F5 guide in Timothy's link that you recommended. If I'm not understanding or grasping something, I'll hit you guys back up. Thank you!

There are also some nice slide references for this under http://cs.co/ise-training (BRKSEC-3432).