TrustSec AAA Servers vs. NAD defined Radius servers

Josh Morris (Level 3)

I use an F5 load balancer in front of my PSNs, so my NADs point RADIUS to that VS. However, I had previously defined my TrustSec AAA server as my primary admin node (both admin nodes are assigned as dynamic authors in the NADs).

Based on the segmentation strategy, it looks like I should use the same PSNs that my NADs use for radius as the TrustSec AAA servers.

[screenshot: JoshMorris_0-1676911717473.png]

I currently only have one PSN set up with the SXP persona. This is the device I use under a Network Device for CoA.

How should I be setting up this workflow between the NADs and ISE nodes?

Accepted Solution

Damien Miller (VIP Alumni)

I use the F5 VIPs as the "TrustSec Servers" in every ISE environment I have built behind F5s and leveraged TrustSec with. This has not done me wrong. The F5 VIPs are the only IPs that the NADs know about, the dynamic authors are also the VIPs, and all traffic back to the NAD is SNAT'd to appear as if it comes from the VIP.

The CTS server list here is what "show cts environment-data" will contain, and it identifies the servers that the switch will use to request additional CTS data/policy. This list does not change anything with SXP or CoA.

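As an added example (not from the thread, and not Cisco's or F5's own documentation), this is what the NAD side of that arrangement looks like on a Cisco IOS-XE switch: the RADIUS server, the dynamic-author (CoA) client and the CTS authorization list all point at the F5 VIP, while SXP peers with the individual PSN that runs the SXP persona. The addresses, names and keys are assumptions for illustration.

```ios
! Added example, not from the thread. Addresses, names and keys are assumed.
!
! RADIUS server = the F5 VIP in front of the PSNs (assumed 10.10.10.10).
! The NAD never learns the individual PSN addresses.
radius server ISE-VIP
 address ipv4 10.10.10.10 auth-port 1812 acct-port 1813
 pac key ISE-RADIUS-KEY
!
aaa group server radius ISE
 server name ISE-VIP
!
! CoA: the dynamic-author client is also the VIP, because the F5 SNATs
! PSN-originated CoA so that it arrives from the VIP address.
aaa server radius dynamic-author
 client 10.10.10.10 server-key ISE-RADIUS-KEY
!
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! Method list used for CTS environment-data and policy downloads. The
! servers the switch reports in "show cts environment-data" come from the
! ISE TrustSec AAA Servers list, which in this design holds the VIP.
aaa authorization network CTS-LIST group ISE
cts authorization list CTS-LIST
cts role-based enforcement
!
! SXP is independent of the CTS server list: it peers directly with the
! one PSN that carries the SXP persona (assumed 10.10.10.21), not the VIP.
cts sxp enable
cts sxp default password 0 SXP-PASSWORD
cts sxp connection peer 10.10.10.21 source 10.10.20.1 password default mode local listener
```

After applying this, "show cts environment-data" and "show cts server-list" on the switch should list only the VIP (10.10.10.10 in this example) under the installed server list, and "show cts sxp connections" should show the individual PSN as the SXP peer.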

3 Replies


Thanks, so you add a single TrustSec server of the F5 VIP even though it's not actually one of the addresses of the PSNs? Or do you add the addresses of the PSNs that are behind the VIP?

If I have four F5 VIPs with two PSNs in a pool behind each, then I only put the four F5 VIPs in for TrustSec servers.