ISE and Load Balancing Radius using Citrix NetScaler

Mark H · ‎12-13-2015

Hi everyone,

Hopefully someone who has successfully used a Citrix NetScaler for load balancing requests for ISE can help, it seems a lot of the documentation such as Cisco Live slides are based around using F5 as a load balancer.

I have a pretty solid load balancing setup using Citrix NetScaler 10.5, however it only works correctly if I use source address translation (SNAT), which is against best practice recommended in slides and means all the radius requests within ISE appear to come from the NetScaler. If I disable source SNAT, ISE does correctly respond to radius messages (confirmed by packet capture) but the access switch (3850) doesn't appear to get anything.

If I set the switch to use the ISE policy nodes directly, it works fine so there is definitely connectivity between the ISE policy nodes and the switch.

Any ideas?

Thanks

chidex123 · ‎03-11-2016

Hello Mark,

Did you get to resolve this problem? I have exactly same problem

thanks

Mark H · ‎03-12-2016

Hi chidex123,

Unfortunately no. I did find some configuration with the NetScaler that needed to be made, but it would have an impact on the existing load balancers that were set up for other applications so I didn't move ahead with it.

I have radius failover configured on the NAD itself, I have half of my deployment favouring one policy node with the other half favouring the other policy node to imitate some form of load balancing.

Mark

Sri Harsha Dasari · ‎10-21-2022

User netscaler SNIP as default gateway on ISE server

Thanks, Sri.