General Guidelines
When using ISE with a load balancer from any vendor, you must ensure a few things:
- Each ISE Policy Service Node (PSN) must be reachable by the Policy Administration Node (PAN) and Monitoring and Troubleshooting (MNT) node directly, without NAT. RADIUS Authentication and Accounting traffic from access devices to PSNs should also pass through the load balancer without NAT.
- Each PSN must also be reachable directly by the endpoints for redirections (CWA, Posture, etc.).
- You may want to generate PSN digital certificates to include the VIP fully-qualified domain name (FQDN) in the SAN field.
- Perform stickiness (aka persistence) based on Calling-Station-ID and optionally NAS-IP-Address or Framed-IP-Address.
- The load balancer(s) virtual IP (VIP) gets listed as the RADIUS server of each network device for all 802.1X-related AAA requests.
- Each PSN gets listed individually in the Dynamic-Authorization (CoA) configuration of each network device. Use the real IP Address of the PSN, not the VIP, unless SNAT for CoA traffic is configured (the UDP/1700 traffic initiated by the PSN, NOT the RADIUS traffic initiated by NADs to PSN).
- The load balancers must be configured as network devices in ISE so that their test authentications can be answered.
- ISE uses the Layer-3 source address to identify the network device, not the NAS-IP-Address attribute in the RADIUS packet. This is the reason not to use SNAT for inbound RADIUS traffic.
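The bullets above describe what the load balancer keys persistence on and what ISE keys device identification on. As an added example (not from this page, Cisco or any load balancer vendor), the following Python script builds a constructed RADIUS Access-Request in RFC 2865 wire layout, derives a persistence key the way the list describes (Calling-Station-ID first, NAS-IP-Address or Framed-IP-Address as fallback), maps it to a PSN, and shows why identification by Layer-3 source address breaks once SNAT sits in the path. The PSN hostnames, IP addresses and MAC address are constructed; the hash-based PSN choice, the MAC normalisation and the SNAT heuristic are illustrative assumptions, not how any vendor's load balancer or ISE actually implements them.

```python
import hashlib
import ipaddress
import re
import struct

# RADIUS attribute types (RFC 2865) that a load balancer can key persistence on.
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ACCESS_REQUEST = 1


def build_access_request(identifier, attrs):
    """Encode an Access-Request in RFC 2865 wire layout from (type, value-bytes) pairs.
    The 16-byte Request Authenticator is a constructed placeholder; real clients use random bytes."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + b"\x00" * 16 + body


def parse_attributes(packet):
    """Return {type: [value, ...]} for the AVPs in a RADIUS packet, rejecting bad lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def normalize_mac(raw):
    """Canonicalise a Calling-Station-Id so aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and aabb.ccdd.eeff
    map to one key (assumed design choice); other values are returned trimmed and upper-cased."""
    text = raw.decode("ascii", "replace").strip()
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(hexdigits) == 12:
        return hexdigits.upper()
    return text.upper()


def persistence_key(packet):
    """Stickiness key: Calling-Station-Id first, NAS-IP-Address or Framed-IP-Address as fallback."""
    attrs = parse_attributes(packet)
    if ATTR_CALLING_STATION_ID in attrs:
        return "csid:" + normalize_mac(attrs[ATTR_CALLING_STATION_ID][0])
    for label, atype in (("nas", ATTR_NAS_IP_ADDRESS), ("framed", ATTR_FRAMED_IP_ADDRESS)):
        if atype in attrs and len(attrs[atype][0]) == 4:
            return f"{label}:{ipaddress.IPv4Address(attrs[atype][0])}"
    return None


def choose_psn(key, psns):
    """Map a key to one PSN deterministically so a session's authentication and accounting
    packets reach the same node. Hash-mod is an illustration; real LBs keep a sticky table."""
    digest = hashlib.sha256(key.encode()).digest()
    return psns[int.from_bytes(digest[:4], "big") % len(psns)]


def identify_nad(src_ip, packet):
    """ISE identifies the network device by the Layer-3 source of the datagram; the packet's
    NAS-IP-Address attribute is deliberately ignored. With SNAT every request carries the LB's address."""
    return ipaddress.IPv4Address(src_ip)


def snat_suspected(src_ip, packet):
    """Heuristic only (assumption): a NAS-IP-Address attribute that disagrees with the datagram
    source is what SNAT in the path looks like, though multi-homed NADs can also trigger it."""
    attrs = parse_attributes(packet)
    if ATTR_NAS_IP_ADDRESS not in attrs:
        return False
    return ipaddress.IPv4Address(attrs[ATTR_NAS_IP_ADDRESS][0]) != ipaddress.IPv4Address(src_ip)


# Constructed sample: one switch, one endpoint MAC written in two vendor formats.
PSNS = ["psn1.example.internal", "psn2.example.internal", "psn3.example.internal"]
SWITCH_A = "10.1.1.10"
REQ_AUTH = build_access_request(1, [
    (ATTR_CALLING_STATION_ID, b"00-11-22-AA-BB-CC"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(SWITCH_A).packed),
])
REQ_ACCT_STYLE = build_access_request(2, [
    (ATTR_CALLING_STATION_ID, b"0011.22aa.bbcc"),
    (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(SWITCH_A).packed),
])

if __name__ == "__main__":
    key = persistence_key(REQ_AUTH)
    print("key", key, "->", choose_psn(key, PSNS))
    print("same PSN for both MAC formats:", choose_psn(key, PSNS) == choose_psn(persistence_key(REQ_ACCT_STYLE), PSNS))
    print("NAD seen by ISE without SNAT:", identify_nad(SWITCH_A, REQ_AUTH))
    print("NAD seen by ISE with SNAT:", identify_nad("10.1.1.100", REQ_AUTH), "suspected:", snat_suspected("10.1.1.100", REQ_AUTH))
```

Running the script shows both spellings of the MAC mapping to the same PSN, and that once the datagram's source becomes the load balancer's address (10.1.1.100 in the constructed sample) ISE would attribute every request to that one "device", which is exactly the situation the no-SNAT rule prevents.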
Load Balancer Configurations
Please consult your load balancer vendor's documentation for how to configure RADIUS or TACACS load balancing with their product. You may look in the ISE Ecosystem Integration Guides for possible vendor documents.