Showing results for 
Search instead for 
Did you mean: 

ISE Load Balancing





Cisco Live BRKSEC-3699

Free video & presentation with site registration :

Designing ISE for Scale & High Availability - BRKSEC-3699

by Craig Hyps, Principal Technical Marketing Engineer, Cisco Systems


This is the definitive Cisco Live breakout session to show you how to design ISE to deliver scalable and highly available access control services for wired, wireless, and VPN from a single campus to a global deployment. Focus is on design guidance for distributed ISE architectures including high availability for all ISE nodes and their services as well as strategies for survivability and fallback during service outages. Methodologies for increasing scalability and redundancy will be covered such as load distribution with and without load balancers, optimal profiling design, and the use of Anycast. Attendees of this session will gain knowledge on how to best deploy ISE to ensure peak operational performance, stability, and to support large volumes of authentication activity. Various deployment architectures will be discussed including ISE platform selection, sizing, and network placement.


General Guidelines

When using a Load-Balancer (anyone's) you must ensure a few things.

  • Each PSN must be reachable by the PAN / MNT directly, without NAT.  RADIUS Auth and Accounting traffic from access devices to PSNs should also pass through LB without NAT.
  • Each PSN Must also be reachable directly from the Client's – for redirections / CWA / Posture, etc…
  • You may want to generate PSN certs to include the VIP fqdn in the SAN field.
  • Perform sticky (aka: persistance) based on Calling-Station-ID and optionally NAS-IP-Address or Framed-IP-address
  • VIP gets listed as the RADIUS server of each NAD for all 802.1X related AAA.
  • Each PSN gets listed individually in the Dynamic-Authorization (CoA).  Use the real IP Address of the PSN, not the VIP, unless SNAT for CoA traffic is configured (the UDP/1700 traffic initiated by the PSN, NOT the RADIUS traffic initiated by NADs to PSN).
  • The LoadBalancer(s) get listed as NADs in ISE so their test authentications may be answered.
  • ISE uses the Layer-3 Address to Identity the NAD, not the NAS-IP-Address in the RADIUS packet.  This is the reason to not use SNAT for inbound RADIUS traffic.



Sample Configurations

Cisco ACE


Citrix NetScaler


Great Guides! Good work! Thanks very much!

But does anybody have an idea if this limitation with Source NAT would be gone some day, when ISE is able to use the NAS IP address in the RADIUS Packet instead of the source IP in the packet itself? Is there an enhancement request open for it?

Thanks for any comment on this...

Craig Hyps

This would be an enhancement request. One has already been filed but not committed to a release.  I actually cite the User Story number (enhancement request) in the Cisco Live session to encourage customers to press for this enhancement.   There are actually two on file:

US8601  CoA support for NAT'ed load balanced environments

US10398  Ability to Send CoA to the NAS-IP-Address (Instead of To the Source IP of the RADIUS Packet)

Recommend work with Cisco account team to provide business unit with customer name and business impact for prioritization.


Now in 2017, and ISE 2.2 is available.   Has the COA + SNAT problem been solved?


Craig Hyps

Not yet.  Please work with your Cisco account team for more details on feature enhancements and roadmap.

I will restrict comments to this specific post so not lost from view of SMEs.  Questions can always be posted to main community page to ensure that any replies are readily visible by larger community: Identity Services Engine (ISE)

Regards, Craig


We have an ISE 2.2 deployment consisting of 2 PANs, 2 MnT, and 4 PSN nodes. We are using EAP authentication. All of the nodes have certificates issued by our CA. We are planning on utilizing the F5 to load balance our PSNs. We reviewed the Cisco and F5 Deployment Guide by Craig Hyps and got stuck on the part where we generate the CSRs. In ISE 2.2, it wants us to select the node that we want the CSR to be generated for. If we select all of our 4 PSNs, it will generate 4 CSRs with same CN and SANs (see below). However, In the document is says to generate one CSR then export, then import the signed certificate to the other nodes. Not sure how we can do that if we have 4 certs, one for each node. Any help will greatly be appreciated.


Hostname: ISEPSN01


Key Length: 2048

Timestamp: Thu, 20 Sep 2018

Friendly Name: isepsn01#Multi-Use

Used for: Multi-Use

Subject Alternative Names:,

Cisco Employee

@nnmcnetops, please post your configuration/how-to questions in the general ISE Community.

We prefer not to do this in doc comments since it is subject to tangents and there is no threaded responses plus you have a larger audience to view and respond to your specific issue.

Content for Community-Ad