TACACS+ runs over TCP, port 49 by default or any custom port configured in ISE. TCP is connection-oriented and asynchronous.
So if you are using an LB, I suggest the inline LB option. If not, you need to find a way to deal with the TCP property explained above.
Stickiness can be based on the source IP address (the network device IP address).
Question: Can I use Anycast?
Anycast is used with UDP since it is connectionless. You can probably use it with HTTP, since HTTP is connectionless even though the underlying protocol is TCP, but it may not be suitable for TACACS+. It may be suitable for RADIUS.
For example, if the Anycast instance breaks mid-way for some reason, the network devices need to open a TCP connection to the PSN before sending traffic. That means there could be a lot of open TCP connections if the routes change, so rate limiting needs to be done so as not to overwhelm the PSNs.
That said, TACACS+ is transactional, which means it opens a TCP connection every time it does an authentication, authorization or accounting, unlike RADIUS where these happen in the same transaction. These transactions are separate.
So this may work depending on how big the configuration request/change is from a client machine when accessing the CLI on the network device or browsing a UI.
In case of bursty traffic, where there is a bunch of requests coming from one or many sources, you typically enable persistence (single-connect mode) in the TACACS+ configuration (in the ISE network device config) so that you can use the same TCP connection.
However, with Anycast, persistence may not be preferred, due to the nature of Anycast, if routes change.
Here is a resource related to TACACS+ LB in general:
BRRSEC-3699 – Cisco Live presentation – slide 192
Here is a note on Anycast LB. Note how to LB if an ISE PSN is down. I think this is meant for RADIUS.
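To make the three points above concrete (source-IP stickiness, per-transaction TCP connections versus single-connect mode, and rate limiting reconnects toward a PSN), here is a small added model. It is not from the original post or from Cisco ISE; the PSN and network device addresses are constructed placeholders, and the stickiness function uses rendezvous hashing as one way a load balancer can pin a source IP to a PSN so that losing one PSN only moves the devices that were on it.

```python
"""Toy model (added example, not from the original post) of the TACACS+ load-balancing
points discussed above: source-IP stickiness, per-transaction vs single-connect TCP
connections, and rate limiting of new connections toward a PSN.
All addresses below are constructed placeholders."""
import hashlib

PSN_POOL = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]          # constructed PSN addresses
NETWORK_DEVICES = [f"192.168.1.{i}" for i in range(1, 31)]  # constructed NAD addresses


def sticky_psn(src_ip: str, pool: list[str]) -> str:
    """Source-IP stickiness via rendezvous hashing: hash (device IP, PSN) for every
    PSN and pick the highest. The same device always lands on the same PSN while
    the pool is unchanged, and removing a PSN only moves the devices that were on it."""
    def score(psn: str) -> bytes:
        return hashlib.sha256(f"{src_ip}|{psn}".encode()).digest()
    return max(pool, key=score)


def remapped_devices(devices: list[str], before: list[str], after: list[str]) -> list[str]:
    """Devices whose PSN changes when the pool goes from `before` to `after`."""
    return [d for d in devices if sticky_psn(d, before) != sticky_psn(d, after)]


def tacacs_tcp_connections(session: list[str], single_connect: bool) -> int:
    """TCP connections one network device opens for an admin CLI session.
    `session` lists the TACACS+ transactions in order ('authn', 'authz', 'acct').
    Without single-connect mode each transaction uses its own TCP connection;
    with it the device keeps one connection open and multiplexes the transactions."""
    if not session:
        return 0
    return 1 if single_connect else len(session)


class TokenBucket:
    """Limit on new TCP connection attempts toward one PSN (tokens per second, burst)."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s
        self.capacity = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def admit_connections(arrival_times: list[float], rate_per_s: float, burst: int) -> tuple[int, int]:
    """Run connection attempts (timestamps, ascending) through a TokenBucket;
    returns (accepted, deferred). Deferred attempts would be retried later instead
    of all hitting the PSN in the same instant after a route change."""
    bucket = TokenBucket(rate_per_s, burst)
    accepted = sum(1 for t in arrival_times if bucket.allow(t))
    return accepted, len(arrival_times) - accepted


if __name__ == "__main__":
    # A CLI session: one login authentication, then authorization + accounting per command.
    cli_session = ["authn"] + ["authz", "acct"] * 5
    print("per-transaction connections:", tacacs_tcp_connections(cli_session, False))
    print("single-connect connections:  ", tacacs_tcp_connections(cli_session, True))

    failed = "10.0.0.12"
    reduced = [p for p in PSN_POOL if p != failed]
    moved = remapped_devices(NETWORK_DEVICES, PSN_POOL, reduced)
    print(f"devices remapped after losing {failed}: {len(moved)} of {len(NETWORK_DEVICES)}")

    # 30 devices reconnecting in the same second after a route change; PSN admits 5/s, burst 5.
    print("admitted/deferred:", admit_connections([0.0] * 30, rate_per_s=5, burst=5))
```

Running the script shows the five-command CLI session costing 11 TCP connections without single-connect mode and 1 with it, and only the devices that were pinned to the failed PSN moving when it drops out of the pool; everything else keeps its existing stickiness.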