Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
5057
Views
1
Helpful
0
Comments

Load balancing in a ISE TACACS deployment

kthiruve
Cisco Employee
Cisco Employee

‎02-06-2019 11:49 AM - edited ‎02-07-2019 03:06 PM

TACACS works on TCP protocol port 49 or any customizable port in ISE. TCP is connection oriented and asynchronous.

So if you are using LB, suggest inline LB option. If not, then you need to find a way to deal with TCP property explained above.

Stickiness can be based on Source IP address ( Network device IP address).

Question: Can I use Anycast?

Anycast is used with UDP since it is connectionless. You can use this probably with HTTP since it is connection less even though the underlying protocol is TCP, may not be suitable to TACACS. It may be suitable for RADIUS.

For eg: if the Anycast instance is broken mid-way for some reason, the network devices need to open a TCP connection to PSN first before sending traffic. That means that there could be a lot of open TCP connections if the routes change. So rate limiting need to be done not to overwhelm PSN’s.

 

That said, TACACS+ is transactional that means that it opens a TCP connection every time it does a authentication or authorization or accounting, unlike RADIUS where these happen in the same transaction. These transactions are separate.

So this may work depending on how big is configuration request/change from a client machine when accessing CLI on the network device or browsing a UI.

 

In case of bursty traffic where there is a bunch of requests coming from one or many sources, you typically enable persistence(single connect mode) in TACACS configuration (in ISE Network device config) so that you can use same TCP connection.

 

However with Anycast, persistence may not be preferred due to the nature of Anycast if routes change.

 

Here is a resource related to TACACS LB in general is

BRRSEC-3699 – Cisco Live presentation – slide 192

 

Here is a note on Anycast LB. Note how to LB if ISE PSN is down. I think this is meant for RADIUS

http://www.ciscopress.com/articles/article.asp?p=2812072&seqNum=2

 

Please try out your configuration in a test environment to make sure things work seamlessly.

Consider PSN failure, not-reachable scenarios etc. Here is a nice writeup by Damien what to avoid when doing

Load balancing using TACACS

https://community.cisco.com/t5/security-blogs/how-to-tacacs-failover-with-f5-big-ip-virtual-servers/ba-p/3796384

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents