Guest Load-balancing just the redirect URL and not Radius session

Madura Malwatte
Level 4

ISE 3.0

Is it possible to use a load balancer to load-balance just the URL portal redirect a guest user receives, and not the full RADIUS session, and still have it work without issue?

I.e:

1. RADIUS session from the NAD (WLC) goes direct to the PSNs without using the load balancer.

2. CWA portal redirect URL (guest.company.com) is forwarded to the guest user by the NAD.

3. Guest user hits the URL, which is via a load balancer > the load balancer has 2 or more PSNs in the backend.

Now the issue here is that if the NAD sends the RADIUS session to PSN1, PSN1 returns the generic FQDN guest.company.com. When the URL gets accessed via the load balancer it could go to PSN2 or PSN3. Will this be an issue? I want to avoid the trouble of setting up load-balancing of the RADIUS requests, and just want the URL to be done. Is there RADIUS session data sharing between ISE nodes? My understanding is that only recently did version 3.0 introduce posture session sharing.


4 Replies

Arne Bier
VIP

I don't think that would work. The URL is uniquely generated (hash) by the PSN that processes the MAB requests. Therefore, it's imperative that the client sticks to that PSN at all times - this is why load balancer setups are so tricky (session persistence).

Remember that guest portals are not a big deal in terms of traffic generation - the user's "internet surfing" doesn't go through the PSN - the whole song and dance of portal redirection and login is a very short-lived thing. The RADIUS traffic is load balanced, and the PSN on which the MAB lands is the PSN whose FQDN you should return to the client. The TCP session that the client then establishes to the URL does not get load balanced - the client does a DNS lookup, gets the IP of the PSN, and then builds the TCP session to the PSN directly.


Hmm. I wish there was some type of session sharing between PSNs, then we won't be forced to make sure we hit the same PSN... There isn't anything like this, right?

The part I want to load-balance is the CWA redirect URL because I don't want the clients to see a specific URL tied to a PSN, i.e. guest1.company (PSN1) or guest2.company (PSN2), and instead use a generic URL like guest.company (which can go to any PSN). So basically, to get this to work I need to make sure the RADIUS part of the session goes via the LB and also the redirect part as well - just to make sure the LB can use some stickiness to keep it on the same PSN?

Arne Bier
VIP

I don't want to say it can't be done, but for starters, the DNS resolution of the common FQDN must be the VIP. And then the virtual server (e.g. F5 LTM) needs to intercept the HTTPS request and rebuild the connection to the correct PSN based on the client source IP address. You might be able to do that with some iRule magic. You can install the certificate on the LTM to perform SSL termination.

Charlie Moreton
Cisco Employee

If you take a look at the redirect URL on the client, you'll see that the session ID is part of the URL and would - in this case - also be "load-balancing of the RADIUS request". It's not just a simple URL that is the same for every device; it's unique for every device.
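The point made in both Arne's and Charlie's replies, as an added toy model that is not part of this thread and not Cisco code: each PSN knows only the RADIUS sessions it processed itself, and the redirect URL carries that PSN's FQDN plus a per-session sessionId. If the FQDN is swapped for a generic VIP name and the load balancer picks any backend, only the clients that happen to land on the owning PSN get a portal; a policy that keeps the session on its owner needs information the LB can only have if it also saw the RADIUS exchange. The URL shape (host:8443/portal/gateway?sessionId=...&portal=...&action=cwa&token=...) follows the ISE CWA redirect, but the FQDNs, MACs, session ids, tokens and portal name below are constructed for the example.

```python
"""Toy model: why a CWA redirect URL cannot be spread across PSNs by a plain
load balancer. Added illustration for this thread, not Cisco code; all
hostnames, MACs, session ids and tokens are constructed values."""
import itertools
from urllib.parse import urlparse, parse_qs

VIP_FQDN = "guest.company.com"   # generic name the poster wants clients to see


class PSN:
    """A Policy Service Node. It knows only the RADIUS sessions it processed."""

    def __init__(self, fqdn):
        self.fqdn = fqdn
        self.sessions = {}       # sessionId -> client MAC

    def handle_mab(self, client_mac, session_id, token):
        """Process the MAB request and build the redirect URL with *this* PSN's FQDN."""
        self.sessions[session_id] = client_mac
        return (f"https://{self.fqdn}:8443/portal/gateway"
                f"?sessionId={session_id}&portal=GuestPortal&action=cwa&token={token}")

    def portal_request(self, session_id):
        """The portal can only continue a session this PSN has in its own table."""
        return "portal-ok" if session_id in self.sessions else "no-such-session"


def parse_redirect(url):
    """Return (host, sessionId) from a CWA-style redirect URL."""
    u = urlparse(url)
    return u.hostname, parse_qs(u.query)["sessionId"][0]


def to_generic(url):
    """Replace the PSN-specific host with the generic VIP name (the poster's idea)."""
    return urlparse(url)._replace(netloc=f"{VIP_FQDN}:8443").geturl()


def lb_round_robin(pool, _session_id, _owner_table):
    """Plain VIP: next backend, no knowledge of who processed the RADIUS session."""
    return next(pool)


def lb_session_sticky(_pool, session_id, owner_table):
    """Persistence keyed on the session. Only possible when the LB learned which PSN
    owns the session, i.e. the RADIUS exchange also went through it (Arne's point)."""
    return owner_table[session_id]


def run(lb_policy, n_guests=3):
    """The WLC sends RADIUS straight to its primary PSN (no LB); each guest then
    opens the generic URL and the LB picks a backend with lb_policy.
    Returns {mac: (backend_fqdn, portal_result)}."""
    psns = [PSN(f"guest{i}.company.com") for i in (1, 2, 3)]
    primary = psns[0]                 # the WLC's configured primary PSN
    pool = itertools.cycle(psns)      # LB backend pool, round-robin order
    owner_table = {}                  # sessionId -> PSN, as an LB could learn it
    outcome = {}
    for i in range(n_guests):
        mac = f"00:11:22:33:44:{i:02X}"                 # constructed client
        sid, token = f"0A0A0A01000000{i:02X}", f"tok{i}"  # constructed values
        url = primary.handle_mab(mac, sid, token)
        owner_table[sid] = primary
        host, sid_seen = parse_redirect(to_generic(url))
        assert host == VIP_FQDN       # client resolves the generic name -> VIP
        backend = lb_policy(pool, sid_seen, owner_table)
        outcome[mac] = (backend.fqdn, backend.portal_request(sid_seen))
    return outcome


if __name__ == "__main__":
    for name, policy in (("round-robin", lb_round_robin),
                         ("session-sticky", lb_session_sticky)):
        print(name)
        for mac, (fqdn, result) in run(policy).items():
            print(f"  {mac} -> {fqdn}: {result}")
```

With the plain round-robin VIP only the first guest, whose connection happens to be handed to the PSN that processed its MAB, gets a portal; the other two reach PSNs that have no such session. The sticky policy works for every guest, but only because the model lets the load balancer know which PSN owns each sessionId, which in a real deployment means the RADIUS traffic has to be visible to it as well.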