Load Balance Cisco ISE servers

Trying to load balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-Address... Session-ID is recommended if the load balancer is capable of it. I have documentation for the Cisco ACE, but I'm using F5 LTMs. Assuming this has to be done with an iRule as none of these are available as a default. Not sure where to begin. I tried attaching the Cisco PDF, but was not able to for whatever reason. If anyone has any examples or knowledge of how to do this, it would be appreciated. I can send the Cisco document via e-mail if that helps. I just am not able to attach it to this forum?

1
Comments on this Question
Comment made 21-Aug-2018 by Wallace 307

I have the Cisco ISE deployment guide and followed it to a tee. But what I am seeing is only half the devices connecting will log the RADIUS AVP 31, which is the calling station ID or MAC address, and this causes the other half to persist with the IP address, which is not working. Anyone ever see this behavior before? I am on 11.5.4

Thanks,

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
e.g.
[root@ve10:Active] config # b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.252:1812
   ip protocol 17
   rules myrule
   profiles udp_gtm_dns {}
}
[root@ve10:Active] config # b pool foo list
pool foo {
   members 200.200.200.101:1812 {}
}
[root@ve10:Active] config # b rule myrule list
rule myrule {
   when CLIENT_ACCEPTED {
  log local0. "\[RADIUS::avp CALLING-STATION-ID\] [RADIUS::avp CALLING-STATION-ID]"
  log local0. "\[RADIUS::avp FRAMED-IP-ADDRESS\] [RADIUS::avp FRAMED-IP-ADDRESS]"
  persist uie "[RADIUS::avp CALLING-STATION-ID]:[RADIUS::avp FRAMED-IP-ADDRESS]"
}
}

[root@ve10:Active] config # tail -f /var/log/ltm
Jun 18 18:57:44 local/tmm info tmm[4950]: Rule myrule <CLIENT_ACCEPTED>: [RADIUS::avp CALLING-STATION-ID] 123456
Jun 18 18:57:44 local/tmm info tmm[4950]: Rule myrule <CLIENT_ACCEPTED>: [RADIUS::avp FRAMED-IP-ADDRESS] 1.1.1.1

[root@ve10:Active] config # b persist show all
PERSISTENT CONNECTIONS
|     Mode universal   Value 123456:1.1.1.1
|        virtual 172.28.19.252:1812   node 200.200.200.101:1812   age 14sec

2
Comments on this Answer
Comment made 09-Dec-2013 by Nick Ehlers 2
Working iRule: <big thanks to Joe Martin, F5 SE for figuring this out for us>

when CLIENT_ACCEPTED {
    set framed_ip [RADIUS::avp 8 ip4]
    set calling_station_id [RADIUS::avp 31 "string"]
    log local0. "request from $calling_station_id:$framed_ip"
    persist uie "$calling_station_id:$framed_ip"
}
0
Comment made 09-Apr-2015 by rangara10 1
Hi - what version of LTM was this iRule working on? Will this work on 11.2.1?
0

You'll want to ensure you load balance both your accounting and authentication packets to the same node. I did this with two VIPs, and used Match Across Services in a universal persistence profile and calling station ID in the iRule.

2
Comments on this Answer
Comment made 20-Nov-2013 by Nick Ehlers 2
Joe B, can I perhaps get the template for the iRule syntax? That's my problem, I can't get that correct. Much appreciated!
2
Comment made 04-Dec-2013 by Nick Ehlers 2
Joe, any chance you could grab me the syntax for the iRule for calling station ID? I tried copy-pasting the one above but it didn't work.
0

A few things we learned with our ISE installation:

  • Disable datagram LB; see: http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3605.html

  • Use one single VS listening on all ports. Having 2 separate VS with UIE persist across services/vs/pool does not persist 100% of the time.

  • F5 drops UDP packets. If you see failure code "12953 - Received EAP packet from the middle of conversation ...", most likely this is caused by the F5 dropping packets. We see this issue happen with 6000+ users. A testing environment with 1000 users does not exhibit this issue. 11.5 is the worst offender while 11.3 is somewhat better. We have up to 25% failure rates with 11.5 and only 5% with 11.3.
1
Hey Richard. The Session-ID of what? A RADIUS 'request'?
0
Yes, I believe it would be a RADIUS Request. If you can provide me with an e-mail, I can send you the ACE configuration document, but reading through that, I believe it would be a RADIUS Request.
0
Assuming this has to be done with an iRule as none of these are available as a default. Not sure where to begin.

Have you tried the "Persist Attribute" setting in the RADIUS profile?

0
Hi

Use source persistence. The problem is with the NATing; in theory you should create a pass-through to the backend, but I'm not sure how to do that on F5. If you bypass the F5, does it work or not?
0
This is a new turn-up. Testing this week and next.

Couple of bullet points that are taken from the Cisco ACE configuration PDF....

• Load Balancers get listed as NADs in ISE so their test authentications may be answered.

• ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to the VIP.

So the way I'm understanding it is that NADs, or network access devices, which are the end stations, send the request to the LTMs. Once the packet hits the LTM, then the LTM becomes the NAD from the perspective of the ISE servers.
I don't think source persistence works because on the initial request the end device still doesn't have an IP address. The ISE servers determine who and what the client is, and then based on that assign the VLAN and IP space etc.

I had never used the "Persist Attribute" setting in radius profile before. I see where that setting is, but where do you apply it once you create it?
0

I believe a RADIUS profile is assigned to a Virtual Server.

Based on your notes about the initial L3 address (it must have one) changing, is the persistence required initially? I assume the VLAN and address assignment is all done over a single connection. After that, what comes next, does it have to go to the same server? It'll be a new connection for sure as the source IP would have changed I assume. Don't the ISE servers share state in some way? It seems poor that they don't.

The operation doesn't exclude the use of SNAT btw, but to use it you'd have to use static translations (not automap etc.)

0
@Richard, have you managed to get this working?

0
Unfortunately, I got pulled into some other stuff and this got passed onto another engineer. I'm trying to find out if he got it resolved. If so, I will post the answer.
Thanks, Rich
0
I'm also in the same boat. Persist attribute in the RADIUS profile only seems to take one value; I'm currently using Calling-Station-ID and I'm getting suboptimal results. Anyone made any headway on this?
0
Good afternoon. New F5 user here - but I also need to use F5's to load balance my Cisco ISE servers.
0
Persist attribute in the Radius profile only seems to take one value, which i'm currently using Calling-Station-ID and i'm getting suboptimal results.
You do not have to use the persist attribute in the RADIUS profile. You are able to use the persist iRule command to persist on whatever AVP data or any combination you want.
0
I'll probably have to dig around for an example on how to do this, then. The radius load balancing irule examples I've seen seemed a little complicated and perhaps more involved than I was expecting to get. Cisco provides plenty of examples on how to do this but it's limited to ACE load balancers.
0

I do not think it is going to be too complicated. I understand you just retrieve the AVP you want to persist on using RADIUS::avp and use it in the persist uie command.

RADIUS::avp wiki https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx

sol7392: Overview of universal persistence http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7392.html

0

I've read through that, but I think I need to persist on multiple values together (calling-station-id and framed-ip-address) and not just one.  Any tips?

0

Did you get this working? I need the same persistence.

0

How to avoid SNAT as well on top of it?

0

How to avoid SNAT as well on top of it?

If the return packet passes through the BIG-IP (e.g. the server's default gateway is the BIG-IP), you do not need to configure snat automap under the virtual server configuration.

is this what you are asking?

0

I have tried this script and it worked as per our expectation. Thanks for sharing the script.

0
Comments on this Answer
Comment made 26-Jan-2015 by Prakash 0
Hello Amarya - What script are you referring to here? Can you please share, as I am configuring ISE with LB in our company.
0

Any idea how we can change the persistence timeout in this case?

0

You should be able to just change the timeout wherever you've used the 'persist uie' command in your rule. See here for more information: https://devcentral.f5.com/wiki/iRules.persist.ashx

0

Hi All

Can anyone share how they have configured their VIPs to load balance the Cisco ISE servers?

0

You can refer to the config below:

Virtual-Server:

ltm virtual vs_CISCO_ISE_xxxx {
    destination X.X.X.X:radius
    ip-protocol udp
    mask 255.255.255.255
    pool Pool_CISCO_ISE_xxxx
    profiles {
        CISCO_ISE_UDP { }
        radiusLB { }
    }
    rules {
        ISE_Rule
    }
}

Profiles:

ltm profile udp CISCO_ISE_UDP { datagram-load-balancing enabled defaults-from udp }

ltm profile radius radiusLB { clients none persist-avp none }

0
Comments on this Answer
Comment made 04-Dec-2013 by Nick Ehlers 2
Amartya, Can you give me the syntax of the iRule used for this? I can't seem to get it working.
0

Amartya Ghosh, can you go more into what you used for the iRule as part of your solution?

0

Lots of great information in this thread! To try and sum it up, here is how I got this to work:

NO NAT - so put the PSN servers on their own subnet and set their default route to the BIG-IP. Create two forwarding VS for inbound to the PSN traffic and outbound--make sure to use "enabled on VLANs" to tie these to the appropriate interface.

Create two standard VS, one for 1812 and one for 1813. Use protocol UDP, use a UDP protocol profile, use a RADIUS profile -- these are important to enable the iRule's use of the RADIUS command. It may be possible to get away with default profiles for UDP and RADIUS--I haven't tested that. i.e.:

ltm virtual /RADIUS-AUTH {
    destination /10.10.10.113:1812
    ip-protocol udp
    mask 255.255.255.255
    persist {
        /RADIUS_STICKY {
            default yes
        }
    }
    pool /pool-1812-radius
    profiles {
        /udp-for-ise-profile { }
        /radius-profile { }
    }
    rules {
        /RADIUS-PERSIST-IRULE
    }
    vlans-disabled
}

Apply a universal persistence profile:

ltm persistence universal /RADIUS_STICKY {
    app-service none
    defaults-from /Common/universal
    match-across-pools disabled
    match-across-services enabled
    match-across-virtuals disabled
    mirror disabled
    override-connection-limit disabled
    rule none
    timeout 600
}

And the iRule:

ltm rule /RADIUS-PERSIST-IRULE {
# ISE persistence iRule based on MAC address with fall-back to the WLC (NAS) IP address as persistence identifier
#set debug 1
#set persist_ttl 14400
when CLIENT_DATA {
    set persist_ttl 14400
    # If a MAC address (Calling-Station-ID, AVP 31) is present, use it as the persistence identifier
    # See the RADIUS AV pair documentation at https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
    if { [RADIUS::avp 31] ne "" } {
        set mac [RADIUS::avp 31]
        # Persist on the MAC for persist_ttl seconds
        persist uie $mac $persist_ttl
        set target [persist lookup uie $mac]
        log local0.alert "Username=[RADIUS::avp 1] MAC=$mac TARGET=$target"
    } else {
        #if { $debug > 0 } { log local0.alert "No MAC address found - using NAS IP as persistence identifier" }
        # Fall back to NAS-IP-Address (AVP 4)
        set nas_ip [RADIUS::avp 4]
        persist uie $nas_ip $persist_ttl
        set target [persist lookup uie $nas_ip]
        log local0.alert "Username=[RADIUS::avp 1] NAS IP=$nas_ip TARGET=$target"
    }
}
}

Pool:

ltm pool /pool-1812-radius {
    allow-nat no
    allow-snat no
    members {
        /10.10.194.133:1812 {
            address 10.10.194.133
            session user-disabled
        }
        /10.10.194.134:1812 {
            address 10.10.194.134
        }
        /10.10.194.135:1812 {
            address 10.10.194.135
        }
    }
    monitor /radius-auth-1812
}

Monitors are straightforward--just use the RADIUS ones on the box.

ltm profile radius /radius-child-31 {
    app-service none
    clients none
    defaults-from /Common/radiusLB
    persist-avp 31
}

ltm profile udp /radius-child-31-profile {
    app-service none
    defaults-from /Common/udp
}

Depending on your configuration you may also need an additional standard VS to send DHCP :67 traffic to the PSN servers. I've also seen where a forwarding VS from the PSN network out, UDP/0.0.0.0:1700, was needed--and to that VS assign a SNAT pool that uses the same IP as the RADIUS server VS IP.

I'm not sure if I have made this less muddy, but hopefully there are enough config examples above to get you rolling in the right direction.

Cheers!

0
Comments on this Answer
Comment made 09-Jul-2014 by LBAL 1
Could you be so kind as to define your profiles on the virtual please? profiles { /udp-for-ise-profile { } /radius-profile { } }
0
Comment made 18-Aug-2014 by JackF
Ended up just using this iRule:

when CLIENT_ACCEPTED {
    set framed_ip [RADIUS::avp 8 ip4]
    set calling_station_id [RADIUS::avp 31 "string"]
    log local0. "request from $calling_station_id:$framed_ip"
    persist uie "$calling_station_id:$framed_ip"
}

Best of luck!
0
Comment made 06-Nov-2014 by tomHooper 77
Hey Jack, which VIP did this iRule get applied against?
0
Comment made 11-Apr-2015 by rangara10 1
Hi JackF - what version of LTM were you able to get this setup working? By any chance, was it earlier than 11.4.1 HF5? Thanks.
0
Comment made 13-Apr-2015 by JackF
@rangara10 It was on version 11.1 with a later hotfix. Also you may find this new document from F5/Cisco to be helpful: http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP.pdf
0
Comment made 13-Apr-2015 by JackF
@tomhooper It was: ltm virtual /RADIUS-AUTH
0
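Added example, not code from this thread or from F5: a Python model of the two persistence keys discussed above, the Calling-Station-ID:Framed-IP-Address key of the first accepted answer and the Calling-Station-ID-with-NAS-IP-fallback key of the RADIUS-PERSIST-IRULE answer, applied to constructed RADIUS datagrams through one TTL-bounded table that both the 1812 and 1813 services share (the "match across services" setting). The parser, the round-robin choice for new keys, the timer refresh on a hit, and the 10.10.10.1 / 192.0.2.10 / 00-11-22-33-44-55 values are assumptions made for the illustration; the pool member addresses are the ones in the answer above.

```python
import socket
import struct

# RADIUS attribute type codes (RFC 2865) referenced by the iRules in this thread.
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_FRAMED_IP_ADDRESS, ATTR_CALLING_STATION_ID = 8, 31
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4


def parse_avps(packet: bytes) -> dict:
    """{attribute_type: raw_value} for one RADIUS datagram: a 20-byte header
    (code, identifier, length, authenticator) then type/length/value attributes.
    Length fields are validated so a truncated datagram raises rather than
    yielding a garbage persistence key."""
    if len(packet) < 20:
        raise ValueError("RADIUS header truncated")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field inconsistent with datagram")
    avps, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        avps.setdefault(packet[pos], packet[pos + 2:pos + alen])  # first occurrence wins
        pos += alen
    return avps


def avp_text(avps: dict, atype: int) -> str:
    """Text attribute (e.g. Calling-Station-ID); '' when absent, like RADIUS::avp."""
    return avps[atype].decode("ascii", "replace") if atype in avps else ""


def avp_ip4(avps: dict, atype: int) -> str:
    """Dotted quad for a 4-byte address attribute; '' when absent or malformed."""
    raw = avps.get(atype, b"")
    return socket.inet_ntoa(raw) if len(raw) == 4 else ""


def key_mac_then_nas(avps: dict) -> str:
    """Key of the RADIUS-PERSIST-IRULE answer: Calling-Station-ID (AVP 31),
    falling back to NAS-IP-Address (AVP 4) when the packet carries no MAC."""
    return avp_text(avps, ATTR_CALLING_STATION_ID) or avp_ip4(avps, ATTR_NAS_IP_ADDRESS)


def key_mac_and_framed_ip(avps: dict) -> str:
    """Key of the first accepted answer: Calling-Station-ID joined with
    Framed-IP-Address (AVP 8); the second half is empty while AVP 8 is absent."""
    return f"{avp_text(avps, ATTR_CALLING_STATION_ID)}:{avp_ip4(avps, ATTR_FRAMED_IP_ADDRESS)}"


class UniversalPersistence:
    """TTL-bounded key -> pool member table; one instance shared by the 1812 and
    1813 virtuals models 'match across services'. Assumed: new keys are assigned
    round robin and a hit restarts the record timer."""

    def __init__(self, members, timeout=600):
        self.members, self.timeout, self.table, self.next_rr = list(members), timeout, {}, 0

    def select(self, key: str, now: float) -> str:
        entry = self.table.get(key)
        if entry and now - entry[1] < self.timeout:
            self.table[key] = (entry[0], now)
            return entry[0]
        member = self.members[self.next_rr % len(self.members)]
        self.next_rr += 1
        self.table[key] = (member, now)
        return member


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Constructed RADIUS datagram with a zeroed authenticator (test data only)."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def demo_session(key_func) -> tuple:
    """Access-Request on 1812 (no Framed-IP yet, as noted earlier in the thread),
    an Accounting-Request on 1813 thirty seconds later (Framed-IP now assigned),
    then a request from a device sending no Calling-Station-ID. Returns the pool
    member chosen for each packet."""
    table = UniversalPersistence(["10.10.194.133", "10.10.194.134", "10.10.194.135"])
    nas = socket.inet_aton("10.10.10.1")   # constructed NAD address
    mac = b"00-11-22-33-44-55"             # constructed endpoint MAC
    common = [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, nas), (ATTR_CALLING_STATION_ID, mac)]
    auth = build_packet(ACCESS_REQUEST, 1, common)
    acct = build_packet(ACCOUNTING_REQUEST, 2, common + [(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("192.0.2.10"))])
    no_mac = build_packet(ACCESS_REQUEST, 3, [(ATTR_USER_NAME, b"printer"), (ATTR_NAS_IP_ADDRESS, nas)])
    return (table.select(key_func(parse_avps(auth)), now=0),
            table.select(key_func(parse_avps(acct)), now=30),
            table.select(key_func(parse_avps(no_mac)), now=31))


if __name__ == "__main__":
    print("MAC with NAS-IP fallback:", demo_session(key_mac_then_nas))
    print("MAC:Framed-IP           :", demo_session(key_mac_and_framed_ip))
```

Running it shows the difference between the two keys: with the MAC-only key the Access-Request and the later Accounting-Request land on the same member, while the combined key splits them whenever Framed-IP-Address is absent from the first request and present on the later one, which is the situation described earlier in the thread for the initial request. A packet that carries no Calling-Station-ID gets its own record under the NAS-IP-Address, so all such traffic from one NAD sticks to one member.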
  • If you must support MSCHAP (challenge-response) authentication things get messy.
  • Apparently Datagram LB assumes a single request/response, so additional responses may get dropped or grabbed by a wildcard forwarding virtual server and incorrectly routed (with RADIUS server as source IP).
  • If you disable Datagram LB then persistence is based on the UDP "connection" and not each individual RADIUS packet.
  • It appears that you can get around this issue by setting the UDP profile's idle timeout to "Immediate" and then setting up one or more outbound forwarding virtual servers configured to SNAT using the RADIUS virtual server's IP.

Does anyone have experience with this?

0
Comments on this Answer
Comment made 15-Jan-2015 by iimam 0
I applied the same but I have an issue: RADIUS drops the session.
0
Comments on this Answer
Comment made 20-Dec-2016 by brad 375

Has anyone (Cisco, F5, user) turned this into an iApp?? Seems there are LOTS of clients of Cisco & F5 who are struggling with this same issue of getting ISE to work correctly behind F5 load balancer.

Anything since this posting on the deployment guide? We have been following this (outdated?) guide to update our ISE services on the F5 but to no success.

It is not persisting sessions correctly for accounting and authentication.

Questions such as the setting for the Datagram LB.. should it be disabled (we think it should).

0