Forum Discussion

coda6_52611
Aug 12, 2013

Load Balancing Cisco ACS 5.2

I was wondering if anyone is currently load balancing their Cisco ACS deployment behind a BigIP LTM? I have a basic one-arm config set up to redirect TCP 49 and am using SNAT AutoMap to get the traffic to flow correctly between the VS and the nodes.

The only issue I have is with the use of SNAT we lose the source IP. I could set the gateway of the ACS boxes as the LTM, but I was wondering if anyone else had anything different in place.

 

6 Replies

  • I think that'll work only if you put the LTM in bridge mode between ACS and its proper gateway. That way you can intercept and direct without manipulating L3. RADIUS works with one-arm because of UDP, but with TACACS being TCP-based, you'll break the 3-way handshake if you change the SNAT address to the source IP. Another option would be nPath routing, but I doubt ACS supports it.

     

  • That makes sense. I don't see us being able to move the device behind the LTM, so to speak, since I am dealing with different geographical locations and layer 3 boundaries.

    I really don't want to try nPath...

    Thanks, Jason.

    Ken

     

  • Ken,

    Did you ever figure out a solution for ACS? I'm looking at the same thing.

    Josh

     

  • @Jason,

    I'm sort of confused. Are you saying that this will NOT work if I disable SNAT and configure the ACS server's gateway as the BIG-IP?

    Thanks,

    Josh

     

  • Josh,

    He's saying that the only way to preserve the source IP of an ACS request would be to make the BigIP the default gateway for the ACS servers. Then you wouldn't need SNAT.

    We made load balancing work, I just couldn't use the configuration with SNAT since our security standards require me to keep the source IP of the requestor.

    Ken
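An added example, not posted by anyone in this thread, showing in tmsh the two configurations the original post and Ken's reply describe: the one-arm virtual server on TCP 49 with SNAT automap (no routing changes, but ACS sees the BIG-IP self IP as the client), and the same virtual server with SNAT turned off, which preserves the requester's source IP only when each ACS host's default gateway is the BIG-IP so the TCP replies come back through it. Object names, addresses and the monitor timers are assumptions.

```tmsh
# Added example; object names, addresses and timers are assumptions.
# Assumed: VS 10.1.1.100:49, ACS nodes 10.1.2.11 and 10.1.2.12,
# BIG-IP floating self IP on the ACS VLAN 10.1.2.1.

# TACACS+ is plain TCP/49, so a TCP monitor at least confirms the daemon is listening.
create ltm monitor tcp acs_tcp49 interval 10 timeout 31

create ltm pool acs_tacacs_pool monitor acs_tcp49 members add { 10.1.2.11:49 10.1.2.12:49 }

# Variant A (the original post): one-arm with SNAT automap. ACS replies to the
# self IP, so return traffic reaches the BIG-IP without any routing change,
# but every network device now appears to ACS as 10.1.2.1.
create ltm virtual acs_tacacs_vs destination 10.1.1.100:49 ip-protocol tcp profiles add { tcp } pool acs_tacacs_pool source-address-translation { type automap }

# Variant B (Ken's reply): turn SNAT off so ACS sees the real requester.
# Only valid once each ACS host's default route points at 10.1.2.1; otherwise
# the ACS SYN-ACK bypasses the BIG-IP and the TCP handshake never completes.
modify ltm virtual acs_tacacs_vs source-address-translation { type none }

save sys config

# Check what ACS actually sees: capture server-side traffic toward a pool member.
# With automap the source is the self IP; with type none it is the device's address.
#   tcpdump -ni 0.0 host 10.1.2.11 and tcp port 49
```

Losing the source IP matters beyond logging: ACS looks up the network device entry, and with it the TACACS+ shared secret and device-group policy, by the client's IP address, so with automap every switch and router is matched as the BIG-IP self IP. Variant B needs the BIG-IP in the return path for every ACS node, which is why it does not fit the multi-site, multi-L3-domain layout Ken describes above.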

     

  • Ken,

    Thanks for clarifying. Are you doing anything special with persistence when load balancing TACACS+ requests?

    Thanks!