ISE Load Balancing



How To: Cisco & F5 Deployment Guide: ISE Load Balancing Using BIG-IP


ISE Load Balancing with F5 Deep Dive Session

From Partner Tech Talks - Security Deep Dives


Topic / Description
Presentation: Deploying F5 Load Balancers with Cisco ISE Slides [PDF, 208 slides]

ISE Load Balancing with F5: Components & Load Balancing Concepts (1 of 6)

Covers the F5 BigIP load balancer solution components and terminology, as well as definitions for Active Monitor, iRules, and how persistence works. The section goes on to cover dynamic load balancing, and finishes with the benefits of the joint solution.




ISE Load Balancing with F5: ISE Components / Config Pre-Requisites (2 of 6)

Continues the review and description of the ISE solution components, how ISE nodes communicate with one another, and the various deployment options: single box and distributed deployments. Also discussed are the various scenarios where a load balancer may be used: topology and traffic flows.




ISE Load Balancing with F5: Demo / IP Forwarding / RADIUS (3 of 6)

Deep dive into Cisco ISE solution components. Configuring the F5 BigIP on ISE, Central Web Auth configuration, F5 BigIP configurations for NAT and other scenarios, including persistence configuration. This section also covers specifics on RADIUS: Load Balancing, Attribute, and CoA with respect to F5 LB.




ISE Load Balancing with F5: Scaling Profiling (4 of 6)

Deep dive into load balancing of profiled traffic. This section discusses how to optimize database replication in a load-balanced environment, how profiling information from the endpoint is shared, and how that impacts DB replication.




ISE Load Balancing with F5: Load Balancing Web Services (5 of 6)

Deep dive into the reasons for web service redirection with a load balancer for the Sponsor Portal, My Devices, and Local Web-Auth, where RADIUS is not part of the communication at the beginning.




ISE Load Balancing with F5: Global Load Balancing Considerations / M&T (6 of 6)

This section starts off with Global Load Balancing considerations: the optimal address from a geographical perspective and how the decision is made by F5 GTM. It also covers topologies of multiple load balancers in a local traffic monitor deployment, followed by monitoring and troubleshooting using the ISE M&T nodes.






Cisco Live Breakout Session BRKSEC-3699 on ISE HA/LB

BRKSEC-3699 Designing ISE for Scale & High Availability presented by Craig Hyps : Presentation (PDF) | Reference (PDF)

Includes Working Configs for ACE and F5


General Guidelines

When using a load balancer (anyone's), you must ensure a few things:

  • Each PSN must be reachable by the PAN / MNT directly, without NAT. RADIUS Auth and Accounting traffic from access devices to PSNs should also pass through the LB without NAT.
  • Each PSN must also be reachable directly from the clients, for redirections / CWA / Posture, etc.
  • You may want to generate PSN certs that include the VIP FQDN in the SAN field.
  • Perform sticky (a.k.a. persistence) based on Calling-Station-ID and optionally NAS-IP-Address or Framed-IP-Address.
  • The VIP gets listed as the RADIUS server on each NAD for all 802.1X-related AAA.
  • Each PSN gets listed individually in the Dynamic-Authorization (CoA) configuration. Use the real IP address of the PSN, not the VIP, unless SNAT for CoA traffic is configured (the UDP/1700 traffic initiated by the PSN, NOT the RADIUS traffic initiated by NADs to the PSN).
  • The load balancer(s) get listed as NADs in ISE so their test authentications may be answered.
  • ISE uses the Layer-3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is the reason not to use SNAT for inbound RADIUS traffic.
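
The persistence guideline above, sketched in Python as an added example (not code from this page, Cisco, or F5): it parses a RADIUS packet, derives the sticky key from Calling-Station-ID with the MAC format normalized, and pins that key to a PSN. The fallback order (Framed-IP-Address, then NAS-IP-Address), the round-robin choice for new keys, the function names, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import re
import struct

# RADIUS attribute types (RFC 2865)
NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 4, 8, 31

def radius_attrs(packet: bytes) -> dict:
    """Parse the attribute TLVs that follow the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # keep first instance
        pos += alen
    return attrs

def persistence_key(packet: bytes) -> str:
    """Sticky key: Calling-Station-ID, else (assumed order) Framed-IP, NAS-IP."""
    attrs = radius_attrs(packet)
    csid = attrs.get(CALLING_STATION_ID)
    if csid:
        text = csid.decode("ascii", "replace")
        mac = re.sub(r"[^0-9A-Fa-f]", "", text)
        # NADs format MACs differently; normalize so one endpoint maps to one key
        return "mac:" + mac.lower() if len(mac) == 12 else "csid:" + text
    for atype, label in ((FRAMED_IP_ADDRESS, "framed"), (NAS_IP_ADDRESS, "nas")):
        if len(attrs.get(atype, b"")) == 4:
            return f"{label}:{ipaddress.IPv4Address(attrs[atype])}"
    raise ValueError("no persistence attribute present")

def pick_psn(packet: bytes, table: dict, pool: list) -> str:
    """Reuse the PSN pinned to this key; round-robin (assumed) for new keys."""
    return table.setdefault(persistence_key(packet), pool[len(table) % len(pool)])

def build_packet(code: int, attrs: list) -> bytes:
    """Build constructed sample traffic: header, zeroed authenticator, TLVs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, 1, 20 + len(body), b"") + body

# Constructed samples: Access-Request (1) and Accounting-Request (4), same endpoint
AUTH = build_packet(1, [(4, bytes([10, 1, 1, 1])), (31, b"00-11-22-AA-BB-CC")])
ACCT = build_packet(4, [(4, bytes([10, 1, 1, 1])), (31, b"0011.22aa.bbcc")])
```

Both sample packets reduce to the same key even though the MAC is formatted differently, so authentication and accounting for one endpoint stay on the same PSN.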



Sample Configurations


Cisco ACE




Citrix NetScaler