Load balancing CWA to Aruba Controller

Arne Bier
VIP

Hi

The F5/Cisco interworking has been well documented and we have applied all the concepts from BRK-3699 and the famous Cisco/F5 document.

I am faced with integrating an Aruba 7210 Controller into my ISE deployment, that needs to provide access to the same Sponsored Guest access solution that we have built around the Cisco WLC and F5.  I am having a hard time wrapping my head around how Aruba does things with its static URL redirection etc.  But before I even get to that point, our F5 guys have to change the iRules to allow the Aruba RADIUS traffic through the Virtual Server, since the current virtual server expects to see the Cisco AuditSessionID.

The F5 is currently configured to create persistence based on the AuditSessionID because we want to persist across re-authentications - this is a great identifier that the F5 can leverage in Accounting Records, and also URL redirects - all with the aim of ensuring a reliable session persistence experience, including re-authentications.

Aruba doesn't support that Cisco VSA.  So I am wondering whether to

  1. Create a new F5 Virtual Server just for the Aruba Controller and use MACaddr&FramedIPaddr for persistence, or
  2. Normalise the logic on the existing F5 Virtual Server to use MACaddr&FramedIPaddr for persistence - but then how does that affect the CWA load balancing logic (i.e. how can F5 determine what PSN the URL request goes to, since it is no longer looking for the AuditSessionID)?  And is it a big deal if you don't persist across re-authentications?

Has anyone out there deployed Aruba Controllers across more than one PSN behind an F5 firewall for load balancing?

  • Radius traffic (Auth and Acct)
  • Web Services (CWA)

I would like to see the Aruba configuration for that situation, since, from what I have read/seen, the static External Captive Portal URL is hard coded with an IP address - and this surely cannot scale beyond one PSN???!!!

Any guidance appreciated.

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

In general I discourage the use of the session ID since NADs, particularly wireless, often change the session ID or new sessions get triggered from roaming.  This will cause a thrash on the backend as PSNs must address the potential replication requirements and change of ownerships.  In other words, a given client can trigger many different session IDs over time and will consequently be load balanced across many different PSNs.  For this reason I typically advocate Calling Station ID for persistence since same client will hit same PSN regardless of the session ID triggered (or not) by the Cisco or 3rd-party NAD.

One option that would work across different NADs is to persist RADIUS on Calling Station ID and to add the Framed-IP to the persistence/sticky table, then load balance HTTP based on source IP.  Example config provided here: F5 LTM loadbalancing Radius and HTTP traffic for ISE - Cisco

This will allow HTTP traffic to be sent to same PSN as used for RADIUS.

/Craig
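As an added illustration of the persistence scheme Craig describes (this is not code from the thread or from the linked Cisco document), the following Python model stands in for an LTM pool with a universal persistence table: RADIUS packets are persisted on a normalized Calling-Station-Id, the Framed-IP-Address learned from accounting is written to the same entry, and portal (HTTP) requests are steered by client source IP. PSN names, MAC addresses, IP addresses and session IDs are constructed sample values. A real deployment would express this logic as an iRule on the F5, which the model does not attempt to reproduce.

```python
"""Model of Calling-Station-Id + Framed-IP persistence for ISE behind a
load balancer.  Added example; not F5 iRule code.  All MACs, IPs, session
IDs and PSN names below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


def normalize_mac(calling_station_id: str) -> str:
    """Collapse the MAC formats different NADs send in Calling-Station-Id
    ('00-11-22-33-44-55', '00:11:22:33:44:55', '0011.2233.4455') into
    lowercase hex so one client always yields one persistence key."""
    return re.sub(r"[^0-9a-f]", "", calling_station_id.lower())


@dataclass
class PersistenceLB:
    """Minimal stand-in for a pool with a universal persistence table.

    Keys are either a normalized Calling-Station-Id (set on any RADIUS
    packet) or a Framed-IP-Address (added when accounting carries one);
    both point at the same PSN.
    """
    psns: list[str]
    table: dict[str, str] = field(default_factory=dict)
    _next: int = 0

    def round_robin(self) -> str:
        """Plain round robin for clients with no persistence entry yet."""
        psn = self.psns[self._next % len(self.psns)]
        self._next += 1
        return psn

    def radius(self, attrs: dict[str, str]) -> str:
        """Access-Request or Accounting-Request: persist on the MAC, not on
        any session ID, so re-authentications stay on the same PSN."""
        key = normalize_mac(attrs["Calling-Station-Id"])
        psn = self.table.get(key)
        if psn is None:
            psn = self.round_robin()
            self.table[key] = psn
        # Accounting with Framed-IP-Address links the client's IP to the
        # same PSN so the later portal request can be matched to it.
        ip = attrs.get("Framed-IP-Address")
        if ip:
            self.table[ip] = psn
        return psn

    def http(self, client_ip: str) -> str:
        """Guest/CWA portal request: look up the client's source IP."""
        psn = self.table.get(client_ip)
        if psn is None:
            # No accounting seen for this IP (accounting dropped, client
            # behind NAT, ...): nothing to persist on, fall back to round robin.
            psn = self.round_robin()
        return psn


def scenario() -> dict[str, str]:
    """Walk a constructed Cisco client and a constructed Aruba client
    through auth, accounting, portal access and re-authentication."""
    lb = PersistenceLB(psns=["psn1", "psn2", "psn3"])
    out: dict[str, str] = {}
    # Cisco WLC style: hyphenated MAC plus an audit-session-id VSA, which the
    # persistence logic deliberately ignores.
    out["cisco_auth"] = lb.radius({"Calling-Station-Id": "AA-BB-CC-DD-EE-01",
                                   "Cisco-AVPair": "audit-session-id=0a0a0a0a00000001"})
    out["cisco_acct"] = lb.radius({"Calling-Station-Id": "AA-BB-CC-DD-EE-01",
                                   "Acct-Status-Type": "Start",
                                   "Framed-IP-Address": "10.1.1.50"})
    out["cisco_http"] = lb.http("10.1.1.50")
    # Re-authentication: new session ID, same MAC, same PSN.
    out["cisco_reauth"] = lb.radius({"Calling-Station-Id": "aa-bb-cc-dd-ee-01",
                                     "Cisco-AVPair": "audit-session-id=0a0a0a0a00000002"})
    # Third-party controller: colon-separated MAC and no Cisco VSA at all.
    out["aruba_auth"] = lb.radius({"Calling-Station-Id": "aa:bb:cc:dd:ee:02"})
    out["aruba_acct"] = lb.radius({"Calling-Station-Id": "aa:bb:cc:dd:ee:02",
                                   "Acct-Status-Type": "Interim-Update",
                                   "Framed-IP-Address": "10.2.2.7"})
    out["aruba_http"] = lb.http("10.2.2.7")
    # Portal hit from an IP the balancer never saw in accounting.
    out["unknown_http"] = lb.http("10.9.9.9")
    return out


def session_id_thrash() -> list[str]:
    """The same client keyed on session ID instead: every new session ID is
    a miss and lands on a different PSN, which is the thrash described above."""
    lb = PersistenceLB(psns=["psn1", "psn2", "psn3"])
    hits = []
    for sid in ("0a0a0a0a00000001", "0a0a0a0a00000002", "0a0a0a0a00000003"):
        psn = lb.table.get(sid)
        if psn is None:
            psn = lb.round_robin()
            lb.table[sid] = psn
        hits.append(psn)
    return hits


if __name__ == "__main__":
    for step, psn in scenario().items():
        print(f"{step:14s} -> {psn}")
    print("session-id keyed:", session_id_thrash())
```

Two points the model makes visible: the MAC is normalized before it is used as a key, because Cisco and third-party NADs do not format Calling-Station-Id the same way; and the HTTP lookup only works if the accounting packet carrying Framed-IP-Address actually passes through the same virtual server, so a missing sticky entry degrades to plain round robin rather than to a failure.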

