ISE 1.3 F5-ISE Load Balancing
Deep Dive
• Craig Hyps, Cisco Systems, Senior Technical Marketing Engineer
• Faraz Siddiqui, F5 Networks, Solution Architect
Introducing F5 BIG-IP and Cisco ISE Solution Components
Joint Solution Overview – Deployment Model, Topology, and Traffic Flow
Configuration Prerequisites (Starting Point for LB Deployment)
Forwarding Non-LB Traffic
Load Balancing RADIUS
Load Balancing Profiling Services
Load Balancing Web Services
Global Load Balancing Considerations
Monitoring and Troubleshooting
Summary
Cisco Confidential 3 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
F5 BIG-IP Solution Components
[Figure: F5 BIG-IP product line ("Good, Better, Best" platforms). Physical appliances: 2000 series*, 4000 series, 5000 series, 7000 series, 10000 series, 11000 series; VIPRION chassis: 2400, 4480, 4800; throughput tiers labelled 25M, 200M, 1Gbps, 3Gbps and 5Gbps.]
Physical: F5 physical ADCs
High-performance with specialized and dedicated hardware.
Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and DoS mitigation
• An all-F5 solution: integrated HW+SW
• Edge and front-door services
• Purpose-built isolation for application delivery
Hybrid: Physical + virtual = hybrid ADC infrastructure
Ultimate flexibility and performance.
Hybrid ADC is best for:
• Transitioning from physical to virtual, and from private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
Virtual: F5 virtual editions
Provide flexible deployment options for virtual environments and the cloud.
Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application- or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments
Understanding F5 BIG-IP Components
BIG-IP: BIG-IP is the name of the platform produced by F5 that provides Application Delivery Controller (ADC) functionality. F5 BIG-IP is offered in virtual edition, appliance, or chassis form factors.
LTM: LTM is the Local Traffic Manager, a licensed software module that runs inside an F5 BIG-IP. LTM handles the server load balancing function.
Virtual Server: A virtual server is the traffic management object on the BIG-IP system, represented by an IP address and a service (port). The VIP is configured on the virtual server.
BIG-IP LTM Components: Nodes
A node is a physical or logical (for example, VMware) server in the internal network. A node is represented by its IP address.
[Figure: four nodes, 172.20.10.1 through 172.20.10.4]
BIG-IP LTM Components: Pool Members
A pool member is a service running on a node, represented by the IP address of the node and the service (port) number. A node can host multiple pool members.
[Figure: nodes 172.20.10.1 through 172.20.10.4 hosting pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443 and 172.20.10.3:80]
BIG-IP LTM Components: Pools
A pool is a logical grouping of pool members that represents an application. Each pool has its own load balancing method. A node can be a member of multiple pools.
[Figure: nodes 172.20.10.1 through 172.20.10.4 with pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:8080, 172.20.10.3:443 and 172.20.10.4:443 grouped into pools]
BIG-IP LTM Components: Virtual Servers
A virtual server is an IP address and service (port) combination that listens for client requests, for example 10.2.2.100:80, 10.2.2.100:443 or 10.2.2.225:8080. Each virtual server uniquely processes the client requests that match its IP address and port, and then directs the traffic, usually to an application pool. The virtual server translates the destination IP address and port to those of the selected pool member.
NOTE: BIG-IP LTM is a default-deny device; the virtual server is the most common way to allow client requests to pass through.
NOTE: Multiple virtual servers can reference the same pools, pool members, and/or nodes.
Monitors
• A monitor is a test of a specific application, for an expected response, within a given time.
• All BIG-IP monitors have two things in common:
  • Interval: the time between each check
  • Timeout: the time within which a successful check must be received before BIG-IP marks the node as unavailable
• BIG-IP LTM can use composite monitors, so it can apply multiple checks to a member
  • It can require all or only some of the monitors to pass when determining member status
• Monitors can also use reverse logic (a matching response marks the member down)
[Figure: monitors probing nodes 172.20.10.1 through 172.20.10.4 and pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:8080, 172.20.10.3:443 and 172.20.10.4:443]
How Active Monitors Work
Monitors check the status of a pool member or node on an ongoing basis, at a set interval ("Are you up?"). If a pool member or node being monitored does not respond within the configured timeout, BIG-IP LTM marks it offline. BIG-IP LTM continues to direct traffic to the remaining pool members while continuing to monitor the offline pool member or node. When the pool member or node responds again, BIG-IP LTM marks it as available and starts directing traffic to it.
[Figure: virtual servers 10.2.2.100:80 and 10.2.2.100:443 in front of the monitored pool members]
What are iRules?
• The programming language integrated into the TMOS® architecture
• iRules work at wire speed
• Based on the industry-standard Tool Command Language (Tcl)
• Provide the ability to intercept, inspect, transform, direct, and track inbound or outbound application traffic
• Core of the F5 “secret sauce” and key
How do iRules Work?
• Respond to events, such as HTTP_REQUEST, HTTP_RESPONSE and CLIENT_ACCEPTED
• Enable you to perform deep packet inspection (entire header and payload)
• Provide a full scripting language that enables bidirectional and granular control of inspection, alteration, and delivery of application traffic on a packet-by-packet basis
[Figure: a request enters BIG-IP, the HTTP_REQUEST event fires and the iRule is triggered, and a modified request is sent to the server; the server's response fires HTTP_RESPONSE, the iRule is triggered again, and a modified response is returned to the client]
Note: The bi-directional proxy capabilities of BIG-IP LTM enable it to inspect, modify, and route traffic at nearly any point in the traffic flow, regardless of direction.
Key Elements of an iRule
when HTTP_REQUEST {
    if {[HTTP::host] ends_with "bob.com"} {
        pool http_pool1
    }
}
• Event declarations (when HTTP_REQUEST) define when the code executes; every iRule has an event
• Operators (ends_with) define under which conditions BIG-IP LTM performs an action
• Commands (HTTP::host, pool) read from or act on the traffic
iRules Events
• Events are actions that trigger the processing of the iRule
• Examples: HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED, LB_FAILED
Persistence
• Persistence directs a client back to the same server after the initial load balancing decision has been made
  • Is required for stateful applications, such as e-commerce shopping carts
  • May skew load balancing statistics
• Universal Persistence: iRules can create persistence records based on anything in the client's request
RADIUS Persistence
Using persistence profiles:
• Persist attribute
• Default persistence profile
• Fallback persistence profile
Using iRules for RADIUS persistence:
• iRules are the crucial pillar behind the operational and configuration flexibility needed to load balance any device, in this case Cisco ISE.
• Cisco ISE requires that RADIUS Authentication and Authorization traffic for an endpoint be delivered to a single PSN, including the additional RADIUS transactions that may occur during the initial connection phase, such as re-authentication following CoA.
• It is advantageous for this persistence to continue after initial session establishment, so that re-authentications can leverage the EAP Session Resume and Fast Reconnect cache on the PSN.
BIG-IP Listeners and Traffic Flow
How does traffic enter a BIG-IP? By routing to a listener on the BIG-IP. Listeners are:
• Self IPs
• SNATs
• NATs
• Virtual servers
[Figure: external VLAN facing the Internet with self IP 10.2.2.1, virtual server 10.2.2.100:80, and a NAT of 10.2.2.50 to 192.168.4.8]
Packet Processing Priority
1. Existing connection in connection table
2. Packet filter rule
3. Virtual server
4. SNAT
5. NAT
6. Self IP
7. Drop
Load Balancing
• A load balancing method is an algorithm or formula used to determine which pool member to send traffic to
• Load balancing is connection based
• Static load balancing methods distribute connections in a fixed manner
  • Round Robin (RR)
  • Ratio (Weighted Round Robin): distributes in a RR fashion among the members/nodes whose ratio has not yet been met
• Dynamic load balancing methods take into account one or more factors, such as the current connection count
• It is important to experiment with different load balancing methods and select the one that offers the best performance in your particular environment
Dynamic Load Balancing Methods
• Least Connections
  • Fewest L4 connections at the moment the load balancing decision is made
  • Recommended when servers have similar capabilities
  • Very commonly used
• Fastest
  • Balances based upon the number of outstanding L7 requests, and then L4 connections
  • Requires an L7 profile on the virtual server, otherwise it is just Least Connections
  • Recommended when servers have similar capabilities
• Observed
  • Calculates a ratio each second based on the number of L4 connections
Load Balancing a Service (Member)
In this example, the HTTP pool (http_pool) is configured with the Least Connections (member) method. With each new client request from the Internet (client 18.200.150.10) to virtual server 10.2.2.100:80, BIG-IP LTM verifies which pool member has the fewest active connections and directs the request to that pool member.
[Figure: nodes 172.20.10.1, 172.20.10.2 and 172.20.10.3 with pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:8080 and 172.20.10.3:443 grouped into http_pool and secure_pool; current per-member connection counts shown in red: 45, 42, 36, 22, 12]
Load Balancing an IP Address (Node)
In this example, the HTTP pool is configured with the Least Connections (node) method. With each new client request, BIG-IP LTM verifies which node has the fewest active connections and directs the request to that node. This takes into account all services running on the node, not only the members of the pool being load balanced.
[Figure: the same nodes and pool members as above, with per-member connection counts 45, 42, 36, 22, 12 and per-node totals 45, 54, 58]
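To make the difference between the two methods concrete, here is an added Python example (not code from the deck, and not how BIG-IP implements the methods internally) that applies Least Connections (member) and Least Connections (node) to the pools, members and counts in the two figures above. The per-node totals 45, 54 and 58 fix the count on 172.20.10.1 and the pairs on the other two nodes, but which of 42/12 and 36/22 belongs to which port is an assumption, as is the tie-break (first listed member wins).

```python
"""Least Connections (member) vs Least Connections (node) on the deck's figure.
Added example; pool/member names follow the slides, the split of the 54 and 58
node totals across ports is assumed."""
import copy
from collections import defaultdict

# Constructed state: pool -> {member: active L4 connections}.
POOLS = {
    "http_pool":   {"172.20.10.1:80": 45, "172.20.10.2:80": 42, "172.20.10.3:8080": 36},
    "secure_pool": {"172.20.10.2:443": 12, "172.20.10.3:443": 22},
}

def node_of(member):
    """A pool member is node_ip:port; the node is the IP part."""
    return member.rsplit(":", 1)[0]

def node_connections(pools):
    """Sum the active connections of every member on each node, across all pools."""
    totals = defaultdict(int)
    for members in pools.values():
        for member, count in members.items():
            totals[node_of(member)] += count
    return dict(totals)

def least_connections_member(pools, pool_name):
    """Member with the fewest connections within the pool (tie: first listed)."""
    members = pools[pool_name]
    return min(members, key=lambda m: (members[m], list(members).index(m)))

def least_connections_node(pools, pool_name):
    """Member whose *node* has the fewest connections across all its services."""
    totals = node_connections(pools)
    members = pools[pool_name]
    return min(members, key=lambda m: (totals[node_of(m)], list(members).index(m)))

def pick(pools, pool_name, method):
    """Choose by method name and account the new connection, so repeated picks rebalance."""
    chooser = {"member": least_connections_member, "node": least_connections_node}[method]
    chosen = chooser(pools, pool_name)
    pools[pool_name][chosen] += 1
    return chosen

def simulate(pool_name, method, requests, pools=None):
    """Run successive picks against a private copy of the state and return the choices."""
    state = copy.deepcopy(POOLS if pools is None else pools)
    return [pick(state, pool_name, method) for _ in range(requests)]

if __name__ == "__main__":
    print("node totals:", node_connections(POOLS))
    print("member method, 7 requests:", simulate("http_pool", "member", 7))
    print("node method, 11 requests: ", simulate("http_pool", "node", 11))
```

With the member method the first request goes to 172.20.10.3:8080 (36 connections); with the node method it goes to 172.20.10.1:80, because the secure_pool members on nodes .2 and .3 push those nodes to 54 and 58 even though their http_pool members are the least loaded. The simulation keeps choosing node .1 until its total catches up with node .2.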
Pool Failure Mechanisms
• Fallback Host (for HTTP and HTTPS applications)
  • Is the server of last resort if all pool members are unavailable
  • Returns an HTTP redirect (HTTP 302) to the client
  • Configured in the HTTP profile; the fallback host is not monitored
• Priority Group Activation
  • Can dynamically pull new members into the pool
  • Pulls lower priority groups in to back up higher priority groups
  • Pulls in all members of a priority group together
[Figure: web_pool and ftp_pool, each with primary members at Priority = 5 and backup servers running WWW and FTP at Priority = 1; activation thresholds of fewer than 2 and fewer than 3 available members]
F5 BIG-IP and Cisco ISE
F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that incorporates many advanced security and traffic optimization features. Integrating F5 BIG-IP load balancing solutions with ISE can:
• Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and availability
• Provide Bring Your Own Device (BYOD) endpoint scalability
• Deliver customizable policies for identity management of enterprise users and user devices
• Offer the flexibility of iRules to maintain persistence profiles of Wi-Fi users
• Implement health monitor probes with BIG-IP LTM for health checks of Cisco ISE servers
References
• BIG-IP LTM Product Overview: http://www.f5.com/pdf/products/big-ip-local-traffic-manager-overview.pdf
• BIG-IP LTM Configuration Guide: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html
• BIG-IP LTM Support forum: https://support.f5.com/kb/en-us/products/big-ip_ltm.html
• DevCentral Forum: https://devcentral.f5.com/
• iRules on F5 DevCentral: https://devcentral.f5.com/wiki/irules.ltmmaintenancepage.ashx
• F5 University – LTM Training: https://login.f5.com/resource/login.jsp?ctx=719748&referral=university
DevCentral F5 User Community
Over 105,000 Members in 191 Countries and Growing!
• References: Wikis, API/SDK Documentation
• Resources: Sample Code, Tech Tips, Forums, Podcasts, Blogs
• Tools and Frameworks: iRule Editor, iControl SDK (.NET, Java, Python, PowerShell, ...), VMware vSphere Management Plug-in
Cisco ISE Solution Components
Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control
[Figure: Cisco® ISE takes identity and context (who, what, where, when, how) from wired, wireless and VPN access for virtual machine clients, IP devices, guests, employees and remote users, and applies business-relevant policies based on security policy attributes]
ISE Node Types
Policy Service Node (PSN)
– Makes policy decisions
– RADIUS server; provides endpoint/user services
Policy Administration Node (PAN)
– Interface to configure policies and manage the ISE deployment
– Writeable access to the database
Monitoring & Troubleshooting Node (MnT)
– Interface to reporting and logging
– Destination for syslog from other ISE nodes and NADs
Inline Posture Node (IPN)
– Enforces posture policy for legacy or 3rd-party NADs
ISE Communications
[Figure: the Network Access Device (access-layer device, enforcement point for all policy) sends RADIUS requests to the PSN, receives the RADIUS reply from the PSN, and sends RADIUS Accounting to the PSN. The Policy Service Node is the "work-horse": RADIUS, Profiling, WebAuth, Posture, Sponsor Portal, Client Provisioning; it queries the external database directly. The Policy Administration Node handles all management UI activities and synchronizes all ISE nodes (policy sync to PSNs). Both the PSN and the NAD send syslog to the Monitoring and Troubleshooting node, which holds the logging and reporting data. Users connect through the NAD; admins connect to the PAN.]
Example ISE Deployment
[Figure: Data Center A and DC B each host Admin (P) / Admin (S), Monitor (P) / Monitor (S), a Policy Services cluster of PSNs, HA Inline Posture Nodes and an AD/LDAP external ID/attribute store; Branch A and Branch B run distributed Policy Services. NADs include 802.1X switches, 802.1X WLCs with APs, a non-CoA WLC and an ASA VPN.]
Scaling by Deployment, Platform, and Persona
Max Concurrent Endpoint Counts by Deployment Model and Platform

Deployment Model                              Platform                Max # Endpoints    Max # Dedicated
                                                                      per Deployment     PSNs
Standalone (all personas on same node)        33xx                    2,000              0
(2 nodes redundant)                           3415                    5,000              0
                                              3495                    10,000             0
Admin + MnT on same node; dedicated PSNs      3355 as Admin+MnT       5,000              5
(minimum 4 nodes redundant)                   3395 as Admin+MnT       10,000             5
                                              3415 as Admin+MnT       5,000              5
                                              3495 as Admin+MnT       10,000             5
Dedicated Admin and MnT nodes                 3395 as Admin and MnT   100,000            40
(minimum 6 nodes redundant)                   3495 as Admin and MnT   250,000            40

Scaling per PSN (dedicated Policy nodes; max endpoints gated by total deployment size)

Platform     Max # Endpoints per PSN
ISE-3315     3,000
ISE-3355     6,000
ISE-3395     10,000
Joint Solution Overview – Deployment Model, Topology, and Traffic Flow
Scaling RADIUS, Web, and Profiling with BIG-IP LTM
• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access devices send RADIUS AAA requests to the LB virtual IP.
[Figure: Network Access Devices send to the virtual IP on the F5 BIG-IP LTM load balancers, which distribute to a cluster of ISE PSNs (RADIUS servers)]
Scaling Global Sponsor / MyDevices with BIG-IP GTM
• Use Global Load Balancing (GTM) to direct traffic to the closest VIP.
• Local Web Load Balancing (LTM) distributes each request to a single PSN.
• Load balancing simplifies and scales ISE Web Portal Services.
[Figure: the DNS server for domain COMPANY.COM returns, for SPONSOR and MYDEVICES, the VIPs 10.1.0.100, 10.2.0.100 and 10.3.0.100 via F5 BIG-IP GTM (global LB). Behind each VIP an F5 BIG-IP LTM (local LB) fronts three PSNs: ISE-PSN-1/2/3 at 10.1.1.1-10.1.1.3, ISE-PSN-4/5/6 at 10.2.1.4-10.2.1.6, ISE-PSN-7/8/9 at 10.3.1.7-10.3.1.9; PAN and MnT pairs sit in the data centers.]
Load Balancing ISE Policy Services
• RADIUS Authentication and Accounting Services: packets sent to the LB virtual IP are load balanced to a real PSN based on the configured algorithm. The sticky (persistence) method determines how the same Policy Service node is made to service the same endpoint.
• URL-Redirected Services (Posture (CPP) / MDM / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) / Device Registration WebAuth (DRW) / Hotspot): no LB required! The PSN that terminates RADIUS returns a URL Redirect with its own certificate CN name substituted for the 'ip' variable in the URL.
• Direct HTTP/S Services (Local WebAuth (LWA) / Sponsor Portal / MyDevices Portal): a single web portal domain name should resolve to the LB virtual IP for HTTP/S load balancing.
• Profiling Services (DHCP Helper / SNMP Traps / NetFlow / RADIUS): the LB VIP is the target for one-way profile data (no response required). The VIP can be the same as or different from the one used by the RADIUS LB; the real server interface can be the same as or different from the one used by RADIUS.
Load Balancing RADIUS: Sample Flow
[Figure: the access device on VLAN 98 (10.1.98.0/24) sends RADIUS AUTH and ACCTG requests to VIP 10.1.98.8 on the F5 LTM; the PSN-CLUSTER members ISE-PSN-1/2/3 sit at 10.1.99.5/6/7 on VLAN 99 (10.1.99.0/24); the responses come back from 10.1.99.7]
1. The NAD has a single RADIUS server defined (10.1.98.8): radius-server host 10.1.98.8
2. RADIUS Auth requests are sent to VIP 10.1.98.8.
3. Requests for the same endpoint are load balanced to the same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address.
4. The RADIUS response is received from real server ise-psn-3 @ 10.1.99.7.
5. RADIUS Accounting is sent to/from the same PSN based on the sticky.
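The sticky decision in steps 3 and 5 above, and the persistence requirement described under "Using iRules for RADIUS Persistence", as an added Python example (not from the deck; on the BIG-IP itself this logic is written as an iRule that reads the attributes with the RADIUS::avp command and creates a universal persistence record). The PSN addresses are the ones in this flow; the RADIUS datagrams, the NAS address and the endpoint MACs are constructed for the example.

```python
"""RADIUS persistence key as the ISE/F5 design describes it: prefer
Calling-Station-Id (attribute 31), then Framed-IP-Address (attribute 8),
otherwise the NAS source address, so Access-Requests, re-authentications after
CoA and Accounting-Requests for one endpoint all reach the same PSN.
Added example, not F5 or Cisco code."""
import os
import socket
import struct
from collections import Counter

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
FRAMED_IP_ADDRESS, CALLING_STATION_ID = 8, 31
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator

def build_radius(code, identifier, attrs):
    """Encode a minimal RFC 2865/2866 datagram: header + type/length/value attributes.
    The authenticator is random filler here; real packets derive it per the RFC."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return HEADER.pack(code, identifier, HEADER.size + len(body), os.urandom(16)) + body

def parse_radius(pkt):
    """Return (code, {type: [values]}). Length mismatches and malformed attributes
    raise instead of being guessed at: a key derived from a truncated packet would
    silently land the endpoint on a different PSN."""
    if len(pkt) < HEADER.size:
        raise ValueError("short RADIUS header")
    code, _ident, length, _auth = HEADER.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match datagram")
    attrs, pos = {}, HEADER.size
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def sticky_key(pkt, nas_ip):
    """Persistence key in the deck's order of preference."""
    _code, attrs = parse_radius(pkt)
    if CALLING_STATION_ID in attrs:
        # NADs format the MAC differently (case, '-' vs '.'); normalise so they all match.
        raw = attrs[CALLING_STATION_ID][0].decode("ascii", "replace").lower()
        return "csid:" + "".join(ch for ch in raw if ch in "0123456789abcdef")
    if FRAMED_IP_ADDRESS in attrs:
        return "fip:" + socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS][0])
    return "nas:" + nas_ip

class RadiusPersistentBalancer:
    """Least-loaded PSN for a new key; table lookup for a key already seen."""
    def __init__(self, psns):
        self.psns = list(psns)
        self.table = {}            # sticky key -> PSN
        self.assigned = Counter()  # PSN -> keys assigned (stand-in for a connection count)

    def select(self, pkt, nas_ip):
        key = sticky_key(pkt, nas_ip)
        psn = self.table.get(key)
        if psn is None:
            psn = min(self.psns, key=lambda p: (self.assigned[p], self.psns.index(p)))
            self.table[key] = psn
            self.assigned[psn] += 1
        return psn

def demo():
    """Constructed exchange from NAS 10.1.50.2: endpoint A authenticates, endpoint B
    authenticates, A re-authenticates after CoA with a differently formatted MAC,
    A sends accounting, and a third flow carries only a Framed-IP-Address."""
    lb = RadiusPersistentBalancer(["10.1.99.5", "10.1.99.6", "10.1.99.7"])
    nas = "10.1.50.2"
    a_auth = build_radius(ACCESS_REQUEST, 1, [(CALLING_STATION_ID, b"00-11-22-33-44-55")])
    b_auth = build_radius(ACCESS_REQUEST, 2, [(CALLING_STATION_ID, b"66-77-88-99-AA-BB")])
    a_reauth = build_radius(ACCESS_REQUEST, 3, [(CALLING_STATION_ID, b"0011.2233.4455")])
    a_acct = build_radius(ACCOUNTING_REQUEST, 4, [
        (CALLING_STATION_ID, b"00-11-22-33-44-55"),
        (FRAMED_IP_ADDRESS, socket.inet_aton("10.1.50.100"))])
    c_acct = build_radius(ACCOUNTING_REQUEST, 5,
                          [(FRAMED_IP_ADDRESS, socket.inet_aton("10.1.50.101"))])
    return {"a_auth": lb.select(a_auth, nas), "b_auth": lb.select(b_auth, nas),
            "a_reauth": lb.select(a_reauth, nas), "a_acct": lb.select(a_acct, nas),
            "c_acct": lb.select(c_acct, nas)}

if __name__ == "__main__":
    for step, psn in demo().items():
        print(f"{step:9s} -> {psn}")
```

Endpoint A lands on 10.1.99.5 and stays there for the re-authentication and the accounting packet, even though the re-authentication carries the MAC in Cisco dotted form; endpoint B goes to the next least-loaded PSN. Without the normalisation, the two spellings of A's MAC would produce two persistence records and break the EAP session-resume cache the deck mentions.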
Load Balancing with URL-Redirection: Sample Flow
[Figure: the access device sends RADIUS to psn-cluster.company.com (VIP 10.1.98.8 on the F5 LTM); the PSN-CLUSTER members sit at 10.1.99.5/6/7; the user's browser asks the DNS server for ise-psn-3.company.com and receives 10.1.99.7; the ISE certificate Subject CN = ise-psn-3.company.com]
1. RADIUS Authentication requests are sent to VIP 10.1.98.8.
2. Requests for the same endpoint are load balanced to the same PSN via RADIUS sticky.
3. RADIUS Authorization is received from ise-psn-3 @ 10.1.99.7 with a URL Redirect to https://ise-psn-3.company.com:8443/...
4. The client browser is redirected and resolves the FQDN in the URL to the real server address.
5. The HTTPS response comes from ise-psn-3.company.com directly; the certificate Subject CN matches the FQDN in the redirect URL, so the load balancer is not in this path.
Load Balancing Non-Redirected Web Services: Sample Flow
[Figure: the sponsor's browser asks the DNS server for sponsor.company.com and receives 10.1.98.8; HTTPS goes to https://sponsor.company.com @ VIP 10.1.98.8 on the F5 LTM; the PSN-CLUSTER members sit at 10.1.99.5/6/7; the ISE certificate Subject = ise-psn-3.company.com with SAN = ise-psn-3.company.com, sponsor.company.com]
1. The browser resolves sponsor.company.com to the VIP @ 10.1.98.8.
2. The web request is sent to https://sponsor.company.com @ 10.1.98.8.
3. The LTM load balances the request to a PSN based on IP or HTTP sticky.
4. The HTTPS response is received from ise-psn-3 @ 10.1.99.7.
5. Certificate OK: the certificate SAN includes the FQDN for both sponsor and ise-psn-3, so the requested URL sponsor.company.com matches.
Load Balancing Profiling Services: Sample Flow
[Figure: the user sits behind the access device; the next-hop router with IP helper forwards DHCP both to the DHCP server at 10.1.1.10 and to VIP 10.1.98.8 on the F5 LTM (VLAN 98, 10.1.98.0/24); the PSN-CLUSTER members sit at 10.1.99.5/6/7 (VLAN 99, 10.1.99.0/24)]
1. The client OS sends a DHCP request.
2. The next-hop router with IP helper configured forwards the DHCP request to the real DHCP server (helper IP 10.1.1.10) and to the secondary helper entry = LB VIP (10.1.98.8).
3. The real DHCP server responds and provides the client a valid IP address.
4. The DHCP request sent to the VIP is load balanced to the PSN @ 10.1.99.7 based on source IP sticky (the L3 gateway) or a DHCP field parsed from the request.
High-Level Load Balancing Diagram
[Figure: end user/device, Network Access Device (NAS IP 10.1.50.2), F5 LTM on VLAN 98 (External, 10.1.98.0/24) with VIP 10.1.98.8, and ISE-PSN-1/2/3 at 10.1.99.5/6/7 on VLAN 99 (Internal, 10.1.99.0/24) behind the LB internal address 10.1.99.1. ISE-PAN-1/2, ISE-MNT-1/2, the external logger, AD/LDAP, DNS, NTP, SMTP and MDM sit on the external side.]
• BIG-IP LTM is directly inline between the ISE PSNs and the rest of the network.
• All traffic flows through the load balancer, including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP...
Traffic Flow—Fully Inline: Physical Separation
Physical Network Separation Using Separate LB Interfaces
[Figure: the network switch (10.1.98.2) on VLAN 98 (External) connects to the F5 LTM external self IP 10.1.98.1; the LTM internal self IP 10.1.99.1 on VLAN 99 (Internal) connects to ISE-PSN-1/2/3 at 10.1.99.5/6/7. The NAD (NAS IP 10.1.50.2), ISE-PAN, ISE-MNT, the external logger, AD, LDAP, MDM, DNS, NTP and SMTP are on the external side.]
Fully inline traffic flow is recommended:
• BIG-IP LTM is directly inline between the ISE PSNs and the rest of the network.
• All traffic flows through the LB, including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP...
Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using a Single LB Interface and VLAN Trunking
[Figure: the same topology as the physical separation case (VIP 10.1.98.8; LTM self IPs 10.1.98.1 external and 10.1.99.1 internal; network switch 10.1.98.2; PSNs at 10.1.99.5/6/7; NAS IP 10.1.50.2; ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP and SMTP on the external side), but VLAN 98 (External) and VLAN 99 (Internal) are trunked over a single LTM interface.]
Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
[Figure: the L3 switch (10.1.98.2), the F5 LTM (10.1.98.1, VIP 10.1.98.8) and the PSNs (10.1.98.5/6/7) all share VLAN 98; the NAD (NAS IP 10.1.50.2), ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP and SMTP are reached through the L3 switch.]
• All inbound LB traffic, such as RADIUS, Profiling and directed Web Services, is sent to the LTM VIP.
• Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP...
• All outbound traffic from the PSNs is sent to the LTM as default gateway.
• The LTM must be configured to allow asymmetric traffic.
Generally NOT RECOMMENDED due to traffic flow complexity: you must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.
Partially Inline: Layer 3/Different VLANs (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
[Figure: the L3 switch has 10.1.98.2 on VLAN 98 (External) and 10.1.99.2 on VLAN 99 (Internal); the F5 LTM has 10.1.98.1 (VIP 10.1.98.8) and 10.1.99.1; the PSNs ISE-PSN-1/2/3 sit at 10.1.99.5/6/7; the NAD (NAS IP 10.1.50.2), ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP and SMTP are reached through the L3 switch.]
• All inbound LB traffic, such as RADIUS, Profiling and directed Web Services, is sent to the LTM VIP.
• Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP...
• All outbound traffic from the PSNs is sent to the LTM as default gateway.
• The LTM must be configured to allow asymmetric traffic.
Generally NOT RECOMMENDED due to traffic flow complexity: you must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.
Partially Inline: Multiple PSN Interfaces
Separate PSN Connections to LB and Rest of Network
[Figure: the L3 switch has 10.1.98.2 on VLAN 98 (External), 10.1.99.2 on VLAN 99 (Internal) and 10.1.91.1 on VLAN 91 (Web Portals); the F5 LTM has 10.1.98.1 (VIP 10.1.98.8) and 10.1.99.1; the PSNs ISE-PSN-1/2/3 use 10.1.99.5/6/7 for RADIUS and a second interface at 10.1.91.5/6/7 for web portals; the NAD (NAS IP 10.1.50.2), ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP and SMTP are reached through the L3 switch.]
• All LB traffic is sent to the LTM VIP, including RADIUS, Profiling (except SPAN data) and directed Web Services.
• All traffic initiated by the PSNs is sent to the F5 LTM as global default gateway.
• Redirected Web Services traffic bypasses the LTM.
• For ISE 1.2, SNAT the redirected HTTPS traffic at the L3 switch (recommended).
• ISE 1.3+ supports symmetric traffic responses (set the default gateway per interface).
Fully Inline – Multiple PSN Interfaces
Network Separation Using Separate LB Interfaces
[Figure: the L3 switch (10.1.98.2) on VLAN 98 (External) connects to the F5 LTM at 10.1.98.1 (VIP 10.1.98.8); the LTM also has 10.1.99.1 on VLAN 99 (Internal) and 10.1.91.1 on VLAN 91 (Web Portals); the PSNs ISE-PSN-1/2/3 use 10.1.99.5/6/7 for RADIUS and 10.1.91.5/6/7 for web portals; the NAD (NAS IP 10.1.50.2), ISE-PAN, ISE-MNT, external logger, AD, LDAP, MDM, DNS, NTP and SMTP are on the external side.]
• All traffic is sent to the LTM, including RADIUS, Profiling (except SPAN data) and directed Web Services.
• All traffic initiated by the PSNs is sent to the F5 LTM as global default gateway.
• The LTM sends Web Services traffic to the separate PSN interface.
• For ISE 1.2 (and optionally 1.3), SNAT Web Services at the LTM.
• ISE 1.3+ supports symmetric traffic responses (set the default gateway per interface).
Verify Routing Configuration in Overall Topology
The L3 Switch/Router off the LTM External Interface Must Have a Route to the LTM Internal Network
[Figure: end user/device, Network Access Device (NAS IP 10.1.50.2), network switch, F5 LTM on VLAN 98 (10.1.98.0/24) with VIP 10.1.98.8, and ISE-PSN-1/2/3 at 10.1.99.5/6/7 on VLAN 99 (10.1.99.0/24); ISE-PAN, ISE-MNT, external logger, AD/LDAP, DNS, NTP, SMTP and MDM on the external side. Routing tables drawn in the figure:
  Network      Next Hop
  10.1.99.0/24 10.1.98.2   (switch: route to the LTM internal network via the LTM external self IP)
  0.0.0.0/0    10.1.99.1   (PSNs: default gateway = LTM internal self IP)
  0.0.0.0/0    10.1.98.1   (LTM: default gateway = switch; 10.1.100.1 and 10.1.50.1 are the switch's other gateway addresses, 10.1.100.3 and 10.1.100.4 the PAN/MnT addresses)]
Recommended Software Versions
• F5 BIG-IP LTM: 11.4.1 hotfix HF5 or 11.4.0 hotfix HF6. Additionally, 11.6.0 HF2 incorporates performance enhancements that can improve RADIUS load balancing performance.
Validate Self IP Assignments
Main > Network > Self IPs
Validate Correct VLAN Assignments
Main > Network > VLANs > VLAN List
• Separate physical interfaces example
Verify LTM Routing Configuration
Main > Network > Routes
Optional: Verify LTM High Availability
• F5 BIG-IP LTM supports Active-Standby and Active-Active high availability modes.
• Configuration of LTM high availability is beyond the scope of this session. Refer to F5 product documentation for additional details:
  • Active-Standby configuration: Creating an Active-Standby Configuration Using the Setup Utility
  • Active-Active configuration: Creating an Active-Active Configuration Using the Setup Utility
• When configured for high availability, default gateways and next-hop routes will point to the floating IP address on the F5 appliance.
Configure Node Groups for LB Cluster
All PSNs in the LB Cluster in the Same Node Group
• Administration > System > Deployment
• Node group members can be L2 or L3 adjacent
• Multicast is no longer a requirement in ISE 1.3
1) Create the node group
2) Assign a name (and a multicast address if ISE 1.2)
Load Balancer General RADIUS Guidelines
RADIUS Servers and Clients – Where Defined
[Figure: the access device (NAS IP 10.1.50.2) sends to VIP 10.1.98.8 on the F5 LTM; the LTM internal self IP 10.1.99.1 probes ISE-P SN-1/2/3; ISE-PAN-1 and ISE-MNT-1 sit behind the PSNs]
• On the NAD, the load balancer VIP is the RADIUS server:
  radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port key cisco123
• On the LTM, the PSNs are the RADIUS servers for the health probes. Example LTM RADIUS monitor:
  Name                PSN-Probe
  Type                RADIUS
  Interval            15
  Timeout             46
  User Name           radprobe
  Password            cisco123
  Alias Service Port  1812
• In ISE, the LTM self IP(s) are the RADIUS clients (network devices) for those probes.
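What Interval 15 and Timeout 46 mean for the PSN-Probe above, and for active monitors in general as described under "How Active Monitors Work", as an added Python simulation (not from the deck, and not F5 code: it models the documented interval/timeout behaviour, with the response to a probe assumed to arrive within the same second it is sent). The PSN outage pattern is constructed.

```python
"""Active monitor interval/timeout semantics, simulated. A member goes down when
no successful probe has been seen for `timeout` seconds; with timeout = 3 x
interval + 1 (the deck's 15/46) two lost probes are tolerated and the member is
marked down one second after the third is lost. Added example."""

class ActiveMonitor:
    def __init__(self, interval=15, timeout=46):
        if timeout <= interval:
            raise ValueError("timeout must exceed the interval, or one lost probe marks the member down")
        self.interval, self.timeout = interval, timeout
        self.last_success = None   # time of the last good response
        self.up = False            # a member starts down until its first success
        self.transitions = []      # (time, state) log, like the LTM event log

    def tick(self, now):
        """Timeout timer: down once `timeout` seconds have passed since the last success."""
        if self.up and now - self.last_success >= self.timeout:
            self._set(now, False)

    def record(self, now, responded):
        """Result of the probe sent at `now`; a miss changes nothing until the timer fires."""
        if responded:
            self.last_success = now
            self._set(now, True)

    def _set(self, now, state):
        if state != self.up:
            self.up = state
            self.transitions.append((now, "UP" if state else "DOWN"))

def run(responses, interval=15, timeout=46):
    """responses: {probe_time: bool} describing how the PSN answered each probe.
    Probes are sent every `interval` seconds from t=0; the timer is checked every second."""
    mon = ActiveMonitor(interval, timeout)
    for t in range(max(responses) + 1):
        mon.tick(t)
        if t % interval == 0:
            mon.record(t, responses.get(t, False))
    return mon.transitions

# Constructed scenarios. OUTAGE: the PSN answers at 0, is silent while restarting,
# answers again from 75. LATE_THIRD_PROBE: two probes lost, the third answered.
OUTAGE = {0: True, 15: False, 30: False, 45: False, 60: False, 75: True, 90: True}
LATE_THIRD_PROBE = {0: True, 15: False, 30: False, 45: True}

def demo():
    return {
        "outage_deck_values": run(OUTAGE, 15, 46),
        "third_probe_ok_timeout_46": run(LATE_THIRD_PROBE, 15, 46),
        "third_probe_ok_timeout_45": run(LATE_THIRD_PROBE, 15, 45),
    }

if __name__ == "__main__":
    for name, log in demo().items():
        print(name, log)
```

With the deck's values the PSN is marked down at t=46 (three probes lost at 15, 30 and 45) and back up at 75. The third scenario shows why the "+1" matters: with a timeout of exactly 3 x 15, the timer fires at t=45 in the same second the third probe is answered, so the member flaps DOWN then UP, which in a RADIUS pool means persistence records and in-flight EAP exchanges for that PSN are disturbed for nothing.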
Add LTM(s) as NAD(s) for RADIUS Health Monitoring
ISE Admin Node: Administration > Network Resources > Network Devices
• Configure the Self IP address of the LTM internal interface connected to the PSN RADIUS interfaces (10.1.99.1 in the example).
• Enable Authentication and set the RADIUS shared secret.
[Figure: the F5 LTM at 10.1.99.1 probing ISE-PSN-1/2/3]
Configure Internal User for RADIUS Health Monitoring
Administration > Identity Management > Identities > Users
• This step is optional if you plan to use an external ID store for the health monitoring account; it is still recommended for testing and troubleshooting.
• Authorization for this account should grant no network access: its password is stored in the LTM monitor configuration, so a successful authentication by this user must never map to a usable authorization profile.
Configure DNS and Certs to Support PSN Load Balancing
• Configure a DNS entry for the PSN cluster(s) and assign the VIP IP address. Example: psn-cluster.company.com
• Configure the ISE PSN server certs with a Subject Alternative Name containing the other FQDNs to be used by the LB VIP, or optionally use wildcards (available in ISE 1.2).
Example certificate SAN (one certificate with multiple FQDN values in the SAN):
  ise-psn-1.company.com
  psn-cluster.company.com
  sponsor.company.com
  guest.company.com
Example DNS records (DNS server, domain = COMPANY.COM):
  PSN-CLUSTER  IN  A  10.1.98.8
  SPONSOR      IN  A  10.1.98.8
  MYDEVICES    IN  A  10.1.98.8
  ISE-PSN-1    IN  A  10.1.99.5
  ISE-PSN-2    IN  A  10.1.99.6
  ISE-PSN-3    IN  A  10.1.99.7
ISE Certificate without SAN: Certificate Warning - Name Mismatch
[Figure: the sponsor's browser resolves sponsor.company.com to 10.1.98.8 (the VIP on the F5 LTM), requests http://sponsor.company.com and is redirected to https://sponsor.company.com:8443/sponsorportal, which is served by one of the PSNs at 10.1.99.5/6/7 presenting a certificate with Subject = ise-psn-3.company.com and no SAN]
Name Mismatch! Requested URL = sponsor.company.com; Certificate Subject = ise-psn-3.company.com.
ISE Certificate with SAN: No Certificate Warning
Diagram: same flow (DNS lookup of sponsor.company.com returns 10.1.98.8, the LTM forwards to a PSN at 10.1.99.5/.6/.7, portal at https://sponsor.company.com:8443/sponsorportal), but the ISE certificate has Subject = ise-psn.company.com and SAN = ise-psn-1.company.com, ise-psn-2.company.com, ise-psn-3.company.com, sponsor.company.com.
Certificate OK! Requested URL = sponsor.company.com, Certificate SAN = sponsor.company.com
General Best Practices for Universal Certificates
• Use a common FQDN for the Subject CN. Examples: ise.company.com, aaa.company.com
• If the Subject CN contains an FQDN, add the same FQDN to the SAN.
• Multi-Domain/UCC* Certificate: update the SAN with all FQDNs serviced by the PSN,
  OR
  Wildcard Certificate: update the SAN with the wildcard domain using the syntax *.company.local
• If required for static IP hosting, add IP addresses as both DNS and IP entries (increases device compatibility).
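To make the two certificate diagrams and the best-practice list concrete, here is an added Python check (not part of the deck, and not ISE or F5 code) that reproduces how a client decides between a name mismatch and a clean match, including wildcard SAN syntax and the "add the IP as both DNS and IP entry" advice; the function name `name_matches_cert` and the "IP:" prefix for IP SAN entries are my own conventions.

```python
import ipaddress

def _dns_name_matches(pattern: str, name: str) -> bool:
    """One certificate DNS name vs. the requested FQDN. A wildcard is honoured only
    as the entire left-most label: *.company.com covers sponsor.company.com but
    not a.sponsor.company.com and not company.com itself."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        suffix = pattern[1:]                      # ".company.com"
        left = name[:-len(suffix)] if name.endswith(suffix) else ""
        return left != "" and "." not in left
    return False

def name_matches_cert(requested: str, subject_cn: str, san: tuple = ()) -> str:
    """Return the certificate field that satisfied the requested name, or "" on mismatch.

    Rules follow RFC 6125: DNS SAN entries are authoritative and, when any exist,
    the Subject CN is not consulted (most modern browsers ignore CN entirely).
    SAN entries are plain DNS names or carry an "IP:" prefix (my convention)."""
    dns_sans = [n for n in san if not n.startswith("IP:")]
    ip_sans = [n[3:] for n in san if n.startswith("IP:")]
    try:
        literal = str(ipaddress.ip_address(requested))
    except ValueError:
        literal = None
    if literal is not None:                       # client connected by IP address
        if literal in ip_sans:
            return "IP SAN"
        # Some clients compare the literal against DNS entries instead, which is why
        # the deck recommends adding the address as both a DNS and an IP entry.
        return "DNS SAN (IP literal)" if literal in dns_sans else ""
    if dns_sans:
        return "SAN" if any(_dns_name_matches(n, requested) for n in dns_sans) else ""
    return "CN" if _dns_name_matches(subject_cn, requested) else ""

if __name__ == "__main__":
    # the two diagram cases: CN-only cert vs. cert whose SAN lists sponsor.company.com
    print(name_matches_cert("sponsor.company.com", "ise-psn-3.company.com"))          # ""
    print(name_matches_cert("sponsor.company.com", "ise-psn.company.com",
                            ("ise-psn-3.company.com", "sponsor.company.com")))       # "SAN"
```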
High-Level Load Balancing Diagram
Diagram: End User/Device connects through a Network Access Device (NAS IP: 10.1.50.2); F5 LTM presents VIP 10.1.98.8 on VLAN 98 (10.1.98.0/24) and LB self IP 10.1.99.1 on VLAN 99 (10.1.99.0/24); ISE-PSN-1/2/3 at 10.1.99.5/.6/.7 sit behind the LB. Other nodes and services shown: ISE-PAN-1, ISE-PAN-2, ISE-MNT-1, ISE-MNT-2, External Logger, AD/LDAP, DNS, NTP, SMTP, MDM.
Non-LB Traffic that Requires IP Forwarding
Inter-node/Management/Repository/ID Stores/Feeds/Profiling/Redirected Web/RADIUS CoA
• PAN/MnT node communications
• All management traffic to/from the PSN real IP addresses such as HTTPS, SSH, SNMP, NTP, DNS, SMTP, and Syslog.
• Repository and file management access initiated from the PSN including FTP, SCP, SFTP, TFTP, NFS, HTTP, and HTTPS.
• All external AAA-related traffic to/from the PSN real IP addresses such as AD, LDAP, RSA, external RADIUS servers (token or foreign proxy), and external CA communications (CRL downloads, OCSP checks, SCEP proxy).
• All service-related traffic to/from the PSN real IP addresses such as Posture and Profiler Feed Services, partner MDM integration, pxGrid, and REST/ERS API communications.
• Client traffic to/from PSN real IP addresses resulting from Profiler (NMAP, SNMP queries) and URL-Redirection such as CWA, DRW/Hotspot, MDM, Posture, and Client Provisioning.
Virtual Server to Forward General Inbound IP Traffic
General Properties
• Applies to connections initiated from the outside (external) network
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to a specific network.
• Destination = PSN Network Addresses
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)
Configuration (Advanced)
• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
Virtual Server to Forward General Outbound IP Traffic
General Properties
• Applies to connections initiated from the PSN (internal) network
• Type = Forwarding (IP)
• Source = PSN Network Addresses
• Destination = All traffic (0.0.0.0/0.0.0.0) or limit to a specific network.
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)
Configuration (Advanced)
• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
Inbound IP Forwarding for 2nd PSN Interface
2nd PSN Interface for Web Services
• LTM sends Web Services traffic to a separate PSN interface.
• For ISE 1.2 (and optionally 1.3), LTM can perform SNAT on Web Services traffic.
• ISE 1.3+ supports symmetric traffic responses, so SNAT is not required (set the default gateway per interface).
Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch → F5 LTM → ISE-PSN-1/2/3. Addresses shown: VLAN 98 (External) 10.1.98.1, 10.1.98.2 and VIP 10.1.98.8; VLAN 99 (Internal) 10.1.99.1 with PSN RADIUS interfaces 10.1.99.5/.6/.7; VLAN 91 (Web Portals) 10.1.91.1 with PSN second interfaces 10.1.91.5/.6/.7.
Virtual Server to Forward Inbound Redirected Web Traffic
General Properties
• Applies to connections initiated from URL-redirected clients on the outside (external) network to the 2nd PSN interface
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to specific client networks.
• Destination = PSN Network Addresses for Web Portals
• Service Port = 8443 (configurable). Optionally set the wildcard value 0 for multiple portal ports or services. (NSP and Posture work on port 8905)
Configuration (Advanced)
• Protocol = TCP. Optionally set to * (All Protocols) for multiple services.
• NSP requires TCP/8905, but Posture requires both TCP and UDP/8905.
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• For ISE 1.2, enable SNAT
• For ISE 1.3, SNAT is optional if symmetric traffic routing is enabled (default route per interface).
Policy Service Node Scaling and Redundancy
• NADs can be configured with a sequence of redundant RADIUS servers (PSNs).
• Policy Service nodes can also be configured in a cluster, or “node group”, behind a load balancer. NADs send requests to the LB virtual IP for Policy Services.
• Policy Service nodes in a node group maintain a heartbeat to verify member health.
Diagram: Administration Node (Primary) and Administration Node (Secondary) with Policy Replication between them; a Policy Services Node Group (same multicast domain) of PSNs behind F5 BIG-IP LTM Load Balancers presenting a Virtual IP; Network Access Devices with an AAA connection to that VIP.
N+1 node redundancy assumed to support total endpoints during:
• Unexpected single server outage
• Scheduled server maintenance
Also provides an additional scaling buffer.
Load Balancing RADIUS
Sample Flow
Diagram: NAD (radius-server host 10.1.98.8) on VLAN 98 (10.1.98.0/24); F5 LTM VIP 10.1.98.8; ISE-PSN-1/2/3 at 10.1.99.5/.6/.7 on VLAN 99 (10.1.99.0/24). RADIUS AUTH request to 10.1.98.8, RADIUS AUTH response from 10.1.99.7; RADIUS ACCTG request to 10.1.98.8, RADIUS ACCTG response from 10.1.99.7.
1. NAD has a single RADIUS server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for the same endpoint are load balanced to the same PSN via sticky based on RADIUS Calling-Station-ID, Framed-IP-Address, or NAS-IP-Address
4. RADIUS Auth Response received from real server ise-psn-3 @ 10.1.99.7
5. Successive RADIUS Accounting sent to VIP @ 10.1.98.8
6. RADIUS Accounting Response received from the same PSN based on sticky.
NAT Restrictions for RADIUS Load Balancing
Why Source NAT Fails for NADs
• With SNAT, the LB appears as the Network Access Device (NAD) to the PSN.
• CoA is sent to the wrong IP address: the PSN addresses CoA to the source of the RADIUS request (the LB after SNAT). The NAS-IP-Address attribute is correct, but it is not currently used for CoA.
• SNAT also results in less visibility, as all requests appear sourced from the LB, which makes troubleshooting more difficult.
SNAT of NAD Traffic: Live Log Example
Allow Source NAT for PSN CoA Requests
Simplifying Switch CoA Configuration
• Match traffic from PSNs to UDP/1700 (RADIUS CoA) and translate the source to the PSN cluster VIP (CoA SRC = 10.1.99.5 from ISE-PSN-1 becomes CoA SRC = 10.1.98.8 at the access switch).
• Access switch config:
Before (one dynamic-author client entry per PSN):
aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
 client 10.1.99.8 server-key cisco123
 client 10.1.99.9 server-key cisco123
 client 10.1.99.10 server-key cisco123
 <…one entry per PSN…>
After (single entry for the VIP):
aaa server radius dynamic-author
 client 10.1.98.8 server-key cisco123
Allow NAT for PSN CoA Requests
Simplifying WLC CoA Configuration
• Before: one RADIUS Server entry required per PSN that may send CoA from behind the load balancer.
• After: one RADIUS Server entry required per load balancer VIP.
Load Balancer General NAT Guidelines
To NAT or Not To NAT? That is the Question!
Diagram (User → Access Device NAS IP 10.1.50.2 → F5 LTM VIP 10.1.98.8 / LB 10.1.99.1 → ISE-PSN-1/2/3 at 10.1.99.5/.6/.7; PAN ISE-PAN-1, MnT ISE-MNT-1):
• NAD is Source NATted (SNAT for NAD is BAD!):
  RADIUS AUTH from NAD: NAS-IP = 10.1.50.2, SRC-IP = 10.1.50.2, DST-IP = 10.1.98.8
  RADIUS AUTH after LB SNAT: NAS-IP = 10.1.50.2, SRC-IP = 10.1.99.1, DST-IP = 10.1.99.7
• Remove Source NAT (No NAT):
  RADIUS AUTH: NAS-IP = 10.1.50.2, SRC-IP = 10.1.50.2, DST-IP = 10.1.99.7
• CoA (SNAT for CoA is Okay!):
  RADIUS COA from PSN: SRC-IP = 10.1.99.7, DST-IP = 10.1.50.2
  RADIUS COA after LB SNAT: SRC-IP = 10.1.98.8, DST-IP = 10.1.50.2
Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes
• Common RADIUS Sticky Attributes
  o Client Address: Calling-Station-ID, Framed-IP-Address
  o NAD Address: NAS-IP-Address, Source IP Address
  o Session ID: RADIUS Session ID, Cisco Audit Session ID
• Best Practice Recommendations (depends on LB support and design)
  1. Calling-Station-ID for persistence across NADs and sessions
  2. Source IP or NAS-IP-Address for persistence for all endpoints connected to the same NAD
  3. Audit Session ID for persistence across re-authentications
Diagram: User/Device (Username=jdoe@company.com, MAC Address=00:C0:FF:1A:2B:3C, IP Address=10.1.10.101) → Network Access Device 10.1.50.2 (Session: 00aa…99ff) → F5 LTM VIP 10.1.98.8 → ISE-PSN-1/2/3.
Configuring RADIUS Persistence
• RADIUS Sticky on Calling-Station-ID (client MAC address)
• Simple option, but it does not support advanced logging or other enhanced parsing options available with an iRule
• Profile must be applied to a Standard Virtual Server based on the UDP Protocol
RADIUS Profile Example
ltm profile radius /Common/radiusLB {
    app-service none
    clients none
    persist-avp 31
    subscriber-aware disabled
    subscriber-id-type 3gpp-imsi
}
iRule for RADIUS Persistence Based on Client MAC (1 of 2)
Persistence based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address
• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
• Optional debug logging: enable for troubleshooting only, to reduce processing load
• Configurable persistence timeout based on media type
  o Wireless default = 1 hour (3600 seconds); wired default = 8 hours (28800 seconds)

when CLIENT_DATA {
    # 0: No Debug Logging 1: Debug Logging
    set debug 0
    # Persist timeout (seconds) chosen by NAS-Port-Type (AVP 61); value 19 = Wireless-802.11
    set nas_port_type [RADIUS::avp 61 "integer"]
    if {$nas_port_type equals "19"}{
        set persist_ttl 3600
        if {$debug} {set access_media "Wireless"}
    } else {
        set persist_ttl 28800
        if {$debug} {set access_media "Wired"}
    }
iRule for RADIUS Persistence Based on Client MAC (2 of 2)
    if {[RADIUS::avp 31] ne ""}{
        set mac [RADIUS::avp 31 "string"]
        # Normalize MAC address to upper case
        set mac_up [string toupper $mac]
        persist uie $mac_up $persist_ttl
        if {$debug} {
            set target [persist lookup uie $mac_up]
            log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
        }
    } else {
        # No Calling-Station-Id present: fall back to NAS-IP-Address (AVP 4) as the persistence key
        set nas_ip [RADIUS::avp 4 ip4]
        persist uie $nas_ip $persist_ttl
        if {$debug} {
            set target [persist lookup uie $nas_ip]
            log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
        }
    }
}
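Added example, not from the deck and not F5 code: a Python model of the persistence-key selection the iRule above performs (NAS-Port-Type selects the TTL, Calling-Station-Id is upper-cased, otherwise NAS-IP-Address is used), run over a RADIUS Access-Request constructed inline. `canonical_mac` goes one step beyond the iRule by also stripping separators, which `string toupper` alone does not do when different NADs send different MAC formats.

```python
import ipaddress
import struct

# RADIUS attribute types the iRule reads (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 4, 31, 61
WIRELESS_80211 = 19                       # NAS-Port-Type value tested by the iRule
TTL_WIRELESS, TTL_WIRED = 3600, 28800     # persist_ttl values from the iRule

def parse_avps(packet: bytes) -> dict:
    """Split a RADIUS packet into {attribute_type: raw_value}; first occurrence wins."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    avps, pos = {}, 20                    # 4-byte header + 16-byte authenticator (not validated here)
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        avps.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return avps

def persistence_key(packet: bytes) -> tuple:
    """Return (key, ttl_seconds, media) as the iRule's CLIENT_DATA event selects them."""
    avps = parse_avps(packet)
    port_type = struct.unpack("!I", avps[NAS_PORT_TYPE])[0] if NAS_PORT_TYPE in avps else None
    media, ttl = ("Wireless", TTL_WIRELESS) if port_type == WIRELESS_80211 else ("Wired", TTL_WIRED)
    mac = avps.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    if mac:                               # iRule: [RADIUS::avp 31] ne "" -> string toupper
        return mac.upper(), ttl, media
    nas_ip = str(ipaddress.IPv4Address(avps[NAS_IP_ADDRESS]))
    return nas_ip, ttl, media             # fallback: NAS-IP-Address (AVP 4) as persist id

def canonical_mac(mac: str) -> str:
    """Beyond the iRule: drop separators so 6C-20-56-13-E9-FC, 6c:20:56:13:e9:fc and
    6c20.5613.e9fc (different NAD formats) all map to one persistence key."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    is_mac = len(digits) == 12 and all(c in "0123456789ABCDEF" for c in digits)
    return digits if is_mac else mac.upper()

def build_access_request(avps: list) -> bytes:
    """Constructed Access-Request (code 1, id 0, zeroed authenticator) from (type, bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    # constructed sample mirroring the deck's debug output: wireless user employee1 from NAS 10.1.50.2
    pkt = build_access_request([(USER_NAME, b"employee1"), (CALLING_STATION_ID, b"7c-6d-62-e3-d5-05"),
                                (NAS_IP_ADDRESS, bytes([10, 1, 50, 2])), (NAS_PORT_TYPE, (19).to_bytes(4, "big"))])
    print(persistence_key(pkt))           # ('7C-6D-62-E3-D5-05', 3600, 'Wireless')
```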
iRule for RADIUS Persistence – Sample Debug Output
Sat Sep 27 13:55:43 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=6c205613e9fc MAC=6C-20-56-13-E9-FC Normal MAC=6C-20-56-13-E9-FC MEDIA=Wired TARGET=/Common/radius_auth_pool 10.1.99.6 1812
Sat Sep 27 13:55:40 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=employee1 MAC=7c-6d-62-e3-d5-05 Normal MAC=7C-6D-62-E3-D5-05 MEDIA=Wireless TARGET=/Common/radius_acct_pool 10.1.99.7 1813
Sat Sep 27 13:55:38 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=00-50-56-A0-0B-3A MAC=00-50-56-A0-0B-3A Normal MAC=00-50-56-A0-0B-3A MEDIA=Wired TARGET=
Sat Sep 27 13:55:37 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: No MAC Address found - Using NAS IP as persist id. Username=#ACSACL#-IP-CENTRAL_WEB_AUTH-5334c9a5 NAS IP=10.1.50.2 MEDIA=Wired TARGET=
Ensure NAD Populates RADIUS Attributes
Catalyst Switch Example
Cisco Catalyst IOS Command                               Description
radius-server attribute 8 include-in-access-req          Include Framed-IP-Address (if available) in RADIUS Access Requests
radius-server attribute 31 send nas-port-detail          Include client IP address for remote console (vty) connections to the switch
radius-server attribute 31 mac format ietf upper-case    Set the MAC address format to 00-00-40-96-3E-4A (all upper case letters)