ISE 1.3 F5-ISE Load Balancing Deep Dive

Craig Hyps, Cisco Systems, Senior Technical Marketing Engineer

Faraz Siddiqui, F5 Networks, Solution Architect

Introducing F5 BIG-IP and Cisco ISE Solution Components

Joint Solution Overview – Deployment Model, Topology, and Traffic Flow

Configuration Prerequisites (Starting Point for LB Deployment)

Forwarding Non-LB Traffic

Load Balancing RADIUS

Load Balancing Profiling Services

Load Balancing Web Services

Global Load Balancing Considerations

Monitoring and Troubleshooting

Summary

Cisco Confidential © 2013-2014 Cisco and/or its affiliates. All rights reserved.

F5 BIG-IP Solution Components

F5 BIG-IP Product: Good, Better, Best Platforms

(Figure: platform line-up from the 2000 series*, 4000 series, 5000 Series, 7000 Series, 10000 Series and 11000 Series appliances to the VIPRION 2400, VIPRION 4480 and VIPRION 4800 chassis, with throughput tiers of 25M, 200M, 1Gbps, 3Gbps and 5Gbps.)

Physical: F5 physical ADCs
High-performance with specialized and dedicated hardware
Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and DoS mitigation
• An all F5 solution: integrated HW+SW
• Edge and front door services
• Purpose-built isolation for application delivery

Hybrid: Physical + virtual = hybrid ADC infrastructure
Ultimate flexibility and performance
Hybrid ADC is best for:
• Transitioning from physical to virtual and private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service

Virtual: F5 virtual editions
Provide flexible deployment options for virtual environments and the cloud
Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments

Understanding F5 BIG-IP Components

Understanding F5 Components

Form factors: Virtual Edition, Appliance, Chassis

BIG-IP
BIG-IP is the name of the platform produced by F5 that provides Application Delivery Controller (ADC) functionality. F5 BIG-IP is offered in virtual, appliance or chassis form factors.

LTM
LTM is the Local Traffic Manager, a licensed software module that runs inside an F5 BIG-IP. LTM handles the server load balancing function.

Virtual Server
A Virtual Server is the traffic management object on the BIG-IP system that is represented by an IP address and a service. The VIP is configured in the virtual server.

BIG-IP LTM Components: Nodes

(Figure: four nodes, 172.20.10.1, 172.20.10.2, 172.20.10.3 and 172.20.10.4.)

A node is a physical or logical (for example, VMware) server in the internal network.

A node is represented by the

BIG-IP LTM Components: Pool Members

A pool member is a service running on a node, represented by the IP address of the node and the service (port) number.

A node can host multiple pool members.

(Figure: nodes 172.20.10.1 through 172.20.10.4 hosting pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443 and 172.20.10.3:80.)

BIG-IP LTM Components: Pools

A pool is a logical grouping of pool members that represents an application.

Each pool has its own load balancing method.

A node can be a member of multiple pools.

(Figure: nodes 172.20.10.1 through 172.20.10.4 with pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:8080, 172.20.10.3:443 and 172.20.10.4:443.)

BIG-IP LTM Components: Virtual Servers

A virtual server is an IP address and service (port) combination that listens for client requests.

Each virtual server uniquely processes client requests that match its IP address and port.

Each virtual server then directs the traffic, usually to an application pool.

NOTE: BIG-IP LTM is a default deny device; the virtual server is the most common way to allow client requests to pass through.

NOTE: Multiple virtual servers can reference the same pools, pool members, and/or nodes.

The virtual server translates the destination IP address and port to the

(Figure: virtual servers 10.2.2.100:80, 10.2.2.100:443 and 10.2.2.225:8080 in front of pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:8080, 172.20.10.3:443 and 172.20.10.4:443 on nodes 172.20.10.1 through 172.20.10.4.)

Monitors

A monitor is a test of a specific application, for an expected response, within a given time.

All BIG-IP monitors have two things in common:

Interval
The time between each check

Timeout
The time allowed for a successful check to be received before BIG-IP marks the node as unavailable

BIG-IP LTM can use composite monitors, so it can apply multiple checks.
It can use all or some of the monitors to determine member status.
Monitors can also use reverse logic.

How Active Monitors Work

(Figure: virtual servers 10.2.2.100:80 and 10.2.2.100:443 with pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:8080, 172.20.10.3:443 and 172.20.10.4:443 on nodes 172.20.10.1 through 172.20.10.4; BIG-IP asks each member "Are you up?")

Monitors check the status of a pool member or node on an ongoing basis, at a set interval.

If a pool member or node being monitored does not respond within the set interval, BIG-IP LTM marks it offline.

BIG-IP LTM continues to direct traffic to the remaining pool members while continuing to monitor the offline pool member or node.

When the pool member or node responds, BIG-IP LTM marks it as available and starts directing traffic to the pool member.

What are iRules?

• The programming language integrated into the TMOS® architecture
• iRules work at wire-speed
• Based on the industry standard Tool Command Language (TCL)
• Provide the ability to intercept, inspect, transform, direct, and track inbound or outbound application traffic
• Core of the F5 "secret sauce" and key

How do iRules Work?

• Respond to events, such as HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED
• Enable you to perform deep packet inspection (entire header and payload)
• Provide a full scripting language that enables bidirectional and granular control of inspection, alteration and delivery of application traffic on a packet-by-packet basis

(Figure: a request enters, HTTP events fire and the HTTP_REQUEST iRule is triggered, producing a modified request; the response comes back, HTTP events fire and the HTTP_RESPONSE iRule is triggered, producing a modified response.)

Note: The bi-directional proxy capabilities of BIG-IP LTM enable it to inspect, modify, and route traffic at nearly any point in the traffic flow, regardless of direction.

Key Elements of an iRule

    when HTTP_REQUEST {
        if { [HTTP::host] ends_with "bob.com" } {
            pool http_pool1
        }
    }

Event Declarations
Define when the code executes. Every iRule has an event.

Operators
Define under which conditions BIG-IP LTM performs an action.

Commands

iRules Events

Events are actions that trigger the processing of the iRule.

Examples: HTTP_REQUEST, HTTP_RESPONSE, CLIENT_ACCEPTED, LB_FAILED

    when HTTP_REQUEST {
        if { [HTTP::host] ends_with "bob.com" } {
            pool http_pool1
        }
    }

Persistence

Persistence
• Directs a client back to the same server after the initial load balancing decision has been made
• Is required for stateful applications such as e-commerce shopping carts
• May skew load balancing statistics

Universal Persistence
• iRules can create persistence records based on anything in the client's request

RADIUS Persistence

Using Persistence Profiles
• Persist Attribute
• Default Persistence Profile
• Fallback Persistence Profile

Using iRules for RADIUS Persistence
iRules form the crucial pillar behind the operational and configurational flexibility for enabling load balancing of any device, in this case the Cisco ISE.

Cisco ISE requires RADIUS Authentication and Authorization traffic to be established to a single PSN, which includes additional RADIUS transactions that may occur during the initial connection phase such as re-authentication following CoA.

It is advantageous for this persistence to continue after initial session establishment to allow re-authentications to leverage the EAP Session Resume and Fast Reconnect cache on the PSN.

BIG-IP Listeners and Traffic Flow

How Does Traffic Enter a BIG-IP?

Routing to a listener on the BIG-IP. Listeners are:
• Self IPs
• SNATs
• NATs
• Virtual Servers

(Figure: traffic from the Internet arrives on the External VLAN at the virtual server 10.2.2.100:80, the self IP 10.2.2.1, or the NAT 10.2.2.50 translating to 192.168.4.8.)

Packet Processing Priority

1. Existing connection in connection table
2. Packet filter rule
3. Virtual server
4. SNAT
5. NAT
6. Self-IP
7. Drop

Load Balancing

A load balancing method is an algorithm or formula used to determine which pool member to send traffic to.

Load balancing is connection based.

Static load balancing methods distribute connections in a fixed manner:
• Round Robin (RR)
• Ratio (Weighted Round Robin): distributes in a RR fashion for members/nodes whose ratio has not been met

Dynamic load balancing methods take into account one or more factors, such as the current connection count.

It is important to experiment with different load balancing methods and select the one that offers the best performance in your particular environment.

Dynamic Load Balancing Methods

Least Connections
• Fewest L4 connections when the load balancing decision is being made
• Recommended when servers have similar capabilities
• Very commonly used

Fastest
• Balances based upon the number of outstanding L7 requests and then L4 connections
• Requires an L7 profile on the virtual server, else it is just Least Connections
• Recommended when servers have similar capabilities

Observed
• Calculates a ratio each second based on the number of L4 connections

Load Balancing a Service (Member)

(Figure: client 18.200.150.10 on the Internet sends a request to virtual server 10.2.2.100:80; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:8080 and 172.20.10.3:443 on nodes 172.20.10.1 through 172.20.10.3 belong to http_pool and secure_pool; current connection counts for each pool member are displayed in red: 45, 42, 36, 22, 12.)

In this example, the HTTP pool is configured with the Least Connections (member) method.

With each new client request, BIG-IP LTM verifies which pool member has the fewest active connections.

BIG-IP LTM directs the request to the pool member with the least number of connections.

F5 BIG-IP and Cisco ISE

F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that incorporates many advanced security and traffic optimization features.

Integrating F5 BIG-IP load balancing solutions with ISE can:
• Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and availability
• Provide Bring Your Own Device (BYOD) endpoint scalability
• Deliver customizable policies for identity management of enterprise users and user devices
• Offer flexibility of iRules to maintain persistence profiles of Wi-Fi users
• Implement health monitor probes with BIG-IP LTM for health check of Cisco ISE servers



Load Balancing an IP Address (Node)

(Figure: client 18.200.150.10 on the Internet sends a request to virtual server 10.2.2.100:80; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.2:443, 172.20.10.3:8080 and 172.20.10.3:443 on nodes 172.20.10.1 through 172.20.10.3 belong to http_pool and secure_pool; current connection counts for each pool member are displayed in red: 45, 42, 36, 22, 12, with per-node totals of 45, 54 and 58.)

In this example, the HTTP pool is configured with the Least Connections (node) method.

With each new client request, BIG-IP LTM verifies which node has the fewest active connections. This takes into account all services running on the node.

BIG-IP LTM directs the request to the node with the least number of connections.

Pool Failure Mechanisms

Fallback Host (for HTTP and HTTPS applications)
• Is the server of last resort if all pool members are unavailable
• Returns an HTTP redirect (HTTP 302) to the client
• Configured in the HTTP profile; the fallback host is not monitored

Priority Group Activation
• Can dynamically pull new members into the pool
• Pulls lower priority groups into higher priority groups
• Pulls in all members of a priority group together

(Figure: web_pool and ftp_pool, each with a Priority = 5 group (Activation < 2 and Activation < 3), and Backup Servers running WWW and FTP in a Priority = 1 group.)
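Added example, not code from the deck or from F5: a Python model of the selection logic on the preceding slides, Priority Group Activation feeding a Least Connections decision at member scope and at node scope. The pools, priority groups and connection counts are constructed (the counts in the slide figures are not reused).

```python
from collections import defaultdict

# Constructed pools: (node_ip, port, priority_group). Higher number = higher priority.
# 172.20.10.4:80 plays the backup server in priority group 1 from the Pool Failure slide.
HTTP_POOL = [
    ("172.20.10.1", 80, 5),
    ("172.20.10.2", 80, 5),
    ("172.20.10.3", 8080, 5),
    ("172.20.10.4", 80, 1),
]
SECURE_POOL = [
    ("172.20.10.2", 443, 5),
    ("172.20.10.3", 443, 5),
]

# Constructed active L4 connection counts per pool member (ip, port).
CONNS = {
    ("172.20.10.1", 80): 20,
    ("172.20.10.2", 80): 15,
    ("172.20.10.3", 8080): 18,
    ("172.20.10.4", 80): 0,
    ("172.20.10.2", 443): 40,
    ("172.20.10.3", 443): 5,
}

# Monitor verdicts per member: everything is up unless a scenario overrides it.
ALL_UP = {m[:2]: True for m in HTTP_POOL + SECURE_POOL}


def active_members(pool, available, activation):
    """Priority Group Activation.

    Start with the highest priority group. While fewer than `activation`
    members are available, pull in the next lower group as a whole (a group
    is never split). Only members the monitor reports as up are counted.
    """
    selected = []
    for prio in sorted({m[2] for m in pool}, reverse=True):
        if len(selected) >= activation:
            break
        selected.extend(m for m in pool if m[2] == prio and available.get(m[:2], False))
    return selected


def node_connections(conns):
    """Total connections per node across every service, and therefore every pool."""
    totals = defaultdict(int)
    for (ip, _port), count in conns.items():
        totals[ip] += count
    return totals


def least_connections_member(pool, available, conns, activation=1):
    """Least Connections (member): fewest L4 connections on the member itself."""
    candidates = active_members(pool, available, activation)
    if not candidates:
        return None                      # nothing left to send to (fallback host territory)
    return min(candidates, key=lambda m: conns.get(m[:2], 0))[:2]


def least_connections_node(pool, available, conns, activation=1):
    """Least Connections (node): fewest connections on the node counting all of its
    services, so a busy secure_pool member penalises its http_pool sibling."""
    candidates = active_members(pool, available, activation)
    if not candidates:
        return None
    totals = node_connections(conns)
    return min(candidates, key=lambda m: totals[m[0]])[:2]


def demo():
    """Scenarios: all members up; two http members down with activation 1 and 2."""
    outage = {**ALL_UP, ("172.20.10.1", 80): False, ("172.20.10.2", 80): False}
    return {
        "member_all_up": least_connections_member(HTTP_POOL, ALL_UP, CONNS),
        "node_all_up": least_connections_node(HTTP_POOL, ALL_UP, CONNS),
        "member_outage_act1": least_connections_member(HTTP_POOL, outage, CONNS, 1),
        "member_outage_act2": least_connections_member(HTTP_POOL, outage, CONNS, 2),
    }


if __name__ == "__main__":
    for name, choice in demo().items():
        print(f"{name}: {choice}")
```

With all members up the two scopes disagree: the member method picks 172.20.10.2:80 (15 connections), the node method picks 172.20.10.1:80 because node 172.20.10.2 also carries 40 connections in secure_pool.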


DevCentral F5 User Community

Over 105,000 Members in 191 Countries and Growing!

References
• Wikis
• API/SDK Documentation

Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs

Tools and Frameworks
• iRule Editor
• iControl SDK
• .NET, Java, Python, Powershell, ...
• VMware vSphere Management Plug-in

Cisco ISE Solution Components

Cisco Identity Services Engine (ISE)

All-in-One Enterprise Policy Control

(Figure: Cisco ISE gathers Identity and Context (Who, What, Where, When, How) across Wired, Wireless and VPN access for virtual machine clients, IP devices, guests, employees and remote users, and applies Business-Relevant Policies built from Security Policy Attributes.)

ISE Node Types

Policy Service Node (PSN)
• Makes policy decisions
• RADIUS server & provides endpoint/user services

Policy Administration Node (PAN)
• Interface to configure policies and manage ISE deployment
• Writeable access to the database

Monitoring & Troubleshooting Node (MnT)
• Interface to reporting and logging
• Destination for syslog from other ISE nodes and NADs

Inline Posture Node (IPN)
• Enforces posture policy for legacy or 3rd-party NADs

ISE Communications

(Figure: RADIUS from NAD to PSN and RADIUS reply from PSN to NAD; RADIUS Accounting; syslog from NAD and PSN to MnT; Policy Sync from PAN to PSN; the PSN queries the external database directly.)

Policy Service Node: the "Work-Horse": RADIUS, Profiling, WebAuth, Posture, Sponsor Portal, Client Provisioning

Monitoring and Troubleshooting: Logging and Reporting Data

Network Access Device: Access-Layer Devices, Enforcement Point for all Policy

Policy Administration Node: All Management UI Activities & synchronizing all ISE Nodes

Example ISE Deployment

(Figure: Data Center A and DC B each host Admin (P)/Admin (S) PANs and Monitor (P)/Monitor (S) MnTs, a Policy Services Cluster of PSNs and HA Inline Posture Nodes, with AD/LDAP as External ID/Attribute Store; Branch A and Branch B run Distributed Policy Services; access comes through WLC 802.1X with APs, Switch 802.1X, Non-CoA APs and ASA VPN.)

Scaling by Deployment, Platform, and Persona

Max Concurrent Endpoint Counts by Deployment Model and Platform

Deployment Model | Platform | Max # Endpoints per Deployment | Max # Dedicated PSNs
Standalone (all personas on same node) (2 nodes redundant) | 33xx | 2,000 | 0
Standalone (all personas on same node) (2 nodes redundant) | 3415 | 5,000 | 0
Standalone (all personas on same node) (2 nodes redundant) | 3495 | 10,000 | 0
Admin + MnT on same node; Dedicated PSN (Minimum 4 nodes redundant) | 3355 as Admin+MNT | 5,000 | 5
Admin + MnT on same node; Dedicated PSN (Minimum 4 nodes redundant) | 3395 as Admin+MNT | 10,000 | 5
Admin + MnT on same node; Dedicated PSN (Minimum 4 nodes redundant) | 3415 as Admin+MNT | 5,000 | 5
Admin + MnT on same node; Dedicated PSN (Minimum 4 nodes redundant) | 3495 as Admin+MNT | 10,000 | 5
Dedicated Admin and MnT nodes (Minimum 6 nodes redundant) | 3395 as Admin and MNT | 100,000 | 40
Dedicated Admin and MnT nodes (Minimum 6 nodes redundant) | 3495 as Admin and MNT | 250,000 | 40

Scaling per PSN (Dedicated Policy nodes; Max Endpoints Gated by Total Deployment Size)

Platform | Max # Endpoints per PSN
ISE-3315 | 3,000
ISE-3355 | 6,000
ISE-3395 | 10,000

Joint Solution Overview – Deployment Model, Topology, and Traffic Flow

Scaling RADIUS, Web, and Profiling with BIG-IP LTM

Policy Service nodes can be configured in a cluster behind a load balancer (LB).

Access Devices send RADIUS AAA requests to the LB virtual IP.

(Figure: Network Access Devices send to the Virtual IP on the F5 BIG-IP LTM (Load Balancers), which distributes to a cluster of ISE PSNs (RADIUS Servers).)

Scaling Global Sponsor / MyDevices with BIG-IP GTM

Use Global Load Balancing (GTM) to direct traffic to the closest VIP.

Local Web Load-balancing (LTM) distributes the request to a single PSN.

Load Balancing simplifies and scales ISE Web Portal Services.

(Figure: F5 BIG-IP GTM (Global LB) in front of three sites, each with an F5 BIG-IP LTM (Local LB) at VIP 10.1.0.100, 10.2.0.100 and 10.3.0.100; behind them ISE-PSN-1 10.1.1.1, ISE-PSN-2 10.1.1.2, ISE-PSN-3 10.1.1.3, ISE-PSN-4 10.2.1.4, ISE-PSN-5 10.2.1.5, ISE-PSN-6 10.2.1.6, ISE-PSN-7 10.3.1.7, ISE-PSN-8 10.3.1.8 and ISE-PSN-9 10.3.1.9, plus PAN and MnT pairs.)

DNS SERVER: DOMAIN = COMPANY.COM
SPONSOR    10.1.0.100, 10.2.0.100, 10.3.0.100
MYDEVICES  10.1.0.100, 10.2.0.100, 10.3.0.100

Load Balancing ISE Policy Services

RADIUS Authentication and Accounting Services
Packets sent to the LB virtual IP are load-balanced to a real PSN based on the configured algorithm. The sticky algorithm determines the method used to ensure that the same Policy Service node services the same endpoint.

URL-Redirected Services: Posture (CPP) / MDM / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) / Device Registration WebAuth (DRW) / Hotspot
No LB Required! The PSN that terminates RADIUS returns the URL Redirect with its own certificate CN name substituted for the 'ip' variable in the URL.

Direct HTTP/S Services: Local WebAuth (LWA) / Sponsor Portal / MyDevices Portal
A single web portal domain name should resolve to the LB virtual IP for HTTP/S load balancing.

Profiling Services: DHCP Helper / SNMP Traps / NetFlow / RADIUS
The LB VIP is the target for one-way Profile Data (no response required). The VIP can be the same as or different from the one used by RADIUS LB; the real server interface can be the same as or different from the one used by RADIUS.

Load Balancing RADIUS: Sample Flow

(Figure: User, Access Device, F5 LTM with VIP 10.1.98.8 on VLAN 98 (10.1.98.0/24), and PSN-CLUSTER members ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6 and ISE-PSN-3 10.1.99.7 on VLAN 99 (10.1.99.0/24). RADIUS AUTH request to 10.1.98.8, RADIUS AUTH response from 10.1.99.7; RADIUS ACCTG request to 10.1.98.8, RADIUS ACCTG response from 10.1.99.7.)

1. NAD has a single RADIUS Server defined (10.1.98.8):
   radius-server host 10.1.98.8
2. RADIUS Auth requests sent to VIP 10.1.98.8
3. Requests for the same endpoint load balanced to the same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS Response received from real server ise-psn-3 @ 10.1.99.7
5. RADIUS Accounting sent to/from the same PSN based on sticky
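Added example serving both the RADIUS Persistence slide and the sample flow above; it is not F5 or Cisco code, and on a real BIG-IP the same effect comes from a RADIUS persistence profile or an iRule. The Python below encodes and parses RADIUS packets (RFC 2865 header and TLV attributes) and models a sticky table keyed on Calling-Station-Id, then Framed-IP-Address, so Accounting follows Auth to the same PSN. The packets, endpoint MAC and record TTL are constructed; the PSN addresses are the deck's.

```python
import os
import socket
import struct

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, CALLING_STATION_ID = 1, 4, 8, 31


def encode_packet(code, ident, attrs):
    """Build a RADIUS packet: code, identifier, length, 16-byte authenticator, then
    type/length/value attributes (RFC 2865). attrs is a list of (type, bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + os.urandom(16) + body


def decode_packet(pkt):
    """Parse header and attributes, rejecting malformed lengths. Returns (code, id, attrs)."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match datagram")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", pkt[off:off + 2])
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(t, []).append(pkt[off + 2:off + l])
        off += l
    return code, ident, attrs


def persistence_key(attrs):
    """Sticky key as the deck describes it: Calling-Station-Id (endpoint MAC) first,
    Framed-IP-Address as the secondary key. None when neither attribute is present."""
    if CALLING_STATION_ID in attrs:
        mac = attrs[CALLING_STATION_ID][0].decode("ascii", "replace")
        return "mac:" + mac.upper().replace(":", "-")   # normalise NAD-specific MAC formats
    if FRAMED_IP_ADDRESS in attrs and len(attrs[FRAMED_IP_ADDRESS][0]) == 4:
        return "ip:" + socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS][0])
    return None


class RadiusPersistence:
    """Model of a RADIUS virtual server with universal persistence in front of a PSN pool.
    Auth and Accounting for one endpoint land on the same PSN while the record lives;
    every hit refreshes the record, so later re-authentications (after CoA, or using the
    PSN's EAP session cache) keep following the same PSN."""

    def __init__(self, psns, ttl=3600):
        self.psns = list(psns)
        self.ttl = ttl
        self.table = {}          # key -> (psn, expiry time)
        self._rr = 0             # round-robin cursor for endpoints without a record

    def select(self, pkt, now):
        code, _ident, attrs = decode_packet(pkt)
        if code not in (ACCESS_REQUEST, ACCOUNTING_REQUEST):
            raise ValueError(f"unexpected RADIUS code {code}")
        key = persistence_key(attrs)
        entry = self.table.get(key) if key else None
        if entry and entry[1] > now:
            psn = entry[0]                                # existing sticky record
        else:
            psn = self.psns[self._rr % len(self.psns)]    # new endpoint: round robin
            self._rr += 1
        if key:
            self.table[key] = (psn, now + self.ttl)
        return psn


# Constructed sample traffic from the deck's NAS 10.1.50.2 for endpoint 00-11-22-33-44-55.
NAS = socket.inet_aton("10.1.50.2")
AUTH_REQ = encode_packet(ACCESS_REQUEST, 1, [
    (USER_NAME, b"employee1"), (CALLING_STATION_ID, b"00-11-22-33-44-55"), (NAS_IP_ADDRESS, NAS)])
ACCT_REQ = encode_packet(ACCOUNTING_REQUEST, 2, [
    (CALLING_STATION_ID, b"00-11-22-33-44-55"), (FRAMED_IP_ADDRESS, socket.inet_aton("10.1.60.20")),
    (NAS_IP_ADDRESS, NAS)])
OTHER_REQ = encode_packet(ACCESS_REQUEST, 3, [
    (CALLING_STATION_ID, b"aa:bb:cc:dd:ee:ff"), (NAS_IP_ADDRESS, NAS)])


def demo():
    """PSN chosen for: auth at t=0, accounting at t=100, a second endpoint, then the
    first endpoint again after its record has expired."""
    lb = RadiusPersistence(["10.1.99.5", "10.1.99.6", "10.1.99.7"], ttl=3600)
    return [lb.select(AUTH_REQ, 0), lb.select(ACCT_REQ, 100),
            lb.select(OTHER_REQ, 101), lb.select(AUTH_REQ, 9000)]
```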

Load Balancing with URL-Redirection: Sample Flow

(Figure: User, Access Device, DNS Server, F5 LTM with VIP 10.1.98.8 and PSN-CLUSTER members 10.1.99.5, 10.1.99.6 and 10.1.99.7. RADIUS request to psn-cluster.company.com; RADIUS response from ise-psn-3.company.com; DNS Lookup = ise-psn-3.company.com, DNS Response = 10.1.99.7; HTTPS to https://ise-psn-3.company.com:8443/... and HTTPS response from ise-psn-3.company.com. ISE Certificate Subject CN = ise-psn-3.company.com.)

1. RADIUS Authentication requests sent to VIP 10.1.98.8.
2. Requests for the same endpoint load balanced to the same PSN via RADIUS sticky.
3. RADIUS Authorization received from ise-psn-3 @ 10.1.99.7 with URL Redirect to https://ise-psn-3.company.com:8443/...
4. Client browser redirected and resolves the FQDN in the URL to the real server address.

Load Balancing Non-Redirected Web Services: Sample Flow

(Figure: Sponsor, Access Device, DNS Server, F5 LTM with VIP 10.1.98.8 and PSN-CLUSTER members 10.1.99.5, 10.1.99.6 and 10.1.99.7. DNS Lookup = sponsor.company.com, DNS Response = 10.1.98.8; https://sponsor.company.com @ 10.1.98.8; https response from ise-psn-3 @ 10.1.99.7. ISE Certificate Subject = ise-psn-3.company.com, SAN = ise-psn-3.company.com and sponsor.company.com. Certificate OK! Requested URL = sponsor.company.com, Certificate SAN = sponsor.company.com.)

1. Browser resolves sponsor.company.com to VIP @ 10.1.98.8
2. Web request sent to https://sponsor.company.com @ 10.1.98.8
3. ACE load balances request to PSN based on IP or HTTP sticky
4. HTTPS response received from ise-psn-3 @ 10.1.99.7
5. Certificate SAN includes FQDN for both sponsor and ise-psn-3.

Load Balancing Profiling Services: Sample Flow

(Figure: User, Access Device, DHCP Server, F5 LTM with VIP 10.1.98.8 and PSN-CLUSTER members 10.1.99.5, 10.1.99.6 and 10.1.99.7. DHCP Request to Helper IP 10.1.1.10 and DHCP Request to Helper IP 10.1.98.8; DHCP Response returned from DHCP Server.)

1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards the DHCP request to the real DHCP server and to the secondary entry = LB VIP
3. Real DHCP server responds and provides the client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on source IP sticky (L3 gateway) or a DHCP field parsed from the request.

High-Level Load Balancing Diagram

(Figure: End User/Device connects through a Network Access Device (NAS IP: 10.1.50.2) to the F5 LTM, VIP 10.1.98.8 on VLAN 98 (10.1.98.0/24); the LTM internal address 10.1.99.1 on VLAN 99 (10.1.99.0/24) faces ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6 and ISE-PSN-3 10.1.99.7. Elsewhere in the network: ISE-PAN-1, ISE-PAN-2, ISE-MNT-1, ISE-MNT-2, External Logger, AD/LDAP, DNS, NTP, SMTP and MDM.)

Traffic Flow—Fully Inline: Physical Separation
Physical Network Separation Using Separate LB Interfaces

BIG-IP LTM is directly inline between the ISE PSNs and the rest of the network.

All traffic flows through the Load Balancer including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP…

Fully Inline Traffic Flow recommended—

(Figure: Network Switch 10.1.98.1 on VLAN 98 (External) connects to the F5 LTM external interface 10.1.98.2; the LTM internal interface 10.1.99.1 on VLAN 99 (Internal) connects to ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6 and ISE-PSN-3 10.1.99.7. End User/Device and Network Access Device (NAS IP: 10.1.50.2), ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP and SMTP sit on the external side.)

Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using Single LB Interface and VLAN Trunking

BIG-IP LTM is directly inline between the ISE PSNs and the rest of the network.

All traffic flows through the LB including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP…

(Figure: as in the physical separation diagram, but the F5 LTM uses a single trunked interface to the Network Switch 10.1.98.1 carrying VLAN 98 (External, 10.1.98.2, VIP 10.1.98.8) and VLAN 99 (Internal, 10.1.99.1); ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; End User/Device behind a Network Access Device (NAS IP: 10.1.50.2); ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP and SMTP on the external side.)

Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network

All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LTM VIP.

Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP…

All outbound traffic from PSNs is sent to the LTM as the default gateway (DFGW). The LTM must be configured to allow asymmetric traffic.

Generally NOT RECOMMENDED due to traffic flow complexity—must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.

(Figure: L3 Switch 10.1.98.1 and F5 LTM 10.1.98.2 (VIP 10.1.98.8) share VLAN 98 with the PSNs at 10.1.98.5, 10.1.98.6 and 10.1.98.7; End User/Device behind a Network Access Device (NAS IP: 10.1.50.2); ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP and SMTP elsewhere in the network.)

Partially Inline: Layer 3/Different VLANs (One PSN Interface)
Direct PSN Connections to LB and Rest of Network

All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LTM VIP.

Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP…

All outbound traffic from PSNs is sent to the LTM as the default gateway (DFGW). The LTM must be configured to allow asymmetric traffic.

Generally NOT RECOMMENDED due to traffic flow complexity—must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.

(Figure: L3 Switch with 10.1.98.1 on VLAN 98 (External) and 10.1.99.2 on VLAN 99 (Internal); F5 LTM with 10.1.98.2 (VIP 10.1.98.8) and 10.1.99.1; ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; End User/Device behind a Network Access Device (NAS IP: 10.1.50.2); ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP and SMTP elsewhere in the network.)

Partially Inline: Multiple PSN Interfaces
Separate PSN Connections to LB and Rest of Network

All LB traffic is sent to the LTM VIP including RADIUS, Profiling (except SPAN data), and directed Web Services.

All traffic initiated by PSNs is sent to the F5 LTM as the global default gateway.

Redirected Web Services traffic bypasses the LTM.

For ISE 1.2, recommend SNAT of redirected HTTPS traffic at the L3 switch.

ISE 1.3+ supports symmetric traffic responses (set default gateway per interface).

(Figure: L3 Switch with 10.1.98.1 on VLAN 98 (External) and 10.1.99.2 on VLAN 99 (Internal); F5 LTM 10.1.98.2 with VIP 10.1.98.8; PSN RADIUS interfaces 10.1.99.5, 10.1.99.6 and 10.1.99.7; VLAN 91 (Web Portals) with 10.1.91.1 and the PSN web portal interfaces 10.1.91.5, 10.1.91.6 and 10.1.91.7; End User/Device behind a Network Access Device (NAS IP: 10.1.50.2); ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP and SMTP elsewhere in the network.)

Fully Inline – Multiple PSN Interfaces
Network Separation Using Separate LB Interfaces

All traffic is sent to the LTM including RADIUS, Profiling (except SPAN data), and directed Web Services.

All traffic initiated by PSNs is sent to the F5 LTM as the global default gateway.

The LTM sends Web Services traffic on a separate PSN interface.

For ISE 1.2 (and optionally 1.3), SNAT Web Services at the LTM.

ISE 1.3+ supports symmetric traffic responses (set default gateway per interface).

(Figure: L3 Switch 10.1.98.1 on VLAN 98 (External); F5 LTM 10.1.98.2 with VIP 10.1.98.8, 10.1.99.1 on VLAN 99 (Internal) and 10.1.91.1 on VLAN 91 (Web Portals); PSN RADIUS interfaces 10.1.99.5, 10.1.99.6 and 10.1.99.7 and web portal interfaces 10.1.91.5, 10.1.91.6 and 10.1.91.7; End User/Device behind a Network Access Device (NAS IP: 10.1.50.2); ISE-PAN, ISE-MNT, External Logger, AD, LDAP, MDM, DNS, NTP and SMTP on the external side.)

Verify Routing Configuration in Overall Topology

L3 Switch/Router off the LTM External Interface Must Have a Route to the LTM Internal Network

(Figure: Network Switch 10.1.98.1 on VLAN 98 (10.1.98.0/24); F5 LTM external 10.1.98.2 with VIP 10.1.98.8 and internal 10.1.99.1 on VLAN 99 (10.1.99.0/24); ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; End User/Device behind a Network Access Device (NAS IP: 10.1.50.2); ISE-PAN, ISE-MNT, External Logger, AD/LDAP, DNS, NTP, SMTP and MDM; other addresses shown: 10.1.100.1, 10.1.100.3, 10.1.100.4, 10.1.50.1.)

Route tables shown in the figure:

Network      | Next Hop
10.1.99.0/24 | 10.1.98.2

Network      | Next Hop
0.0.0.0/0    | 10.1.99.1

Network      | Next Hop
0.0.0.0/0    | 10.1.98.1

Recommended Software Versions

F5 BIG-IP LTM: 11.4.1 hotfix HF5 or 11.4.0 hotfix HF6

Additionally, 11.6.0 HF2 incorporates performance enhancements that can improve RADIUS load balancing performance.

Main > Network > Self IPs

Validate Correct VLAN Assignments

Main > Network > VLANs > VLAN List

Separate Physical Interfaces Example

Verify LTM Routing Configuration

Main > Network > Routes

Optional: Verify LTM High Availability

F5 BIG-IP LTM supports Active-Standby and Active-Active high availability modes.

Configuration of LTM high availability is beyond the scope of this session. Refer to F5 product documentation for additional details:
• Active-Standby configuration: Creating an Active-Standby Configuration Using the Setup Utility
• Active-Active configuration: Creating an Active-Active Configuration Using the Setup Utility

When configured for high availability, default gateways and next hop routes will point to the floating IP address on the F5 appliance.

Configure Node Groups for LB Cluster

All PSNs in LB Cluster in Same Node Group

Administration > System > Deployment

1) Create node group
2) Assign name (and multicast address if ISE 1.2)

Node group members can be L2 or L3. Multicast is no longer a requirement in ISE 1.3.

Load Balancer General RADIUS Guidelines

RADIUS Servers and Clients – Where Defined

Load Balancer VIP is the RADIUS Server (access device configuration):

    radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port key cisco123

PSNs are the RADIUS Servers for Health Probes (LTM monitor configuration):

Name               | PSN-Probe
Type               | RADIUS
Interval           | 15
Timeout            | 46
User Name          | radprobe
Password           | cisco123
Alias Service Port | 1812

RADIUS Clients are defined on the ISE Admin Node > Network Devices.

(Figure: User, Access Device (NAS IP: 10.1.50.2), F5 LTM with VIP 10.1.98.8 and internal self IP 10.1.99.1, PSN-CLUSTER ISE-PSN-1, ISE-PSN-2, ISE-PSN-3, ISE-PAN-1 and ISE-MNT-1.)

Add LTM(s) as NAD(s) for RADIUS Health Monitoring

Administration > Network Resources > Network Devices

Configure the Self IP address of the LTM internal interface connected to the PSN RADIUS interfaces.

Enable Authentication and set the RADIUS shared secret.

Diagram: F5 LTM (internal Self IP 10.1.99.1) > ISE-PSN-1, ISE-PSN-2, ISE-PSN-3

(70)

Configure Internal User for RADIUS Health Monitoring

Administration > Identity Management > Identities > Users

This step is optional if you plan to use an external ID store for the health monitoring account, but it is still recommended for testing and troubleshooting.

User authorization for this account should be granted no network access.

(71)

Configure DNS and Certs to Support PSN Load Balancing

Configure DNS entry for PSN cluster(s) and assign VIP IP address.

Example: psn-cluster.company.com

Configure ISE PSN server certs with Subject Alternative Name configured for other FQDNs to be used by LB VIP or optionally use wildcards (available in ISE 1.2).

Example certificate SAN:

ise-psn-1.company.com

psn-cluster.company.com

sponsor.company.com

guest.company.com

DNS SERVER: DOMAIN = COMPANY.COM

PSN-CLUSTER  IN  A  10.1.98.8
SPONSOR      IN  A  10.1.98.8
MYDEVICES    IN  A  10.1.98.8
ISE-PSN-1    IN  A  10.1.99.5
ISE-PSN-2    IN  A  10.1.99.6
ISE-PSN-3    IN  A  10.1.99.7

Example certificate with multiple FQDN values in SAN.

(72)

ISE Certificate without SAN

Certificate Warning - Name Mismatch

Diagram: the user opens http://sponsor.company.com and is redirected to https://sponsor.company.com:8443/sponsorportal. DNS Lookup = sponsor.company.com; DNS Response = 10.1.98.8 (the F5 LTM VIP, which load balances to ISE-PSN-1/2/3 at 10.1.99.5/6/7). The PSN that answers presents its ISE Certificate with Subject = ise-psn-3.company.com.

Name Mismatch! Requested URL = sponsor.company.com, Certificate Subject = ise-psn-3.company.com

ISE Certificate with SAN

No Certificate Warning

Diagram: the user opens http://sponsor.company.com and is redirected to https://sponsor.company.com:8443/sponsorportal. DNS Lookup = sponsor.company.com; DNS Response = 10.1.98.8 (the F5 LTM VIP, which load balances to ISE-PSN-1/2/3 at 10.1.99.5/6/7). The PSN that answers presents an ISE Certificate with Subject = ise-psn.company.com and SAN = ise-psn-1.company.com, ise-psn-2.company.com, ise-psn-3.company.com, sponsor.company.com.

Certificate OK! Requested URL = sponsor.company.com, Certificate SAN = sponsor.company.com

General Best Practices for Universal Certificates

Use a common FQDN for Subject CN. Examples: ise.company.com, aaa.company.com

If Subject CN contains FQDN, add the same FQDN to SAN

Multi-Domain/UCC* Certificate: update SAN with all FQDNs serviced by PSN

OR

Wildcard Certificate: update SAN with wildcard domain using syntax *.company.local

If required for static IP hosting, add IP addresses as both DNS and IP entries (increases device compatibility)
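Added example (not from this session or from either vendor's code): a Python check of the name-matching rule behind the two certificate slides, taking the Subject CN and SAN entries as plain strings rather than parsing a certificate. It follows the usual client behaviour (SAN dNSName entries, when present, override the CN; a wildcard covers exactly one label) and also handles the IP-in-SAN case from the best-practice list.

```python
import ipaddress

def name_matches(pattern, host):
    """Match one certificate dNSName (or CN) against the requested host.
    A '*' may only stand for the whole left-most label, so *.company.local
    covers ise.company.local but not a.b.company.local or company.local."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]   # wildcard needs two more labels
    return p == h

def hostname_matches(requested, subject_cn, san_dns=(), san_ip=()):
    """True if the URL the client used is covered by the ISE certificate.
    - When the SAN carries dNSName entries, only they are checked and the
      Subject CN is ignored (RFC 6125 6.4.4), so a CN-only FQDN still fails.
    - Without a SAN the Subject CN is the only name checked.
    - An IP literal matches an iPAddress entry; since the page advises listing
      IPs as both DNS and IP entries, a dNSName copy is accepted as well."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        in_ip = any(ipaddress.ip_address(s) == ip for s in san_ip)
        in_dns = any(s.strip() == requested for s in san_dns)
        return in_ip or in_dns
    names = list(san_dns) if san_dns else [subject_cn]
    return any(name_matches(n, requested) for n in names)

if __name__ == "__main__":
    # the two cases drawn on this page: sponsor portal reached through the VIP
    print(hostname_matches("sponsor.company.com", "ise-psn-3.company.com"))   # False
    print(hostname_matches("sponsor.company.com", "ise-psn.company.com",
                           san_dns=("ise-psn-1.company.com", "ise-psn-2.company.com",
                                    "ise-psn-3.company.com", "sponsor.company.com")))  # True
```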

(75)


(76)

High-Level Load Balancing Diagram

Diagram: End User/Device > Network Access Device (NAS IP: 10.1.50.2) > F5 LTM (VIP: 10.1.98.8 on VLAN 98, 10.1.98.0/24; LB: 10.1.99.1 on VLAN 99, 10.1.99.0/24) > ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6), ISE-PSN-3 (10.1.99.7). Also shown: ISE-PAN-1, ISE-PAN-2, ISE-MNT-1, ISE-MNT-2, and the external services External Logger, AD/LDAP, DNS, NTP, SMTP, and MDM.

(77)

Non-LB Traffic that Requires IP Forwarding

Inter-node/Management/Repository/ID Stores/Feeds/Profiling/Redirected Web/RADIUS CoA

PAN/MnT node communications

All management traffic to/from the PSN real IP addresses such as HTTPS, SSH, SNMP, NTP, DNS, SMTP, and Syslog.

Repository and file management access initiated from PSN including FTP, SCP, SFTP, TFTP, NFS, HTTP, and HTTPS.

All external AAA-related traffic to/from the PSN real IP addresses such as AD, LDAP, RSA, external RADIUS servers (token or foreign proxy), and external CA communications (CRL downloads, OCSP checks, SCEP proxy).

All service-related traffic to/from the PSN real IP addresses such as Posture and Profiler Feed Services, partner MDM integration, pxGrid, and REST/ERS API communications.

Client traffic to/from PSN real IP addresses resulting from Profiler (NMAP, SNMP queries) and URL-Redirection such as CWA, DRW/Hotspot, MDM, Posture, and Client Provisioning.

(78)

Virtual Server to Forward General Inbound IP Traffic

General Properties

Applies to connections initiated from outside (external) network

Type = Forwarding (IP)

Source = All traffic (0.0.0.0/0) or limit to specific network.

Destination = PSN Network Addresses

Service Port = 0 (All Ports)

Availability = Unknown (No service validation via health monitors)

(79)

Virtual Server to Forward General Inbound IP Traffic

Configuration (Advanced)

Protocol = All Protocols

Protocol Profile = fastL4

Optionally limit to specific ingress VLAN(s).

(80)

Virtual Server to Forward General Outbound IP Traffic

General Properties

Applies to connections initiated from PSN (internal) network

Type = Forwarding (IP)

Source = PSN Network Addresses

Destination = All traffic (0.0.0.0/0.0.0.0) or limit to specific network.

Service Port = 0 (All Ports)

Availability = Unknown (No service validation via health monitors)

(81)

Virtual Server to Forward General Outbound IP Traffic

Configuration (Advanced)

Protocol = All Protocols

Protocol Profile = fastL4

Optionally limit to specific ingress VLAN(s).

(82)
(83)

Inbound IP Forwarding for 2nd PSN Interface

2nd PSN Interface for Web Services

LTM sends Web Services traffic on separate PSN interface.

For ISE 1.2 (and optionally 1.3), LTM can perform SNAT on Web Services traffic.

ISE 1.3+ supports symmetric traffic responses, so SNAT not required (set default gateway per interface).

Diagram: End User/Device > Network Access Device (NAS IP: 10.1.50.2) > L3 Switch > F5 LTM (VIP: 10.1.98.8). VLAN 98 (External, addresses shown 10.1.98.1 and 10.1.98.2); VLAN 99 (Internal, 10.1.99.1; PSN RADIUS interfaces 10.1.99.5/6/7); VLAN 91 (Web Portals, 10.1.91.1; second PSN interfaces 10.1.91.5/6/7) on ISE-PSN-1, ISE-PSN-2, ISE-PSN-3.

(84)

Virtual Server to Forward Inbound Redirected Web Traffic

General Properties

Applies to connections initiated from URL-redirected clients on outside (external) network to 2nd PSN interface

Type = Forwarding (IP)

Source = All traffic (0.0.0.0/0) or limit to specific client networks.

Destination = PSN Network Addresses for Web Portals

Service Port = 8443 (configurable)

Optionally set wildcard value of 0 for multiple portal ports or services. (NSP and Posture work on port 8905)

(85)

Virtual Server to Forward Inbound Redirected Web Traffic

Configuration (Advanced)

Protocol = TCP

Optionally set to * (All Protocols) for multiple services. NSP requires TCP/8905, but Posture requires both TCP and UDP/8905.

Protocol Profile = fastL4

Optionally limit to specific ingress VLAN(s).

For ISE 1.2, enable SNAT

For ISE 1.3, SNAT optional if enabled symmetric traffic routing (default route per interface).

(86)
(87)

Policy Service Node Scaling and Redundancy

NADs can be configured with a sequence of redundant RADIUS servers (PSNs).

Policy Service nodes can also be configured in a cluster, or “node group”, behind a load balancer. NADs send requests to the LB virtual IP for Policy Services.

Policy Service nodes in a node group maintain a heartbeat to verify member health.

Diagram: Network Access Devices > (AAA connection) Virtual IP on F5 BIG-IP LTM Load Balancers > Policy Services Node Group (same multicast domain) of PSNs; Administration Node (Primary) and Administration Node (Secondary) provide Policy Replication to the PSNs.

N+1 node redundancy assumed to support total endpoints during:

• Unexpected single server outage

• Scheduled server maintenance

Also provides additional scaling buffer.

(88)

Load Balancing RADIUS

Sample Flow

Diagram (VLAN 98, 10.1.98.0/24, outside; VLAN 99, 10.1.99.0/24, inside): User > NAD (radius-server host 10.1.98.8) > F5 LTM (VIP: 10.1.98.8) > ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6), ISE-PSN-3 (10.1.99.7). RADIUS AUTH request to 10.1.98.8, RADIUS AUTH response from 10.1.99.7; RADIUS ACCTG request to 10.1.98.8, RADIUS ACCTG response from 10.1.99.7.

1. NAD has single RADIUS server defined (10.1.98.8)

2. RADIUS Auth requests sent to VIP @ 10.1.98.8

3. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID, Framed-IP-Address, or NAS-IP-Address

4. RADIUS Auth Response received from real server ise-psn-3 @ 10.1.99.7

5. Successive RADIUS Accounting sent to VIP @ 10.1.98.8

6. RADIUS Accounting Response received from same PSN based on sticky.

(89)

NAT Restrictions for RADIUS Load Balancing

Why Source NAT Fails for NADs

With SNAT, LB appears as the Network Access Device (NAD) to PSN.

CoA sent to wrong IP address

NAS IP Address is correct, but not currently used for CoA

SNAT also results in less visibility as all requests appear sourced from LB – makes troubleshooting more difficult.

(90)

SNAT of NAD Traffic: Live Log Example

(91)

Allow Source NAT for PSN CoA Requests

Simplifying Switch CoA Configuration

Match traffic from PSNs to UDP/1700 (RADIUS CoA) and translate to PSN cluster VIP.

Access switch config:

Before (one dynamic-author client entry per PSN real IP):

aaa server radius dynamic-author
 client 10.1.99.5 server-key cisco123
 client 10.1.99.6 server-key cisco123
 client 10.1.99.7 server-key cisco123
 client 10.1.99.8 server-key cisco123
 client 10.1.99.9 server-key cisco123
 client 10.1.99.10 server-key cisco123
 <…one entry per PSN…>

After (CoA source NATted to the PSN cluster VIP, so one client entry for the VIP):

aaa server radius dynamic-author
 client 10.1.98.8 server-key cisco123

Diagram: ISE-PSN-1/2/3 (10.1.99.5/6/7) and any further ISE-PSN-X (10.1.99.x) send CoA with SRC=10.1.99.5 (the PSN real IP); the F5 LTM (10.1.98.8) translates it so the Access switch sees CoA SRC=10.1.98.8.

(92)

Allow NAT for PSN CoA Requests

Simplifying WLC CoA Configuration

Before: One RADIUS Server entry required per PSN that may send CoA from behind load balancer

After: One RADIUS Server entry required per load balancer VIP.

(93)

Load Balancer General NAT Guidelines

To NAT or Not To NAT? That is the Question!

Diagram (VLAN 98, 10.1.98.0/24, outside; VLAN 99, 10.1.99.0/24, inside): User > Access Device (NAS IP: 10.1.50.2) > F5 LTM (VIP: 10.1.98.8, LB: 10.1.99.1) > ISE-PSN-1/2/3 (10.1.99.5/6/7); ISE-PAN-1 (PAN) and ISE-MNT-1 (MnT) also shown.

NAD is Source NATted (SNAT for NAD is BAD!):
 RADIUS AUTH from NAD: NAS-IP=10.1.50.2, SRC-IP=10.1.50.2, DST-IP=10.1.98.8
 RADIUS AUTH after LB SNAT: NAS-IP=10.1.50.2, SRC-IP=10.1.99.1, DST-IP=10.1.99.7

Remove Source NAT (No NAT):
 RADIUS AUTH as seen by PSN: NAS-IP=10.1.50.2, SRC-IP=10.1.50.2, DST-IP=10.1.99.7

CoA (SNAT for CoA is Okay!):
 RADIUS COA from PSN: SRC-IP=10.1.99.7, DST-IP=10.1.50.2
 RADIUS COA after LB SNAT: SRC-IP=10.1.98.8, DST-IP=10.1.50.2

(94)

Load Balancer Persistence (Stickiness) Guidelines

Persistence Attributes

Common RADIUS Sticky Attributes

 o Client Address: Calling-Station-ID, Framed-IP-Address

 o NAD Address: NAS-IP-Address, Source IP Address

 o Session ID: RADIUS Session ID, Cisco Audit Session ID

Best Practice Recommendations (depends on LB support and design)

 1. Calling-Station-ID for persistence across NADs and sessions

 2. Source IP or NAS-IP-Address for persistence for all endpoints connected to same NAD

 3. Audit Session ID for persistence across re-authentications

Diagram: User / Device (Username=jdoe@company.com, MAC Address=00:C0:FF:1A:2B:3C, IP Address=10.1.10.101) > Network Access Device (10.1.50.2, Session: 00aa…99ff) > F5 LTM (VIP: 10.1.98.8) > ISE-PSN-1, ISE-PSN-2, ISE-PSN-3

(95)

Configuring RADIUS Persistence

RADIUS Sticky on Calling-Station-ID (client MAC address)

Simple option but does not support advanced logging and other enhanced parsing options like iRule

Profile must be applied to Standard Virtual Server based on UDP Protocol

RADIUS Profile Example

ltm profile radius /Common/radiusLB {
    app-service none
    clients none
    persist-avp 31
    subscriber-aware disabled
    subscriber-id-type 3gpp-imsi
}

(96)

iRule for RADIUS Persistence Based on Client MAC (1of2)

Persistence based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address

iRule assigned to Persistence Profile

Persistence Profile assigned to Virtual Server under Resources section

when CLIENT_DATA {
    # 0: No Debug Logging 1: Debug Logging
    set debug 0
    # Persist timeout (seconds), chosen by media type (NAS-Port-Type 19 = Wireless-802.11)
    set nas_port_type [RADIUS::avp 61 "integer"]
    if {$nas_port_type equals "19"}{
        set persist_ttl 3600
        if {$debug} {set access_media "Wireless"}
    } else {
        set persist_ttl 28800
        if {$debug} {set access_media "Wired"}
    }

• Optional debug logging

• Enable for troubleshooting only to reduce processing load

• Configurable persistence timeout based on media type

 o Wireless Default = 1 hour

(97)

iRule for RADIUS Persistence Based on Client MAC (2of2)

    if {[RADIUS::avp 31] ne "" }{
        set mac [RADIUS::avp 31 "string"]
        # Normalize MAC address to upper case
        set mac_up [string toupper $mac]
        persist uie $mac_up $persist_ttl
        if {$debug} {
            set target [persist lookup uie $mac_up]
            log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
        }
    } else {
        # No Calling-Station-Id: fall back to the NAD address as the persistence key
        set nas_ip [RADIUS::avp 4 ip4]
        persist uie $nas_ip $persist_ttl
        if {$debug} {
            set target [persist lookup uie $nas_ip]
            log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
        }
    }
}
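Added example (not the iRule itself, nor F5 or Cisco code): a Python re-implementation of the sticky-key selection above, run over constructed Access-Request packets so the logic can be checked offline. It goes one step beyond the iRule by rewriting the MAC into a single IETF upper-case form whatever separator the NAD used, and it validates the RADIUS length fields before trusting them.

```python
import struct

# RADIUS attribute numbers the iRule on this page reads (RFC 2865)
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 4, 31, 61
WIRELESS_80211 = 19                   # NAS-Port-Type value the iRule tests for
TTL_WIRELESS, TTL_WIRED = 3600, 28800

def parse_avps(packet):
    """Split a RADIUS packet's attribute list into {type: value} (first occurrence
    wins, as with RADIUS::avp); lengths are checked so a lying packet is rejected."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.setdefault(packet[pos], packet[pos + 2:pos + packet[pos + 1]])
        pos += packet[pos + 1]
    return avps

def normalize_mac(value):
    """Rewrite any common MAC spelling to IETF upper-case (00-00-40-96-3E-4A), or
    None if not a MAC. The iRule only upper-cases; unifying separators too keeps
    the key stable across NADs with different 'attribute 31 mac format' settings."""
    digits = "".join(c for c in value if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        return None
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def persistence_key(packet):
    """Mirror the iRule: persist on Calling-Station-Id, else on NAS-IP-Address;
    TTL is 1 hour for wireless (NAS-Port-Type 19), 8 hours otherwise.
    Returns (key, ttl_seconds, media)."""
    avps = parse_avps(packet)
    port_type = avps.get(NAS_PORT_TYPE) or b""
    wireless = len(port_type) == 4 and struct.unpack("!I", port_type)[0] == WIRELESS_80211
    ttl, media = (TTL_WIRELESS, "Wireless") if wireless else (TTL_WIRED, "Wired")
    csid = avps.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    if csid:   # a non-MAC value (e.g. a vty client IP) is kept, upper-cased
        return (normalize_mac(csid) or csid.upper()), ttl, media
    nas_ip = avps.get(NAS_IP_ADDRESS)
    if nas_ip is not None and len(nas_ip) == 4:
        return ".".join(str(b) for b in nas_ip), ttl, media
    return None, ttl, media

def build_access_request(attrs, ident=1):
    """Constructed Access-Request (code 1) with a zeroed authenticator: enough
    to exercise the parser, not a packet a real RADIUS server would accept."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    # constructed input modelled on the wireless entry in this page's debug output
    pkt = build_access_request([(USER_NAME, b"employee1"), (CALLING_STATION_ID, b"7c-6d-62-e3-d5-05"),
                                (NAS_PORT_TYPE, struct.pack("!I", 19)), (NAS_IP_ADDRESS, bytes([10, 1, 50, 2]))])
    print(persistence_key(pkt))   # ('7C-6D-62-E3-D5-05', 3600, 'Wireless')
```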


(98)

iRule for RADIUS Persistence – Sample Debug Output

Sat Sep 27 13:55:43 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=6c205613e9fc MAC=6C-20-56-13-E9-FC Normal MAC=6C-20-56-13-E9-FC MEDIA=Wired TARGET=/Common/radius_auth_pool 10.1.99.6 1812

Sat Sep 27 13:55:40 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=employee1 MAC=7c-6d-62-e3-d5-05 Normal MAC=7C-6D-62-E3-D5-05 MEDIA=Wireless TARGET=/Common/radius_acct_pool 10.1.99.7 1813

Sat Sep 27 13:55:38 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=00-50-56-A0-0B-3A MAC=00-50-56-A0-0B-3A Normal MAC=00-50-56-A0-0B-3A MEDIA=Wired TARGET=

Sat Sep 27 13:55:37 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: No MAC Address found - Using NAS IP as persist id. Username=#ACSACL#-IP-CENTRAL_WEB_AUTH-5334c9a5 NAS IP=10.1.50.2 MEDIA=Wired TARGET=


(99)

Ensure NAD Populates RADIUS Attributes

Catalyst Switch Example

Cisco Catalyst IOS Command / Description

radius-server attribute 8 include-in-access-req
 Include Framed-IP-Address (if available) in RADIUS Access Requests

radius-server attribute 31 send nas-port-detail
 Include client IP address for remote console (vty) connections to the switch

radius-server attribute 31 mac format ietf upper-case
 Set the MAC address format to 00-00-40-96-3E-4A (all upper case letters)

(100)
