
ISE 1.3 F5-ISE Load Balancing Deep Dive
• Craig Hyps, Cisco Systems, Senior Technical Marketing Engineer
• Faraz Siddiqui, F5 Networks, Solution Architect
• December 4, 2014

Agenda
• Introducing F5 BIG-IP and Cisco ISE Solution Components
• Joint Solution Overview – Deployment Model, Topology, and Traffic Flow
• Configuration Prerequisites (Starting Point for LB Deployment)
• Forwarding Non-LB Traffic
• Load Balancing RADIUS
• Load Balancing Profiling Services
• Load Balancing Web Services
• Global Load Balancing Considerations
• Monitoring and Troubleshooting
• Summary

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

F5 BIG-IP Solution Components

F5 BIG-IP Product: Good, Better, Best Platforms
(Platform figure: 2000 series, 4000 series, 5000 Series, 7000 Series, 10000 Series, 11000 Series, VIPRION 2200, VIPRION 2400, VIPRION 4480, VIPRION 4800; throughput tiers 25M, 200M, 1Gbps, 3Gbps, 5Gbps, 10Gbps)

Virtual: F5 virtual editions provide flexible deployment options for virtual environments and the cloud. Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments

Physical: F5 physical ADCs deliver high performance with specialized and dedicated hardware. Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and DoS mitigation
• An all F5 solution: integrated HW+SW
• Edge and front door services
• Purpose-built isolation for application delivery workloads

Hybrid: Physical + virtual = hybrid ADC infrastructure, with ultimate flexibility and performance. Hybrid ADC is best for:
• Transitioning from physical to virtual and from private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service

Understanding F5 BIG-IP Components

Understanding F5 Components
• BIG-IP is the name of the platform produced by F5. F5 BIG-IP is offered in Virtual Edition, Appliance, and Chassis form factors, all of which provide Application Delivery Controller (ADC) functionality.
• LTM is the Local Traffic Manager. It is a licensed software module that runs inside an F5 BIG-IP and handles the server load balancing function.
• A Virtual Server is the traffic management object on the BIG-IP system that is represented by an IP address and a service. The VIP is configured in the virtual server.

BIG-IP LTM Components: Nodes
• A node is a physical or logical (for example, VMware) server in the internal network
• A node is represented by the IP address of the server, for example 172.20.10.1
(Figure: nodes 172.20.10.1, 172.20.10.2, 172.20.10.3, 172.20.10.4)

BIG-IP LTM Components: Pool Members
• A pool member is a service running on a node, represented by the IP address of the node and the service (port) number, for example 172.20.10.1:80
• A node can host multiple pool members
(Figure: nodes 172.20.10.1 through 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443)

BIG-IP LTM Components: Pools
• A pool is a logical grouping of pool members that represents an application
• Each pool has its own load balancing method
• A node can be a member of multiple pools
(Figure: an HTTP pool with members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080 and a secure pool with members 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443 on nodes 172.20.10.1 through 172.20.10.4)

BIG-IP LTM Components: Virtual Servers
• A virtual server is an IP address and service (port) combination that listens for client requests, for example 10.10.2.100:80 and 10.10.2.100:443
• The virtual server is the most common way to allow client requests to pass through to pool members and/or nodes
• Each virtual server then directs the client requests that match its IP address and port, usually to an application pool
• The virtual server translates the destination IP address and port to the selected pool member, for example 172.20.10.2:80
• Multiple virtual servers can reference the same pools; each virtual server will uniquely process traffic
NOTE: BIG-IP LTM is a default deny device.
(Figure: virtual servers 10.10.2.100:80 and 10.10.2.100:443 in front of the HTTP pool (172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080) and the secure pool (172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443))

Monitors
• A monitor is a test of a specific application, for an expected response, within a given time
• All BIG-IP monitors have two things in common:
  • Interval: the time between each check
  • Timeout: the time within which a successful check must be received before BIG-IP marks the node as unavailable
• BIG-IP LTM can use composite monitors, so it can apply multiple checks
• It can use all or some of the monitors to determine member status
• Monitors can also use reverse logic
• Monitors are sourced from the Self IP addresses

How Active Monitors Work
• Monitors check the status of a pool member or node on an ongoing basis, at a set interval ("Are you up?")
• When the pool member or node responds, BIG-IP LTM marks it as available and starts directing traffic to it
• If a pool member or node being monitored does not respond within the set interval, BIG-IP LTM marks it offline
• BIG-IP LTM continues to direct traffic to the remaining pool members while continuing to monitor the offline pool member or node
(Figure: virtual servers 10.10.2.100:80 and 10.10.2.100:443; nodes 172.20.10.1, 172.20.10.2 and 172.20.10.3 answer "Yes", 172.20.10.4 does not; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443)

What is an iRule?

What are iRules?
• The programming language integrated into the TMOS® architecture
• iRules work at wire-speed
• Based on the industry standard Tool Command Language (TCL)
• Provide the ability to intercept, inspect, transform, direct, and track inbound or outbound application traffic
• Core of the F5 "secret sauce" and key differentiator

How do iRules Work?
• Respond to events, such as:
  • HTTP_REQUEST
  • HTTP_RESPONSE
  • CLIENT_ACCEPTED
• Enable you to perform deep packet inspection (entire header and payload)
• Provide a full scripting language that enables bidirectional and granular control of:
  • Inspection
  • Alteration
  • Delivery of application traffic on a packet-by-packet basis
(Figure: a request enters BIG-IP, HTTP events fire and the iRule is triggered on HTTP_REQUEST, a modified request is forwarded; the response triggers HTTP_RESPONSE and a modified response is returned)
Note: The bi-directional proxy capabilities of BIG-IP LTM enable it to inspect, modify, and route traffic at nearly any point in the traffic flow, regardless of direction.

Key Elements of an iRule
• Event Declarations: define when the code executes; every iRule has an event
• Operators: define under which conditions BIG-IP LTM performs an action
• Commands: define the action to perform

    # Event declaration: runs for every HTTP request on the virtual server
    when HTTP_REQUEST {
        # Operator: condition on the Host header
        if { [HTTP::host] ends_with "bob.com" } {
            # Command: send this request to the http_pool1 pool
            pool http_pool1
        }
    }

iRules Events
• Events are actions that trigger the processing of the iRule
• Examples:
  • HTTP_REQUEST
  • HTTP_RESPONSE
  • CLIENT_ACCEPTED
  • LB_FAILED

    when HTTP_REQUEST {
        if { [HTTP::host] ends_with "bob.com" } {
            pool http_pool1
        }
    }

Persistence
• Persistence
  • Directs a client back to the same server after the initial load balancing decision has been made
  • Is required for stateful applications, such as e-commerce shopping carts
  • May skew load balancing statistics
• Universal Persistence
  • iRules can create persistence records based on anything in the client's request, such as username, session ID, etc.

RADIUS Persistence
• Cisco ISE requires RADIUS Authentication and Authorization traffic to be established to a single PSN. This includes the additional RADIUS transactions that may occur during the initial connection phase, such as re-authentication following CoA.
• It is advantageous for this persistence to continue after initial session establishment, so that re-authentications can leverage the EAP Session Resume and Fast Reconnect cache on the PSN.
Using Persistence Profiles
• Persist Attribute
• Default Persistence Profile
• Fallback Persistence Profile
Using iRules for RADIUS Persistence
• iRules form the crucial pillar behind the operational and configurational flexibility for enabling load balancing of any device, in this case the Cisco ISE.

BIG-IP Listeners Traffic Flow

How Does Traffic Enter a BIG-IP?
• Routing to a listener on the BIG-IP
• Listeners are:
  • Self IPs
  • SNATs
  • NATs
  • Virtual Servers
(Figure: Internet to the External VLAN of the BIG-IP; a virtual server 10.2.2.100:80 and a NAT mapping an external address to an internal 192.168 address)

Packet Processing Priority
1. Existing connection in connection table
2. Packet filter rule
3. Virtual server
4. SNAT
5. NAT
6. Self-IP
7. Drop

Load Balancing

Load Balancing
• A load balancing method is an algorithm or formula used to determine which pool member to send traffic to
• Load balancing is connection based
• Static load balancing methods distribute connections in a fixed manner
  • Round Robin (RR)
  • Ratio (Weighted Round Robin): distributes in a RR fashion among members/nodes whose ratio has not been met
• Dynamic load balancing methods take into account one or more factors, such as the current connection count
• It is important to experiment with different load balancing methods and select the one that offers the best performance in your particular environment

Dynamic Load Balancing Methods
• Least Connections
  • Fewest L4 connections at the time the load balancing decision is being made
  • Recommended when servers have similar capabilities
  • Very commonly used
• Fastest
  • Balances based upon the number of outstanding L7 requests and then L4 connections
  • Requires an L7 profile on the virtual server, otherwise it is just Least Connections
  • Recommended when servers have similar capabilities
• Observed
  • Calculates a ratio each second based on the number of L4 connections
  • Not recommended for large pools

Load Balancing a Service (Member)
• With each new client request, BIG-IP LTM verifies which pool member has the fewest active connections
• BIG-IP LTM directs the request to the pool member with the least number of connections
• In this example, the HTTP pool is configured with the Least Connections (member) method
(Figure: client 18.150.200.10 on the Internet sends a request to virtual server 10.10.2.100:80; http_pool members 172.20.10.1:80 (45 connections), 172.20.10.2:80 (42), 172.20.10.3:8080 (36); secure_pool members 172.20.10.2:443 (12), 172.20.10.3:443 (22); current connection counts for each pool member are displayed in red)

Load Balancing an IP Address (Node)
• With each new end-user request, BIG-IP LTM verifies which node has the fewest active connections
• BIG-IP LTM directs the request to the node with the least number of connections
• This takes into account all services running on the node
• In this example, the HTTP pool is configured with the Least Connections (node) method
(Figure: the same client, virtual server and pools as the previous slide; per-node totals 172.20.10.1 = 45, 172.20.10.2 = 54, 172.20.10.3 = 58; current connection counts for each pool member are displayed in red)

Pool Failure Mechanisms
• Fallback Host (for HTTP and HTTPS applications)
  • Is the server of last resort if all pool members are unavailable
  • Returns an HTTP redirect (HTTP 302) to the client
  • Configured in the HTTP profile; the fallback host is not monitored
• Priority Group Activation
  • Can dynamically pull new members into the pool
  • Pulls lower priority groups into higher priority groups
  • Pulls in all members of a priority group together
(Figure: web_pool with Priority = 5 and Activation < 2, ftp_pool with Priority = 5 and Activation < 3, both backed by Backup Servers Running WWW and FTP at Priority = 1)
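The following is an added example, not code from the presentation or from F5, that models in plain Python the three mechanisms described on the monitor, Least Connections and Pool Failure Mechanisms slides: availability derived from an active monitor's interval and timeout, Least Connections at member versus node scope, and Priority Group Activation. The pool data (http_pool, secure_pool, the 45/42/36 and 12/22 connection counts) is taken from the slides' figures; the backup member 172.20.10.9:80, the monitor interval of 5 seconds, the timeout of 16 seconds and the activation threshold of 2 are constructed assumptions, and the code is a model of the selection logic rather than BIG-IP's implementation.

```python
# Added example (not from the presentation or F5): a plain-Python model of
# active-monitor availability, Least Connections (member vs node) and
# Priority Group Activation, using the pools and counts shown in the figures.
from dataclasses import dataclass


@dataclass
class Member:
    node: str              # node (server) IP address
    port: int              # service port
    connections: int       # current active L4 connections (the red numbers in the figure)
    priority: int = 0      # priority group; a higher number is preferred
    last_ok: float = 0.0   # time of the last successful monitor response

    @property
    def name(self):
        return f"{self.node}:{self.port}"


@dataclass
class Pool:
    name: str
    members: list
    method: str = "member"         # "member" or "node" scope for Least Connections
    activation: int = 0            # Priority Group Activation threshold (0 = off)
    monitor_interval: float = 5.0  # constructed monitor settings, in seconds
    monitor_timeout: float = 16.0


def available(pool, now):
    """A member stays available while a monitor response arrived within the timeout;
    once the timeout has elapsed without one, the member is treated as offline."""
    return [m for m in pool.members if now - m.last_ok <= pool.monitor_timeout]


def missed_checks(pool, member, now):
    """How many monitor intervals have passed since the member last answered."""
    return int((now - member.last_ok) // pool.monitor_interval)


def active_members(pool, now):
    """Priority Group Activation: start with the highest priority group and, while fewer
    than `activation` members are available, pull in the next lower group as a whole."""
    avail = available(pool, now)
    if pool.activation <= 0:
        return avail
    chosen = []
    for prio in sorted({m.priority for m in avail}, reverse=True):
        chosen.extend(m for m in avail if m.priority == prio)
        if len(chosen) >= pool.activation:
            break
    return chosen


def node_connections(pools, node):
    """Node scope counts every service on the node, across all pools it belongs to."""
    return sum(m.connections for p in pools for m in p.members if m.node == node)


def select_member(pool, pools, now):
    """Least Connections at decision time; returns the chosen member name or None."""
    candidates = active_members(pool, now)
    if not candidates:
        return None
    if pool.method == "node":
        return min(candidates, key=lambda m: node_connections(pools, m.node)).name
    return min(candidates, key=lambda m: m.connections).name


def build_deck_example(now):
    """Constructed from the figures: http_pool and secure_pool sharing nodes .2 and .3.
    The priority-1 backup member 172.20.10.9:80 is an added assumption."""
    http_pool = Pool("http_pool", [
        Member("172.20.10.1", 80, 45, priority=5, last_ok=now),
        Member("172.20.10.2", 80, 42, priority=5, last_ok=now),
        Member("172.20.10.3", 8080, 36, priority=5, last_ok=now),
        Member("172.20.10.9", 80, 0, priority=1, last_ok=now),
    ], activation=2)
    secure_pool = Pool("secure_pool", [
        Member("172.20.10.2", 443, 12, last_ok=now),
        Member("172.20.10.3", 443, 22, last_ok=now),
    ])
    return http_pool, secure_pool


def demo():
    now = 100.0
    http_pool, secure_pool = build_deck_example(now)
    pools = [http_pool, secure_pool]
    result = {"node_totals": {n: node_connections(pools, n)
                              for n in ("172.20.10.1", "172.20.10.2", "172.20.10.3")}}
    http_pool.method = "member"
    result["member"] = select_member(http_pool, pools, now)   # fewest per-member connections
    http_pool.method = "node"
    result["node"] = select_member(http_pool, pools, now)     # fewest per-node connections
    # Nodes .1 and .2 stop answering the monitor; 20 s later both exceed the timeout,
    # only one priority-5 member is left (< activation), so the backup group is pulled in.
    later = now + 20
    for m in http_pool.members:
        if m.node in ("172.20.10.3", "172.20.10.9"):
            m.last_ok = later
    http_pool.method = "member"
    result["after_failure"] = select_member(http_pool, pools, later)
    result["missed_checks"] = missed_checks(http_pool, http_pool.members[0], later)
    return result
```

Running `demo()` reproduces the two slides' answers (member scope picks 172.20.10.3:8080 with 36 connections, node scope picks 172.20.10.1:80 because node .1 carries 45 connections against 54 and 58 on the shared nodes) and then shows why the activation threshold matters: with only one priority-5 member still answering the monitor, the idle backup member is pulled in and wins the next decision.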

F5 BIG-IP and Cisco ISE Joint Solution Benefits
• F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that incorporates many advanced security and traffic optimization features.
• Integrating F5 BIG-IP load balancing solutions with ISE can:
  • Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and availability
  • Provide Bring Your Own Device (BYOD) endpoint scalability
  • Deliver customizable policies for identity management of enterprise users and user devices
  • Offer the flexibility of iRules to maintain persistence profiles of Wi-Fi users
  • Implement health monitor probes with BIG-IP LTM for health checks of Cisco ISE servers

References
• BIG-IP LTM Product Overview: http://www.f5.com/pdf/products/big-ip-local-traffic-manager-overview.pdf
• BIG-IP LTM Configuration Guide: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html
• BIG-IP LTM Support forum: https://support.f5.com/kb/en-us/products/big-ip_ltm.html
• DevCentral Forum: https://devcentral.f5.com/
• iRules on F5 DevCentral: https://devcentral.f5.com/wiki/irules.ltmmaintenancepage.ashx
• F5 University – LTM Training: https://login.f5.com/resource/login.jsp?ctx=719748&referral=university
Follow us on Twitter @f5Networks; Official F5 Networks Channel

DevCentral F5 User Community
• Over 105,000 Members in 191 Countries and Growing!
• Resources: Wikis, API/SDK Documentation, Sample Code, Tech Tips, Forums, Podcasts, Blogs
• Tools and Frameworks: iRule Editor; iControl SDK (.NET, Java, PowerShell, Python, ...); VMware vSphere Management Plug-in; Microsoft SCOM Monitoring Pack

Cisco ISE Solution Components

Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control
• Security Policy Attributes: Who, What, Where, When, How
• Identity Context feeds Cisco® ISE, which produces Business-Relevant Policies
• Access methods: Wired, Wireless, VPN
• Endpoints: virtual machine client, IP device, guest, employee, and remote user
• Replaces AAA and RADIUS, NAC, guest management, and device identity servers

ISE Node Types (all can run in a single host)
• Policy Service Node (PSN)
  – Makes policy decisions
  – RADIUS server & provides endpoint/user services
• Policy Administration Node (PAN)
  – Interface to configure policies and manage the ISE deployment
  – Writeable access to the database
• Monitoring & Troubleshooting Node (MnT)
  – Interface to reporting and logging
  – Destination for syslog from other ISE nodes and NADs
• Inline Posture Node (IPN)
  – Enforces posture policy for legacy or 3rd-party NADs

ISE Communications
• Network Access Device (NAD): Access-Layer Devices; the Enforcement Point for RADIUS, WebAuth, Posture, Profiling, and Client Provisioning
• Policy Service Node (PSN): the "Work-Horse"; RADIUS from NAD to PSN, RADIUS reply from PSN to NAD, RADIUS Accounting; the PSN queries the external database directly
• Policy Administration Node (PAN): all Management UI Activities & synchronizing all Policy to all nodes (Policy Sync)
• Monitoring and Troubleshooting Node (MnT): Logging and Reporting Data; receives syslog from NAD, PSN, and PAN
(Figure: Admin and Sponsor Portal users, NAD, PSN, PAN and MnT with the RADIUS, Policy Sync, external database and syslog flows between them)

Example ISE Deployment
(Figure: Data Center A with Admin (P), Monitor (P), PAN, MnT and a Policy Services Cluster of four PSNs, plus HA Inline Posture Nodes (IPN); DC B with Admin (S), Monitor (S), PAN, MnT and two PSNs plus Distributed Policy Services; AD/LDAP (External ID/Attribute Store) at each data center; Branch A and Branch B with 802.1X Switches and APs; a WLC with 802.1X, a Non-CoA WLC, and an ASA VPN)

Scaling by Deployment, Platform, and Persona
• Max Concurrent Endpoint Counts by Deployment Model and Platform

Deployment Model                                    Platform                 Max # Endpoints per Deployment   Max # Dedicated PSNs
Standalone (all personas on same node)              33xx                     2,000                            0
  (2 nodes redundant)                               3415                     5,000                            0
                                                    3495                     10,000                           0
Admin + MnT on same node, Dedicated PSN             3355 as Admin+MnT        5,000                            5
  (Minimum 4 nodes redundant)                       3395 as Admin+MnT        10,000                           5
                                                    3415 as Admin+MnT        5,000                            5
                                                    3495 as Admin+MnT        10,000                           5
Dedicated Admin and MnT nodes, Dedicated Policy     3395 as Admin and MnT    100,000                          40
  nodes (Minimum 6 nodes redundant)                 3495 as Admin and MnT    250,000                          40

Scaling per PSN (Max Endpoints Gated by Total Deployment Size)
Platform     Max # Endpoints per PSN
ISE-3315     3,000
ISE-3355     6,000
ISE-3395     10,000
SNS-3415     5,000
SNS-3495     20,000

Joint Solution Overview – Deployment Model, Topology, and Traffic Flow

Scaling RADIUS, Web, and Profiling with BIG-IP LTM
• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access Devices send RADIUS AAA requests to the LB virtual IP.
(Figure: Network Access Devices send to the Virtual IP of the F5 BIG-IP LTM (Load Balancers), which distributes to the ISE PSNs (RADIUS Servers))

Scaling Global Sponsor / MyDevices with BIG-IP GTM
• F5 BIG-IP LTM Load Balancing simplifies and scales ISE Web Portal Services.
• Use Global Load Balancing (GTM) to direct traffic to the closest VIP.
• Local Web Load-balancing (LTM) distributes the request to a single PSN.
(Figure: DNS server for domain COMPANY.COM; F5 BIG-IP GTM (Global LB) answering for SPONSOR and MYDEVICES; PAN and MnT pairs; three sites, each with an F5 BIG-IP LTM (Local LB) VIP (10.1.100.100, 10.2.100.100, 10.3.100.100) in front of three PSNs: ISE-PSN-1 to ISE-PSN-3 in 10.1.0.0, ISE-PSN-4 to ISE-PSN-6 in 10.2.0.0, ISE-PSN-7 to ISE-PSN-9 in 10.3.0.0)

Load Balancing ISE Policy Services
• RADIUS Authentication and Accounting Services
  Packets sent to the LB virtual IP are load-balanced to a real PSN based on the configured algorithm. A sticky algorithm determines the method used to ensure the same Policy Service node services the same endpoint.
• Profiling Services: DHCP Helper / SNMP Traps / NetFlow / RADIUS
  The LB VIP is the target for one-way Profile Data (no response required). The VIP can be the same as or different from the one used for RADIUS LB.
• URL-Redirected Services: Posture (CPP) / MDM / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) / Device Registration WebAuth (DRW) / Hotspot
  No LB Required! The PSN that terminates RADIUS returns a URL Redirect with its own certificate CN name substituted for the 'ip' variable in the URL.
• Direct HTTP/S Services: Local WebAuth (LWA) / Sponsor Portal / MyDevices Portal
  A single web portal domain name should resolve to the LB virtual IP for HTTP/S load balancing. The real server interface can be the same as or different from the one used for RADIUS.

Load Balancing RADIUS Sample Flow
(Figure: VLAN 98 (10.1.98.0/24) with the User Device, the Access Device and the F5 LTM VIP 10.1.98.8; VLAN 99 (10.1.99.0/24) with the PSN-CLUSTER: ISE-PSN-1 at 10.1.99.6, ISE-PSN-2 at 10.1.99.7, ISE-PSN-3 at 10.1.99.8; from the NAD's view the AUTH and ACCTG requests go to, and the responses come from, the VIP address)
1. NAD has a single RADIUS server defined (radius-server host 10.1.98.8)
2. RADIUS Auth requests sent to VIP 10.1.98.8
3. Requests for the same endpoint are load balanced to the same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS Response received from real server ise-psn-3 @ 10.1.99.8
5. RADIUS Accounting sent to/from the same PSN based on sticky
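Added example, not from the presentation or from Cisco/F5: a minimal RADIUS attribute parser (RFC 2865 framing) and a persistence table keyed on Calling-Station-Id and Framed-IP-Address, the two attributes the sample flow names as the sticky basis, so that an Access-Request and the later Accounting-Request for the same endpoint land on the same PSN. On BIG-IP this decision would live in a universal persistence iRule; here it is modelled in Python so it can be run offline. The PSN addresses are those of the figure; the endpoint MACs, the Framed-IP-Address 10.1.50.5, round-robin as the initial selection and the key precedence (Calling-Station-Id looked up first, Framed-IP-Address as fallback, both recorded) are constructed assumptions. Test packets are built with a zeroed authenticator and no Message-Authenticator; the model covers only the sticky decision, not RADIUS authentication.

```python
# Added example (not from the presentation or Cisco/F5): RADIUS attribute parsing and
# a persistence table keyed on Calling-Station-Id / Framed-IP-Address, modelling the
# "sticky" decision of the sample flow in plain Python.
import ipaddress
import struct

ACCESS_REQUEST = 1          # RFC 2865 code
ACCOUNTING_REQUEST = 4      # RFC 2866 code
FRAMED_IP_ADDRESS = 8       # attribute type 8
CALLING_STATION_ID = 31     # attribute type 31

PSN_POOL = ["10.1.99.6", "10.1.99.7", "10.1.99.8"]   # PSN-CLUSTER addresses from the figure


def parse_radius(packet):
    """Return (code, {attribute type: raw value}); the first occurrence of each type is kept.
    The Length field and every attribute length are validated so a truncated or padded
    datagram raises ValueError rather than being mis-read."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match datagram size")
    attrs = {}
    offset = 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[offset + 2:offset + alen])
        offset += alen
    return code, attrs


def is_malformed(packet):
    try:
        parse_radius(packet)
        return False
    except ValueError:
        return True


def sticky_keys(attrs):
    """Persistence keys present in the request: Calling-Station-Id (looked up first) and
    Framed-IP-Address (fallback). The precedence is an assumption of this model."""
    keys = []
    if CALLING_STATION_ID in attrs:
        keys.append("csid:" + attrs[CALLING_STATION_ID].decode("ascii", "replace").lower())
    fip = attrs.get(FRAMED_IP_ADDRESS)
    if fip is not None and len(fip) == 4:
        keys.append("fip:" + str(ipaddress.IPv4Address(fip)))
    return keys


class RadiusBalancer:
    """Round-robin selection for a new endpoint, persistence table for every later packet."""

    def __init__(self, pool):
        self.pool = list(pool)
        self.rr = 0
        self.persist = {}   # sticky key -> PSN address

    def select(self, packet):
        code, attrs = parse_radius(packet)
        if code not in (ACCESS_REQUEST, ACCOUNTING_REQUEST):
            raise ValueError(f"not a request a NAD would send to the VIP: code {code}")
        keys = sticky_keys(attrs)
        psn = next((self.persist[k] for k in keys if k in self.persist), None)
        if psn is None:
            psn = self.pool[self.rr % len(self.pool)]
            self.rr += 1
        for k in keys:              # record every key so auth and accounting both stick
            self.persist[k] = psn
        return psn


def build_radius(code, ident, attrs):
    """Constructed test datagram: zeroed Request Authenticator, no Message-Authenticator.
    Good enough for the sticky model; not a packet a real server would accept."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def demo():
    """Access-Requests for two endpoints, then Accounting for the first endpoint carrying
    its new Framed-IP-Address, and finally a packet identified by Framed-IP only."""
    lb = RadiusBalancer(PSN_POOL)
    mac_a, mac_b = b"00-11-22-33-44-55", b"66-77-88-99-AA-BB"   # constructed endpoints
    framed_ip_a = bytes([10, 1, 50, 5])                          # constructed client address
    packets = [
        build_radius(ACCESS_REQUEST, 1, [(CALLING_STATION_ID, mac_a)]),
        build_radius(ACCESS_REQUEST, 2, [(CALLING_STATION_ID, mac_b)]),
        build_radius(ACCOUNTING_REQUEST, 3, [(CALLING_STATION_ID, mac_a),
                                              (FRAMED_IP_ADDRESS, framed_ip_a)]),
        build_radius(ACCOUNTING_REQUEST, 4, [(FRAMED_IP_ADDRESS, framed_ip_a)]),
    ]
    return [lb.select(p) for p in packets]
```

`demo()` sends the first endpoint to 10.1.99.6 and the second to 10.1.99.7, then keeps both later packets for the first endpoint on 10.1.99.6 even when only the Framed-IP-Address is present, which is the behaviour step 3 and step 5 describe. Recording both keys on the first packet that carries them is what lets the accounting stream follow the authentication stream without a second lookup mechanism.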

Load Balancing with URL-Redirection Sample Flow
(Figure: User Device, Access Device, F5 LTM with VIP 10.1.98.8, PSN-CLUSTER with ISE-PSN-1 at 10.1.99.6, ISE-PSN-2 at 10.1.99.7 and ISE-PSN-3 at 10.1.99.8, and a DNS Server; the ISE certificate on ise-psn-3 has Subject CN = ise-psn-3.company.com)
1. RADIUS Authentication requests sent to VIP 10.1.98.8. Requests for the same endpoint are load balanced to the same PSN via RADIUS sticky.
2. RADIUS Authorization received from ise-psn-3 @ 10.1.99.8 with a URL Redirect to https://ise-psn-3.company.com:8443/...
3. The client browser is redirected and resolves the FQDN in the URL to the real server address (DNS lookup = ise-psn-3.company.com, DNS response = 10.1.99.8).
4. The user sends the web request directly to the same PSN that serviced the RADIUS request (https://ise-psn-3.company.com:8443/...).
5. HTTPS response from ise-psn-3.company.com.

Load Balancing Non-Redirected Web Services Sample Flow
(Figure: Sponsor Device, DNS Server, F5 LTM with VIP 10.1.98.8, PSN-CLUSTER with ISE-PSN-1 at 10.1.99.6, ISE-PSN-2 at 10.1.99.7 and ISE-PSN-3 at 10.1.99.8; the ISE certificate on ise-psn-3 has Subject = ise-psn-3.company.com and SAN = sponsor.company.com, ise-psn-3.company.com; Requested URL = sponsor.company.com; "Certificate OK!")
1. Browser resolves sponsor.company.com to the VIP @ 10.1.98.8 (DNS lookup = sponsor.company.com, DNS response = 10.1.98.8)
2. Web request sent to https://sponsor.company.com
3. ACE load balances the request to a PSN based on IP or HTTP sticky
4. Certificate SAN includes the FQDN for both sponsor and ise-psn-3
5. HTTPS response received from ise-psn-3 @ 10.1.99.8
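Added example, not part of the presentation and not ISE or BIG-IP code: a check that every name a client may be sent to is covered by the PSN certificate's SAN list, which is the condition step 4 relies on for both the sponsor portal (reached through the VIP) and the redirected portal (reached at the PSN's own FQDN). Matching follows the RFC 6125 DNS-ID rules: case-insensitive, same number of labels, wildcard only as the whole left-most label. The SAN entries for ise-psn-3 are those of the slide; mydevices.company.com as an extra required portal name and the redirect URL path are constructed assumptions.

```python
# Added example (not from the presentation): does the PSN certificate's SAN list cover
# every name a client may be redirected to?  Matching follows RFC 6125 DNS-ID rules.
import re
from urllib.parse import urlsplit

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")   # one valid host label


def _normalize(name):
    return name.strip().lower().rstrip(".")


def dns_id_matches(pattern, hostname):
    """True if the SAN dNSName `pattern` matches `hostname`: case-insensitive, same
    label count, and a wildcard only as the entire left-most label with at least two
    labels after it (so *.company.com matches sponsor.company.com but not
    a.b.company.com or company.com, and never an IP literal of a different shape)."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3 or _LABEL.match(h_labels[0]) is None:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_names(san_dns_names, required_hostnames):
    """Required names that no SAN entry matches; an empty list means the certificate
    will validate for every portal name the client might use."""
    return [h for h in required_hostnames
            if not any(dns_id_matches(p, h) for p in san_dns_names)]


def redirect_target_covered(san_dns_names, redirect_url):
    """Check the host in a URL-Redirect the PSN returns (e.g. https://<cn>:8443/...)."""
    host = urlsplit(redirect_url).hostname or ""
    return any(dns_id_matches(p, host) for p in san_dns_names)


# Constructed from the sample flow: ISE-PSN-3's SAN entries, plus mydevices.company.com
# as an additional portal name the same PSN is assumed to have to serve.
PSN3_SAN = ["ise-psn-3.company.com", "sponsor.company.com"]
REQUIRED = ["sponsor.company.com", "ise-psn-3.company.com", "mydevices.company.com"]
```

`uncovered_names(PSN3_SAN, REQUIRED)` reports only mydevices.company.com, the name the slide's certificate does not carry, and `redirect_target_covered` shows why the redirect must substitute the certificate CN rather than the PSN's IP address into the URL: a redirect to https://10.1.99.8:8443/ would never match a dNSName entry and the browser would warn.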

Load Balancing Profiling Services Sample Flow
(Figure: User Device, Access Device, DHCP Server, F5 LTM with VIP 10.1.98.8, PSN-CLUSTER with ISE-PSN-1 at 10.1.99.6, ISE-PSN-2 at 10.1.99.7 and ISE-PSN-3 at 10.1.99.8; the DHCP Request is sent to both helper IPs and the DHCP Response is returned from the DHCP Server)
1. Client OS sends a DHCP Request
2. The next-hop router with IP Helper configured forwards the DHCP request to the real DHCP server and to the secondary helper entry = LB VIP
3. The real DHCP server responds and provides the client a valid IP address
4. The DHCP request to the VIP is load balanced to the PSN @ 10.1.99.7 based on source IP sticky (L3 gateway) or a DHCP field parsed from the request

High-Level Load Balancing Diagram
(Figure: End User/Device to Network Access Device to F5 LTM; VLAN 98 (10.1.98.0/24) on the NAS side and VLAN 99 (10.1.99.0/24) on the PSN side; LB VIP 10.1.98.8; ISE-PSN-1 at 10.1.99.6, ISE-PSN-2 at 10.1.99.7, ISE-PSN-3 at 10.1.99.8; DNS, NTP, External Logger, SMTP, MDM, AD/LDAP, ISE-PAN-1, ISE-PAN-2, ISE-MNT-1 and ISE-MNT-2 on the network side)

Traffic Flow—Fully Inline: Physical Separation
Physical Network Separation Using Separate LB Interfaces
• Fully Inline Traffic Flow is recommended—physical or logical
• BIG-IP LTM is directly inline between the ISE PSNs and the rest of the network
• All traffic flows through the Load Balancer, including RADIUS, Profiling, Web Services, Management, PAN/MnT, Feed Services, AD, LDAP, MDM…
(Figure: VLAN 98 (External, 10.1.98.0/24) between the Network Switch and the LTM; VLAN 99 (Internal, 10.1.99.0/24) between the LTM and ISE-PSN-1/2/3 at 10.1.99.6–.8; DNS, AD, NTP, LDAP, External Logger, SMTP, MDM, ISE-PAN and ISE-MNT on the network side)

Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using Single LB Interface and VLAN Trunking
• BIG-IP LTM is directly inline between the ISE PSNs and the rest of the network.
• All traffic flows through the LB, including RADIUS, Profiling, Web Services, Management, PAN/MnT, Feed Services, AD, LDAP, MDM…
(Figure: as on the previous slide, with VLAN 98 (External) and VLAN 99 (Internal) trunked over a single LTM interface; VIP 10.1.98.8; ISE-PSN-1/2/3 at 10.1.99.6–.8)

Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LTM VIP
• Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, Management, PAN/MnT, Feed Services, AD, LDAP, MDM…
• All outbound traffic from the PSNs is sent to the LTM as default gateway (DFGW)
• The LTM must be configured to allow asymmetric traffic
• Generally NOT RECOMMENDED due to traffic flow complexity—you must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.
(Figure: a single VLAN 98 shared by the F5 LTM and its VIP, the L3 Switch, the Network Access Device, the End User/Device, ISE-PSN-1/2/3 and the DNS, AD, NTP, LDAP, External Logger, SMTP, MDM, ISE-PAN and ISE-MNT services)

Partially Inline: Layer 3/Different VLANs (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LTM VIP
• Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, Management, PAN/MnT, Feed Services, AD, LDAP, MDM…
• All outbound traffic from the PSNs is sent to the LTM as default gateway (DFGW)
• The LTM must be configured to allow asymmetric traffic
• Generally NOT RECOMMENDED due to traffic flow complexity—you must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.
(Figure: VLAN 98 (External) and VLAN 99 (Internal); F5 LTM with its VIP, the L3 Switch, the Network Access Device, the End User/Device, ISE-PSN-1/2/3 and the DNS, AD, NTP, LDAP, External Logger, SMTP, MDM, ISE-PAN and ISE-MNT services)

Partially Inline: Multiple PSN Interfaces
Separate PSN Connections to LB and Rest of Network

• All LB traffic sent to LTM VIP including RADIUS, Profiling (except SPAN data), and directed Web Services
• All traffic initiated by PSNs sent to F5 LTM as global default gateway
• Redirected Web Services traffic bypasses LTM
• For ISE 1.2 (and optionally 1.3), recommend SNAT redirected HTTPS traffic at L3 switch
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface)

[Diagram: F5 LTM with VLAN 98 (External) and VLAN 99 (Internal), VIP 10.1.98.8; ISE-PSN-1/2/3 use one interface in VLAN 99 (10.1.99.5/6/7) toward the LTM and a second interface in VLAN 91 (Web Portals, 10.1.91.5/6/7) toward the L3 switch; network access device (NAS IP 10.1.50.2), end user/device and external services on the L3 switch side]

Fully Inline – Multiple PSN Interfaces
Network Separation Using Separate LB Interfaces

• All traffic sent to LTM including RADIUS, Profiling (except SPAN data), and directed Web Services
• All traffic initiated by PSNs sent to F5 LTM as global default gateway
• LTM sends Web Services traffic on separate PSN interface.
• For ISE 1.2 (and optionally 1.3), SNAT Web Services at LTM
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface)

[Diagram: F5 LTM with separate interfaces for VLAN 98 (External), VLAN 99 (Internal, PSN RADIUS interfaces 10.1.99.5/6/7) and VLAN 91 (Web Portals, PSN second interfaces 10.1.91.5/6/7); VIP 10.1.98.8; network access device (NAS IP 10.1.50.2), end user/device and external services behind the L3 switch on the external side]

Configuration Prerequisites

Verify Routing Configuration in Overall Topology
L3 Switch/Router off LTM External Interface Must have Route to LTM Internal Network

[Diagram: routing tables (Network / Next Hop) for the L3 switch/router, the F5 LTM and the ISE nodes in the topology with VLAN 98 (10.1.98.0/24, External) and VLAN 99 (10.1.99.0/24, Internal), VIP 10.1.98.8, PSNs 10.1.99.5/6/7 and NAS IP 10.1.50.2; each device carries a 0.0.0.0/0 default route toward its next hop, and the external L3 device carries a route for the LTM internal network via the LTM external interface]

Recommended Software Versions

• F5 BIG-IP LTM: 11.4.1 hotfix HF5 or a later 11.x hotfix release (exact version string garbled in extraction). Additionally, the HF2 release of that later train incorporates performance enhancements that can improve RADIUS load balancing performance.
• Cisco ISE: 1.2 or 1.3 with current patches installed (exact version list garbled in extraction).

F5 Configuration Prerequisites

Validate IP Addressing for Internal and External Interfaces
Main > Network > Self IPs

[Screenshot: Self IP list showing the internal and external self IP addresses]

Validate Correct VLAN Assignments
Main > Network > VLANs > VLAN List

• Separate Physical Interfaces Example
• Single Physical Interface—VLAN Trunking Example

[Screenshots: VLAN list for each of the two interface layouts]

Verify LTM Routing Configuration
Main > Network > Routes

• Default route for LTM appliance set to external interface next hop gateway

[Screenshot: LTM route list]

Optional: Verify LTM High Availability

• F5 BIG-IP LTM supports Active-Standby and Active-Active high availability modes
• Configuration of LTM high availability is beyond the scope of this session.
• Refer to F5 product documentation for additional details:
 • Active-Standby configuration: Creating an Active-Standby Configuration Using the Setup Utility
 • Active-Active configuration: Creating an Active-Active Configuration Using the Setup Utility
• When configured for high availability, default gateways and next hop routes will point to the floating IP address on the F5 appliance
• Health monitors will be sourced from the locally-assigned IP addresses.

ISE Configuration Prerequisites

Configure Node Groups for LB Cluster
All PSNs in LB Cluster in Same Node Group

• Administration > System > Deployment
1) Create node group
2) Assign name (and multicast address if ISE 1.2)
3) Add individual PSNs to node group

• Node group members can be L2 or L3
• Multicast is no longer a requirement in ISE 1.3

Load Balancer General RADIUS Guidelines
RADIUS Servers and Clients – Where Defined

• PSNs are RADIUS Servers for Health Probes. Sample LTM health monitor settings:
 Name: PSN-Probe
 Type: RADIUS
 Interval: 15
 Timeout: 46
 User Name: radprobe
 Password: cisco123
 Alias Service Port: 1812

• ISE Admin Node > Network Devices (RADIUS Clients): the LTM internal self IP (10.1.99.1) and the access devices (NAS IP 10.1.50.2) are defined as NADs on the PAN.

• Load Balancer VIP is RADIUS Server for the access device:
 radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port key cisco123

[Diagram: ISE-PAN-1, ISE-MNT-1, ISE-PSN-1/2/3 behind F5 LTM (VIP 10.1.98.8, internal 10.1.99.1); user and access device (NAS IP 10.1.50.2) on the external side]

Add LTM(s) as NAD(s) for RADIUS Health Monitoring
Administration > Network Resources > Network Devices

• Configure Self IP address of LTM Internal interface connected to PSN RADIUS interfaces (10.1.99.1 in this example).
• Enable Authentication and set RADIUS shared secret.

[Diagram: F5 LTM internal self IP 10.1.99.1 probing ISE-PSN-1/2/3]

Configure Internal User for RADIUS Health Monitoring
Administration > Identity Management > Identities > Users

• This step is optional if you plan to use an external ID store for the health monitoring account. Still recommended for testing and troubleshooting.
• User authorization for this account should be granted no network access.
• F5 LTM monitor accepts both Access-Accept and Access-Reject as healthy responses

Configure DNS and Certs to Support PSN Load Balancing

• Configure DNS entry for PSN cluster(s) and assign VIP IP address. Example: psn-cluster.company.com
• Configure ISE PSN server certs with Subject Alternative Name configured for other FQDNs to be used by LB VIP, or optionally use wildcards (available in ISE 1.2). Example certificate with multiple FQDN values in SAN.

Example DNS server records (DOMAIN = COMPANY.COM):
 PSN-CLUSTER IN A 10.1.98.8
 SPONSOR IN A 10.1.98.8
 MYDEVICES IN A 10.1.98.8
 ISE-PSN-1 IN A 10.1.99.5
 ISE-PSN-2 IN A 10.1.99.6
 ISE-PSN-3 IN A 10.1.99.7

Example certificate SAN: ise-psn-1.company.com, psn-cluster.company.com, sponsor.company.com, guest.company.com

ISE Certificate without SAN
Certificate Warning – Name Mismatch

• Client requests http://sponsor.company.com; DNS Lookup = sponsor.company.com; DNS Response = 10.1.98.8 (the VIP)
• Requested URL = sponsor.company.com → https://sponsor.company.com:8443/sponsorportal
• F5 LTM forwards the request to ISE-PSN-3 (10.1.99.7)
• ISE Certificate Subject = ise-psn-3.company.com, no SAN → Name Mismatch! Browser shows a certificate warning.

[Diagram: DNS server, F5 LTM (VIP 10.1.98.8) and ISE-PSN-1/2/3 at 10.1.99.5/6/7]

ISE Certificate with SAN
No Certificate Warning

• Client requests http://sponsor.company.com; DNS Lookup = sponsor.company.com; DNS Response = 10.1.98.8 (the VIP)
• Requested URL = sponsor.company.com → https://sponsor.company.com:8443/sponsorportal
• F5 LTM forwards the request to ISE-PSN-3 (10.1.99.7)
• ISE Certificate Subject = ise-psn.company.com; SAN = sponsor.company.com, ise-psn-1.company.com, ise-psn-2.company.com, ise-psn-3.company.com → Certificate OK!

[Diagram: DNS server, F5 LTM (VIP 10.1.98.8) and ISE-PSN-1/2/3 at 10.1.99.5/6/7]

General Best Practices for Universal Certificates

• Use a common FQDN for Subject CN. Examples: ise.company.com, aaa.company.local
• If Subject CN contains FQDN, add same FQDN to SAN
• Multi-Domain/UCC* Certificate: Update SAN with all FQDNs serviced by PSN
• OR Wildcard Certificate: Update SAN with wildcard domain using syntax *.company.com
• If required for static IP hosting, add IP addresses as both DNS and IP entries (increases device compatibility)

*UCC = Unified Communications Certificate
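The name-mismatch and SAN scenarios on the preceding slides, as an added example (not from the deck): a model of the DNS-ID check a browser applies to the PSN certificate, using the deck's company.com names and the matching rules of RFC 6125 section 6.4 (a single leading wildcard label covers exactly one label).

```python
# Added example, not the deck's or F5's code: why the "without SAN" case warns
# while the "with SAN" and wildcard cases do not. Names are the deck's examples.
from typing import Iterable, Tuple


def _label_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS-ID match; '*.' covers exactly one left-most label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # *.company.com matches sponsor.company.com, not a.b.company.com or company.com
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def cert_matches(requested_fqdn: str, subject_cn: str,
                 san_dns: Iterable[str]) -> Tuple[bool, str]:
    """Return (ok, reason). SAN dNSName entries are authoritative; the Subject
    CN is only consulted when the certificate carries no DNS SANs at all."""
    san_dns = list(san_dns)
    if san_dns:
        for entry in san_dns:
            if _label_match(entry, requested_fqdn):
                return True, f"matched SAN {entry}"
        return False, "name mismatch: requested FQDN not in SAN"
    if _label_match(subject_cn, requested_fqdn):
        return True, f"matched Subject CN {subject_cn}"
    return False, f"name mismatch: CN {subject_cn} (no SAN)"


# The sponsor-portal flow from the slides: DNS resolves sponsor.company.com to
# the VIP, the LTM picks ISE-PSN-3, and its certificate reaches the browser.
REQUESTED = "sponsor.company.com"
NO_SAN = cert_matches(REQUESTED, "ise-psn-3.company.com", [])
WITH_SAN = cert_matches(REQUESTED, "ise-psn-3.company.com",
                        ["ise-psn-1.company.com", "ise-psn-2.company.com",
                         "ise-psn-3.company.com", "sponsor.company.com",
                         "psn-cluster.company.com"])
WILDCARD = cert_matches(REQUESTED, "ise.company.com",
                        ["ise.company.com", "*.company.com"])

if __name__ == "__main__":
    for label, result in (("no SAN", NO_SAN), ("SAN", WITH_SAN), ("wildcard", WILDCARD)):
        print(f"{label:9s} -> {result}")
```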

Forwarding Non-LB Traffic

High-Level Load Balancing Diagram

[Diagram: ISE-PAN-1/2, ISE-MNT-1/2, DNS, NTP, SMTP, External Logger, MDM and AD/LDAP on the external side; F5 LTM with VLAN 98 (10.1.98.0/24) and VLAN 99 (10.1.99.0/24), VIP 10.1.98.8; ISE-PSN-1/2/3 at 10.1.99.5/6/7; network access device with NAS IP 10.1.50.2 and end user/device]

Non-LB Traffic that Requires IP Forwarding
Inter-node/Management/Repository/ID Stores/Feeds/Profiling/Redirected Web/RADIUS CoA

• PAN/MnT node communications
• All management traffic to/from the PSN real IP addresses such as HTTPS, SSH, SNMP, NTP, DNS, SMTP, and Syslog.
• All external AAA-related traffic to/from the PSN real IP addresses such as AD, LDAP, RSA, external RADIUS servers (token or foreign proxy), and external CA communications (CRL downloads, OCSP checks, SCEP proxy).
• All service-related traffic to/from the PSN real IP addresses such as Posture and Profiler Feed Services, partner MDM integration, pxGrid, and REST/ERS API communications.
• Repository and file management access initiated from PSN including FTP, SFTP, SCP, TFTP, NFS, HTTP, and HTTPS.
• Client traffic to/from PSN real IP addresses resulting from Profiler (NMAP, SNMP queries) and URL-Redirection such as CWA, DRW/Hotspot, Posture, MDM, and Client Provisioning.
• RADIUS CoA from PSNs to network access devices.

Virtual Server to Forward General Inbound IP Traffic
General Properties

• Applies to connections initiated from outside (external) network
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to specific network.
• Destination = PSN Network Addresses
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)

Virtual Server to Forward General Inbound IP Traffic
Configuration (Advanced)

• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT

Virtual Server to Forward General Outbound IP Traffic
General Properties

• Applies to connections initiated from PSN (internal) network
• Type = Forwarding (IP)
• Source = PSN Network Addresses
• Destination = All traffic (0.0.0.0/0) or limit to specific network.
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)

Virtual Server to Forward General Outbound IP Traffic
Configuration (Advanced)

• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT

Example Inbound / Outbound IP Forwarding Servers

[Screenshot: Virtual Server list showing the inbound and outbound IP forwarding virtual servers]

Inbound IP Forwarding for 2nd PSN Interface
2nd PSN Interface for Web Services

• LTM sends Web Services traffic on separate PSN interface.
• For ISE 1.2 (and optionally 1.3), LTM can perform SNAT on Web Services traffic
• ISE 1.3+ supports symmetric traffic responses, so SNAT not required (Set default gateway per interface)

[Diagram: F5 LTM with VLAN 98 (External), VLAN 99 (Internal, PSN interfaces 10.1.99.5/6/7) and VLAN 91 (Web Portals, PSN second interfaces 10.1.91.5/6/7); VIP 10.1.98.8; L3 switch, network access device (NAS IP 10.1.50.2) and end user/device on the external side]

Virtual Server to Forward Inbound Redirected Web Traffic
General Properties

• Applies to connections initiated from URL-redirected clients on outside (external) network to 2nd PSN interface
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to specific client networks.
• Destination = PSN Network Addresses for Web Portals
• Service Port = 8443 (configurable). Optionally set wildcard value of 0 for multiple portal ports or services (NSP and Posture work on port 8905).
• Availability = Unknown (No service validation via health monitors)

Virtual Server to Forward Inbound Redirected Web Traffic
Configuration (Advanced)

• Protocol = TCP. Optionally set to * (All Protocols) for multiple services.
 • NSP requires TCP/8905, but Posture requires both TCP and UDP/8905.
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• For ISE 1.2, enable SNAT
• For ISE 1.3, SNAT optional if symmetric traffic routing is enabled (default route per interface).

Load Balancing RADIUS

Policy Service Node Scaling and Redundancy

• NADs can be configured with sequence of redundant RADIUS servers (PSNs).
• Policy Service nodes can also be configured in a cluster, or "node group", behind a load balancer. NADs send requests to LB virtual IP for Policy Services.
• Policy Service nodes in node group maintain heartbeat to verify member health.

[Diagram: Primary and Secondary Administration Nodes (PAN); a Policy Services Group of PSNs (same multicast domain) with replication between members; F5 BIG-IP LTM load balancers presenting a Virtual IP to the Network Access Devices for the AAA connection. N+1 node redundancy is assumed to support total endpoints during an unexpected single server outage or scheduled server maintenance; it also provides additional scaling buffer.]

Load Balancing RADIUS Sample Flow

NAD has single RADIUS server defined (10.1.98.8):
 radius-server host 10.1.98.8

1. RADIUS Auth requests sent to VIP @ 10.1.98.8
2. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID, Framed-IP-Address, or NAS-IP-Address (RADIUS AUTH request to 10.1.99.7)
3. RADIUS Auth Response received from real server ise-psn-3 @ 10.1.99.7
4. RADIUS AUTH response returned to NAD from 10.1.98.8
5. Successive RADIUS Accounting sent to VIP @ 10.1.98.8
6. RADIUS Accounting Response received from same PSN based on sticky (RADIUS ACCTG request to 10.1.99.7, response to NAD from 10.1.98.8)

[Diagram: user, NAD, F5 LTM with VLAN 98 (10.1.98.0/24) and VLAN 99 (10.1.99.0/24), VIP 10.1.98.8, ISE-PSN-1/2/3 at 10.1.99.5/6/7]

NAT Restrictions for RADIUS Load Balancing
Why Source NAT Fails for NADs

• With SNAT, LB appears as the Network Access Device (NAD) to PSN.
 • CoA sent to wrong IP address
 • NAS IP Address is correct, but not currently used for CoA
• SNAT also results in less visibility as all requests appear sourced from LB – makes troubleshooting more difficult.

SNAT of NAD Traffic: Live Log Example
Auth Succeeds/CoA Fails: CoA Sent to BIG-IP LTM and Dropped

[Screenshot: ISE Live Log showing successful authentications followed by failed CoA]

Allow Source NAT for PSN CoA Requests
Simplifying Switch CoA Configuration

• Match traffic from PSNs to UDP/1700 (RADIUS CoA) and translate to PSN cluster VIP.
• Access switch config:

 Before (CoA SRC = 10.1.99.x, one entry per PSN):
 aaa server radius dynamic-author
  client 10.1.99.5 server-key cisco123
  client 10.1.99.6 server-key cisco123
  client 10.1.99.7 server-key cisco123
  client 10.1.99.8 server-key cisco123
  client 10.1.99.9 server-key cisco123
  client 10.1.99.10 server-key cisco123
  <…one entry per PSN…>

 After (CoA SRC = 10.1.98.8, the VIP):
 aaa server radius dynamic-author
  client 10.1.98.8 server-key cisco123

[Diagram: ISE-PSN-1/2/3 … ISE-PSN-X at 10.1.99.5/6/7/…, F5 LTM, access switch]

Allow NAT for PSN CoA Requests
Simplifying WLC CoA Configuration

• Before: One RADIUS Server entry required per PSN that may send CoA from behind load balancer
• After: One RADIUS Server entry required per load balancer VIP.

[Screenshots: WLC RADIUS server list before and after]

Load Balancer General NAT Guidelines
To NAT or Not To NAT? That is the Question!

RADIUS AUTH – No NAT (SNAT for NAD is BAD!):
 Access Device → LTM VIP: SRC-IP = 10.1.50.2, NAS-IP = 10.1.50.2, DST-IP = 10.1.98.8
 LTM → PSN: SRC-IP = 10.1.50.2, NAS-IP = 10.1.50.2, DST-IP = 10.1.99.7 (source not translated)

RADIUS CoA – SNAT (SNAT for CoA is Okay!):
 PSN → LTM: SRC-IP = 10.1.99.7, DST-IP = 10.1.50.2
 LTM → Access Device: SRC-IP = 10.1.98.8 (NATted to the VIP), DST-IP = 10.1.50.2

[Diagram: ISE-PAN-1, ISE-MNT-1, ISE-PSN-1/2/3 at 10.1.99.5/6/7, F5 LTM with VLAN 98 (10.1.98.0/24) and VLAN 99 (10.1.99.0/24), VIP 10.1.98.8, access device with NAS IP 10.1.50.2, user]

Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes

• Common RADIUS Sticky Attributes
 o Client Address
  – Calling-Station-ID
  – Framed-IP-Address
 o NAD Address
  – NAS-IP-Address
  – Source IP Address
 o Session ID
  – RADIUS Session ID
  – Cisco Audit Session ID
• Best Practice Recommendations (depends on LB support and design)
 1. Calling-Station-ID for persistence across NADs and sessions
 2. Source IP or NAS-IP-Address for persistence for all endpoints connected to same NAD
 3. Audit Session ID for persistence across re-authentications

[Diagram: user (Username=jdoe@company.com, MAC Address=00:C0:FF:1A:2B:3C, IP Address=10.10.10.101, Session: 00aa…99ff), network access device 10.1.50.2, F5 LTM VIP 10.1.98.8, ISE-PSN-1/2/3]

Configuring RADIUS Persistence
RADIUS Profile Example

• RADIUS Sticky on Calling-Station-ID (client MAC address)
• Simple option but does not support advanced logging and other enhanced parsing options like iRule
• Profile must be applied to Standard Virtual Server based on UDP Protocol

 ltm profile radius /Common/radiusLB {
     app-service none
     clients none
     persist-avp 31
     subscriber-aware disabled
     subscriber-id-type 3gpp-imsi
 }

iRule for RADIUS Persistence Based on Client MAC (1of2)
Persistence based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address

• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
• Optional debug logging
 • Enable for troubleshooting only to reduce processing load
• Configurable persistence timeout based on media type
 o Wireless Default = 1 hour
 o Wired Default = 8 hours

 when CLIENT_DATA {
     # 0: No Debug Logging  1: Debug Logging
     set debug 0

     # Persist timeout (seconds), chosen by NAS-Port-Type (AVP 61); 19 = Wireless-802.11
     set nas_port_type [RADIUS::avp 61 "integer"]
     if {$nas_port_type equals "19"} {
         set persist_ttl 3600
         if {$debug} {set access_media "Wireless"}
     } else {
         set persist_ttl 28800
         if {$debug} {set access_media "Wired"}
     }

iRule for RADIUS Persistence Based on Client MAC (2of2)

     # Prefer Calling-Station-Id (AVP 31); fall back to NAS-IP-Address (AVP 4)
     if {[RADIUS::avp 31] ne ""} {
         set mac [RADIUS::avp 31 "string"]
         # Normalize MAC address to upper case
         set mac_up [string toupper $mac]
         persist uie $mac_up $persist_ttl
         if {$debug} {
             set target [persist lookup uie $mac_up]
             log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
         }
     } else {
         set nas_ip [RADIUS::avp 4 ip4]
         persist uie $nas_ip $persist_ttl
         if {$debug} {
             set target [persist lookup uie $nas_ip]
             log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
         }
     }
 }

iRule for RADIUS Persistence – Sample Debug Output

 Sat Sep 27 13:55:43 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=6c205613e9fc MAC=6C-20-56-13-E9-FC Normal MAC=6C-20-56-13-E9-FC MEDIA=Wired TARGET=/Common/radius_auth_pool 10.1.99.6 1812
 Sat Sep 27 13:55:40 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=employee1 MAC=7c-6d-62-e3-d5-05 Normal MAC=7C-6D-62-E3-D5-05 MEDIA=Wireless TARGET=/Common/radius_acct_pool 10.1.99.7 1813
 Sat Sep 27 13:55:38 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=00-50-56-A0-0B-3A MAC=00-50-56-A0-0B-3A Normal MAC=00-50-56-A0-0B-3A MEDIA=Wired TARGET=
 Sat Sep 27 13:55:37 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: No MAC Address found - Using NAS IP as persist id. Username=#ACSACL#-IP-CENTRAL_WEB_AUTH-5334c9a5 NAS IP=10.1.50.2 MEDIA=Wired TARGET=
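The persistence-key selection the iRule above performs (Calling-Station-Id upper-cased, NAS-IP-Address fallback, TTL by NAS-Port-Type), as an added Python model that is not part of the deck or F5's code, so the logic can be exercised offline against constructed Access-Requests. It goes one step beyond the iRule by also normalizing colon/dot separators to the IETF dashed form the Catalyst `radius-server attribute 31 mac format ietf upper-case` command produces; the packets and attribute values below are constructed for the example.

```python
# Added example, not the deck's iRule: derive the persist key the iRule chooses.
#   AVP 31 Calling-Station-Id present -> key = normalized upper-case MAC
#   otherwise                          -> key = AVP 4 NAS-IP-Address
#   TTL: NAS-Port-Type (AVP 61) == 19 (Wireless-802.11) -> 3600 s, else 28800 s
import ipaddress
import re
import struct
from typing import Dict, List, Tuple

ACCESS_REQUEST = 1
AVP_USER_NAME, AVP_NAS_IP, AVP_CALLING_STATION_ID, AVP_NAS_PORT_TYPE = 1, 4, 31, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19
WIRELESS_TTL, WIRED_TTL = 3600, 28800   # 1 hour / 8 hours, as in the deck's iRule


def parse_avps(packet: bytes) -> Dict[int, List[bytes]]:
    """Parse an RFC 2865 RADIUS datagram; return attribute values keyed by type."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match datagram")
    avps: Dict[int, List[bytes]] = {}
    off = 20                                  # skip Code, Identifier, Length, Authenticator
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        avps.setdefault(atype, []).append(packet[off + 2:off + alen])
        off += alen
    return avps


def normalize_mac(calling_station_id: str) -> str:
    """Upper-case the value; if it is a 12-hex-digit MAC, emit XX-XX-XX-XX-XX-XX.
    Non-MAC values (e.g. an IP address for a vty login) are only upper-cased."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) == 12 and re.fullmatch(r"[0-9A-Fa-f:.\- ]+", calling_station_id):
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    return calling_station_id.upper()


def persistence_key(packet: bytes) -> Tuple[str, int, str]:
    """Return (persist key, TTL seconds, media) the way the iRule chooses them."""
    avps = parse_avps(packet)
    port_type = avps.get(AVP_NAS_PORT_TYPE)
    wireless = bool(port_type) and len(port_type[0]) == 4 and \
        struct.unpack("!I", port_type[0])[0] == NAS_PORT_TYPE_WIRELESS_80211
    ttl, media = (WIRELESS_TTL, "Wireless") if wireless else (WIRED_TTL, "Wired")
    csid = avps.get(AVP_CALLING_STATION_ID)
    if csid and csid[0]:
        return normalize_mac(csid[0].decode("ascii", "replace")), ttl, media
    nas_ip = avps.get(AVP_NAS_IP)
    if not nas_ip or len(nas_ip[0]) != 4:
        raise ValueError("neither Calling-Station-Id nor NAS-IP-Address present")
    return str(ipaddress.IPv4Address(nas_ip[0])), ttl, media


def build_access_request(attrs: List[Tuple[int, bytes]], ident: int = 1) -> bytes:
    """Constructed test packet; the 16-byte Request Authenticator is zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples mirroring two of the deck's debug log lines.
WIRELESS_REQ = build_access_request([
    (AVP_USER_NAME, b"employee1"),
    (AVP_CALLING_STATION_ID, b"7c:6d:62:e3:d5:05"),            # lower-case, colons
    (AVP_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    (AVP_NAS_IP, ipaddress.IPv4Address("10.1.50.2").packed),
])
DACL_DOWNLOAD_REQ = build_access_request([
    (AVP_USER_NAME, b"#ACSACL#-IP-CENTRAL_WEB_AUTH-5334c9a5"),  # no Calling-Station-Id
    (AVP_NAS_IP, ipaddress.IPv4Address("10.1.50.2").packed),
    (AVP_NAS_PORT_TYPE, struct.pack("!I", 15)),                # 15 = Ethernet
])

if __name__ == "__main__":
    for pkt in (WIRELESS_REQ, DACL_DOWNLOAD_REQ):
        key, ttl, media = persistence_key(pkt)
        print(f"persist uie {key} {ttl}  ({media})")
```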

Ensure NAD Populates RADIUS Attributes
Catalyst Switch Example

Cisco Catalyst IOS Command – Description
• radius-server attribute 8 include-in-access-req – Include Framed-IP-Address (if available) in RADIUS Access Requests
• radius-server attribute 31 send nas-port-detail – Include client IP address for remote console (vty) connections to the switch
• radius-server attribute 31 mac format ietf upper-case – Set the MAC address format to 00-00-40-96-3E-4A (all upper case letters)

Ensure NAD Populates RADIUS Attributes
Cisco WLC Example

• WLC sets Calling-Station-ID to MAC Address for RADIUS NAC-enabled WLANs
• General recommendation is to set Acct Call Station ID to System MAC Address
• Auth Call Station ID Type may not be present in earlier software versions

[Screenshot: WLC RADIUS settings page]

RADIUS Health Monitors
Load Balancer Probes Determine RADIUS Server Health Status

• BIG-IP LTM RADIUS monitor has two key timer settings:
 o Interval = probe frequency (default = 10 sec)
 o Timeout = total time before monitor fails (default = 31 seconds)
 Timeout = (3 * Interval) + 1 (Four health checks are attempted before declaring a node failure)
• Timers: Set low enough to ensure efficient failover but long enough to avoid excessive probing (AAA load). Start with defaults then tune to network.
• User Account: If a valid user account is to be used for the monitor, be sure to configure the user in ISE or the external ID store with limited/no network access privileges.

Sample LTM RADIUS Health Monitor Config:
 ltm monitor radius /Common/radius_1812 {
     debug no
     defaults-from /Common/radius
     destination *:1812
     interval 10
     password P@$$w0rd
     secret P@$$w0rd
     time-until-up 0
     timeout 31
     username f5-probe
 }

Successful Health Monitor Requests using Valid Account
Yay! It Works!… But now what do I do about all that "noise" in my Live Log?

[Screenshot: ISE Live Log filled with successful f5-probe authentications]

ISE Collection Filters
Filter Successful LTM Health Checks

[Screenshot: ISE collection filter configuration]

F5 LTM Configuration Components for RADIUS LB

[Diagram: Virtual Servers for RADIUS Auth, RADIUS Acct and RADIUS CoA; UDP Profile; RADIUS Profile; SNAT Pool; iRule (Persistence); Persistence Profile; Health Monitor; Pool; Pool List Member Nodes]

Configure RADIUS Health Monitor
Local Traffic > Monitors

• Same monitor can be leveraged for RADIUS Auth, Accounting, and Profiling to reduce probe load for multiple services.
• Be sure BIG-IP LTM is configured as an ISE NAD.

Optional: Configure UDP Profile for RADIUS
Local Traffic > Profiles > Protocol > UDP

• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent UDP profile
• Disable Datagram LB

Optional: Configure RADIUS Profile
Local Traffic > Profiles > Services > RADIUS

• Start with default settings
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent radiusLB profile

Configure iRule for RADIUS Persistence
Local Traffic > iRules > iRule List

• Recommend iRule based on client MAC address
• RADIUS Attribute/Value Pair = 31 = Calling-Station-Id
• Recommend copy and paste working iRule into text area.

F5 iRule Editor
https://devcentral.f5.com/d/tag/irules%20editor

• Manage iRules and config files
• Syntax checker
• Generate HTTP traffic
• Quick links to tech resources

Configure Persistence Profile for RADIUS
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for RADIUS Auth and Accounting, then enable Match Across Virtual Servers (not recommended)
• Specify RADIUS Persistence iRule
• iRule persistence timer overrides profile setting.

Configure Server Pool for RADIUS Auth
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor
• SNAT = No
• Action on Service Down = Reselect
 • Ensures existing connections are moved to an alternate server.

Configure Member Nodes in RADIUS Auth Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
 • Least Connections (node)
 • Least Connections (member)
• Server Port: 1812 or 1645

Configure Server Pool for RADIUS Accounting
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor (same monitor used for RADIUS Auth)
• SNAT = No
• Action on Service Down = Reselect
 • Ensures existing connections are moved to an alternate server.

Configure Member Nodes in RADIUS Accounting Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
 • Least Connections (node)
 • Least Connections (member)
 • Fastest (application)
• Server Port: 1813 or 1646

Configure Virtual Server for RADIUS Auth (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = RADIUS Virtual IP
• Service Port = 1812 or 1645

RADIUS VIP

Configure Virtual Server for RADIUS Auth (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP

• Protocol Profile = udp or
custom UDP profile
• RADIUS Profile = radiusLB or
custom RADIUS profile
• Optional: Limit traffic to specific
VLAN(s)
• SNAT = None


Configure Virtual Server RADIUS Auth (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources

• Default Pool = RADIUS Auth Pool

• Default Persistence Profile =
RADIUS persistence profile
• Fallback Persistence Profile:
• RADIUS iRule setting overrides
value set here.
• If not configured in iRule, set
optional value here. Example:
radius_source_addr

Recommend create new
persistence profile based on
Source Address Affinity to allow
custom timers and match settings.

Configure Virtual Server for RADIUS Accounting
Local Traffic > Virtual Servers > Virtual Server List
• Same settings as RADIUS Auth Virtual
Server but different service port and pool

RADIUS VIP


Configure SNAT Pool List for RADIUS CoA
Local Traffic > Address Translation > SNAT Pool List

• CoA traffic is initiated by PSN to
NADs on UDP/1700
• Define SNAT Pool List with RADIUS
Server Virtual IP as a pool member


Configure Virtual Server to SNAT RADIUS CoA (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• CoA traffic is initiated by PSN to NADs on UDP/1700
• Type = Standard
• Source = PSN Network
• Destination = 0.0.0.0/0.0.0.0 (all hosts) or specific network for all NADs
• Service Port = 1700

Configure Virtual Server to SNAT RADIUS CoA (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation = SNAT
• SNAT Pool = CoA SNAT Pool List
• Resources = None

Scaling Profiling and Database Replication

Significant Attributes vs. Whitelist Attributes

Significant Attributes
• Change triggers global replication
MACADDRESS, ENDPOINTIP, MATCHEDVALUE, ENDPOINTPOLICY, ENDPOINTPOLICYVERSION, STATICASSIGNMENT, STATICGROUPASSIGNMENT, NMAPSUBNETSCANID, PORTALUSER, DEVICEREGISTRATIONSTATUS

Whitelist Attributes (attributes that impact profile)
• Change triggers PSN-PSN replication and global ownership change
AAA-Server, Calling-Station-ID, Certificate Expiration Date, Certificate Issue Date, Certificate Issuer Name, Certificate Serial Number, Description, DestinationIPAddress, Device Identifier, Device Name, DeviceRegistrationStatus, EndPointPolicy, EndPointPolicyID, EndPointProfilerServer, EndPointSource, FQDN, Framed-IP-Address, IdentityGroup, IdentityGroupID, IdentityStoreGUID, IdentityStoreName, L4_DST_PORT, MACAddress, MatchedPolicy, MatchedPolicyID, MDMImei, MDMManufacturer, MDMModel, MDMOSVersion, MDMPhoneNumber, MDMSerialNumber, NADAddress, NAS-IP-Address, NAS-Port-Id, NAS-Port-Type, LastNmapScanTime, NmapScanCount, NmapSubnetScanID, 161-udp, OS Version, OUI, PolicyVersion, PortalUser, PostureApplicable, Product, RegistrationTimeStamp, StaticAssignment, StaticGroupAssignment, FirstCollection, TimeToProfile, Total Certainty Factor, User-Agent, AC_User_Agent, cdpCacheAddress, cdpCacheCapabilities, cdpCacheDeviceId, cdpCachePlatform, cdpCacheVersion, ciaddr, dhcp-class-identifier, dhcp-requested-address, host-name, hrDeviceDescr, ifIndex, ip, lldpCacheCapabilities, lldpCapabilitiesMapSupported, lldpSystemDescription, operating-system, sysDescr, AUPAccepted, BYODRegistration, CreateTime, UpdateTime

Other Attributes
• Dropped if whitelist filter enabled. Otherwise, only locally saved by PSN

Inter-Node Communications – JGroup Connections – Global Cluster
TCP/12001 JGroups Tunneled

• All Secondary nodes* establish connection to Primary PAN (JGroup Controller) over tunneled connection (TCP/12001) for config/database sync.
• Secondary Admin also listens on TCP/12001 but no connection established unless primary fails/secondary promoted
• All Secondary nodes participate in the Global JGroup cluster.

*Secondary node = All nodes except Primary Admin node. Includes PSNs, MnT and Secondary Admin nodes.

Diagram: Admin (P) acts as GLOBAL JGROUP CONTROLLER; Admin (S), MnT (P), MnT (S), PSN1, PSN2 and PSN3 each hold a tunneled TCP/12001 connection to it.

Inter-Node Communications – Local JGroups and Node Groups
TCP/7800 JGroup Peer Communication, TCP/7802 JGroup Failure Detection, TCP/12001 JGroups Tunneled

• Node Groups can be used to define local JGroup* clusters where members exchange heartbeat and sync profile data via multicast or SSL communications between group/cluster members.
• PSN claims endpoint ownership only if change in endpoint whitelist attribute.
• Replication to PAN occurs if significant attribute changes.
• If whitelist filter enabled, then only whitelist attributes synced to all nodes. Whitelist check always occurs regardless of global attribute filter setting.

Diagram (NODE GROUP A / JGROUP A containing PSN1, PSN2, PSN3; Admin (P) is the GLOBAL JGROUP CONTROLLER, with Admin (S), MnT (P) and MnT (S) outside the node group):
• t=0: PSN1 is current endpoint owner.
• t=1: PSN2 gets more current update (DHCP IP Address Update), which triggers inter-PSN sync of attributes: PSN2 fetches all attributes for the same endpoint from PSN1 and takes ownership (Change Ownership). This local sync causes no database replication even if attributes change; replication to PAN happens only when a significant attribute changes.

*JGroups: Java toolkit for reliable multicast communications.

Inter-Node Communications – Local JGroups and Node Groups (Cont.)
TCP/7800 JGroup Peer Communication, TCP/7802 JGroup Failure Detection, TCP/12001 JGroups Tunneled

• General classification data for given endpoint should stay local to node group = whitelist attributes
• Only certain critical data needs to be shared across entire deployment = significant attributes
• Profiling sync leverages JGroup channel
• Each LB cluster should be a node group, but LB is NOT required for node groups. LB is NOT a requirement for Node Group.
• Node group members should have GE LAN connectivity (L2 or L3)
• ISE 1.2 uses multicast with TTL=2 (max 1 hop)
• ISE 1.3 no longer uses UDP multicast for JGroup
• Node groups continue to provide original function of session recovery for failed PSN.
• Reduces sync updates even if different PSNs receive data – expect few whitelist changes and even fewer critical attribute changes. [IP change is significant attribute]

Diagram: NODE GROUP A (JGROUP A) with PSN1, PSN2 and PSN3 connected over L2 or L3 LAN Switching.

Inter-Node Communications – Local JGroups and Node Groups (Cont.)
TCP/7800 JGroup Peer Communication, TCP/7802 JGroup Failure Detection, TCP/12001 JGroups Tunneled

• Profiling sync leverages JGroup channels
• All replication outside node group must traverse PAN!
• If local Multicast fails, then nodes fall back to Global JGroup communication channel.

Diagram: NODE GROUP A (JGROUP A) with PSN1, PSN2, PSN3 and NODE GROUP B (JGROUP B) with PSN4, PSN5, PSN6, each over L2 or L3 LAN Switching; PAN and MnT nodes sit outside both node groups.
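To make the replication rules on the preceding slides concrete, here is a small model (added here; it is not ISE or Cisco code) that replays probe updates arriving at different PSNs and reports what each one triggers: a drop by the attribute filter, a whitelist sync inside the node group, an ownership change that has to cross the PAN, or global replication of a significant attribute. The attribute sets are a subset of the slide's lists, the node-group layout and the endpoint data are constructed, and treating "ip" as significant is my reading of the slide's note that an IP change is a significant attribute (ENDPOINTIP).

```python
"""Model of the ISE profiler replication rules described on the slides
(added example, not ISE code). Replays updates and returns the actions."""

# Subset of the attribute lists on the slide; extend from the slide as needed.
SIGNIFICANT = {
    "MACADDRESS", "ENDPOINTIP", "MATCHEDVALUE", "ENDPOINTPOLICY",
    "ENDPOINTPOLICYVERSION", "STATICASSIGNMENT", "STATICGROUPASSIGNMENT",
    "NMAPSUBNETSCANID", "PORTALUSER", "DEVICEREGISTRATIONSTATUS",
}
WHITELIST = {
    "host-name", "dhcp-class-identifier", "dhcp-requested-address", "ip",
    "User-Agent", "OUI", "operating-system", "sysDescr", "cdpCachePlatform",
    "Calling-Station-ID", "NAS-IP-Address", "Framed-IP-Address",
}


def is_significant(name: str) -> bool:
    # "ip" counts as significant because the slide notes that an IP change is
    # a significant attribute (ENDPOINTIP); that mapping is an assumption.
    return name.upper() in SIGNIFICANT or name == "ip"


class Deployment:
    """PSNs grouped into node groups; endpoints keyed by MAC."""

    def __init__(self, node_groups: dict, attribute_filter: bool = True):
        # node_groups example: {"A": ["PSN1", "PSN2"], "B": ["PSN3"]}
        self.group_of = {p: g for g, psns in node_groups.items() for p in psns}
        self.filter = attribute_filter
        self.endpoints = {}   # mac -> {"owner": psn, "attrs": {name: value}}

    def receive(self, psn: str, mac: str, update: dict) -> set:
        """Apply probe data for `mac` arriving at `psn`; return actions triggered."""
        actions = set()
        ep = self.endpoints.get(mac)
        if ep is None:
            # New endpoint: MACADDRESS is significant, so creation replicates globally.
            ep = self.endpoints[mac] = {"owner": psn, "attrs": {}}
            actions.add("global-replicate")
        changed_wl = changed_sig = False
        for name, value in update.items():
            if name not in WHITELIST and not is_significant(name):
                # "Other" attribute: dropped by the filter, else kept locally only.
                actions.add(("drop:" if self.filter else "local-only:") + name)
                continue
            if ep["attrs"].get(name) == value:
                continue            # identical data: no change, no ownership claim
            ep["attrs"][name] = value
            changed_wl = True
            changed_sig = changed_sig or is_significant(name)
        if changed_wl and ep["owner"] != psn:
            # New owner fetches the full attribute set from the old owner.
            actions.add("ownership-change")
            same_group = self.group_of[ep["owner"]] == self.group_of[psn]
            actions.add("sync:node-group" if same_group else "sync:via-PAN")
            ep["owner"] = psn
        elif changed_wl:
            actions.add("sync:node-group")   # whitelist change shared with peers
        if changed_sig:
            actions.add("global-replicate")  # significant change goes to the PAN
        return actions


if __name__ == "__main__":
    d = Deployment({"A": ["PSN1", "PSN2"], "B": ["PSN3"]})
    mac = "00-50-56-A0-0B-3A"   # constructed endpoint
    print(d.receive("PSN1", mac, {"host-name": "laptop", "ip": "10.1.10.50"}))
    print(d.receive("PSN2", mac, {"dhcp-requested-address": "10.1.10.50"}))
    print(d.receive("PSN3", mac, {"ip": "10.1.11.50", "foo-bar": "x"}))
```

Sending the same data to a second PSN in the group produces no action at all (the values are unchanged), while the first differing whitelist attribute moves ownership; a change seen outside the node group both moves ownership through the PAN and, for the IP, replicates globally. That is the traffic the "do NOT send profile data to multiple PSNs" guidance is trying to avoid.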

Configuring Node Groups
Recommended for ALL local PSNs!

• Administration > System > Deployment
  1) Create node group
  2) Assign name and available multicast address
  3) Add individual PSNs to node group
• Node group members may be L2 / L3 connected
• Multicast no longer required in ISE 1.3.
• ISE 1.2 uses multicast (TTL=2) and requires multicast configuration on intermediate switches if separated by L3 hop

ISE Profiling Best Practices
Whenever Possible…

• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection. DO use Device Sensor!
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2). Do NOT send profile data to multiple PSNs!
  • Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
• Ensure profile data for a given endpoint is sent to the same PSN. DO send profile data to single and same PSN or Node Group!
  • Same issue as above, but not always possible across different probes
  • Use node groups and ensure profile data for a given endpoint is sent to same node group.
  • Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
• For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…
  • DHCP IP Helpers
  • SNMP Traps
  • DHCP/HTTP with ERSPAN (Requires validation)
• Avoid probes that collect the same endpoint attributes. DO enable the Profiler Attribute Filter!
  • Example: Device Sensor + SNMP Query/IP Helper
  • Enable Profiler Attribute Filter

ISE Profiling Best Practices
General Guidelines for Probes

Do NOT enable all probes by default! Avoid SPAN, SNMP Traps, and NetFlow probes!

• DHCP Probe:
  • Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
  • Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• SNMP Probe:
  • SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.
  • For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
  • Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates.
• HTTP Probe:
  • Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
  • Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection, and use intelligent SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• NetFlow Probe: Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.

Profiling Redundancy – Duplicating Profile Data
Sending Profile Data for the Same Endpoint to the Same Node Group / PSN

• Common config is to duplicate IP helper data at each NAD to two different PSNs or PSN LB Clusters
• Different PSNs receive data and may contend for ownership—increases replication

Diagram: the User's DHCP Request reaches interface Vlan10 on the NAD, whose helper addresses relay it to the real DHCP server and to both LB VIPs: DC #1 F5 LTM (VIP 10.1.98.8) in front of PSN-CLUSTER1 (PSN1 10.1.99.5, PSN2 10.1.99.6, PSN3 10.1.99.7) and DC #2 F5 LTM (VIP 10.2.100.8) in front of PSN-CLUSTER2 (PSN1 10.2.101.5, PSN2 10.2.101.6, PSN3 10.2.101.7).

    interface Vlan10
     ip helper-address <real_DHCP_Server>
     ip helper-address 10.1.98.8
     ip helper-address 10.2.100.8

Scaling Profiling and Replication
Using Anycast to Limit Profile Data to a Single PSN and Node Group

• Load Balancer VIPs host same target IP for DHCP profile data
• Routing metrics determine which VIP receives DHCP from NAD

Diagram: the User's DHCP Request reaches interface Vlan10 on the NAD; a single helper entry points at the Anycast VIP 10.1.98.8, which is hosted by both the DC #1 F5 LTM (PSN-CLUSTER1: PSN1 10.1.99.5, PSN2 10.1.99.6, PSN3 10.1.99.7) and the DC #2 F5 LTM (PSN-CLUSTER2: PSN1 10.2.101.5, PSN2 10.2.101.6, PSN3 10.2.101.7).

    interface Vlan10
     ip helper-address <real_DHCP_Server>
     ip helper-address 10.1.98.8

Load Balancing Profiling Services

Profiling Services using Load Balancers (For Your Reference)
Which PSN Service Processes Profile Data?

• Profiling Probes: The following profile data can be load balanced to PSN VIP but may not be processed by same PSN that terminated RADIUS:
  • DHCP IP Helper to DHCP probe
  • SNMP Traps
  • NetFlow export to NetFlow Probe
  Option to leverage Anycast to reduce log targets and facilitate HA
• SNMP Query Probe (triggered): PSNs configured to send SNMP Queries will send query to NAD that sent RADIUS or SNMP Trap which triggered query. Therefore, SNMP Query data is processed by same PSN that terminated RADIUS request for endpoint. PSN will sync new endpoint data with Admin.
• SNMP Query Probe (polled): Not impacted by load balancing, although possible that PSN performing polled query is not same PSN that terminates RADIUS for newly discovered endpoints. Since poll typically conducted at longer intervals, this should not impact more real-time profiling of endpoints.

Profiling Services using Load Balancers (Cont.) (For Your Reference)
Which PSN Service Processes Profile Data?

• DHCP SPAN or HTTP SPAN: Since mirror port is associated to a specific interface on real PSN, cannot provide HA for SPAN data unless configure multiple SPAN destinations to separate PSNs. No guarantee that same PSN that collects SPAN data terminates RADIUS session.
• HTTP (via URL redirect): URL redirect will point to PSN that terminates RADIUS auth so HTTP data will be parsed by same PSN.
• DNS Probe: Submitted by same PSN which obtains IP data for endpoint. Typically the same PSN that processes RADIUS, DHCP, or SNMP Query Probe data.
• NMAP Probe: Submitted by same PSN which obtains data which matches profile rule condition.

Load Balancing Profiling Services
Sample Flow

Diagram: User (10.1.10.10) behind the Access Device (L3 gateway); F5 LTM with VIP 10.1.98.8 in front of ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6) and ISE-PSN-3 (10.1.99.7); a separate real DHCP Server.

1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards DHCP request to real DHCP server (DHCP Request to Helper IP of the DHCP Server) and to secondary entry = LB VIP (DHCP Request to Helper IP 10.1.98.8)
3. Real DHCP server responds and provides client a valid IP address (DHCP Response returned from DHCP Server)
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on source IP stick (L3 gateway) or DHCP field parsed from request.

Load Balancing Sticky Guidelines
Ensure DHCP and RADIUS for a Given Endpoint Use Same PSN

Diagram: User with MAC 11:22:33:44:55:66 behind the NAD; F5 LTM with VIP 10.1.98.8 in front of ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6) and ISE-PSN-3 (10.1.99.7). Persistence Cache: 11:22:33:44:55:66 -> PSN-3

1. RADIUS Authentication request sent to VIP @ 10.1.98.8
2. Request is Load Balanced to PSN-3, and entry added to Persistence Cache (RADIUS response from PSN-3)
3. DHCP Request is sent to VIP @ 10.1.98.8 (IP Helper sends DHCP to VIP)
4. Load Balancer uses the same "Sticky" as RADIUS based on client MAC address
5. DHCP is received by same PSN, thus optimizing endpoint replication

iRule for DHCP Persistence Based on Client MAC (1of2)
Persistence based on DHCP Option 61 – Client Identifier (MAC Address)

• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section

    when CLIENT_ACCEPTED priority 100 {
        # Rule Name and Version shown in the log
        set static::RULE_NAME "Simple DHCP Parser v0.3"
        set static::RULE_ID "dhcp_parser"
        # 0: No Debug Logging  1: Debug Logging
        set debug 1
        # Persist timeout (seconds)
        set persist_ttl 7200

• Optional debug logging: enable for troubleshooting only, to reduce processing load
• Configurable persistence timeout

iRule for DHCP Persistence Based on Client MAC (2of2)
Note: Example is excerpt only—Not complete iRule

        # extract value field in hexadecimal format
        binary scan $dhcp_option_payload x[expr $i + 2]a[expr { $length * 2 }] value_hex
        set value ""
        switch $option {
            61 {
                # Client Identifier
                binary scan $value_hex a2a* ht id
                switch $ht {
                    01 {
                        binary scan $id a2a2a2a2a2a2 m(a) m(b) m(c) m(d) m(e) m(f)
                        set value "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"
                        set option61 "$value"
                        # Normalize MAC
                        set mac_up [string toupper $option61]
                    }
                    default {
                        set value "$id"
                    }
                }
            }
        }
        # ... (excerpt continues)
        persist uie $mac_up $persist_ttl
        if {$debug}{
            set target [persist lookup uie $mac_up]
            log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME competed ***** MAC=$option61 Normal MAC=$mac_up TARGET=$target"
        }

iRule for DHCP Persistence – Sample Debug Output

    Sat Sep 27 13:39:45 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 executed *****
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) BOOTP: 0.0.0.0 00:50:56:a0:0b:3a
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 competed ***** MAC=00-50-56-a0-0b-3a Normal MAC=00-50-56-A0-0B-3A TARGET=
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 competed ***** MAC=f0-25-b7-08-33-9d Normal MAC=F0-25-B7-08-33-9D TARGET=
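The two iRule excerpts and the debug output above show the pieces but not the whole: Option 61 must be located in the DHCP option list, the MAC normalized, and the same key used for both RADIUS (Calling-Station-Id) and DHCP so the sticky guidelines slide holds. The following Python (added here; it is neither the deck's iRule nor F5 code) reproduces that logic offline: a DHCPDISCOVER is constructed inline, the parser rejects truncated packets rather than reading past the end, and a toy persistence table with a TTL stands in for `persist uie`. The PSN names are placeholders.

```python
"""Option 61 parsing, MAC normalization and MAC-keyed persistence, mirroring
the DHCP persistence iRule (added example, not the deck's or F5's code)."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that ends the fixed BOOTP header
HEX = set("0123456789abcdefABCDEF")


def build_dhcp_discover(mac: bytes, with_option61: bool = True) -> bytes:
    """Constructed DHCPDISCOVER: 236-byte BOOTP header, cookie, TLV options."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac + b"\0" * 10          # chaddr is 16 bytes
    hdr += b"\0" * 64 + b"\0" * 128  # sname, file
    opts = b"\x35\x01\x01"           # option 53: DHCPDISCOVER
    if with_option61:
        opts += b"\x3d\x07\x01" + mac   # option 61: hw type 1 (Ethernet) + MAC
    opts += b"\x0c\x06laptop"        # option 12: host-name (constructed value)
    return hdr + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {code: value} for the option list; rejects truncated packets."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (short or bad magic cookie)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad: single byte, no length
            i += 1
            continue
        if code == 255:          # end of options
            return options
        length = packet[i + 1] if i + 1 < len(packet) else None
        value = packet[i + 2:i + 2 + (length or 0)]
        if length is None or len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value
        i += 2 + length
    raise ValueError("option list has no end marker")


def client_identifier_mac(packet: bytes):
    """Option 61 as in the iRule: type 0x01 followed by a 6-byte MAC gives
    'xx-xx-xx-xx-xx-xx' (lower case, the iRule's MAC= field). A missing
    option or another hardware type yields None."""
    value = parse_dhcp_options(packet).get(61)
    if value is None or value[0] != 1 or len(value) != 7:
        return None
    return "-".join(f"{b:02x}" for b in value[1:])


def normalize_mac(raw: str) -> str:
    """Persistence key: 12 upper-case hex digits joined by '-' (the iRule's
    Normal MAC= field). Accepts colon, hyphen and dotted input forms."""
    digits = raw.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


class PersistenceTable:
    """'persist uie' style table: key -> pool member, with a persist_ttl."""

    def __init__(self, members, ttl: int = 7200):
        self.members, self.ttl = list(members), ttl
        self.entries, self._next = {}, 0

    def select(self, key: str, now: float) -> str:
        entry = self.entries.get(key)
        if entry and entry[1] > now:
            member = entry[0]                                     # sticky hit
        else:
            member = self.members[self._next % len(self.members)]  # round robin
            self._next += 1
        self.entries[key] = (member, now + self.ttl)   # (re)arm the timer
        return member

    def select_radius(self, calling_station_id: str, now: float) -> str:
        return self.select(normalize_mac(calling_station_id), now)

    def select_dhcp(self, packet: bytes, now: float):
        mac = client_identifier_mac(packet)
        return None if mac is None else self.select(normalize_mac(mac), now)


if __name__ == "__main__":
    table = PersistenceTable(["PSN-1", "PSN-2", "PSN-3"])
    mac = bytes.fromhex("005056a00b3a")   # constructed endpoint
    print(table.select_radius("00:50:56:A0:0B:3A", now=0))
    print(table.select_dhcp(build_dhcp_discover(mac), now=1))   # same PSN
```

The normalization step is what makes the RADIUS and DHCP lookups land on the same entry: the NAD sends the Calling-Station-Id in whatever format it uses, while Option 61 arrives as raw bytes, so both are reduced to the upper-case hyphenated form before the table is consulted. A DHCP packet without an Ethernet Option 61 returns None, which is where a Fallback Persistence Profile (source address) would take over on the virtual server.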

Load Balancing Simplifies Device Configuration
L3 Switch Example for DHCP Relay

Settings impact each L3 interface servicing DHCP endpoints.

• Before

    !
    interface Vlan10
     description EMPLOYEE
     ip address 10.1.10.1 255.255.255.0
     ip helper-address 10.1.100.100   <-- Real DHCP Server
     ip helper-address 10.1.99.5      <-- ISE-PSN-1
     ip helper-address 10.1.99.6      <-- ISE-PSN-2
     ip helper-address 10.1.99.7      <-- ISE-PSN-3
    !

• After

    !
    interface Vlan10
     description EMPLOYEE
     ip address 10.1.10.1 255.255.255.0
     ip helper-address 10.1.100.100   <-- Real DHCP Server
     ip helper-address 10.1.98.8      <-- F5 VIP
    !

Load Balancing Simplifies Device Configuration
Switch Example for SNMP Traps

• Before

    !
    snmp-server trap-source GigabitEthernet1/0/24
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 10.1.99.5 version 2c public mac-notification snmp
    snmp-server host 10.1.99.6 version 2c public mac-notification snmp
    snmp-server host 10.1.99.7 version 2c public mac-notification snmp
    !

• After

    !
    snmp-server trap-source GigabitEthernet1/0/24
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 10.1.98.8 version 2c public mac-notification snmp
    !

F5 LTM Configuration Components for Profiling LB

• UDP Profile
• iRule (Persistence)
• Persistence Profile
• Virtual Server
• Pool List
• Member Nodes

Optional: Configure UDP Profile for Profiling
Local Traffic > Profiles > Protocol > UDP

• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent UDP profile
• Disable Datagram LB

Optional: Configure iRule for DHCP Profiling Persistence
Local Traffic > iRules > iRule List

• Alternative to basic Source Address-based persistence
• Sample iRule based on client MAC address parsed from DHCP Request packets
• Allows DHCP for given endpoint to persist to same PSN serving RADIUS for same endpoint
• Recommend copy and paste working iRule into text area.

Optional: Configure Persistence Profile for Profiling
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for DHCP Profiling and RADIUS, then enable Match Across Virtual Servers. (Recommend use same IP address)
• Specify DHCP Persistence iRule
• iRule persistence timer overrides profile setting.

Configure Server Pool for DHCP Profiling
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor
  • If PSN not configured for User Services (RADIUS auth), then can use default gateway_icmp monitor.
• Action on Service Down = Reselect
  • Ensures existing connections are moved to an alternate server.

Configure Member Nodes in DHCP Profiling Pool
Local Traffic > Pools > Members

• Load Balancing Method = Round Robin
• Server Port = 67 (DHCP Server)

Configure Server Pool for SNMP Trap Profiling
Local Traffic > Pools

• Same settings as DHCP Profiling Pool except members configured for UDP Port 162.

Configure Virtual Server for DHCP Profiling (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Can be same as RADIUS Virtual IP or unique IP. Be sure to configure DHCP Relays/IP Helpers to point to this IP address
• Service Port = 67

Configure Virtual Server for DHCP Profiling (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• Optional: Limit traffic to specific VLAN(s)

Configure Virtual Server for DHCP Profiling (Resources)
Local Traffic > Virtual Servers > Resources

• Default Pool = DHCP Profiling Pool
• Default Persistence Profile = Persistence Profile based on Source Address Affinity, OR DHCP persistence profile
  • If persistence profile based on Source Address Affinity (source_addr), recommend create new profile to allow custom timers and "Match Across" settings. Example: profiling_source_addr
• Fallback Persistence Profile:
  o DHCP iRule setting overrides value set here.
  o If not configured in iRule, set optional value here.

Configure Virtual Server for SNMP Trap Profiling
Local Traffic > Virtual Servers

• Same settings as DHCP Profiling Virtual Server but different service port and pool.
• Additionally, Default Persistence Profile should be based on Source Address Affinity (NAD IP address).

Load Balancing Web Services

F5 Load Balancing and URL-Redirected Web Services
Sample Flow

Diagram: User behind the NAD; F5 LTM with VIP 10.1.98.8 in front of ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6) and ISE-PSN-3 (10.1.99.7); DNS Server. ISE Certificate Subject CN = ise-psn-3.company.com.

1. RADIUS Authentication requests sent to VIP 10.1.98.8. Requests for same endpoint load balanced to same PSN via RADIUS sticky.
2. RADIUS Authorization received from ise-psn-3 @ 10.1.99.7 with URL Redirect to https://ise-psn-3.company.com:8443/...&sessionId=0a012c5a0000...
3. Client browser redirected and resolves FQDN in URL to real server address. DNS Lookup = ise-psn-3.company.com; DNS Response = 10.1.99.7
4. User sends web request directly to same PSN that serviced RADIUS request (https://ise-psn-3.company.com:8443/...).
5. HTTPS response from ise-psn-3.company.com

F5 Load Balancing Non-Redirected Web Services
Sample Flow

Diagram: Sponsor Device behind the Access Device; F5 LTM with VIP 10.1.98.8 in front of ISE-PSN-1 (10.1.99.5), ISE-PSN-2 (10.1.99.6) and ISE-PSN-3 (10.1.99.7); DNS Server.

1. Browser resolves sponsor.company.com to VIP @ 10.1.98.8 (DNS Lookup = sponsor.company.com; DNS Response = 10.1.98.8)
2. Web request sent to https://sponsor.company.com @ 10.1.98.8
3. F5 load balances request to PSN based on IP or HTTP sticky
4. HTTPS response received from ise-psn-3 @ 10.1.99.7

Load Balancer NAT Guidelines for Web Traffic
URL-Redirected Traffic with Single PSN Interface

• No NAT Required
• Allow web portal traffic direct to PSN without NAT

Diagram: User network 10.1.10.0/24 (gateway .1); F5 LTM on 10.1.98.0/24 (.1); ISE-PSN-1, ISE-PSN-2, ISE-PSN-3 and ISE-PSN-X on 10.1.99.0/24 (.5, .6, .7, .8).
• RADIUS session load-balanced to PSN @ 10.1.99.6
• URL Redirect automatically includes FQDN/Interface IP of same PSN @ 10.1.99.6: https://ise-psn-2.company.com:8443/guestportal/Login...
• Browser traffic redirected to IP for ise-psn-2.company.com: https://10.1.99.6:8443/guestportal/Login...

SNAT on L3 Switch for Dedicated Web Interfaces (ISE 1.2)
URL-Redirected Traffic with Dedicated PSN Interface for Web Portals (Single F5 LTM interface)

• Source NAT portal traffic to simplify routing
• Maintains Path Isolation

Diagram: User network 10.1.10.0/24 (gateway .1); F5 LTM on 10.1.98.0/24 (.1); ISE-PSN-1, ISE-PSN-2, ISE-PSN-3 and ISE-PSN-X with RADIUS interfaces on 10.1.99.0/24 (.5, .6, .7, .8) and dedicated web portal interfaces on 10.1.91.0/24 (.5, .6, .7, .8).
• RADIUS session load-balanced to PSN @ 10.1.99.6
• URL Redirect automatically includes FQDN/Interface IP of Web Portal interface for same PSN @ 10.1.91.6: https://ise-psn-2-guest.company.com:8443/guestportal/Login...
• Source NAT web traffic from user networks destined to PSN web interfaces @ 10.1.91.x, translate to 10.1.91.x (or any address block that can be statically added to PSN route table). Ensures all Web requests received by PSN web interface are returned out same interface.

SNAT on F5 LTM for Dedicated Web Interfaces (ISE 1.2)
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces

Diagram: User A (10.1.10.0/24), User B (10.1.11.0/24) and User C (10.1.12.0/24) behind an L3 Switch; F5 LTM on 10.1.98.0/24 (.1); ISE-PSN-1, ISE-PSN-2, ISE-PSN-3 and ISE-PSN-X with RADIUS interfaces on 10.1.99.0/24 (.5, .6, .7, .8) and web portal interfaces on 10.1.91.0/24 (.5, .6, .7, .8). RADIUS session load-balanced to PSN @ 10.1.99.6.

• URL-Redirected Web Portals/Services: Enable SNAT on F5 IP Forwarding Virtual Servers.
• Direct-Access Portals: Enable SNAT on Virtual Servers for ISE Sponsor, My Devices, and LWA portals.

Dedicated Web Interfaces under ISE 1.3
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces

Diagram: User A (10.1.10.0/24), User B (10.1.11.0/24) and User C (10.1.12.0/24) behind an L3 Switch; F5 LTM on 10.1.98.0/24 (.1); ISE-PSN-1, ISE-PSN-2, ISE-PSN-3 and ISE-PSN-X with eth0 on 10.1.99.0/24 (.5, .6, .7, .8) and eth1 on 10.1.91.0/24 (.5, .6, .7, .8). RADIUS session load-balanced to PSN @ 10.1.99.6.

• Response to traffic received on an interface sent out same interface if default route exists for interface: No SNAT required!
  • Default route 0.0.0.0/0 via 10.1.99.1 on eth0
  • Default route 0.0.0.0/0 via 10.1.91.1 on eth1

Dedicated Web Interfaces under ISE 1.3
Symmetric Traffic Flows

• Configure default routes for each interface to support symmetric return traffic

    ise13-psn-x/admin# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    ise13-psn-x/admin(config)# ip route 0.0.0.0 0.0.0.0 gateway 10.1.91.1

• Validate new default route

    ise13-psn-x/admin# sh ip route
    Destination     Gateway     Iface
    -----------     -------     -----
    10.1.99.0/24    0.0.0.0     eth0
    10.1.91.0/24    0.0.0.0     eth1
    default         10.1.91.1   eth1
    default         10.1.99.1   eth0

F5 LTM Configuration Components for HTTP/S LB

• TCP Profile
• Persistence Profile
• Health Monitor
• Virtual Server
• Pool List
• Member Nodes

Configure HTTPS Health Monitor
Local Traffic > Monitors

• Configure Send and Receive Strings appropriate to
ISE version
• Set UserName and Password to any value (does
not have to be valid user account)
• Alias Service Port = Portal Port configured in ISE


HTTPS Health Monitor Examples
Local Traffic > Monitors

• ISE 1.2 Example
• Send String: GET /sponsorportal/
• Receive String: HTTP/1.1 200 OK

• ISE 1.3 Example
• Send String:
GET /sponsorportal/PortalSetup.action?portal=Sponsor%20Portal%20%28default%29
• Receive String: HTTP/1.1 200 OK

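What the monitor actually does with those strings is easy to misjudge (a 302 to the login page is not "up"), so here is a minimal send/receive-string HTTPS check in the same spirit, added as an example and not F5's monitor implementation. It uses the Send and Receive Strings from the slide; the node address and port in the usage are placeholders, and completing the Send String into a full HTTP/1.1 request is my choice, since the slide does not describe what BIG-IP appends.

```python
"""Send/receive-string HTTPS health check in the spirit of the BIG-IP monitor
(added example, not F5 code)."""
import socket
import ssl

SEND_STRING_ISE12 = "GET /sponsorportal/"
SEND_STRING_ISE13 = ("GET /sponsorportal/PortalSetup.action"
                     "?portal=Sponsor%20Portal%20%28default%29")
RECEIVE_STRING = "HTTP/1.1 200 OK"


def build_request(send_string: str, host: str) -> bytes:
    """Complete the Send String into an HTTP/1.1 request. Appending the
    version, Host header and blank line is an assumption for driving a real
    HTTP/1.1 listener; the slide does not say what BIG-IP appends."""
    line = send_string if " HTTP/1." in send_string else send_string + " HTTP/1.1"
    return f"{line}\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def response_matches(response: bytes, receive_string: str = RECEIVE_STRING) -> bool:
    """Pass only if the Receive String is in the status line, so a redirect
    (302) or an error page whose body happens to mention '200 OK' does not
    mark the node up. BIG-IP matches anywhere in the response; limiting the
    match to the status line is a deliberate tightening."""
    status_line = response.split(b"\r\n", 1)[0]
    return receive_string.encode() in status_line


def probe(host: str, port: int, send_string: str,
          receive_string: str = RECEIVE_STRING, timeout: float = 5.0) -> bool:
    """One monitor cycle: TLS connect to the node, send, read, evaluate.
    Verification is relaxed because the monitor targets the node IP, which
    will not match the portal certificate's subject; for a stricter check,
    load the ISE CA into the context and keep CERT_REQUIRED with
    check_hostname disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_request(send_string, host))
            data = b""
            while len(data) < 8192:          # the status line is all we need
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
        return response_matches(data, receive_string)
    except (OSError, ssl.SSLError):
        return False                         # unreachable or TLS failure = down


if __name__ == "__main__":
    # Placeholder node address; 8443 is the ISE portal port used on the slides.
    print(probe("10.1.99.5", 8443, SEND_STRING_ISE13))
```

Running the ISE 1.2 Send String against a node and looking at the first line of the reply is a quick way to see why the 1.3 example switches to the full PortalSetup.action URL: the Receive String is only satisfied when the status line is a 200, and a redirect leaves the member marked down.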

Optional: Configure TCP Profile for HTTPS
Local Traffic > Profiles > Protocol > TCP

• Start with default Idle Timeout

• Using a custom profile allows for
tuning later if needed without
impacting other services based on
same parent TCP profile


Configure Persistence Profile for HTTPS
Local Traffic > Profiles > Persistence

• Enable Match Across Services

• If different Virtual Server IP addresses used for Web Services, then enable Match Across Virtual Servers (generally recommend using the same VIP address for all portals)

• Timeout = Persistence timer. Value of 1200 seconds = 20 minutes (default Sponsor Portal idle timeout setting in ISE)


Configure Server Pool for Web Services
Local Traffic > Pools > Pool List

• Health Monitor = HTTPS Monitor
• Action on Service Down = None

Configure Member Nodes in Web Services Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
  • Least Connections (node)
  • Least Connections (member)
  • Fastest (application)
• Server Port = 0 (all ports)

Configure Virtual Server for Web Portals (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Web Portal Virtual IP
• Service Port = Web Portal Port configured in ISE (default 8443)

Configure Virtual Server for HTTPS Portals (Advanced)
Local Traffic > Virtual Servers

• Protocol = TCP
• Protocol Profile = tcp or custom TCP profile
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation (SNAT)
  • Single PSN interface: None
  • Dedicated PSN interface (ISE 1.2): Auto Map
  • Dedicated PSN interface (ISE 1.3): None or Auto Map

Configure Virtual Server for HTTPS Portals (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources

• Default Pool = Web Portals Pool
• Default Persistence Profile = HTTPS persistence profile
• Fallback Persistence Profile: Not required

Configure Virtual Server for Web Portals on TCP/443
Local Traffic > Virtual Servers > Virtual Server List

• Virtual Server used to forward web traffic sent to portal FQDN on default HTTPS port 443
• PSNs will automatically redirect traffic to FQDN to specific portal port / URL.
• Service Port = 443 (HTTPS). Default HTTPS port used in initial portal request by end user.
• All other Virtual Server settings the same as the port-specific Virtual Server (Example: ise_https8443_portals)

Configure Virtual Server for Web Portals on TCP/80
Local Traffic > Virtual Servers > Virtual Server List

• Virtual Server used to forward web traffic sent to portal FQDN on default HTTP port 80
• PSNs will automatically redirect traffic to FQDN to specific portal port / URL.
• Service Port = 80 (HTTP). Default HTTP port used in initial portal request by end user.
• All other Virtual Server settings the same as the port-specific Virtual Server (Example: ise_https8443_portals)

Configure Virtual Server for Web Portals on TCP/80
Optional HTTP -> HTTPS Redirect by F5 LTM

To configure F5 LTM to perform automatic HTTP to HTTPS redirect instead of PSNs:
• Configure new http profile under Profiles > Services > HTTP using default settings
• Configure new http class under Profiles > Protocol > HTTP Class. Under Actions, set redirect URL.
• Under Virtual Server for HTTP (TCP/80):
  • Specify HTTP Profile under Advanced Configuration
  • Specify new HTTP Class under Resources > HTTP Class Profiles.

Virtual Server List (screenshot of the resulting Local Traffic > Virtual Servers list)

Server Pool List (screenshot of the resulting Local Traffic > Pools list)

Cisco Confidential 189 .Global Load Balancing Considerations © 2013-2014 Cisco and/or its affiliates. All rights reserved.

F5 BIG-IP GTM: Load Balancing Web Requests
Client-Based Load Balancing/Distribution Based on DNS Response

• Integrate Global LB using F5 BIG-IP GTM with Local LB using F5 BIG-IP LTM

Diagram: the client asks the DNS SOA for company.com "What is IP address for sponsor.company.com?"; the query is handed to F5 BIG-IP GTM, which answers with the sponsor A record for one site's LTM VIP. ISE-PSN-14 and ISE-PSN-15 sit behind separate F5 LTMs, each with its own sponsor VIP, so which site a client reaches is decided per client by the DNS response.

F5 BIG-IP GTM: Load Balancing Web Requests
Global Load Balancing/Distribution Based on Routing and DNS Response

• Example combines Anycast as DNS response

Diagram: the DNS SOA for company.com hands the query "What is IP address for sponsor.company.com?" to F5 BIG-IP GTM, which returns the same Anycast address for every portal FQDN; ISE-PSN-14 and ISE-PSN-15 sit behind separate F5 LTMs that both host that VIP, so routing rather than the DNS answer selects the site.

    sponsor      IN A 10.1.99.12
    mydevices    IN A 10.1.99.12
    lwa-portal1  IN A 10.1.99.12
    lwa-portal2  IN A 10.1.99.12

Basic NAD-Based RADIUS Server Redundancy
Multiple RADIUS Servers Defined in Access Device

• Configure Access Devices with multiple RADIUS Servers.
• Fallback to secondary servers if primary fails

Diagram: User behind the Network Access Device sends RADIUS Auth to PSN1 (10.1.2.3), PSN2 (10.4.5.6) or PSN3 (10.7.8.9).

    radius-server host 10.1.2.3 auth-port 1812 acct-port 1813
    radius-server host 10.4.5.6 auth-port 1812 acct-port 1813
    radius-server host 10.7.8.9 auth-port 1812 acct-port 1813

NAD-Based Redundancy to Different LTM LB Clusters
RADIUS Example – Different RADIUS VIP Addresses
• Configure access devices with each LB cluster VIP as a RADIUS Server.
• Fallback to secondary DC if primary DC fails
[Diagram: User > Network Access Device > RADIUS Auth to F5-LTM1 (10.1.98.8) in DC #1, fronting PSN1, PSN2, PSN3 (10.1.99.5, .6, .7), and to F5-LTM2 (10.2.100.2) in DC #2, fronting PSN1, PSN2, PSN3 (10.2.101.5, .6, .7)]
  radius-server host 10.1.98.8 auth-port 1812 acct-port 1813
  radius-server host 10.2.100.2 auth-port 1812 acct-port 1813

NAD-Based Redundancy to Different LTM LB Clusters
RADIUS Example – Single RADIUS VIP Address using Anycast
• Configure access devices with each LB cluster VIP as a RADIUS Server.
• Fallback to secondary DC if primary DC fails
[Diagram: User > Network Access Device > RADIUS Auth to the Anycast VIP 10.1.98.8, advertised by F5-LTM1 in DC #1 (fronting PSN1, PSN2, PSN3 at 10.1.99.5, .6, .7) and by F5-LTM2 in DC #2 (fronting PSN1, PSN2, PSN3 at 10.2.101.5, .6, .7)]
  radius-server host 10.1.98.8 auth-port 1812 acct-port 1813

NAD-Based Redundancy to Different LTM LB Clusters
Profiling Example – Different DHCP VIP Addresses
• Configure access devices with each PSN cluster VIP as an IP Helper.
• Both Data Centers receive copy of DHCP Profiling data
[Diagram: User > Network Access Device (DHCP Relay) > F5-LTM1 (10.1.98.11) in DC #1, fronting PSN1, PSN2, PSN3 (10.1.99.5, .6, .7), and F5-LTM2 (10.2.100.3) in DC #2, fronting PSN1, PSN2, PSN3 (10.2.101.5, .6, .7)]
  interface VLAN 10
   ip address A.B.C.D 255.255.255.0
   ip helper-address X.X.X.X    # Real
   ip helper-address 10.1.98.11 # LTM1
   ip helper-address 10.2.100.3 # LTM2

NAD-Based Redundancy to Different LTM LB Clusters
Profiling Example – Single DHCP VIP Address using Anycast
• Configure access devices with the single PSN cluster VIP as an IP Helper.
• Fallback to secondary DC if routing to primary DC fails
[Diagram: User > Network Access Device (DHCP Relay) > the Anycast VIP 10.1.98.11, advertised by F5-LTM1 in DC #1 (fronting PSN1, PSN2, PSN3 at 10.1.99.5, .6, .7) and by F5-LTM2 in DC #2 (fronting PSN1, PSN2, PSN3 at 10.2.101.5, .6, .7)]
  interface VLAN 10
   ip address A.B.C.D 255.255.255.0
   ip helper-address X.X.X.X    # Real
   ip helper-address 10.1.98.11 # Anycast

Monitoring and Troubleshooting

Live Log Output for Load Balanced Sessions
Synthetic Transactions
• Batch of test authentications generated from Catalyst switch:
  # test aaa group radius radtest cisco123 new-code count 100
• All RADIUS sent to LB VIP @ 10.1.98.8. Requests evenly distributed across real servers: ise-psn-1, ise-psn-2, ise-psn-3

Live Log Output for Load Balanced Sessions
Real Transactions
• All RADIUS sent to LB VIP @ 10.1.98.8
1 • All phone auth is load balanced from VIP to ise-psn-3 @ 10.1.99.7
2 • All PC auth is load balanced to ise-psn-1 @ 10.1.99.5
3 • CoA is sent from same PSN that is handling the auth session. URL Redirect traffic sent to same PSN.
4 • dACL downloads are sent from switch itself without a Calling-Station-Id or Framed-IP-Address. Request can be load balanced to any PSN. Not required to pull dACL from same PSN as auth.

Cisco ISE Monitoring and Troubleshooting
• Verify Operational Status of Cisco Components
  • Validate ISE Nodes Online and Connected
  • Check that PSNs are synchronized under Administration > Deployment.
  • Verify Identity Stores such as AD and LDAP are connected to PSNs and traffic is not being dropped.
  • Verify the RADIUS Server status from the NADs.
• ISE Authentications Live Log
• ISE Reports
• ISE Packet Capture using TCP Dump
• Logging Suppression and Collection Filters

Cisco ISE Monitoring and Troubleshooting
Verify ISE Node Status
• Check Node Status from ISE Dashboard and under Administration > Deployment

Cisco ISE Monitoring and Troubleshooting
Verify Health Monitor Is Authenticating Successfully
• Are Probes Failing?

Cisco ISE Monitoring and Troubleshooting
Verify Health Monitor Is Authenticating Successfully
• If internal user used, is account enabled? Is password correct?
• If external user store used, is identity store connected?

F5 BIG-IP LTM Monitoring and Troubleshooting
• Verify Operational Status of F5 Components
  • Virtual Server Status
  • Pool Member Status
  • Health Monitors
  • Persistence Records
• iRule Debug and View Local Traffic Logs
• Packet Capture using TCP Dump

F5 BIG-IP LTM Monitoring and Troubleshooting
Verify Virtual Server and Pool Member Status
• Virtual Server Status: if Virtual Server down, then all Pool Members are down.
• Pool Member Status: if node down, cluster impacted but Virtual Server is still up.
• If connections fail, verify persist entries cleared.

F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 Web Interface
• Persistence Records – Bad Example
• MAC addresses are not normalized, so separate persist entries are created for the same endpoint

F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 Web Interface
• Persistence Records – Good Example

F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 BIG-IP LTM Console Interface
• Show Persistence Records for RADIUS Virtual Server
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm persistence persist-records virtual ise_radius_auth
  Sys::Persistent Connections
  universal 10.1.98.8:1812 10.1.99.17:1812 0
  universal 10.1.98.8:1812 10.1.99.15:1812 0
  universal 10.1.98.8:1812 10.1.99.16:1812 0
  universal 10.1.98.8:1812 10.1.99.15:1812 0
  universal 10.1.98.8:1812 10.1.99.17:1812 0
  Total records returned: 5
• Show Persistence Records for Specific Client Based on MAC address as Persist Key
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm persistence persist-records virtual ise_radius_auth mode universal key 7C-6D-62-E3-D5-05
  Sys::Persistent Connections
  universal 10.1.98.8:1812 10.1.99.16:1812 0
  Total records returned: 1
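To check the "bad example" from the web-interface slides against a console dump, the following added Python script (not part of the original deck) parses persistence records and flags endpoints whose MAC persist key appears in several Calling-Station-Id spellings and therefore persists to more than one PSN. The record layout ("mode key virtual node age"), the sample addresses and the MAC keys are constructed for illustration and are not real BIG-IP output.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a real BIG-IP), in a simplified
# "mode key virtual node age" layout: one endpoint's Calling-Station-Id
# appears in three spellings, plus one unrelated endpoint for contrast.
SAMPLE_RECORDS = """\
Sys::Persistent Connections
universal 7C-6D-62-E3-D5-05 10.1.98.8:1812 10.1.99.16:1812 0
universal 7c:6d:62:e3:d5:05 10.1.98.8:1812 10.1.99.17:1812 0
universal 7c6d.62e3.d505 10.1.98.8:1812 10.1.99.15:1812 0
universal 00-11-22-33-44-55 10.1.98.8:1812 10.1.99.15:1812 0
Total records returned: 4
"""

# IEEE dash/colon form, Cisco dotted-quad form, or bare 12 hex digits.
MAC_FORMS = re.compile(r"^(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}$"
                       r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^[0-9a-f]{12}$")

def normalize_mac(key):
    """Lower-case colon form of a MAC persist key, or None when the key is
    not a MAC at all (for example a Framed-IP-Address)."""
    k = key.strip().lower()
    if not MAC_FORMS.match(k):
        return None
    digits = re.sub(r"[-:.]", "", k)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_persist_records(text):
    """Return (mode, key, virtual, node) for each record line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "universal":
            records.append(tuple(parts[:4]))
    return records

def split_endpoints(records):
    """MACs persisted to more than one PSN because their spellings were
    treated as distinct keys: the failure a normalizing iRule prevents."""
    nodes_by_mac = defaultdict(set)
    for _mode, key, _virtual, node in records:
        mac = normalize_mac(key)
        if mac is not None:
            nodes_by_mac[mac].add(node)
    return {mac: sorted(nodes) for mac, nodes in nodes_by_mac.items() if len(nodes) > 1}

if __name__ == "__main__":
    for mac, nodes in split_endpoints(parse_persist_records(SAMPLE_RECORDS)).items():
        print(f"{mac} is split across {len(nodes)} PSNs: {nodes}")
```

On a real system, feed it the output of `show ltm persistence persist-records ... all-properties` after adjusting the column layout in parse_persist_records to match what your BIG-IP version prints.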

F5 BIG-IP LTM Monitoring and Troubleshooting
Clearing Persistence Records and Connections from the F5 BIG-IP LTM Console Interface
• Delete Persistence Records for RADIUS Virtual Server
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete ltm persistence persist-records virtual ise_radius_auth
• Delete All Persistence Records
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete ltm persistence persist-records
• Delete Connections for RADIUS Auth Services
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys connection cs-server-port 1812
• Delete All Connections
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys connection

Network Topology, Routing, and Addressing Review
Key Components
• Clients / Endpoints
• Network Access Devices
• Intermediate infrastructure
• BIG-IP LTM appliances
• ISE PSN appliances
• Supporting services such as DNS, NTP, AD/LDAP, and Admin and MnT nodes

Network Topology, Routing, and Addressing Review
Other Troubleshooting Checklist Items
• Map out the expected path for each flow.
• Validate actual path taken by packets by reviewing configuration files, routing tables, ARP tables, logs and packet captures.
• Verify symmetric path is taken and that no packets are being dropped, using component logs, debugs and packet captures.
• Take into special consideration where NAT may be deployed and addresses change.
• If F5 appliance trunks multiple VLANs, note that packet captures may show both ingress and egress packets where MAC addresses change but IP addresses do not. This can sometimes cause confusion when analyzing packet captures.

Summary

Cisco ISE / F5 BIG-IP Load Balancing Summary Review
• Cisco ISE is a comprehensive, context-based policy management system that can scale services through the deployment of multiple Policy Service Nodes (PSNs).
• F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that incorporates many advanced security and traffic optimization features.
• F5 BIG-IP Global Traffic Manager (GTM) is a global load balancing solution that leverages standard DNS to help ensure that users and applications are directed to the most available and optimal server.
• Integrating F5 BIG-IP load balancing solutions with ISE can:
  • Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and availability
  • Optimize ISE AAA, profiling, and database replication by ensuring the same PSN services a given endpoint's requests
  • Simplify configuration management for network devices
  • Improve overall user experience

Cisco Support References
 Your local Cisco Channel/Security SE
 Sales Assistance Center (SAC) -- 24 x 7, All countries, All timezones
  Email: sac-support@cisco.com
  Phone: +1-408-902-4872 (International), 800-225-0905 (US Toll Free), 8-902-4872 (within Cisco)
  Live Chat: http://tinyurl.com/sacise
  Website: sac.cisco.com (Cisco Internal)
 Cisco Support Communities: supportforums.cisco.com
 Tech Talks – Security Deep Dive Training Series: https://communities.cisco.com/docs/DOC-30977
 Tech Zone: https://techzone.cisco.com/t5/AAA-and-Identity-Management/ct-p/aaa
 ISE and TrustSec “How-To” and Design Guides: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html

F5 Support References
• BIG-IP LTM Product Overview
http://www.f5.com/pdf/products/big-ip-local-traffic-manager-overview.pdf
• BIG-IP LTM Configuration Guide
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html
• BIG-IP LTM Support forum
https://support.f5.com/kb/en-us/products/big-ip_ltm.html
• DevCentral Forum
https://devcentral.f5.com/
• iRules on F5 DevCentral
https://devcentral.f5.com/wiki/irules.ltmmaintenancepage.ashx
• F5 University – LTM Training
https://login.f5.com/resource/login.jsp?ctx=719748&referral=university

Follow us on Twitter @f5Networks  Official F5 Networks Channel


DevCentral F5 User Community
Over 105,000 Members in 191 Countries and Growing!
References
• Wikis
• API/SDK Documentation

Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs

Tools and Frameworks
• iRule Editor
• iControl SDK
• .NET, Java, Python, Powershell, ...
• VMware vSphere Management Plug-in
• Microsoft SCOM Monitoring Pack


 F5 BIG-IP Product Trials – Trial, Eval, and Lab Licenses:
https://f5.com/products/trials/product-trials

 Cisco dCloud: http://dcloud.cisco.com/
 ISE / NFR POC Kit on MarketPlace: http://cisco.mediuscorp.com/ise
 ISE Configured Limited Deployment (COLD) Program: https://communities.cisco.com/docs/DOC-32999

 QuickStart Demo Series on YouTube “CiscoISE” channel: https://www.youtube.com/user/CiscoISE
 Public – Scheduled and On-Demand ISE Demos:
http://www.cisco.com/c/en/us/products/security/identity-services-engine/ise_demos.html


Questions?

Thank you.