
ISE 1.3 F5-ISE Load Balancing Deep Dive
• Craig Hyps, Cisco Systems, Senior Technical Marketing Engineer
• Faraz Siddiqui, F5 Networks, Solution Architect

• December 4, 2014

Agenda

• Introducing F5 BIG-IP and Cisco ISE Solution Components
• Joint Solution Overview: Deployment Model, Topology, and Traffic Flow
• Configuration Prerequisites (Starting Point for LB Deployment)
• Forwarding Non-LB Traffic
• Load Balancing RADIUS
• Load Balancing Profiling Services
• Load Balancing Web Services
• Global Load Balancing Considerations
• Monitoring and Troubleshooting
• Summary

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

F5 BIG-IP Solution Components


F5 BIG-IP Product: Good, Better, Best Platforms

Platforms shown on the slide, smallest to largest, with the throughput labels as printed (25M, 200M, 1Gbps, 3Gbps, 5Gbps, 10Gbps): 2000 series*, 4000 series, 5000 Series, 7000 Series, 10000 Series, 11000 Series, VIPRION 2200, VIPRION 2400, VIPRION 4480, VIPRION 4800. The VIPRION 2200/2400 and the 10Gbps tier are marked New.

Virtual: F5 virtual editions provide flexible deployment options for virtual environments and the cloud. Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments

Physical: F5 physical ADCs deliver high performance with specialized and dedicated hardware. Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and DoS mitigation
• An all-F5 solution: integrated HW+SW
• Edge and front door services
• Purpose-built isolation for application delivery

Hybrid: Physical + virtual = hybrid ADC infrastructure, with ultimate flexibility and performance. Hybrid ADC is best for:
• Transitioning from physical to virtual and from private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service workloads

Understanding F5 BIG-IP Components

Understanding F5 Components
• BIG-IP is the name of the platform produced by F5. F5 BIG-IP is offered in virtual, appliance, or chassis form factors (Virtual Edition, Appliance, Chassis).
• LTM is the Local Traffic Manager. It is a licensed software module that runs inside an F5 BIG-IP and provides Application Delivery Controller (ADC) functionality. LTM handles the server load balancing function.
• A Virtual Server is the traffic management object on the BIG-IP system that is represented by an IP address and a service. The VIP is configured in the virtual server.

BIG-IP LTM Components: Nodes
• A node is a physical or logical (for example, VMware) server in the internal network.
• A node is represented by the IP address of the server.
(Figure: four nodes, 172.20.10.1 through 172.20.10.4.)

BIG-IP LTM Components: Pool Members
• A pool member is a service running on a node, represented by the IP address of the node and the service (port) number.
• A node can host multiple pool members.
(Figure: pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.2:443, 172.20.10.3:443 and 172.20.10.4:443 on nodes 172.20.10.1 through 172.20.10.4.)

BIG-IP LTM Components: Pools
• A pool is a logical grouping of pool members that represents an application.
• Each pool has its own load balancing method.
• A node can be a member of multiple pools.
(Figure: one pool with members 172.20.10.1:80, 172.20.10.2:80 and 172.20.10.3:8080, a second with 172.20.10.2:443, 172.20.10.3:443 and 172.20.10.4:443; nodes 172.20.10.2 and 172.20.10.3 belong to both.)

BIG-IP LTM Components: Virtual Servers
• A virtual server is an IP address and service (port) combination that listens for client requests.
• Each virtual server then directs the traffic, usually to an application pool.
• The virtual server translates the destination IP address and port to the selected pool member.
• Multiple virtual servers can reference the same pools, pool members, and/or nodes.
• Each virtual server will uniquely process client requests that match its IP address and port.
NOTE: BIG-IP LTM is a default-deny device; the virtual server is the most common way to allow traffic to pass through.
(Figure: virtual servers 10.10.2.100:80, 10.10.2.100:443 and 10.10.2.225:8080 in front of pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.2:443, 172.20.10.3:443 and 172.20.10.4:443.)

Monitors
• A monitor is a test of a specific application for an expected response within a given time.
• All BIG-IP monitors have two things in common:
  • Interval: the time between each check
  • Timeout: the time allowed for a successful check to be received before BIG-IP marks the node as unavailable
• BIG-IP LTM can use composite monitors, so it can apply multiple checks.
• It can use all or some of the monitors to determine member status.
• Monitors can also use reverse logic.
• Monitors are sourced from the Self IP addresses.

How Active Monitors Work
• Monitors check the status of a pool member or node on an ongoing basis, at a set interval.
• If a pool member or node being monitored does not respond within the set interval, BIG-IP LTM marks it offline.
• BIG-IP LTM continues to direct traffic to the remaining pool members while continuing to monitor the offline pool member or node.
• When the pool member or node responds, BIG-IP LTM marks it as available and starts directing traffic to the pool member.
(Figure: virtual servers 10.10.2.100:80 and 10.10.2.100:443; the monitor asks each member "Are you up?" and 172.20.10.1:80, 172.20.10.2:80 and 172.20.10.3:8080 answer "Yes"; members 172.20.10.2:443, 172.20.10.3:443 and 172.20.10.4:443 are also shown.)

What is an iRule?

What are iRules?
• The programming language integrated into the TMOS® architecture
• iRules work at wire speed
• Based on the industry-standard Tool Command Language (TCL)
• Provide the ability to intercept, inspect, transform, direct, and track inbound or outbound application traffic
• Core of the F5 "secret sauce" and a key differentiator

How do iRules Work?
• Respond to events, such as:
  • HTTP_REQUEST
  • HTTP_RESPONSE
  • CLIENT_ACCEPTED
• Enable you to perform deep packet inspection (entire header and payload)
• Provide a full scripting language that enables bidirectional and granular control of:
  • Inspection
  • Alteration
  • Delivery of application traffic on a packet-by-packet basis
(Figure: a client Request enters, the iRule is triggered and HTTP events fire (HTTP_REQUEST), and a Modified Request goes to the server; the server Response passes through HTTP_RESPONSE and a Modified Response returns to the client.)
Note: The bi-directional proxy capabilities of BIG-IP LTM enable it to inspect, modify, and route traffic at nearly any point in the traffic flow, regardless of direction.

Key Elements of an iRule
• Event Declarations: define when the code executes. Every iRule has an event.
• Operators: define under which conditions BIG-IP LTM performs an action.
• Commands: define the action to perform.

    when HTTP_REQUEST {
        if { [HTTP::host] ends_with "bob.com" } {
            pool http_pool1
        }
    }

iRule Events
• Events are actions that trigger the processing of the iRule.
• Examples:
  • HTTP_REQUEST
  • HTTP_RESPONSE
  • CLIENT_ACCEPTED
  • LB_FAILED

    when HTTP_REQUEST {
        if { [HTTP::host] ends_with "bob.com" } {
            pool http_pool1
        }
    }

Persistence
• Persistence
  • Directs a client back to the same server after the initial load balancing decision has been made
  • Is required for stateful applications, such as e-commerce shopping carts
  • May skew load balancing statistics
• Universal Persistence
  • iRules can create persistence records based on anything in the client's request, such as username, session ID, etc.

RADIUS Persistence
• Cisco ISE requires RADIUS Authentication and Authorization traffic to be established to a single PSN, which includes additional RADIUS transactions that may occur during the initial connection phase, such as re-authentication following CoA.
• It is advantageous for this persistence to continue after initial session establishment to allow re-authentications to leverage the EAP Session Resume and Fast Reconnect cache on the PSN.
• Using Persistence Profiles
  • Persist Attribute
  • Default Persistence Profile
  • Fallback Persistence Profile
• Using iRules for RADIUS Persistence
  • iRules form the crucial pillar behind the operational and configurational flexibility for enabling load balancing of any device, in this case the Cisco ISE.
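An iRule for the RADIUS persistence described above, added here as an example and not taken from the presentation or from Cisco/F5 material. It assumes a UDP virtual server with a RADIUS profile attached and a Universal persistence profile that references this iRule; the RADIUS::avp type keywords, the empty-string result for an absent attribute, and the 3600-second timeout are assumptions to verify against the F5 documentation for the TMOS version in use.

```tcl
# Added example, not from the presentation: universal persistence for ISE RADIUS.
# Assumes a UDP virtual server with a RADIUS profile and a Universal persistence
# profile that points at this iRule (profile names and timeout are assumptions).
when CLIENT_ACCEPTED {
    # Attribute 31 = Calling-Station-Id, the endpoint MAC as sent by the NAD.
    # Keying on the endpoint rather than the NAD keeps Access-Request, Accounting
    # and the re-authentication that follows a CoA on the same PSN, so the PSN's
    # EAP Session Resume / Fast Reconnect cache is actually hit.
    set key [RADIUS::avp 31 "string"]

    if { $key eq "" } {
        # Attribute 8 = Framed-IP-Address; used as the second sticky key when the
        # NAD did not include a Calling-Station-Id.
        set key [RADIUS::avp 8 ip4]
    }

    if { $key ne "" } {
        # 3600 s covers a typical re-auth interval; align it with the ISE session
        # timeout in use so persistence outlives the expected re-authentication.
        persist uie $key 3600
    } else {
        # No endpoint identifier at all: stick on the NAD source address so the
        # request does not silently fall back to the pool's round-robin choice,
        # and log it so the gap in NAD attributes can be investigated.
        persist uie [IP::client_addr] 3600
        log local0. "RADIUS persistence fell back to client IP [IP::client_addr]"
    }
}
```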

BIG-IP Listeners and Traffic Flow

How Does Traffic Enter a BIG-IP?
• By routing to a listener on the BIG-IP
• Listeners are:
  • Self IPs
  • SNATs
  • NATs
  • Virtual Servers
(Figure: Internet → External VLAN → BIG-IP, showing a virtual server listener on port 80 and a NAT from an external address to a 192.168.x.x internal address.)

Packet Processing Priority
1. Existing connection in the connection table
2. Packet filter rule
3. Virtual server
4. SNAT
5. NAT
6. Self-IP
7. Drop

Load Balancing
• A load balancing method is an algorithm or formula used to determine which pool member to send traffic to.
• Load balancing is connection based.
• Static load balancing methods distribute connections in a fixed manner:
  • Round Robin (RR)
  • Ratio (Weighted Round Robin): distributes in a RR fashion among members/nodes whose ratio has not been met
• Dynamic load balancing methods take into account one or more factors, such as the current connection count.
• It is important to experiment with different load balancing methods and select the one that offers the best performance in your particular environment.

Dynamic Load Balancing Methods
• Least Connections
  • Fewest L4 connections at the time the load balancing decision is made
  • Recommended when servers have similar capabilities
  • Very commonly used
• Fastest
  • Balances based upon the number of outstanding L7 requests and then L4 connections
  • Requires an L7 profile on the virtual server, else it is just Least Connections
  • Recommended when servers have similar capabilities
• Observed
  • Calculates a ratio each second based on the number of L4 connections
  • Not recommended for large pools

Load Balancing a Service (Member)
• With each new client request, BIG-IP LTM verifies which pool member has the fewest active connections.
• In this example, the HTTP pool is configured with the Least Connections (member) method.
• BIG-IP LTM directs the request to the pool member with the least number of connections.
• Current connection counts for each pool member are displayed in red.
(Figure: client 18.150.200.10 → Internet → virtual server 10.10.2.100:80. http_pool: 172.20.10.1:80 (45), 172.20.10.2:80 (42), 172.20.10.3:8080 (36). secure_pool: 172.20.10.2:443 (12), 172.20.10.3:443 (22). The request goes to 172.20.10.3:8080.)

F5 BIG-IP and Cisco ISE Joint Solution Benefits
• F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that incorporates many advanced security and traffic optimization features.
• Integrating F5 BIG-IP load balancing solutions with ISE can:
  • Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and availability
  • Provide Bring Your Own Device (BYOD) endpoint scalability
  • Deliver customizable policies for identity management of enterprise users and user devices
  • Offer the flexibility of iRules to maintain persistence profiles of Wi-Fi users
  • Implement health monitor probes with BIG-IP LTM for health checks of Cisco ISE servers


Load Balancing 101




Load Balancing an IP Address (Node)
• With each new client request, BIG-IP LTM verifies which node has the fewest active connections.
• In this example, the HTTP pool is configured with the Least Connections (node) method.
• BIG-IP LTM directs the request to the node with the least number of connections. This takes into account all services running on the node.
• Current connection counts for each pool member are displayed in red.
(Figure: client 18.150.200.10 → Internet → virtual server 10.10.2.100:80. Node totals: 172.20.10.1 (45), 172.20.10.2 (54), 172.20.10.3 (58). http_pool: 172.20.10.1:80 (45), 172.20.10.2:80 (42), 172.20.10.3:8080 (36). secure_pool: 172.20.10.2:443 (12), 172.20.10.3:443 (22). The request goes to node 172.20.10.1 even though 172.20.10.3:8080 is the least-loaded member.)

Pool Failure Mechanisms
• Fallback Host (for HTTP and HTTPS applications)
  • Is the server of last resort if all pool members are unavailable
  • Returns an HTTP redirect (HTTP 302) to the client
  • Configured in the HTTP profile; the fallback host is not monitored
• Priority Group Activation
  • Can dynamically pull new members into the pool
  • Pulls lower priority groups into higher priority groups
  • Pulls in all members of a priority group together
(Figure: web_pool (Priority = 5, Activation < 2) and ftp_pool (Priority = 5, Activation < 3), with backup servers running WWW and FTP at Priority = 1.)



DevCentral: F5 User Community
Over 105,000 members in 191 countries and growing!
• References: Wikis, API/SDK Documentation
• Resources: Sample Code, Tech Tips, Forums, Podcasts, Blogs
• Tools and Frameworks: iRule Editor; iControl SDK (.NET, Java, Python, PowerShell, ...); VMware vSphere Management Plug-in; Microsoft SCOM Monitoring Pack

Cisco ISE Solution Components

Cisco Identity Services Engine (ISE): All-in-One Enterprise Policy Control
• Security Policy Attributes (Who, What, Where, When, How), Identity, and Context feed Cisco® ISE, which produces Business-Relevant Policies.
• Covers Wired, Wireless, and VPN access for virtual machine clients, IP devices, guests, employees, and remote users.
• Replaces AAA and RADIUS, NAC, guest management, and device identity servers.

ISE Node Types
• Policy Service Node (PSN)
  • Makes policy decisions
  • RADIUS server; provides endpoint/user services
• Policy Administration Node (PAN)
  • Interface to configure policies and manage the ISE deployment
  • Writeable access to the database
• Monitoring & Troubleshooting Node (MnT)
  • Interface to reporting and logging
  • Destination for syslog from other ISE nodes and NADs
• Inline Posture Node (IPN)
  • Enforces posture policy for legacy or 3rd-party NADs
All of these can run in a single host.

ISE Communications
• Network Access Device (NAD): access-layer devices; the enforcement point.
• Policy Service Node (PSN), the "work-horse": RADIUS, Profiling, Posture, WebAuth, Sponsor Portal, Client Provisioning.
• Policy Administration Node (PAN): all management UI activities and synchronizing all Policy nodes.
• Monitoring and Troubleshooting (MnT): logging and reporting data.
(Figure: RADIUS from NAD to PSN and RADIUS reply from PSN to NAD, plus RADIUS Accounting; the PSN queries the external database directly; Policy Sync from PAN to PSN; syslog from NAD, PSN and PAN to MnT; the user sits behind the NAD.)

Example ISE Deployment
(Figure: Data Center A hosts Admin (P), Monitor (P) and a Policy Services Cluster of four PSNs; Data Center B hosts Admin (S), Monitor (S) and two Distributed Policy Services PSNs; each data center has an AD/LDAP external ID/attribute store and Data Center A also has HA Inline Posture Nodes (two IPNs). Access comes from a WLC (Non-CoA 802.1X), an ASA VPN, and Branch A and Branch B switches and APs using 802.1X.)

Scaling by Deployment, Platform, and Persona
• Max Concurrent Endpoint Counts by Deployment Model and Platform

Deployment Model                                  Platform               Max # Endpoints per Deployment   Max # Dedicated PSNs
Standalone (all personas on same node;            33xx                   2,000                            0
  2 nodes redundant)                              3415                   5,000                            0
                                                  3495                   10,000                           0
Admin + MnT on same node, dedicated PSN           3355 as Admin+MnT      5,000                            5
  (minimum 4 nodes redundant)                     3395 as Admin+MnT      10,000                           5
                                                  3415 as Admin+MnT      5,000                            5
                                                  3495 as Admin+MnT      10,000                           5
Dedicated Admin and MnT nodes                     3395 as Admin and MnT  100,000                          40
  (minimum 6 nodes redundant)                     3495 as Admin and MnT  250,000                          40

• Scaling per PSN (dedicated Policy nodes; max endpoints gated by total deployment size)

Platform     Max # Endpoints per PSN
ISE-3315     3,000
ISE-3355     6,000
ISE-3395     10,000
SNS-3415     5,000
SNS-3495     20,000

Joint Solution Overview: Deployment Model, Topology, and Traffic Flow

Scaling RADIUS, Web, and Profiling with BIG-IP LTM
• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access devices send RADIUS AAA requests to the LB virtual IP.
(Figure: Network Access Devices → Virtual IP on F5 BIG-IP LTM (load balancers) → nine ISE PSNs (RADIUS servers).)

Scaling Global Sponsor / MyDevices with BIG-IP GTM
• Use Global Load Balancing (GTM) to direct traffic to the closest VIP.
• Local Web Load-balancing (LTM) distributes the request to a single PSN.
• F5 BIG-IP LTM Load Balancing simplifies and scales ISE Web Portal Services.
(Figure: the DNS server for COMPANY.COM hands SPONSOR and MYDEVICES lookups to the F5 BIG-IP GTM (global LB), which answers with the VIP of one of three sites; each site has an F5 BIG-IP LTM (local LB) in front of three PSNs (ISE-PSN-1 to ISE-PSN-9 across the three sites), with the PANs and MnT nodes shown centrally.)

Load Balancing ISE Policy Services
• RADIUS Authentication and Accounting Services: packets sent to the LB virtual IP are load-balanced to a real PSN based on the configured algorithm. The sticky algorithm determines the method used to ensure the same Policy Service node services the same endpoint.
• Profiling Services (DHCP Helper / SNMP Traps / NetFlow / RADIUS): the LB VIP is the target for one-way profile data (no response required). The VIP can be the same as or different from the one used by RADIUS LB.
• Direct HTTP/S Services (Local WebAuth (LWA) / Sponsor Portal / MyDevices Portal): a single web portal domain name should resolve to the LB virtual IP for HTTP/S load balancing. The real server interface can be the same as or different from the one used by RADIUS.
• URL-Redirected Services (Posture (CPP) / MDM / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) / Device Registration WebAuth (DRW) / Hotspot): no LB required! The PSN that terminates RADIUS returns a URL Redirect with its own certificate CN name substituted for the 'ip' variable in the URL.

Load Balancing RADIUS Sample Flow
1. The NAD has a single RADIUS server defined, the VIP 10.1.98.8 (radius-server host 10.1.98.8).
2. RADIUS Auth requests are sent to VIP 10.1.98.8.
3. Requests for the same endpoint are load balanced to the same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address.
4. The RADIUS response is received from real server ise-psn-3 @ 10.1.99.7.
5. RADIUS Accounting is sent to/from the same PSN based on sticky.
(Figure: User Device → Access Device → F5 LTM with VIP 10.1.98.8 on VLAN 98 (10.1.98.0/24) → PSN-CLUSTER on VLAN 99 (10.1.99.0/24): ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. AUTH and ACCTG requests go to 10.1.98.8; AUTH and ACCTG responses come from 10.1.98.8.)

Load Balancing with URL-Redirection Sample Flow
1. RADIUS Authentication requests are sent to VIP 10.1.98.8 (RADIUS request to psn-cluster.company.com).
2. Requests for the same endpoint are load balanced to the same PSN via RADIUS sticky.
3. The RADIUS Authorization is received from ise-psn-3 @ 10.1.99.7 with a URL Redirect to https://ise-psn-3.company.com:8443/... (ISE certificate Subject CN = ise-psn-3.company.com).
4. The client browser is redirected and resolves the FQDN in the URL to the real server address (DNS Lookup = ise-psn-3.company.com; DNS Response = 10.1.99.7).
5. The user sends the web request directly to the same PSN that serviced the RADIUS request, and the HTTPS response comes from ise-psn-3.company.com.
(Figure: User Device → Access Device → F5 LTM VIP 10.1.98.8 → PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; DNS server answers the ise-psn-3.company.com lookup.)

98. sponsor. company.8 Server 10.1.99.5 https://sponsor.com 5.com ISE-PSN-3 3 ISE Certificate 1.98.1.com 3.company.1. Cisco Confidential 52 .com ISE-PSN-1 F5 LTM 2 https://sponsor.com to VIP @ 10.company.1.company.1.company.99.com DNS PSN 1 DNS Response = 10.1.1.98.company.company. All rights reserved.com 10.6 https response from ise-psn-3 @ 10. Web request sent to https://sponsor.1. HTTPS response received from ise-psn-3 @ 10.99.8 ise-psn-3.com @ 10.com © 2013-2014 Cisco and/or its affiliates.99.com @ 10.company. Certificate SAN includes FQDN for both sponsor and ise-psn-3.8 Subject = 2.8 ISE-PSN-2 Sponsor 4 Device PSN-CLUSTER Certificate OK! 5 PSN Requested URL = sponsor.1.7 Certificate SAN = sponsor.7 Access VIP: 10.98.99.company.1. ACE load balances request to PSN based on IP or HTTP sticky SAN= 4.98.company.8 PSN 10.7 ise-psn-3. Load Balancing Non-Redirected Web Services Sample Flow DNS Lookup = sponsor. Browser resolves sponsor.

Load Balancing Profiling Services Sample Flow
1. The client OS sends a DHCP Request.
2. The next-hop router with IP Helper configured forwards the DHCP request to the real DHCP server and to the secondary helper entry = LB VIP.
3. The real DHCP server responds and provides the client a valid IP address.
4. The DHCP request sent to the VIP is load balanced to the PSN @ 10.1.99.7 based on source IP sticky (the L3 gateway) or a DHCP field parsed from the request.
(Figure: User Device → Access Device; DHCP Request to the DHCP server helper IP and to the LB VIP helper IP; DHCP Response returned from the DHCP server; F5 LTM → PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7.)

High-Level Load Balancing Diagram
(Figure: End User/Device → Network Access Device → F5 LTM, with the external side on VLAN 98 (10.1.98.0/24), VIP 10.1.98.8, and the internal side on VLAN 99 (10.1.99.0/24) facing ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6 and ISE-PSN-3 10.1.99.7. Also shown behind the LB: ISE-PAN-1/2, ISE-MNT-1/2, DNS, NTP, External Logger, SMTP, MDM and AD/LDAP.)

Traffic Flow, Fully Inline: Physical Separation
Physical network separation using separate LB interfaces. Fully inline traffic flow is recommended, physical or logical.
• BIG-IP LTM is directly inline between the ISE PSNs and the rest of the network.
• All traffic flows through the load balancer, including RADIUS, Profiling, Web Services, Management, PAN/MnT, Feed Services, MDM, AD, LDAP...
(Figure: End User/Device → Network Access Device → Network Switch → F5 LTM, external interface on VLAN 98 (10.1.98.0/24) and internal interface on VLAN 99 (10.1.99.0/24), with VIP 10.1.98.8 → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. DNS, AD, NTP, LDAP, ISE-PAN, ISE-MNT, External Logger, SMTP and MDM sit on the switch side.)

Traffic Flow, Fully Inline: VLAN Separation
Logical network separation using a single LB interface and VLAN trunking.
• BIG-IP LTM is directly inline between the ISE PSNs and the rest of the network.
• All traffic flows through the LB, including RADIUS, Profiling, Web Services, Management, PAN/MnT, Feed Services, MDM, AD, LDAP...
(Figure: same topology as the physical-separation case, but the F5 LTM carries VLAN 98 (External, 10.1.98.0/24) and VLAN 99 (Internal, 10.1.99.0/24) over one trunked interface; VIP 10.1.98.8; ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7.)

Partially Inline: Layer 2 / Same VLAN (One PSN Interface)
Direct PSN connections to the LB and to the rest of the network.
• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LTM VIP.
• Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, Management, PAN/MnT, Feed Services, MDM, AD, LDAP...
• All outbound traffic from the PSNs is sent to the LTM as the default gateway (DFGW).
• The LTM must be configured to allow asymmetric traffic.
Generally NOT RECOMMENDED due to traffic flow complexity: you must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.
(Figure: End User/Device → Network Access Device → L3 Switch; the F5 LTM and the PSNs (ISE-PSN-1 10.1.98.5, ISE-PSN-2 10.1.98.6, ISE-PSN-3 10.1.98.7) all sit on VLAN 98 (10.1.98.0/24) with the VIP 10.1.98.8 on the same VLAN; DNS, AD, NTP, LDAP, ISE-PAN, ISE-MNT, External Logger, SMTP and MDM hang off the L3 switch.)

Partially Inline: Layer 3 / Different VLANs (One PSN Interface)
Direct PSN connections to the LB and to the rest of the network.
• All inbound LB traffic such as RADIUS, Profiling, and directed Web Services is sent to the LTM VIP.
• Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, Management, PAN/MnT, Feed Services, MDM, AD, LDAP...
• All outbound traffic from the PSNs is sent to the LTM as the default gateway (DFGW).
• The LTM must be configured to allow asymmetric traffic.
Generally NOT RECOMMENDED due to traffic flow complexity: you must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.
(Figure: End User/Device → Network Access Device → L3 Switch; the F5 LTM has an external interface on VLAN 98 (10.1.98.0/24) and an internal interface on VLAN 99 (10.1.99.0/24) with VIP 10.1.98.8; the PSNs ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6 and ISE-PSN-3 10.1.99.7 on VLAN 99 are also reachable from the L3 switch directly; DNS, AD, NTP, LDAP, ISE-PAN, ISE-MNT, External Logger, SMTP and MDM hang off the L3 switch.)

Partially Inline: Multiple PSN Interfaces
Separate PSN Connections to LB and Rest of Network
• All LB traffic sent to LTM VIP including RADIUS, Profiling (except SPAN data), and directed Web Services.
• All traffic initiated by PSNs sent to F5 LTM as global default gateway.
• Redirected Web Services traffic bypasses LTM.
• For ISE 1.2, recommend SNAT of redirected HTTPS traffic at the L3 switch.
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface).
[Diagram: VLAN 98 (External, 10.1.98.0/24), VLAN 99 (Internal, 10.1.99.0/24) and VLAN 91 (Web Portals, 10.1.91.0/24); VIP 10.1.98.8; ISE-PSN-1/2/3 with RADIUS interfaces at 10.1.99.5/.6/.7 and portal interfaces at 10.1.91.5/.6/.7 connected directly to the L3 switch; NAS IP 10.1.50.2.]

5 10. Profiling (except SPAN data).1.98.1.1. 61 Cisco Confidential 61 .1.3).1.7 10.6 10.1 • LTM sends Web ISE-PSN-2 10.99.1 10.91.1 • All traffic sent to LTM including F5 LTM RADIUS.1.1.99. Fully Inline – Multiple PSN Interfaces VLAN 91 (Web Portals) Network Separation Using Separate LB Interfaces 10.1.99.1.91.99.91.2 and directed Web Services VIP: 10.8 ISE-PSN-1 • All traffic initiated by PSNs sent to VLAN 98 VLAN 99 F5 LTM as global default gateway (External) (Internal) 10.1.1.3+ supports symmetric ISE-PAN ISE-MNT Logger SMTP MDM traffic responses (set default gateway per interface) © 2013-2014 Cisco and/or its affiliates. SNAT Web Services at LTM DNS AD External NTP LDAP • ISE 1.7 interface. 10.50.2 Services traffic L3 on separate PSN Switch 10.6 NAS IP: 10. All rights reserved.5 10.1.98.98.2 (and optionally 1.91. Network Access End User/Device Device ISE-PSN-3 • For ISE 1.

Configuration Prerequisites

Verify Routing Configuration in Overall Topology
L3 Switch/Router off LTM External Interface Must have Route to LTM Internal Network
• L3 switch/router: Network 10.1.99.0/24 → Next Hop 10.1.98.1 (LTM external self IP)
• ISE PSNs (10.1.99.5–.7): Network 0.0.0.0/0 → Next Hop 10.1.99.1 (LTM internal self IP, the PSN default gateway)
• F5 LTM: Network 0.0.0.0/0 → Next Hop = L3 switch/router address on the external VLAN
[Diagram: VLAN 98 (External, 10.1.98.0/24) and VLAN 99 (Internal, 10.1.99.0/24); VIP 10.1.98.8; Network Access Device with NAS IP 10.1.50.2; DNS, NTP, AD/LDAP, SMTP, MDM, external logger, PAN and MnT reached via the L3 switch.]

Recommended Software Versions
• F5 BIG-IP LTM: 11.4.1 hotfix HF5 or a later 11.x release with hotfix HF6. Additionally, 11.6.0 HF2 incorporates performance enhancements that can improve RADIUS load balancing performance.
• Cisco ISE: 1.2 or 1.3.0 with current patches installed.

F5 Configuration Prerequisites

Validate IP Addressing for Internal and External Interfaces
Main > Network > Self IPs

Validate Correct VLAN Assignments
Main > Network > VLANs > VLAN List
• Separate Physical Interfaces Example
• Single Physical Interface—VLAN Trunking Example

Verify LTM Routing Configuration
Main > Network > Routes
• Default route for LTM appliance set to external interface next hop gateway

Optional: Verify LTM High Availability
• F5 BIG-IP LTM supports Active-Standby and Active-Active high availability modes
• Configuration of LTM high availability is beyond the scope of this session. Refer to F5 product documentation for additional details:
  • Active-Standby configuration: Creating an Active-Standby Configuration Using the Setup Utility
  • Active-Active configuration: Creating an Active-Active Configuration Using the Setup Utility
• When configured for high availability, default gateways and next hop routes will point to the floating IP address on the F5 appliance
• Health monitors will be sourced from the locally-assigned IP addresses.

ISE Configuration Prerequisites

Configure Node Groups for LB Cluster
All PSNs in LB Cluster in Same Node Group

• Administration > System > Deployment
  1) Create node group
  2) Assign name (and multicast address if ISE 1.2)
  3) Add individual PSNs to node group

• Node group members can be L2 or L3
• Multicast no longer a requirement in ISE 1.3

Load Balancer General RADIUS Guidelines
RADIUS Servers and Clients – Where Defined

• PSNs are RADIUS Servers for Health Probes. Sample LTM monitor shown: Name PSN-Probe, Type RADIUS, Interval 15, Timeout 46 (= 3 × 15 + 1), User Name radprobe, Password cisco123, Alias Service Port 1812.
• ISE Admin Node > Network Devices (RADIUS Clients): access devices and the LTM are defined as NADs on the PAN (ISE-PAN-1 / ISE-MNT-1).
• Load Balancer VIP (10.1.98.8) is the RADIUS Server for the access device (NAS IP 10.1.50.2); the LTM reaches ISE-PSN-1/2/3 from its internal self IP 10.1.99.1.

Access device configuration (Cisco IOS):
    radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port key cisco123

Add LTM(s) as NAD(s) for RADIUS Health Monitoring
Administration > Network Resources > Network Devices

• Configure Self IP address of LTM Internal interface connected to PSN RADIUS interfaces (10.1.99.1 in this topology). In an HA pair add each unit's own, non-floating self IP, since health monitors are sourced from the locally-assigned addresses.
• Enable Authentication and set RADIUS shared secret.
[Diagram: F5 LTM 10.1.99.1 probing ISE-PSN-1, ISE-PSN-2 and ISE-PSN-3.]

Configure Internal User for RADIUS Health Monitoring
Administration > Identity Management > Identities > Users

• This step is optional if you plan to use an external ID store for the health monitoring account. Still recommended for testing and troubleshooting.
• User authorization for this account should be granted no network access.
• F5 LTM monitor accepts both Access-Accept and Access-Reject as healthy responses. The probe therefore verifies that the PSN's RADIUS service is answering, not that the account or its ID store is working: a PSN that rejects every request because its external ID store is unreachable still reports healthy.

Configure DNS and Certs to Support PSN Load Balancing
• Configure DNS entry for PSN cluster(s) and assign VIP IP address. Example: psn-cluster.company.com
• Configure ISE PSN server certs with Subject Alternative Name configured for other FQDNs to be used by LB VIP, or optionally use wildcards (available in ISE 1.2). Example certificate SAN: ise-psn-1.company.com certificate with psn-cluster.company.com, sponsor.company.com, guest.company.com and other FQDN values in SAN.

Example DNS server records, domain = company.com:
    PSN-CLUSTER   IN A   10.1.98.8
    SPONSOR       IN A   10.1.98.8
    MYDEVICES     IN A   10.1.98.8
    ISE-PSN-1     IN A   10.1.99.5
    ISE-PSN-2     IN A   10.1.99.6
    ISE-PSN-3     IN A   10.1.99.7

ISE Certificate without SAN
Certificate Warning - Name Mismatch
1. Client requests http://sponsor.company.com:8443/sponsorportal; DNS lookup for sponsor.company.com returns 10.1.98.8 (the LTM VIP).
2. LTM forwards https://sponsor.company.com to one of the PSNs, here ise-psn-3 at 10.1.99.7.
3. The PSN presents its certificate: Subject = ise-psn-3.company.com, no SAN.
4. Requested URL = sponsor.company.com, Certificate Subject = ise-psn-3.company.com → PSN Name Mismatch! The browser raises a certificate warning.

ISE Certificate with SAN
No Certificate Warning
1. Client requests http://sponsor.company.com:8443/sponsorportal; DNS lookup for sponsor.company.com returns 10.1.98.8 (the LTM VIP).
2. LTM forwards https://sponsor.company.com to one of the PSNs, here ise-psn-3 at 10.1.99.7.
3. The PSN presents its certificate: Subject = ise-psn.company.com, SAN = ise-psn-1.company.com, ise-psn-2.company.com, ise-psn-3.company.com, sponsor.company.com.
4. Requested URL = sponsor.company.com matches a SAN entry → Certificate OK!

General Best Practices for Universal Certificates
• Use a common FQDN for Subject CN. Examples: ise.company.com, aaa.company.com
• If Subject CN contains FQDN, add same FQDN to SAN
• Multi-Domain/UCC* Certificate: Update SAN with all FQDNs serviced by PSN
• OR Wildcard Certificate: Update SAN with wildcard domain using syntax *.company.com
• If required for static IP hosting, add IP addresses as both DNS and IP entries (increases device compatibility)
*UCC = Unified Communications Certificate

Forwarding Non-LB Traffic

High-Level Load Balancing Diagram
[Diagram: ISE-PAN-1/2, ISE-MNT-1/2, DNS, NTP, SMTP, external logger, MDM and AD/LDAP on VLAN 98 (External, 10.1.98.0/24); F5 LTM (VIP 10.1.98.8) bridging to VLAN 99 (Internal, 10.1.99.0/24) where ISE-PSN-1/2/3 reside at 10.1.99.5/.6/.7; Network Access Device with NAS IP 10.1.50.2 serving end users/devices.]

Non-LB Traffic that Requires IP Forwarding
Inter-node/Management/Repository/ID Stores/Feeds/Profiling/Redirected Web/RADIUS CoA
• PAN/MnT node communications
• All management traffic to/from the PSN real IP addresses such as HTTPS, SSH, SNMP, NTP, DNS, SMTP, Syslog, and REST/ERS API communications.
• Repository and file management access initiated from PSN including FTP, SFTP, SCP, TFTP, NFS, HTTP, and HTTPS.
• All external AAA-related traffic to/from the PSN real IP addresses such as AD, LDAP, RSA, external RADIUS servers (token or foreign proxy), MDM, partner MDM integration, pxGrid, and external CA communications (CRL downloads, OCSP checks, SCEP proxy).
• All service-related traffic to/from the PSN real IP addresses such as Posture and Profiler Feed Services.
• Client traffic to/from PSN real IP addresses resulting from Profiler (NMAP, SNMP queries) and URL-Redirection such as CWA, DRW/Hotspot, Posture, and Client Provisioning.
• RADIUS CoA from PSNs to network access devices.

Virtual Server to Forward General Inbound IP Traffic
General Properties
• Applies to connections initiated from outside (external) network
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to specific network.
• Destination = PSN Network Addresses
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)

Virtual Server to Forward General Inbound IP Traffic
Configuration (Advanced)
• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT

Virtual Server to Forward General Outbound IP Traffic
General Properties
• Applies to connections initiated from PSN (internal) network
• Type = Forwarding (IP)
• Source = PSN Network Addresses
• Destination = All traffic (0.0.0.0/0.0.0.0) or limit to specific network.
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)

Virtual Server to Forward General Outbound IP Traffic
Configuration (Advanced)
• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT

Example Inbound / Outbound IP Forwarding Servers

Inbound IP Forwarding for 2nd PSN Interface
2nd PSN Interface for Web Services
• LTM sends Web Services traffic on separate PSN interface (VLAN 91, Web Portals, 10.1.91.0/24).
• For ISE 1.2 (and optionally 1.3), LTM can perform SNAT on Web Services traffic.
• ISE 1.3+ supports symmetric traffic responses, so SNAT not required (set default gateway per interface).
[Diagram: VLAN 98 (External, 10.1.98.0/24), VLAN 99 (Internal, 10.1.99.0/24) and VLAN 91 (Web Portals, 10.1.91.0/24); VIP 10.1.98.8; ISE-PSN-1/2/3 RADIUS interfaces at 10.1.99.5/.6/.7 and portal interfaces at 10.1.91.5/.6/.7; NAS IP 10.1.50.2.]

Virtual Server to Forward Inbound Redirected Web Traffic
General Properties
• Applies to connections initiated from URL-redirected clients on outside (external) network to 2nd PSN interface
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to specific client networks.
• Destination = PSN Network Addresses for Web Portals
• Service Port = 8443 (configurable). Optionally set wildcard value of 0 for multiple portal ports or services (NSP and Posture work on port 8905).
• Availability = Unknown (No service validation via health monitors)

Virtual Server to Forward Inbound Redirected Web Traffic
Configuration (Advanced)
• Protocol = TCP. Optionally set to * (All Protocols) for multiple services: NSP requires TCP/8905, but Posture requires both TCP and UDP/8905.
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• For ISE 1.2, enable SNAT.
• For ISE 1.3, SNAT optional if symmetric traffic routing is enabled (default route per interface).
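The three forwarding virtual servers from the preceding slides, written out as tmsh configuration. This is an added example, not configuration from the original deck or from Cisco or F5. The addresses are the deck's (PSN network 10.1.99.0/24, portal network 10.1.91.0/24); the object names (vs_fwd_inbound, vs_fwd_outbound, vs_fwd_web_redirect) and the VLAN names external (VLAN 98) and internal (VLAN 99) are assumptions.

```tmsh
# Added example, not from the deck. Assumed names: vs_fwd_inbound, vs_fwd_outbound,
# vs_fwd_web_redirect; assumed VLAN names: external (VLAN 98), internal (VLAN 99).

# Inbound: anything from the outside toward the PSN real addresses, all protocols and ports,
# no address or port translation. Binding to the external VLAN only keeps traffic that already
# sits on the internal VLAN out of this object.
ltm virtual /Common/vs_fwd_inbound {
    destination /Common/10.1.99.0:0
    mask 255.255.255.0
    ip-forward
    ip-protocol any
    profiles { /Common/fastL4 { } }
    source 0.0.0.0/0
    source-address-translation { type none }
    translate-address disabled
    translate-port disabled
    vlans { /Common/external }
    vlans-enabled
}

# Outbound: anything the PSNs initiate (AD, LDAP, DNS, syslog, repositories, CoA...) toward the
# rest of the network. Source restricted to the PSN network, ingress restricted to the internal VLAN.
ltm virtual /Common/vs_fwd_outbound {
    destination /Common/0.0.0.0:0
    mask any
    ip-forward
    ip-protocol any
    profiles { /Common/fastL4 { } }
    source 10.1.99.0/24
    source-address-translation { type none }
    translate-address disabled
    translate-port disabled
    vlans { /Common/internal }
    vlans-enabled
}

# Redirected portals on the second PSN interface (VLAN 91), TCP/8443 only. Widen to
# ip-protocol any and port 0 if NSP or Posture (TCP and UDP/8905) must also reach this interface.
# Automap SNAT is what ISE 1.2 needs so the portal reply returns through the LTM; with ISE 1.3
# and a per-interface default gateway on the PSN, set type none instead.
ltm virtual /Common/vs_fwd_web_redirect {
    destination /Common/10.1.91.0:8443
    mask 255.255.255.0
    ip-forward
    ip-protocol tcp
    profiles { /Common/fastL4 { } }
    source 0.0.0.0/0
    source-address-translation { type automap }
    translate-address disabled
    translate-port disabled
    vlans { /Common/external }
    vlans-enabled
}
```

Load with `tmsh load sys config merge file <name>` (or `tmsh load sys config merge from-terminal`) and then check `tmsh show ltm virtual` for the three objects. Because they are forwarding servers with no pool, their status stays Unknown; that is expected and is why the deck lists Availability = Unknown for them.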

Load Balancing RADIUS

Policy Service Node Scaling and Redundancy
• NADs can be configured with sequence of redundant RADIUS servers (PSNs).
• Policy Service nodes can also be configured in a cluster, or “node group”, behind a load balancer. NADs send requests to LB virtual IP for Policy Services.
• Policy Service nodes in node group maintain heartbeat to verify member health.
• N+1 node redundancy assumed to support total endpoints during unexpected single server outage or scheduled server maintenance. Also provides additional scaling buffer.
[Diagram: Primary and Secondary Administration Nodes (PAN) replicating to a Policy Service node group (same multicast domain) of PSNs; F5 BIG-IP LTM load balancers present a Virtual IP to the Network Access Devices for the AAA connection.]

Load Balancing RADIUS Sample Flow
[Diagram: NAD (NAS IP 10.1.50.2) on VLAN 98 (10.1.98.0/24) → F5 LTM VIP 10.1.98.8 → VLAN 99 (10.1.99.0/24) → ISE-PSN-1/2/3 at 10.1.99.5/.6/.7]
1. NAD has single RADIUS server defined (10.1.98.8):
       radius-server host 10.1.98.8
2. RADIUS Auth requests sent to VIP @ 10.1.98.8.
3. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID, Framed-IP-Address, or NAS-IP-Address.
4. RADIUS Auth Response generated by real server ise-psn-3 @ 10.1.99.7 and returned to the NAD from the VIP (10.1.98.8).
5. Successive RADIUS Accounting sent to VIP @ 10.1.98.8.
6. RADIUS Accounting Response received from same PSN based on sticky.

NAT Restrictions for RADIUS Load Balancing
Why Source NAT Fails for NADs
• With SNAT, LB appears as the Network Access Device (NAD) to PSN.
• CoA sent to wrong IP address: the NAS-IP-Address attribute is correct, but not currently used for CoA; the PSN sends CoA to the address the request came from, which is the LTM.
• SNAT also results in less visibility as all requests appear sourced from LB – makes troubleshooting more difficult.

SNAT of NAD Traffic: Live Log Example
Auth Succeeds/CoA Fails: CoA Sent to BIG-IP LTM and Dropped

Allow Source NAT for PSN CoA Requests
Simplifying Switch CoA Configuration
• Match traffic from PSNs to UDP/1700 (RADIUS CoA) and translate to PSN cluster VIP: CoA leaves ISE-PSN-X with SRC = 10.1.99.x and reaches the access switch with SRC = 10.1.98.8.
• Access switch config:

  Before:
    aaa server radius dynamic-author
     client 10.1.99.5 server-key cisco123
     client 10.1.99.6 server-key cisco123
     client 10.1.99.7 server-key cisco123
     <…one entry per PSN…>

  After:
    aaa server radius dynamic-author
     client 10.1.98.8 server-key cisco123

Allow NAT for PSN CoA Requests
Simplifying WLC CoA Configuration
• Before: One RADIUS Server entry required per PSN that may send CoA from behind load balancer.
• After: One RADIUS Server entry required per load balancer VIP.

Load Balancer General NAT Guidelines
To NAT or Not To NAT? That is the Question!
[Diagram: Access Device (NAS IP 10.1.50.2) → VLAN 98 (10.1.98.0/24) → F5 LTM (VIP 10.1.98.8) → VLAN 99 (10.1.99.0/24) → ISE-PSN-1/2/3; PAN and MnT shown above.]
• RADIUS AUTH from NAD to VIP: No NAT. Request arrives with SRC-IP = 10.1.50.2, NAS-IP = 10.1.50.2, DST-IP = 10.1.98.8; LTM translates only the destination (NATted DST-IP = 10.1.99.7), so the PSN still sees the real NAD address. If the source were SNATed, the PSN would see Source = 10.1.99.1 and record the LTM as the NAD: NAD is BAD! Remove SNAT.
• RADIUS CoA from PSN to NAD: SNAT. PSN sends CoA with SRC-IP = 10.1.99.7, DST-IP = 10.1.50.2; LTM translates the source to the VIP (SRC-IP = 10.1.98.8, DST-IP = 10.1.50.2), so the NAD sees a single known CoA client: CoA is Okay!

Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes
• Common RADIUS Sticky Attributes
  o Client Address: Calling-Station-ID (MAC Address, e.g. 00:C0:FF:1A:2B:3C), Framed-IP-Address (client IP address)
  o NAD Address: NAS-IP-Address, Source IP Address (e.g. 10.1.50.2)
  o Session ID: RADIUS Session ID, Cisco Audit Session ID (e.g. 00aa…99ff)
• Best Practice Recommendations (depends on LB support and design)
  1. Calling-Station-ID for persistence across NADs and sessions
  2. Source IP or NAS-IP-Address for persistence for all endpoints connected to same NAD
  3. Audit Session ID for persistence across re-authentications
[Diagram: User (Username=jdoe@company.com) → Network Access Device → F5 LTM (VIP 10.1.98.8) → ISE-PSN-1/2/3.]

Configuring RADIUS Persistence
RADIUS Profile Example
• RADIUS Sticky on Calling-Station-ID (client MAC address)
• Simple option but does not support advanced logging and other enhanced parsing options like an iRule
• Profile must be applied to a Standard Virtual Server based on UDP protocol

    ltm profile radius /Common/radiusLB {
        app-service none
        clients none
        persist-avp 31
        subscriber-aware disabled
        subscriber-id-type 3gpp-imsi
    }

iRule for RADIUS Persistence Based on Client MAC
Persistence based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address
• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
• Optional debug logging; enable for troubleshooting only to reduce processing load
• Configurable persistence timeout based on media type: Wireless default = 1 hour, Wired default = 8 hours

    when CLIENT_DATA {
        # 0: No Debug Logging  1: Debug Logging
        set debug 0

        # Persist timeout (seconds) based on NAS-Port-Type (19 = Wireless-802.11)
        set nas_port_type [RADIUS::avp 61 "integer"]
        if {$nas_port_type equals "19"} {
            set persist_ttl 3600
            if {$debug} {set access_media "Wireless"}
        } else {
            set persist_ttl 28800
            if {$debug} {set access_media "Wired"}
        }

        if {[RADIUS::avp 31] ne ""} {
            set mac [RADIUS::avp 31 "string"]
            # Normalize MAC address to upper case
            set mac_up [string toupper $mac]
            persist uie $mac_up $persist_ttl
            if {$debug} {
                set target [persist lookup uie $mac_up]
                log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
            }
        } else {
            # No Calling-Station-Id present: persist on NAS-IP-Address instead
            set nas_ip [RADIUS::avp 4 ip4]
            persist uie $nas_ip $persist_ttl
            if {$debug} {
                set target [persist lookup uie $nas_ip]
                log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
            }
        }
    }

iRule for RADIUS Persistence – Sample Debug Output

    Sat Sep 27 13:55:43 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=6c205613e9fc MAC=6C-20-56-13-E9-FC Normal MAC=6C-20-56-13-E9-FC MEDIA=Wired TARGET=/Common/radius_auth_pool 10.1.99.6 1812
    Sat Sep 27 13:55:40 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=employee1 MAC=7c-6d-62-e3-d5-05 Normal MAC=7C-6D-62-E3-D5-05 MEDIA=Wireless TARGET=/Common/radius_acct_pool 10.1.99.7 1813
    Sat Sep 27 13:55:38 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=00-50-56-A0-0B-3A MAC=00-50-56-A0-0B-3A Normal MAC=00-50-56-A0-0B-3A MEDIA=Wired TARGET=
    Sat Sep 27 13:55:37 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: No MAC Address found - Using NAS IP as persist id. Username=#ACSACL#-IP-CENTRAL_WEB_AUTH-5334c9a5 NAS IP=10.1.50.2 MEDIA=Wired TARGET=

• An empty TARGET means no persistence record existed yet when the lookup ran; the entry is created by this request.
• The last line is a downloadable ACL (#ACSACL#) request from the switch, which carries no Calling-Station-Id, so the iRule falls back to the NAS IP (10.1.50.2).

Ensure NAD Populates RADIUS Attributes
Catalyst Switch Example

Cisco Catalyst IOS Command | Description
radius-server attribute 8 include-in-access-req | Include Framed-IP-Address (if available) in RADIUS Access Requests
radius-server attribute 31 send nas-port-detail | Include client IP address for remote console (vty) connections to the switch
radius-server attribute 31 mac format ietf upper-case | Set the MAC address format to 00-00-40-96-3E-4A (all upper case letters)

Ensure NAD Populates RADIUS Attributes
Cisco WLC Example
• WLC sets Calling-Station-ID to MAC Address for RADIUS NAC-enabled WLANs
• General recommendation is to set Acct Call Station ID Type to System MAC Address
• Auth Call Station ID Type may not be present in earlier software versions
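The two slides above make the NADs emit one MAC format so that the persistence key is identical across switches and controllers. Where that cannot be guaranteed (mixed vendors, controllers that emit colons, switches left at the default dotted format), the normalization can be done on the LTM instead. The iRule below is an added example that extends the deck's radius_mac_sticky logic; it is not code from the original deck or from Cisco or F5. The rule name radius_mac_sticky_norm and the "MAC:"/"NAS:" key prefixes are assumptions.

```tmsh
# Added example, not from the deck: persistence on Calling-Station-Id with format normalization,
# falling back to NAS-IP-Address. Assumed name: radius_mac_sticky_norm.
ltm rule /Common/radius_mac_sticky_norm {
when CLIENT_DATA {
    # Wired default 8 h; NAS-Port-Type 19 (Wireless-802.11) gets 1 h, as in the deck's iRule.
    set persist_ttl 28800
    if {[RADIUS::avp 61 "integer"] eq "19"} { set persist_ttl 3600 }

    # Accept 7c-6d-62-e3-d5-05, 7c:6d:62:e3:d5:05 and 7c6d.62e3.d505 alike: strip the
    # separators, upper-case, and require exactly 12 hex digits before trusting the value.
    set csid [RADIUS::avp 31 "string"]
    set hex [string toupper [string map {":" "" "-" "" "." ""} $csid]]
    if {[regexp {^[0-9A-F]{12}$} $hex]} {
        # Re-insert dashes so the key equals the IETF upper-case form the Catalyst command produces
        set key [join [regexp -all -inline {..} $hex] "-"]
        persist uie "MAC:$key" $persist_ttl
        return
    }

    # No usable MAC (dACL download, VTY login, non-endpoint request): stick per NAD instead.
    # The prefix keeps a NAS IP from ever colliding with a MAC key in the persistence table.
    set nas_ip [RADIUS::avp 4 ip4]
    if {$nas_ip ne ""} { persist uie "NAS:$nas_ip" $persist_ttl }
}
}
```

Attach it through a universal persistence profile exactly as the deck does for radius_mac_sticky; with Match Across Services enabled, an Accounting-Request whose Calling-Station-Id arrives in a different format from the Access-Request still resolves to the same key and therefore the same PSN.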

RADIUS Health Monitors
Load Balancer Probes Determine RADIUS Server Health Status
• BIG-IP LTM RADIUS monitor has two key timer settings:
  o Interval = probe frequency (default = 10 sec)
  o Timeout = total time before monitor fails (default = 31 seconds)
    Timeout = (3 * Interval) + 1 (four health checks are attempted before declaring a node failure)
• Timers: Set low enough to ensure efficient failover but long enough to avoid excessive probing (AAA load). Start with defaults then tune to network.
• User Account: If a valid user account is to be used for the monitor, be sure to configure the user in ISE or the external ID store with limited/no network access privileges.

Sample LTM RADIUS Health Monitor Config:
    ltm monitor radius /Common/radius_1812 {
        debug no
        defaults-from /Common/radius
        destination *:1812
        interval 10
        password P@$$w0rd
        secret P@$$w0rd
        time-until-up 0
        timeout 31
        username f5-probe
    }

Successful Health Monitor Requests using Valid Account
Yay! It Works!... But now what do I do about all that “noise” in my Live Log?

ISE Collection Filters
Filter Successful LTM Health Checks
• Administration > System > Logging > Collection Filters: filter on the monitor user name (or the LTM self IP as NAS IP) with Result Type = Passed, so successful probes are dropped from Live Log while failed probes still appear.

F5 LTM Configuration Components for RADIUS LB
• RADIUS Auth Virtual Server: UDP Profile, RADIUS Profile, Persistence Profile (iRule), Pool List with Member Nodes and Health Monitor
• RADIUS Acct Virtual Server: same UDP, RADIUS and Persistence Profiles; separate Pool List and Member Nodes, same Health Monitor
• RADIUS CoA Virtual Server: SNAT Pool

Configure RADIUS Health Monitor
Local Traffic > Monitors
• Same monitor can be leveraged for RADIUS Auth, Accounting, and Profiling to reduce probe load for multiple services.
• Be sure BIG-IP LTM is configured as an ISE NAD.

Optional: Configure UDP Profile for RADIUS
Local Traffic > Profiles > Protocol > UDP
• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on the same parent UDP profile
• Disable Datagram LB

Optional: Configure RADIUS Profile
Local Traffic > Profiles > Services > RADIUS
• Start with default settings
• Using a custom profile allows for tuning later if needed without impacting other services based on the same parent radiusLB profile

Configure iRule for RADIUS Persistence
Local Traffic > iRules > iRule List
• Recommend iRule based on client MAC address
• RADIUS Attribute/Value Pair 31 = Calling-Station-Id
• Recommend copy and paste of a working iRule into the text area.

F5 iRule Editor
https://devcentral.f5.com/d/tag/irules%20editor
• Manage iRules and config files
• Syntax checker
• Generate HTTP traffic
• Quick links to tech resources

Configure Persistence Profile for RADIUS
Local Traffic > Profiles > Persistence
• Enable Match Across Services
• If different Virtual Server IP addresses are used for RADIUS Auth and Accounting, then enable Match Across Virtual Servers (not recommended)
• Specify RADIUS Persistence iRule
• iRule persistence timer overrides the profile setting.

Configure Server Pool for RADIUS Auth
Local Traffic > Pools > Pool List
• Health Monitor = RADIUS Monitor
• SNAT = No
• Action on Service Down = Reselect: ensures existing connections are moved to an alternate server.

Configure Member Nodes in RADIUS Auth Pool
Local Traffic > Pools > Pool List > Members
• Load Balancing Method options: Least Connections (node), Least Connections (member)
• Server Port: 1812 or 1645

Configure Server Pool for RADIUS Accounting
Local Traffic > Pools > Pool List
• Health Monitor = RADIUS Monitor (same monitor used for RADIUS Auth)
• SNAT = No
• Action on Service Down = Reselect: ensures existing connections are moved to an alternate server.

Configure Member Nodes in RADIUS Accounting Pool
Local Traffic > Pools > Pool List > Members
• Load Balancing Method options: Least Connections (node), Least Connections (member), Fastest (application)
• Server Port: 1813 or 1646

Configure Virtual Server for RADIUS Auth (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = RADIUS Virtual IP
• Service Port = 1812 or 1645

Configure Virtual Server for RADIUS Auth (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP

• Protocol Profile = udp or
custom UDP profile
• RADIUS Profile = radiusLB or
custom RADIUS profile
• Optional: Limit traffic to specific
VLAN(s)
• SNAT = None


Configure Virtual Server RADIUS Auth (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources

• Default Pool = RADIUS Auth Pool

• Default Persistence Profile =
RADIUS persistence profile
• Fallback Persistence Profile:
• RADIUS iRule setting overrides
value set here.
• If not configured in iRule, set
optional value here. Example:
radius_source_addr

Recommend create new
persistence profile based on
Source Address Affinity to allow
custom timers and match settings.

Configure Virtual Server for RADIUS Accounting
Local Traffic > Virtual Servers > Virtual Server List
• Same settings as RADIUS Auth Virtual
Server but different service port and pool

RADIUS VIP


Configure SNAT Pool List for RADIUS CoA
Local Traffic > Address Translation > SNAT Pool List

• CoA traffic is initiated by PSN to
NADs on UDP/1700
• Define SNAT Pool List with RADIUS
Server Virtual IP as a pool member


Configure Virtual Server to SNAT RADIUS CoA (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• CoA traffic is initiated by PSN to NADs on UDP/1700
• Type = Standard
• Source = PSN Network
• Destination = 0.0.0.0/0.0.0.0 (all hosts) or specific network for all NADs
• Service Port = 1700

Configure Virtual Server to SNAT RADIUS CoA (Advanced)
Local Traffic > Virtual Servers
• Protocol = UDP
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation = SNAT
• SNAT Pool = CoA SNAT Pool List
• Resources = None
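The whole RADIUS load-balancing procedure of the preceding slides (health monitor, profiles, persistence, pools, auth/acct virtual servers and the CoA SNAT virtual server) collected into one tmsh configuration. This is an added example, not configuration from the original deck or from Cisco or F5. It uses the deck's addresses (VIP 10.1.98.8, PSNs 10.1.99.5–.7, PSN network 10.1.99.0/24), the deck's monitor values and its iRule name radius_mac_sticky; the remaining object names, the VLAN names external/internal, and the credentials f5-probe / P@$$w0rd are assumptions and must match the internal user and the LTM's NAD shared secret configured on the PAN.

```tmsh
# Added example, not from the deck. Assumed: object names, VLAN names external/internal,
# and the monitor credentials (must match the ISE internal user and the LTM's NAD shared secret).

# One monitor shared by both pools: each PSN is probed once per interval, not once per pool.
# timeout 31 = (3 * interval) + 1, so four probes are missed before a member is marked down.
ltm monitor radius /Common/radius_1812 {
    defaults-from /Common/radius
    destination *:1812
    interval 10
    timeout 31
    username f5-probe
    password P@$$w0rd
    secret P@$$w0rd
}
# Child profiles so later tuning does not disturb other services that use the parents.
ltm profile udp /Common/udp_radius {
    defaults-from /Common/udp
    datagram-load-balancing disabled
}
ltm profile radius /Common/radiusLB_ise {
    defaults-from /Common/radiusLB
    persist-avp 31
}
# Universal persistence driven by the deck's iRule; match-across-services lets the
# Accounting-Request on :1813 follow the Access-Request on :1812 to the same PSN.
ltm persistence universal /Common/radius_mac_persist {
    defaults-from /Common/universal
    match-across-services enabled
    rule /Common/radius_mac_sticky
    timeout 28800
}
ltm pool /Common/radius_auth_pool {
    load-balancing-mode least-connections-member
    monitor /Common/radius_1812
    service-down-action reselect
    members {
        /Common/10.1.99.5:1812 { address 10.1.99.5 }
        /Common/10.1.99.6:1812 { address 10.1.99.6 }
        /Common/10.1.99.7:1812 { address 10.1.99.7 }
    }
}
ltm pool /Common/radius_acct_pool {
    load-balancing-mode least-connections-member
    monitor /Common/radius_1812
    service-down-action reselect
    members {
        /Common/10.1.99.5:1813 { address 10.1.99.5 }
        /Common/10.1.99.6:1813 { address 10.1.99.6 }
        /Common/10.1.99.7:1813 { address 10.1.99.7 }
    }
}
# No SNAT on auth/acct: the PSN must see the real NAD source address or its CoA goes to the LTM.
ltm virtual /Common/vs_radius_auth {
    destination /Common/10.1.98.8:1812
    mask 255.255.255.255
    ip-protocol udp
    profiles { /Common/udp_radius { } /Common/radiusLB_ise { } }
    persist { /Common/radius_mac_persist { default yes } }
    pool /Common/radius_auth_pool
    source 0.0.0.0/0
    source-address-translation { type none }
    vlans { /Common/external }
    vlans-enabled
}
ltm virtual /Common/vs_radius_acct {
    destination /Common/10.1.98.8:1813
    mask 255.255.255.255
    ip-protocol udp
    profiles { /Common/udp_radius { } /Common/radiusLB_ise { } }
    persist { /Common/radius_mac_persist { default yes } }
    pool /Common/radius_acct_pool
    source 0.0.0.0/0
    source-address-translation { type none }
    vlans { /Common/external }
    vlans-enabled
}
# CoA (UDP/1700) from the PSNs: SNAT to the VIP so each NAD needs one dynamic-author client.
# No pool and no destination translation: the datagram is routed to the NAD the PSN addressed.
ltm snatpool /Common/radius_coa_snat {
    members { /Common/10.1.98.8 }
}
ltm virtual /Common/vs_radius_coa {
    destination /Common/0.0.0.0:1700
    mask any
    ip-protocol udp
    profiles { /Common/udp { } }
    source 10.1.99.0/24
    source-address-translation { pool /Common/radius_coa_snat type snat }
    translate-address disabled
    translate-port disabled
    vlans { /Common/internal }
    vlans-enabled
}
```

After loading, `tmsh show ltm pool radius_auth_pool members` should list all three PSNs as available once the monitor has received an Access-Accept or Access-Reject from each; `tmsh show ltm persistence persist-records` shows the MAC keys the iRule creates. Both pools depending on the same monitor is deliberate: a PSN whose RADIUS service stops answering is removed from auth and accounting at the same moment, so no accounting for a live session is steered to a node that can no longer authenticate it.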

Scaling Profiling and Database Replication

Significant Attributes vs. Whitelist Attributes
• Significant Attributes (attributes that impact profile): a change triggers global replication.
  MACADDRESS, ENDPOINTIP, MATCHEDVALUE, ENDPOINTPOLICY, ENDPOINTPOLICYVERSION, STATICASSIGNMENT, STATICGROUPASSIGNMENT, NMAPSUBNETSCANID, PORTALUSER, DEVICEREGISTRATIONSTATUS
• Whitelist Attributes: a change triggers PSN-PSN replication and global ownership change.
  AAA-Server, Calling-Station-ID, Certificate Expiration Date, Certificate Issue Date, Certificate Issuer Name, Certificate Serial Number, Description, DestinationIPAddress, Device Identifier, Device Name, DeviceRegistrationStatus, EndPointPolicy, EndPointPolicyID, EndPointProfilerServer, EndPointSource, FQDN, Framed-IP-Address, IdentityGroup, IdentityGroupID, IdentityStoreGUID, IdentityStoreName, L4_DST_PORT, MACAddress, MatchedPolicy, MatchedPolicyID, NADAddress, NAS-IP-Address, NAS-Port-Id, NAS-Port-Type, LastNmapScanTime, NmapScanCount, NmapSubnetScanID, 161-udp, OS Version, OUI, PolicyVersion, PortalUser, PostureApplicable, Product, RegistrationTimeStamp, StaticAssignment, StaticGroupAssignment, MDMImei, MDMManufacturer, MDMModel, MDMOSVersion, MDMPhoneNumber, MDMSerialNumber, CreateTime, UpdateTime, FirstCollection, TimeToProfile, Total Certainty Factor, User-Agent, AC_User_Agent, cdpCacheAddress, cdpCacheCapabilities, cdpCacheDeviceId, cdpCachePlatform, cdpCacheVersion, ciaddr, dhcp-class-identifier, dhcp-requested-address, host-name, hrDeviceDescr, ifIndex, ip, lldpCacheCapabilities, lldpCapabilitiesMapSupported, lldpSystemDescription, operating-system, sysDescr, AUPAccepted, BYODRegistration
• Other Attributes: dropped if whitelist filter enabled; otherwise only locally saved by PSN.

Inter-Node Communications
JGroup Connections – Global Cluster

• All Secondary nodes* establish connection to Primary PAN (JGroup Controller) over tunneled connection (TCP/12001) for config/database sync.
• Secondary Admin also listens on TCP/12001 but no connection established unless primary fails/secondary promoted
• All Secondary nodes participate in the Global JGroup cluster. Includes PSNs, MnT and Secondary Admin nodes

*Secondary node = All nodes except Primary Admin node.

Diagram: Admin (P) acts as GLOBAL JGROUP CONTROLLER; Admin (S), MnT (P), MnT (S), PSN1, PSN2 and PSN3 each connect to it over TCP/12001 (JGroups Tunneled).

Inter-Node Communications
Local JGroups and Node Groups

Legend: TCP/7800 JGroup Peer Communication; TCP/7802 JGroup Failure Detection; TCP/12001 JGroups Tunneled

• Node Groups can be used to define local JGroup* clusters where members exchange heartbeat and sync profile data over multicast or SSL.
• Replication to PAN occurs if significant attribute changes.
• PSN claims endpoint ownership only if current change is whitelist attribute. Whitelist check always occurs regardless of global attribute filter setting.
• If whitelist filter enabled, only whitelist attributes synced to all nodes.

*JGroups: Java toolkit for reliable multicast communications between group/cluster members.

Diagram (NODE GROUP A / JGROUP A with PSN1, PSN2, PSN3; the PAN is the GLOBAL JGROUP CONTROLLER): at t=0 a whitelist attribute change occurs on PSN1, the current endpoint owner; at t=1 a DHCP IP address update for the same endpoint arrives at PSN2, which gets the more current update and takes ownership – it fetches all attributes via PAN and triggers an inter-PSN sync of attributes rather than database replication.

Inter-Node Communications
Local JGroups and Node Groups

Legend: TCP/7800 JGroup Peer Communication; TCP/7802 JGroup Failure Detection; TCP/12001 JGroups Tunneled

• General classification data for given endpoint should stay local to node group = whitelist attributes
• Only certain critical data needs to be shared across entire deployment = significant attributes
• Reduces sync updates even if different PSNs receive data – expect few whitelist changes and even fewer critical attribute changes. [IP change is significant attribute]
• Node groups continue to provide original function of session recovery for failed PSN.
• Profiling sync leverages JGroup channel
• Each LB cluster should be a node group, but LB is NOT required for node groups. LB is NOT a requirement for Node Group
• Node group members should have GE LAN connectivity (L2 or L3)
• ISE 1.3 no longer uses UDP multicast for JGroup
• ISE 1.2 uses multicast with TTL=2, max 1 hop

Diagram: Load Balancer in front of NODE GROUP A (JGROUP A) with PSN1, PSN2 and PSN3 connected over L2 or L3 LAN Switching.

Inter-Node Communications
Local JGroups and Node Groups

Legend: TCP/7800 JGroup Peer Communication; TCP/7802 JGroup Failure Detection; TCP/12001 JGroups Tunneled

• Profiling sync leverages JGroup channels
• All replication outside node group must traverse PAN!
• If local Multicast fails, then nodes fall back to Global JGroup communication channel.

Diagram: PAN and MnT nodes; NODE GROUP A (JGROUP A) with PSN1, PSN2, PSN3 and NODE GROUP B (JGROUP B) with PSN4, PSN5, PSN6, each group connected over L2 or L3 LAN Switching.

Configuring Node Groups
Recommended for ALL local PSNs!

• Administration > System > Deployment
  1) Create node group
  2) Assign name and available multicast address
  3) Add individual PSNs to node group
• Node group members may be L2 / L3 connected
• Multicast no longer required in ISE 1.3.
• ISE 1.2 uses multicast (TTL=2) and requires multicast configuration on intermediate switches if separated by L3 hop

ISE Profiling Best Practices
Whenever Possible…

• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
  DO use Device Sensor!
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
  • Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
  Do NOT send profile data to multiple PSNs!
• Use node groups and ensure profile data for a given endpoint is sent to same node group.
  • Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
  DO send profile data to single and same PSN or Node Group!
• Ensure profile data for a given endpoint is sent to the same PSN
  • Same issue as above, but not always possible across different probes
  • For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…
    • DHCP IP Helpers
    • SNMP Traps
    • DHCP/HTTP with ERSPAN (Requires validation)
• Avoid probes that collect the same endpoint attributes
  • Example: Device Sensor + SNMP Query/IP Helper
  • Enable Profiler Attribute Filter
  DO enable the Profiler Attribute Filter!

ISE Profiling Best Practices
General Guidelines for Probes

• Do NOT enable all probes by default! Avoid SNMP Traps, SPAN, and NetFlow probes!
• DHCP Probe:
  • Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
  • Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• HTTP Probe:
  • Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
  • Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection, and use intelligent SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• SNMP Probe:
  • SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.
  • Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates.
  • For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
• NetFlow Probe: Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.

Profiling Redundancy – Duplicating Profile Data
Sending Profile Data for the Same Endpoint to the Same Node Group / PSN

• Common config is to duplicate IP helper data at each NAD to two different PSNs or PSN LB Clusters
• Different PSNs receive data and may contend for ownership—increases replication

Diagram: User DHCP Request relayed by int Vlan10 to DC #1 PSN-CLUSTER1 (F5 LTM VIP 10.1.99.8; PSN1 10.1.98.5, PSN2 10.1.98.6, PSN3 10.1.98.7) and to DC #2 PSN-CLUSTER2 (F5 LTM VIP 10.2.101.2; PSN1 10.2.100.5, PSN2 10.2.100.6, PSN3 10.2.100.7).

    interface Vlan10
     ip helper-address <real_DHCP_Server>
     ip helper-address 10.1.99.8
     ip helper-address 10.2.101.2

Scaling Profiling and Replication
Using Anycast to Limit Profile Data to a Single PSN and Node Group

• Load Balancer VIPs host same target IP for DHCP profile data
• Routing metrics determine which VIP receives DHCP from NAD

Diagram: User DHCP Request relayed by int Vlan10; DC #1 PSN-CLUSTER1 (F5 LTM VIP 10.1.99.8; PSN1 10.1.98.5, PSN2 10.1.98.6, PSN3 10.1.98.7) and DC #2 PSN-CLUSTER2 (F5 LTM VIP also 10.1.99.8; PSN1 10.2.100.5, PSN2 10.2.100.6, PSN3 10.2.100.7).

    interface Vlan10
     ip helper-address <real_DHCP_Server>
     ip helper-address 10.1.99.8

Load Balancing Profiling Services

Profiling Services using Load Balancers (For Your Reference)
Which PSN Service Processes Profile Data?

• Profiling Probes
  The following profile data can be load balanced to PSN VIP but may not be processed by same PSN that terminated RADIUS:
  • DHCP IP Helper to DHCP probe
  • NetFlow export to NetFlow Probe
  • SNMP Traps
  Option to leverage Anycast to reduce log targets and facilitate HA
• SNMP Query Probe (triggered)
  PSNs configured to send SNMP Queries will send query to NAD that sent RADIUS or SNMP Trap which triggered query. Therefore, SNMP Query data is processed by same PSN that terminated RADIUS request for endpoint.
• SNMP Query Probe (polled)
  Not impacted by load balancing, although possible that PSN performing polled query is not same PSN that terminates RADIUS for newly discovered endpoints. Since poll typically conducted at longer intervals, this should not impact more real-time profiling of endpoints. PSN will sync new endpoint data with Admin.

Profiling Services using Load Balancers (Cont.) (For Your Reference)
Which PSN Services Process Profile Data?

• DNS Probe
  Submitted by same PSN which obtains IP data for endpoint. Typically the same PSN that processes RADIUS, DHCP, or SNMP Query Probe data.
• HTTP (via URL redirect)
  URL redirect will point to PSN that terminates RADIUS auth so HTTP data will be parsed by same PSN.
• NMAP Probe
  Submitted by same PSN which obtains data which matches profile rule condition.
• DHCP SPAN or HTTP SPAN
  Since mirror port is associated to a specific interface on real PSN, cannot provide HA for SPAN data unless multiple SPAN destinations are configured to separate PSNs. No guarantee that same PSN that collects SPAN data terminates RADIUS session.

Load Balancing Profiling Services
Sample Flow

1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards DHCP request to real DHCP server and to secondary entry = LB VIP
3. Real DHCP server responds and provides client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on source IP stick (L3 gateway) or DHCP field parsed from request.

Diagram: User → Access Device → DHCP Request to Helper IP 10.1.1.10 (DHCP Server, which returns the DHCP Response) and DHCP Request to Helper IP 10.1.98.8 (F5 LTM VIP) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7.

Load Balancing Sticky Guidelines
Ensure DHCP and RADIUS for a Given Endpoint Use Same PSN

1. RADIUS Authentication request sent to VIP @ 10.1.98.8
2. Request is Load Balanced to PSN-3, and entry added to Persistence Cache
3. RADIUS response from PSN-3
4. DHCP Request is sent to VIP @ 10.1.98.8. Load Balancer uses the same "Sticky" as RADIUS based on client MAC address
5. DHCP is received by same PSN, thus optimizing endpoint replication

Diagram: User (MAC 11:22:33:44:55:66) → NAD → RADIUS request to VIP, then IP Helper sends DHCP to VIP 10.1.98.8 → F5 LTM (Persistence Cache: 11:22:33:44:55:66 -> PSN-3) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7.

iRule for DHCP Persistence Based on Client MAC (1 of 2)
Persistence based on DHCP Option 61 – Client Identifier (MAC Address)

• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
• Optional debug logging
  • Enable for troubleshooting only to reduce processing load
• Configurable persistence timeout

    when CLIENT_ACCEPTED priority 100 {
        # Rule Name and Version shown in the log
        set static::RULE_NAME "Simple DHCP Parser v0.3"
        set static::RULE_ID "dhcp_parser"
        # 0: No Debug Logging  1: Debug Logging
        set debug 1
        # Persist timeout (seconds)
        set persist_ttl 7200

iRule for DHCP Persistence Based on Client MAC (2 of 2)

Note: Example is excerpt only—Not complete iRule

        # extract value field in hexadecimal format
        binary scan $dhcp_option_payload x[expr $i + 2]a[expr { $length * 2 }] value_hex
        set value ""
        switch $option {
            61 {
                # Client Identifier: first byte is hardware type, rest is the ID
                binary scan $value_hex a2a* ht id
                switch $ht {
                    01 {
                        # Hardware type 01 = Ethernet, so the ID is the client MAC
                        binary scan $id a2a2a2a2a2a2 m(a) m(b) m(c) m(d) m(e) m(f)
                        set value "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"
                        set option61 "$value"
                        set mac_up [string toupper $option61]   ;# Normalize MAC
                    }
                    default {
                        set value "$id"
                    }
                }
            }
        }
        # Persist on the normalized MAC for the configured timeout
        persist uie $mac_up $persist_ttl
        if {$debug} {
            set target [persist lookup uie $mac_up]
            log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME competed ***** MAC=$option61 Normal MAC=$mac_up TARGET=$target"
        }
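A Python re-implementation of the persistence logic the iRule excerpt shows, added here as an example; it is not the deck's iRule and the names (parse_dhcp_options, persistence_key, PersistenceTable, build_dhcp_request) are hypothetical. It assumes a constructed minimal DHCP request and a toy persistence table, and, unlike the excerpt, falls back to the BOOTP chaddr when Option 61 is absent.

```python
"""Added example (not the deck's iRule): derive the DHCP persistence key the
slides describe and model the shared persistence record that keeps DHCP and
RADIUS for one endpoint on the same PSN. Function names are hypothetical."""
import time

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie separating BOOTP header from options
OPT_PAD, OPT_END, OPT_CLIENT_ID = 0, 255, 61


def normalize_mac(raw: bytes) -> str:
    """Upper-case, hyphen-separated form, as in the iRule's 'Normal MAC' log field."""
    return "-".join("%02X" % b for b in raw)


def parse_dhcp_options(packet: bytes) -> dict:
    """Walk the TLV options after the 236-byte BOOTP header and magic cookie."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def persistence_key(packet: bytes) -> tuple:
    """Return (key, source). Option 61 with hardware type 01 yields the client
    MAC, exactly what the iRule persists on. Differences from the excerpt
    (assumptions of this example): a non-Ethernet Option 61 keeps its raw
    identifier as the key, and a packet without Option 61 falls back to the
    BOOTP chaddr field, so the key is never undefined."""
    opts = parse_dhcp_options(packet)
    cid = opts.get(OPT_CLIENT_ID)
    if cid and cid[0] == 1 and len(cid) == 7:
        return normalize_mac(cid[1:]), "option61"
    if cid:
        return cid[1:].hex().upper(), "option61-other-htype"
    hlen = packet[2]                          # hardware address length
    return normalize_mac(packet[28:28 + hlen]), "chaddr"


class PersistenceTable:
    """Toy model of an LTM universal (uie) persistence record: key -> pool
    member with an idle timeout. Shared across the RADIUS and DHCP virtual
    servers, it plays the role of 'Match Across Services / Virtual Servers'."""

    def __init__(self, members, ttl_seconds=7200, clock=time.time):
        self.members, self.ttl, self.clock = list(members), ttl_seconds, clock
        self._rr, self._records = 0, {}

    def select(self, key: str) -> str:
        now = self.clock()
        rec = self._records.get(key)
        if rec and rec[1] > now:              # live record: stick to that PSN
            self._records[key] = (rec[0], now + self.ttl)
            return rec[0]
        member = self.members[self._rr % len(self.members)]   # round robin
        self._rr += 1
        self._records[key] = (member, now + self.ttl)
        return member


def build_dhcp_request(mac: bytes, client_id: bytes = None) -> bytes:
    """Constructed sample input (not a capture): minimal BOOTP/DHCP request."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6           # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[28:34] = mac                           # chaddr
    opts = bytes([53, 1, 3])                   # Option 53: DHCPREQUEST
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    opts += bytes([12, 4]) + b"host"           # Option 12: host-name
    return bytes(hdr) + DHCP_MAGIC + opts + bytes([OPT_PAD, OPT_END])


if __name__ == "__main__":
    table = PersistenceTable(["ISE-PSN-1", "ISE-PSN-2", "ISE-PSN-3"])
    mac = bytes.fromhex("f025b708339d")        # MAC taken from the slide's debug output
    key, src = persistence_key(build_dhcp_request(mac, b"\x01" + mac))
    print(key, src, "->", table.select(key))   # F0-25-B7-08-33-9D option61 -> ISE-PSN-1
```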

iRule for DHCP Persistence – Sample Debug Output

    Sat Sep 27 13:39:45 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 executed *****
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) BOOTP: 0.0.0.0 00:50:56:a0:0b:3a
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 competed ***** MAC=00-50-56-a0-0b-3a Normal MAC=00-50-56-A0-0B-3A TARGET=
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 competed ***** MAC=f0-25-b7-08-33-9d Normal MAC=F0-25-B7-08-33-9D TARGET=

Load Balancing Simplifies Device Configuration
L3 Switch Example for DHCP Relay

Settings impact each L3 interface servicing DHCP endpoints.

• Before

    !
    interface Vlan10
     description EMPLOYEE
     ip address 10.1.10.1 255.255.255.0
     ip helper-address 10.1.100.100   <-- Real DHCP Server
     ip helper-address 10.1.99.5      <-- ISE-PSN-1
     ip helper-address 10.1.99.6      <-- ISE-PSN-2
     ip helper-address 10.1.99.7      <-- ISE-PSN-3
    !

• After

    !
    interface Vlan10
     description EMPLOYEE
     ip address 10.1.10.1 255.255.255.0
     ip helper-address 10.1.100.100   <-- Real DHCP Server
     ip helper-address 10.1.98.8      <-- F5 VIP
    !

Load Balancing Simplifies Device Configuration
Switch Example for SNMP Traps

• Before

    !
    snmp-server trap-source GigabitEthernet1/0/24
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 10.1.99.5 version 2c public mac-notification snmp
    snmp-server host 10.1.99.6 version 2c public mac-notification snmp
    snmp-server host 10.1.99.7 version 2c public mac-notification snmp
    !

• After

    !
    snmp-server trap-source GigabitEthernet1/0/24
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move
    snmp-server host 10.1.98.8 version 2c public mac-notification snmp
    !

F5 LTM Configuration Components for Profiling LB

• UDP Profile
• iRule (Persistence)
• Persistence Profile
• Virtual Server
• Pool List
• Member Nodes

Optional: Configure UDP Profile for Profiling
Local Traffic > Profiles > Protocol > UDP

• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent UDP profile
• Disable Datagram LB

Optional: Configure iRule for DHCP Profiling Persistence
Local Traffic > iRules > iRule List

• Alternative to basic Source Address-based persistence
• Sample iRule based on client MAC address parsed from DHCP Request packets
• Allows DHCP for given endpoint to persist to same PSN serving RADIUS for same endpoint
• Recommend copy and paste working iRule into text area.

Optional: Configure Persistence Profile for Profiling
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for DHCP Profiling and RADIUS, then enable Match Across Virtual Servers. (Recommend use same IP address)
• Specify DHCP Persistence iRule
• iRule persistence timer overrides profile setting.

Configure Server Pool for DHCP Profiling
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor
  • If PSN not configured for User Services (RADIUS auth), then can use default gateway_icmp monitor.
• Action on Service Down = Reselect
  • Ensures existing connections are moved to an alternate server.

Configure Member Nodes in DHCP Profiling Pool
Local Traffic > Pools > Members

• Load Balancing Method = Round Robin
• Server Port = 67 (DHCP Server)

Configure Server Pool for SNMP Trap Profiling
Local Traffic > Pools

• Same settings as DHCP Profiling Pool except members configured for UDP Port 162.

Configure Virtual Server for DHCP Profiling (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Can be same as RADIUS Virtual IP or unique IP. Be sure to configure DHCP Relays/IP Helpers to point to this IP address
• Service Port = 67

Configure Virtual Server for DHCP Profiling (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• Optional: Limit traffic to specific VLAN(s)

Configure Virtual Server for DHCP Profiling (Resources)
Local Traffic > Virtual Servers > Resources

• Default Pool = DHCP Profiling Pool
• Default Persistence Profile = Persistence Profile based on Source Address Affinity OR DHCP persistence profile
  • If persistence profile based on Source Address Affinity (source_addr), recommend create new profile to allow custom timers and "Match Across" settings. Example: profiling_source_addr
• Fallback Persistence Profile:
  o DHCP iRule setting overrides value set here.
  o If not configured in iRule, set optional value here.

Configure Virtual Server for SNMP Trap Profiling
Local Traffic > Virtual Servers

• Same settings as DHCP Profiling Virtual Server but different service port and pool. Additionally, Default Persistence Profile should be based on Source Address Affinity (NAD IP address).

Load Balancing Web Services

F5 Load Balancing and URL-Redirected Web Services
Sample Flow

1. RADIUS Authentication requests sent to VIP 10.1.98.8
2. Requests for same endpoint load balanced to same PSN via RADIUS sticky.
3. RADIUS Authorization received from ise-psn-3 @ 10.1.99.7 with URL Redirect to https://ise-psn-3.company.com:8443/...&sessionId=0a012c5a0000...
4. Client browser redirected and resolves FQDN in URL to real server address.
5. User sends web request directly to same PSN that serviced RADIUS request.

Diagram: User → NAD → RADIUS request to RADIUS VIP @ 10.1.98.8 → F5 LTM → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; RADIUS response from 10.1.99.7; DNS Lookup = ise-psn-3.company.com, DNS Response = 10.1.99.7; https://ise-psn-3.company.com:8443/... sent to and HTTPS response received from ise-psn-3.company.com (ISE Certificate Subject CN = ise-psn-3.company.com).

F5 Load Balancing Non-Redirected Web Services
Sample Flow

1. Browser resolves sponsor.company.com to VIP @ 10.1.98.8
2. Web request sent to https://sponsor.company.com
3. F5 load balances request to PSN based on IP or HTTP sticky
4. HTTPS response received from ise-psn-3 @ 10.1.99.7

Diagram: Sponsor Device → DNS Lookup = sponsor.company.com, DNS Response = 10.1.98.8 → Access Device → https://sponsor.company.com to VIP @ 10.1.98.8 → F5 LTM → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; https response from ise-psn-3 @ 10.1.99.7.

Load Balancer NAT Guidelines for Web Traffic
URL-Redirected Traffic with Single PSN Interface

• No NAT Required
• Allow web portal traffic direct to PSN without NAT

Diagram: User on 10.1.10.0/24 → F5 LTM on 10.1.98.0/24 → ISE-PSN-1 (.5), ISE-PSN-2 (.6), ISE-PSN-3 (.7), ISE-PSN-X (.8) on 10.1.99.0/24.
• RADIUS session load-balanced to PSN @ 10.1.99.6
• URL Redirect automatically includes FQDN/Interface IP of same PSN @ 10.1.99.6: https://ise-psn-2.company.com:8443/guestportal/Login...
• Browser traffic redirected to IP for ise-psn-2.company.com: https://10.1.99.6:8443/guestportal/Login...

SNAT on L3 Switch for Dedicated Web Interfaces (ISE 1.2)
URL-Redirected Traffic with Dedicated PSN Interface for Web Portals (Single F5 LTM interface)

• Source NAT portal traffic to simplify routing
• Maintains Path Isolation

Diagram: User on 10.1.10.0/24 → L3 switch → F5 LTM on 10.1.98.0/24 → ISE-PSN-1 (.5), ISE-PSN-2 (.6), ISE-PSN-3 (.7), ISE-PSN-X (.8) with RADIUS interfaces on 10.1.99.0/24 and dedicated web portal interfaces on 10.1.91.0/24.
• RADIUS session load-balanced to PSN @ 10.1.99.6
• URL Redirect automatically includes FQDN/Interface IP of Web Portal interface for same PSN @ 10.1.91.6: https://ise-psn-2-guest.company.com:8443/guestportal/Login...
• Source NAT web traffic from user networks destined to PSN web interfaces @ 10.1.91.x; translate to 10.1.91.x (or any address block that can be statically added to PSN route table). Ensures all Web requests received by PSN web interface are returned out same interface.

SNAT on F5 LTM for Dedicated Web Interfaces (ISE 1.2)
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces

Diagram: User A 10.1.10.0/24, User B 10.1.11.0/24, User C 10.1.12.0/24 → L3 switch → F5 LTM on 10.1.98.0/24 → ISE-PSN-1 (.5), ISE-PSN-2 (.6), ISE-PSN-3 (.7), ISE-PSN-X (.8) with RADIUS interfaces on 10.1.99.0/24 and dedicated web interfaces on 10.1.91.0/24.
• RADIUS session load-balanced to PSN @ 10.1.99.6
• Direct-Access Portals: Enable SNAT on Virtual Servers for ISE Sponsor, My Devices, and LWA portals.
• URL-Redirected Web Portals/Services: Enable SNAT on F5 IP Forwarding Virtual Servers.

Dedicated Web Interfaces under ISE 1.3
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces

Diagram: User A 10.1.10.0/24, User B 10.1.11.0/24, User C 10.1.12.0/24 → L3 switch → F5 LTM on 10.1.98.0/24 → ISE-PSN-1 (.5), ISE-PSN-2 (.6), ISE-PSN-3 (.7), ISE-PSN-X (.8) with RADIUS interfaces on 10.1.99.0/24 (eth0) and dedicated web interfaces on 10.1.91.0/24 (eth1).
• RADIUS session load-balanced to PSN @ 10.1.99.6
• Response to traffic received on an interface is sent out same interface if default route exists for interface: No SNAT required!
  • Default route 0.0.0.0/0 10.1.99.1 eth0
  • Default route 0.0.0.0/0 10.1.91.1 eth1

Dedicated Web Interfaces under ISE 1.3
Symmetric Traffic Flows

• Configure default routes for each interface to support symmetric return traffic

    ise13-psn-x/admin# config t
    Enter configuration commands, one per line. End with CNTL/Z.
    ise13-psn-x/admin(config)# ip route 0.0.0.0 0.0.0.0 gateway 10.1.91.1

• Validate new default route

    ise13-psn-x/admin# sh ip route
    Destination      Gateway      Iface
    -----------      -------      -----
    10.1.99.0/24     0.0.0.0      eth0
    10.1.91.0/24     0.0.0.0      eth1
    default          10.1.91.1    eth1
    default          10.1.99.1    eth0

F5 LTM Configuration Components for HTTP/S LB

• TCP Profile
• Persistence Profile
• Virtual Server
• Health Monitor
• Pool List
• Member Nodes

Configure HTTPS Health Monitor
Local Traffic > Monitors

• Configure Send and Receive Strings appropriate to
ISE version
• Set UserName and Password to any value (does
not have to be valid user account)
• Alias Service Port = Portal Port configured in ISE


HTTPS Health Monitor Examples
Local Traffic > Monitors

• ISE 1.2 Example
• Send String: GET /sponsorportal/
• Receive String: HTTP/1.1 200 OK

• ISE 1.3 Example
• Send String:
GET /sponsorportal/PortalSetup.action?portal=Sponsor%20Portal%20%28default%29
• Receive String: HTTP/1.1 200 OK


Optional: Configure TCP Profile for HTTPS
Local Traffic > Profiles > Protocol > TCP

• Start with default Idle Timeout

• Using a custom profile allows for
tuning later if needed without
impacting other services based on
same parent TCP profile


Configure Persistence Profile for HTTPS
Local Traffic > Profiles > Persistence

• Enable Match Across Services

• If different Virtual Server IP
addresses used for Web Services,
then enable Match Across Virtual
Servers

Generally recommend use same
VIP address for all portals
• Timeout = Persistence timer

Value of 1200 seconds = 20
minutes (default Sponsor Portal idle
timeout setting in ISE)


Configure Server Pool for Web Services
Local Traffic > Pools > Pool List

• Health Monitor = HTTPS Monitor
• Action on Service Down = None

Configure Member Nodes in Web Services Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
  • Least Connections (node)
  • Least Connections (member)
  • Fastest (application)
• Server Port = 0 (all ports)

Configure Virtual Server for Web Portals (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Web Portal Virtual IP
• Service Port = Web Portal Port configured in ISE (default 8443)

Configure Virtual Server for HTTPS Portals (Advanced)
Local Traffic > Virtual Servers

• Protocol = TCP
• Protocol Profile = tcp or custom TCP profile
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation (SNAT)
  • Single PSN interface: None
  • Dedicated PSN interface (ISE 1.2): Auto Map
  • Dedicated PSN interface (ISE 1.3): None or Auto Map

Configure Virtual Server for HTTPS Portals (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources

• Default Pool = Web Portals Pool
• Default Persistence Profile = HTTPS persistence profile
• Fallback Persistence Profile: Not required

Configure Virtual Server for Web Portals on TCP/443
Local Traffic > Virtual Servers > Virtual Server List

• Virtual Server used to forward web traffic sent to portal FQDN on default HTTPS port 443
• PSNs will automatically redirect traffic to FQDN to specific portal port / URL.
• Service Port = 443 (HTTPS). Default HTTPS port used in initial portal request by end user.
• All other Virtual Server settings the same as port-specific Virtual Server (Example: ise_https8443_portals)

Configure Virtual Server for Web Portals on TCP/80
Local Traffic > Virtual Servers > Virtual Server List

• Virtual Server used to forward web traffic sent to portal FQDN on default HTTP port 80
• PSNs will automatically redirect traffic to FQDN to specific portal port / URL.
• Service Port = 80 (HTTP). Default HTTP port used in initial portal request by end user.
• All other Virtual Server settings the same as port-specific Virtual Server (Example: ise_https8443_portals)

Configure Virtual Server for Web Portals on TCP/80
Optional HTTP -> HTTPS Redirect by F5 LTM

To configure F5 LTM to perform automatic HTTP to HTTPS redirect instead of PSNs:
• Configure new http profile under Profiles > Services > HTTP using default settings
• Configure new http class under Profiles > Protocol > HTTP Class. Under Actions, set redirect URL.
• Under Virtual Server for HTTP (TCP/80):
  • Specify HTTP Profile under Advanced Configuration
  • Specify new HTTP Class under Resources > HTTP Class Profiles.

Virtual Server List

Server Pool List

Global Load Balancing Considerations

F5 BIG-IP GTM: Load Balancing Web Requests
Client-Based Load Balancing/Distribution Based on DNS Response

• Integrate Global LB using F5 BIG-IP GTM with Local LB using F5 BIG-IP LTM

Diagram: clients ask the DNS SOA for company.com "What is IP address for sponsor.company.com?"; the F5 BIG-IP GTM answers each query with a sponsor IN A record for one of the site F5 LTM VIPs (each LTM fronting a PSN such as ISE-PSN-14 or ISE-PSN-15), so different clients are distributed across sites by the DNS response.

F5 BIG-IP GTM: Load Balancing Web Requests
Global Load Balancing/Distribution Based on Routing and DNS Response

• Example combines Anycast as DNS response

Diagram: clients ask the DNS SOA for company.com "What is IP address for sponsor.company.com?"; the F5 BIG-IP GTM answers every portal query with the same anycast VIP (sponsor IN A 10.1.99.12, mydevices IN A 10.1.99.12, lwa-portal1 IN A 10.1.99.12, lwa-portal2 IN A 10.1.99.12), and routing then selects which site's F5 LTM (fronting ISE-PSN-14 or ISE-PSN-15) receives the request.

Basic NAD-Based RADIUS Server Redundancy
Multiple RADIUS Servers Defined in Access Device

• Configure Access Devices with multiple RADIUS Servers.
• Fallback to secondary servers if primary fails

Diagram: User → Network Access Device → RADIUS Auth → PSN1 (10.1.2.3), PSN2 (10.4.5.6), PSN3 (10.7.8.9)

    radius-server host 10.1.2.3 auth-port 1812 acct-port 1813
    radius-server host 10.4.5.6 auth-port 1812 acct-port 1813
    radius-server host 10.7.8.9 auth-port 1812 acct-port 1813

NAD-Based Redundancy to Different LTM LB Clusters
RADIUS Example – Different RADIUS VIP Addresses
• Configure access devices with each LB cluster VIP as a RADIUS Server.
• Fallback to secondary DC if primary DC fails.
(Diagram: User > Network Access Device > RADIUS Auth to the F5-LTM1 VIP (10.1.98.8) in DC #1, fronting PSN1 (10.1.99.5), PSN2 (10.1.99.6) and PSN3 (10.1.99.7), and to the F5-LTM2 VIP in DC #2, fronting its own PSN1, PSN2 and PSN3.)
  radius-server host 10.1.98.8 auth-port 1812 acct-port 1813
  radius-server host <F5-LTM2 VIP> auth-port 1812 acct-port 1813

NAD-Based Redundancy to Different LTM LB Clusters
RADIUS Example – Single RADIUS VIP Address using Anycast
• Configure access devices with the single (anycast) LB cluster VIP as a RADIUS Server.
• Fallback to secondary DC if primary DC fails: the same VIP (10.1.98.8) is hosted by F5-LTM1 in DC #1 and F5-LTM2 in DC #2, so routing carries requests to whichever data center is reachable.
• Fallback depends on the route to the VIP being withdrawn when F5-LTM1 or its virtual server goes down; if the failed data center keeps advertising 10.1.98.8, requests are black-holed there and the NAD never reaches DC #2.
(Diagram: User > Network Access Device > RADIUS Auth to 10.1.98.8; F5-LTM1 in DC #1 fronts PSN1 (10.1.99.5), PSN2 (10.1.99.6) and PSN3 (10.1.99.7); F5-LTM2 in DC #2 fronts its own PSN1, PSN2 and PSN3.)
  radius-server host 10.1.98.8 auth-port 1812 acct-port 1813

NAD-Based Redundancy to Different LTM LB Clusters
Profiling Example – Different DHCP VIP Addresses
• Configure access devices with each LB cluster VIP as an IP Helper.
• Both Data Centers receive a copy of the DHCP Profiling data.
• An IP helper relays more than DHCP (by default IOS also forwards TFTP, DNS, NetBIOS and other UDP broadcasts), so expect that traffic at the DHCP VIP as well unless the forwarded protocols are restricted on the NAD.
(Diagram: User > Network Access Device (DHCP Relay) > F5-LTM1 DHCP VIP (10.1.98.11) in DC #1, fronting PSN1 (10.1.99.5), PSN2 (10.1.99.6) and PSN3 (10.1.99.7), and the F5-LTM2 DHCP VIP in DC #2, fronting its own PSN1, PSN2 and PSN3.)
  interface VLAN 10
   ip address A.B.C.D 255.255.255.0
   ip helper-address X.X.X.X        # Real DHCP server
   ip helper-address 10.1.98.11     # LTM1
   ip helper-address <F5-LTM2 VIP>  # LTM2

NAD-Based Redundancy to Different LTM LB Clusters
Profiling Example – Single DHCP VIP Address using Anycast
• Configure access devices with the single LB cluster VIP as an IP Helper.
• Fallback to secondary DC if routing to primary DC fails.
• Unlike the previous example, each relayed DHCP packet reaches only one data center, so profiling data is not duplicated across DCs; the trade-off is one helper line per VLAN instead of one per data center.
(Diagram: User > Network Access Device (DHCP Relay) > anycast DHCP VIP 10.1.98.11; F5-LTM1 in DC #1 fronts PSN1 (10.1.99.5), PSN2 (10.1.99.6) and PSN3 (10.1.99.7); F5-LTM2 in DC #2 fronts its own PSN1, PSN2 and PSN3.)
  interface VLAN 10
   ip address A.B.C.D 255.255.255.0
   ip helper-address X.X.X.X        # Real DHCP server
   ip helper-address 10.1.98.11     # Anycast

Monitoring and Troubleshooting

Live Log Output for Load Balanced Sessions
Synthetic Transactions
• Batch of test authentications generated from Catalyst switch:
  # test aaa group radius radtest cisco123 new-code count 100
• All RADIUS sent to LB VIP @ 10.1.98.8
• Requests evenly distributed across real servers: ise-psn-1, ise-psn-2, ise-psn-3
• Synthetic requests prove reachability and distribution only; persistence on Calling-Station-Id has to be verified with real endpoint sessions (next slide).

Live Log Output for Load Balanced Sessions
Real Transactions
• All RADIUS sent to LB VIP @ 10.1.98.8
1. All phone auth is load balanced from the VIP to ise-psn-3 @ 10.1.99.7.
2. All PC auth is load balanced to ise-psn-1 @ 10.1.99.5. URL Redirect traffic is sent to the same PSN.
3. CoA is sent from the same PSN that is handling the auth session.
4. dACL downloads are sent from the switch itself without a Calling-Station-Id or Framed-IP-Address, so the request can be load balanced to any PSN. It is not required to pull the dACL from the same PSN as the auth.

Cisco ISE Monitoring and Troubleshooting
• Verify Operational Status of Cisco Components
  • Validate ISE Nodes Online and Connected
  • Check that PSNs are synchronized under Administration > Deployment.
  • Verify Identity Stores such as AD and LDAP are connected to PSNs and traffic is not being dropped.
  • Verify the RADIUS Server status from the NADs.
• ISE Authentications Live Log
• ISE Reports
• ISE Packet Capture using TCP Dump
• Logging Suppression and Collection Filters

Cisco ISE Monitoring and Troubleshooting
Verify ISE Node Status
• Check Node Status from ISE Dashboard and under Administration > Deployment

Cisco ISE Monitoring and Troubleshooting
Verify Health Monitor Is Authenticating Successfully
• Are Probes Failing?

Cisco ISE Monitoring and Troubleshooting
Verify Health Monitor Is Authenticating Successfully
• If an internal user is used, is the account enabled? Is the password correct?
• If an external user store is used, is the identity store connected?
• Use a dedicated monitor account that matches no network-access authorization rule, and if its successful probes flood the Live Log, filter only its passed authentications with a collection filter so failures stay visible.
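The checks on the last three slides (RADIUS server status from the NAD, and whether the F5 health monitor is authenticating) can be reproduced from any host that can reach the VIP or a PSN. The following stand-alone RADIUS/PAP probe is an added example, not code from the deck or from F5 or Cisco: it builds an Access-Request with RFC 2865 password hiding, validates the Response Authenticator with the shared secret, and classifies the outcome the way a monitor would. The target addresses, shared secret and probe credentials are lab assumptions; the probing host must be defined in ISE as a network device with that secret, otherwise ISE drops the request silently and the result is a timeout.

```python
"""Added example: a stand-alone RADIUS/PAP probe for VIP and PSN checks.
Addresses, secret and credentials below are lab assumptions."""
import hashlib
import os
import socket
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with an MD5 keystream
    chained from the previous ciphertext block. Applied twice to a
    single-block password it returns the padded plaintext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, authenticator: bytes, user: str,
                         password: str, secret: bytes,
                         nas_ip: str = "10.1.50.1") -> bytes:
    """Access-Request carrying User-Name, hidden User-Password and an
    (assumed) NAS-IP-Address."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> Optional[int]:
    """Return the reply code only if the Response Authenticator matches
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    None means wrong shared secret, forged reply or truncated packet."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return code if expected == packet[4:20] else None


def build_response(code: int, ident: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side of the exchange; here only to exercise verify_response offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def classify_reply(reply: Optional[bytes], ident: int, authenticator: bytes, secret: bytes) -> str:
    """Map a raw reply (None on timeout) to the states a health monitor reports."""
    if reply is None:
        return "timeout"            # unreachable, or this host is not a NAD in ISE
    code = verify_response(reply, authenticator, secret)
    if code is None or reply[1] != ident:
        return "bad-authenticator"  # shared-secret mismatch is the usual cause
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code-%d" % code)


def probe(server: tuple, secret: bytes, user: str, password: str, timeout: float = 3.0) -> str:
    """Send one Access-Request to (host, port) and classify the outcome."""
    ident = os.urandom(1)[0]
    authenticator = os.urandom(16)
    request = build_access_request(ident, authenticator, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, server)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(reply, ident, authenticator, secret)


if __name__ == "__main__":
    # Assumed lab values: the RADIUS VIP from the deck and three pool members.
    for host in ["10.1.98.8", "10.1.99.15", "10.1.99.16", "10.1.99.17"]:
        print(host, probe((host, 1812), b"lab-shared-secret", "f5-monitor", "ProbePassw0rd!"))
```

Probe the VIP and each pool member in turn: "accept" from the members but "timeout" from the VIP points at the virtual server or its pool; "reject" everywhere points at the monitor account (disabled, wrong password, identity store down); "bad-authenticator" means the secret configured for the probing host differs from the one ISE has for it.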

F5 BIG-IP LTM Monitoring and Troubleshooting
• Verify Operational Status of F5 Components
  • Virtual Server Status
  • Pool Member Status
  • Health Monitors
  • Persistence Records
• iRule Debug and View Local Traffic Logs
• Packet Capture using TCP Dump

F5 BIG-IP LTM Monitoring and Troubleshooting
Verify Virtual Server and Pool Member Status
• Virtual Server Status
• Pool Member Status
If one node is down, the cluster is impacted but the Virtual Server is still up; if the Virtual Server is down, then all Pool Members are down. If connections still fail after a member recovers or is replaced, verify that the stale persistence entries pointing at the old member have been cleared.

F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 Web Interface
• Persistence Records – Bad Example
• MAC addresses are not normalized, so separate persist entries are created for the same endpoint whenever NADs send the Calling-Station-Id in different formats (for example dashes, colons or dotted-hex), and the endpoint's sessions can land on different PSNs.

F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 Web Interface
• Persistence Records – Good Example

F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 BIG-IP LTM Console Interface
• Show Persistence Records for RADIUS Virtual Server
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm persistence persist-records virtual ise_radius_auth
  Sys::Persistent Connections
  universal  10.1.98.8:1812  10.1.99.15:1812  0
  universal  10.1.98.8:1812  10.1.99.17:1812  0
  universal  10.1.98.8:1812  10.1.99.16:1812  0
  universal  10.1.98.8:1812  10.1.99.15:1812  0
  universal  10.1.98.8:1812  10.1.99.17:1812  0
  Total records returned: 5
• Show Persistence Records for Specific Client Based on MAC address as Persist Key
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm persistence persist-records virtual ise_radius_auth mode universal key 7C-6D-62-E3-D5-05
  Sys::Persistent Connections
  universal  10.1.98.8:1812  10.1.99.16:1812  0
  Total records returned: 1
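The live-log slides (even distribution of synthetic requests, phones and PCs each sticking to one PSN) and the persistence slides (un-normalized MAC keys creating separate records) describe two checks that are easy to script against exported live-log rows and the tmsh output above. The block below is an added example, not code from the deck or from F5: it normalizes the Calling-Station-Id formats NADs actually send into the key format the tmsh lookup uses, flags endpoints whose sessions landed on more than one PSN, and counts persistence records per pool member. All live-log rows are constructed sample data; the tmsh text mirrors the layout of `show ltm persistence persist-records`.

```python
"""Added example: persistence and distribution checks over constructed
live-log rows and tmsh output; none of the data is from a real deployment."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Reduce 7C-6D-62-E3-D5-05, 7c:6d:62:e3:d5:05, 7c6d.62e3.d505 or
    7C6D62E3D505 to 12 lowercase hex digits; None if it is not a MAC
    (some NADs put a username or IP in Calling-Station-Id)."""
    digits = _SEPARATORS.sub("", raw.strip().lower())
    return digits if _HEX12.match(digits) else None


def persist_key(raw: str) -> Optional[str]:
    """Canonical key in the form used for the tmsh lookup (7C-6D-62-E3-D5-05).
    An iRule must compute something equivalent before 'persist uie', otherwise
    each NAD format becomes its own persistence record."""
    mac = normalize_mac(raw)
    if mac is None:
        return None
    return "-".join(mac[i:i + 2] for i in range(0, 12, 2)).upper()


# Constructed live-log rows: (Calling-Station-Id as sent by the NAD, PSN that answered).
SAMPLE_LIVE_LOG: List[Tuple[str, str]] = [
    ("7C-6D-62-E3-D5-05", "ise-psn-3"),   # phone, switch format
    ("7c:6d:62:e3:d5:05", "ise-psn-3"),   # same phone, WLC format, still on ise-psn-3
    ("00-11-22-33-44-55", "ise-psn-1"),   # PC, switch format
    ("0011.2233.4455",    "ise-psn-2"),   # same PC, dotted format, went elsewhere
    ("AA-BB-CC-DD-EE-01", "ise-psn-2"),
]


def sessions_per_psn(rows: List[Tuple[str, str]]) -> Counter:
    """Distinct endpoints per PSN (the 'evenly distributed' check)."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for raw, psn in rows:
        seen[psn].add(persist_key(raw) or raw)
    return Counter({psn: len(keys) for psn, keys in seen.items()})


def clients_split_across_psns(rows: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Endpoints whose sessions landed on more than one PSN: the symptom of
    un-normalized keys (CoA and URL redirect then come from the wrong node)."""
    psns: Dict[str, Set[str]] = defaultdict(set)
    for raw, psn in rows:
        key = persist_key(raw)
        if key:
            psns[key].add(psn)
    return {key: nodes for key, nodes in psns.items() if len(nodes) > 1}


SAMPLE_TMSH = """\
Sys::Persistent Connections
universal  10.1.98.8:1812  10.1.99.15:1812  0
universal  10.1.98.8:1812  10.1.99.17:1812  0
universal  10.1.98.8:1812  10.1.99.16:1812  0
universal  10.1.98.8:1812  10.1.99.15:1812  0
universal  10.1.98.8:1812  10.1.99.17:1812  0
Total records returned: 5
"""
_RECORD = re.compile(r"^(?P<mode>\S+)\s+(?P<virtual>[\d.]+:\d+)\s+(?P<member>[\d.]+:\d+)\s+(?P<age>\d+)$")


def member_distribution(tmsh_output: str) -> Counter:
    """Persistence records per pool member, parsed from tmsh output."""
    counts: Counter = Counter()
    for line in tmsh_output.splitlines():
        match = _RECORD.match(line.strip())
        if match:
            counts[match.group("member")] += 1
    return counts


if __name__ == "__main__":
    print("sessions per PSN:", dict(sessions_per_psn(SAMPLE_LIVE_LOG)))
    print("split clients:", clients_split_across_psns(SAMPLE_LIVE_LOG))
    print("persist records per member:", dict(member_distribution(SAMPLE_TMSH)))
```

In the sample data the phone is fine (both formats normalize to one key and both sessions are on ise-psn-3), while the PC shows the bad-example symptom: two raw keys, two PSNs. Feed real rows from an Authentications report export and any endpoint reported by clients_split_across_psns is a persistence key that needs normalizing.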

F5 BIG-IP LTM Monitoring and Troubleshooting
Clearing Persistence Records and Connections from the F5 BIG-IP LTM Console Interface
• Delete Persistence Records for RADIUS Virtual Server
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete ltm persistence persist-records virtual ise_radius_auth
• Delete All Persistence Records
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete ltm persistence persist-records
• Delete Connections for RADIUS Auth Services
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys connection cs-server-port 1812
• Delete All Connections
  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys connection
• Scope deletes to the affected virtual server or port where possible: the unscoped forms drop every persistence record and every flow on the appliance, including the web-portal sessions and any non-LB traffic it is forwarding.

Routing, Network Topology, and Addressing Review
Key Components
• Clients / Endpoints
• Network Access Devices
• Intermediate infrastructure
• BIG-IP LTM appliances
• ISE PSN appliances
• Supporting services such as DNS, NTP, AD/LDAP, and Admin and MnT nodes

Routing, Network Topology, and Addressing Review
Other Troubleshooting Checklist Items
• Map out the expected path for each flow.
• Validate the actual path taken by packets by reviewing configuration files, routing tables, and ARP tables.
• Verify that a symmetric path is taken and that no packets are being dropped, using component logs, debugs, and packet captures.
• Take special consideration where NAT may be deployed and addresses change. This can cause confusion when analyzing logs and packet captures.
• If the F5 appliance trunks multiple VLANs, note that packet captures may show both ingress and egress copies of a packet where the MAC addresses change but the IP addresses do not.
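The last checklist item is easy to misread in a capture as a duplicate or a retransmission. The block below is an added example, not code from the deck or from F5: it parses constructed Ethernet/IPv4 frames and pairs the ingress and egress copies of a packet routed across VLANs by the BIG-IP, matching on the IP-level identity (source, destination, protocol, IP-ID) that survives the hop while the MAC pair and TTL change, and leaves true retransmissions (same MAC pair) alone. The MAC addresses, the NAD address and the direct NAD-to-PSN flow it depicts are lab assumptions.

```python
"""Added example: pair ingress/egress copies of routed packets in a capture.
All frames are constructed; MACs and addresses are lab assumptions."""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

ETH_TYPE_IPV4 = 0x0800
_IPV4_HEADER = "!BBHHHBBH4s4s"   # 20 bytes, options ignored


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                ip_id: int, ttl: int, proto: int = 17, payload: bytes = b"") -> bytes:
    """Minimal Ethernet II + IPv4 frame (header checksum left zero; the
    parser does not validate it)."""
    ip_hdr = struct.pack(_IPV4_HEADER, 0x45, 0, 20 + len(payload), ip_id, 0, ttl, proto, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth_hdr = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
               + struct.pack("!H", ETH_TYPE_IPV4))
    return eth_hdr + ip_hdr + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Ethernet + IPv4 fields needed to identify a packet across hops."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_IPV4:
        raise ValueError("not an IPv4 Ethernet frame")
    _vihl, _tos, _tlen, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(_IPV4_HEADER, frame[14:34])
    return {
        "dst_mac": mac_str(frame[0:6]), "src_mac": mac_str(frame[6:12]),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "proto": proto, "ip_id": ip_id, "ttl": ttl, "ihl": (frame[14] & 0x0F) * 4,
    }


def group_hops(frames: List[bytes]) -> Dict[Tuple[str, str, int, int], List[Dict[str, object]]]:
    """Group frames by (src_ip, dst_ip, proto, ip_id), keeping capture order."""
    groups = defaultdict(list)
    for frame in frames:
        p = parse_frame(frame)
        groups[(p["src_ip"], p["dst_ip"], p["proto"], p["ip_id"])].append(p)
    return dict(groups)


def routed_packets(frames: List[bytes]) -> Dict[Tuple[str, str, int, int], List[Tuple[str, str, int]]]:
    """Packets seen more than once with different MAC pairs: the same packet on
    its ingress and egress VLAN, not a retransmission. The (src_mac, dst_mac,
    ttl) sequence makes the direction of travel visible."""
    out = {}
    for key, hops in group_hops(frames).items():
        pairs = [(h["src_mac"], h["dst_mac"], h["ttl"]) for h in hops]
        if len({(s, d) for s, d, _ in pairs}) > 1:
            out[key] = pairs
    return out


# Constructed capture: a RADIUS datagram from a NAD on VLAN 50 forwarded by the
# BIG-IP to a PSN on VLAN 99 (direct PSN traffic, not via the VIP): same IPs
# and IP-ID, different MACs, TTL decremented. Plus a genuine retransmission.
NAD_MAC, F5_VLAN50_MAC, F5_VLAN99_MAC, PSN_MAC = \
    "00:1b:2c:00:50:01", "00:23:e9:00:50:f5", "00:23:e9:00:99:f5", "00:50:56:00:99:05"
SAMPLE_CAPTURE: List[bytes] = [
    build_frame(NAD_MAC, F5_VLAN50_MAC, "10.1.50.1", "10.1.99.5", ip_id=0x1A2B, ttl=64, payload=b"radius"),
    build_frame(F5_VLAN99_MAC, PSN_MAC, "10.1.50.1", "10.1.99.5", ip_id=0x1A2B, ttl=63, payload=b"radius"),
    build_frame(NAD_MAC, F5_VLAN50_MAC, "10.1.50.1", "10.1.99.5", ip_id=0x1A2C, ttl=64, payload=b"radius"),
    build_frame(NAD_MAC, F5_VLAN50_MAC, "10.1.50.1", "10.1.99.5", ip_id=0x1A2C, ttl=64, payload=b"radius"),
]

if __name__ == "__main__":
    for key, hops in routed_packets(SAMPLE_CAPTURE).items():
        print(key, "->", hops)
```

On a real capture from the BIG-IP (tcpdump on interface 0.0 sees every VLAN), read frames with any pcap reader and pass the raw bytes to routed_packets; a packet that appears on the ingress VLAN but never in an egress pair is the drop the checklist asks you to find.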

Summary

Cisco ISE / F5 BIG-IP Load Balancing Summary
Review
• Cisco ISE is a comprehensive, context-based policy management system that can scale services through the deployment of multiple Policy Service Nodes (PSNs).
• F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that incorporates many advanced security and traffic optimization features.
• F5 BIG-IP Global Traffic Manager (GTM) is a global load balancing solution that leverages standard DNS to help ensure that users and applications are directed to the most available and optimal server.
• Integrating F5 BIG-IP load balancing solutions with ISE can:
  • Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and availability
  • Optimize ISE AAA, profiling, and database replication by ensuring the same PSN services a client's requests
  • Simplify configuration management for network devices
  • Improve overall user experience

Cisco Support References
 Your local Cisco Channel/Security SE
 Sales Assistance Center (SAC): 24 x 7, all countries, all timezones
  Website: sac.cisco.com
  Phone: +1-408-902-4872 (International), 800-225-0905 (US Toll Free), 8-902-4872 (within Cisco)
  Live Chat: http://tinyurl.com/sacise
  Email: sac-support@cisco.com
 Tech Zone: https://techzone.cisco.com (Cisco Internal)
 Cisco Support Communities: supportforums.cisco.com/t5/AAA-and-Identity-Management/ct-p/aaa
 ISE and TrustSec "How-To" and Design Guides: http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html
 Tech Talks – Security Deep Dive Training Series: https://communities.cisco.com/docs/DOC-30977

F5 Support References
• BIG-IP LTM Product Overview
http://www.f5.com/pdf/products/big-ip-local-traffic-manager-overview.pdf
• BIG-IP LTM Configuration Guide
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html
• BIG-IP LTM Support forum
https://support.f5.com/kb/en-us/products/big-ip_ltm.html
• DevCentral Forum
https://devcentral.f5.com/
• iRules on F5 DevCentral
https://devcentral.f5.com/wiki/irules.ltmmaintenancepage.ashx
• F5 University – LTM Training
https://login.f5.com/resource/login.jsp?ctx=719748&referral=university

Follow us on Twitter @f5Networks  Official F5 Networks Channel


DevCentral F5 User Community
Over 105,000 Members in 191 Countries and Growing!
References
• Wikis
• API/SDK Documentation

Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs

Tools and Frameworks
• iRule Editor
• iControl SDK
• .NET, Java, Python, Powershell, ...
• VMware vSphere Management Plug-in
• Microsoft SCOM Monitoring Pack


 F5 BIG-IP Product Trials – Trial, Eval, and Lab Licenses:
https://f5.com/products/trials/product-trials

 Cisco dCloud: http://dcloud.cisco.com/
 ISE / NFR POC Kit on MarketPlace: http://cisco.mediuscorp.com/ise
 ISE Configured Limited Deployment (COLD) Program: https://communities.cisco.com/docs/DOC-32999

 QuickStart Demo Series on YouTube “CiscoISE” channel: https://www.youtube.com/user/CiscoISE
 Public – Scheduled and On-Demand ISE Demos:
http://www.cisco.com/c/en/us/products/security/identity-services-engine/ise_demos.html


Questions?

Thank you.