
Configuring F5 LTM for Load Balancing Cisco Identity Service Engine (ISE)

Craig Hyps
Principal Technical Marketing Engineer, Cisco Systems

• Cisco Communities: https://communities.cisco.com/docs/DOC-64434
• Cisco and F5 Deployment Guide: ISE Load Balancing using BIG-IP: https://communities.cisco.com/docs/DOC-68198
• Linked from F5 website under Cisco Alliance page > White Papers: https://f5.com/solutions/technology-alliances/cisco

F5 LTM-Cisco ISE Config © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 2

Forwarding Non-LB Traffic

Figure: High-Level Load Balancing Diagram (End User/Device, Network Access Device, F5 LTM with VIP and LB addresses, ISE-PSN-1/2/3, ISE-PAN-1/2 and ISE-MNT-1/2 on VLAN 98 and VLAN 99; external services DNS, NTP, SMTP, Logger, MDM, AD/LDAP)

Non-LB Traffic that Requires IP Forwarding
Inter-node/Management/Repository/ID Stores/Feeds/Profiling/Redirected Web/RADIUS CoA

• PAN/MnT node communications
• All management traffic to/from the PSN real IP addresses such as HTTPS, SSH, SNMP, NTP, DNS, SMTP, and Syslog.
• Repository and file management access initiated from PSN including FTP, SFTP, SCP, TFTP, NFS, HTTP, and HTTPS.
• All external AAA-related traffic to/from the PSN real IP addresses such as AD, LDAP, RSA, external RADIUS servers (token or foreign proxy), partner MDM integration, and external CA communications (CRL downloads, OCSP checks, SCEP proxy).
• All service-related traffic to/from the PSN real IP addresses such as Posture and Profiler Feed Services, pxGrid, MDM, and REST/ERS API communications.
• Client traffic to/from PSN real IP addresses resulting from Profiler (NMAP, SNMP queries) and URL-Redirection such as CWA, DRW/Hotspot, Posture, and Client Provisioning.
• RADIUS CoA from PSNs to network access devices.

Virtual Server to Forward General Inbound IP Traffic (General Properties)

• Applies to connections initiated from outside (external) network
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to specific network.
• Destination = PSN Network Addresses
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)

Virtual Server to Forward General Inbound IP Traffic (Configuration, Advanced)

• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT

Virtual Server to Forward General Outbound IP Traffic (General Properties)

• Applies to connections initiated from PSN (internal) network
• Type = Forwarding (IP)
• Source = PSN Network Addresses
• Destination = All traffic (0.0.0.0/0) or limit to specific network.
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)

Virtual Server to Forward General Outbound IP Traffic (Configuration, Advanced)

• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT

Example Inbound / Outbound IP Forwarding Servers

Load Balancing RADIUS

F5 LTM Configuration Components for RADIUS LB

• Virtual Servers: RADIUS Auth, RADIUS Acct, RADIUS CoA
• UDP Profile
• RADIUS Profile
• SNAT Pool
• iRule
• Persistence Profile
• Health Monitor
• Pool List
• Member Nodes

RADIUS Health Monitors
Load Balancer Probes Determine RADIUS Server Health Status

• BIG-IP LTM RADIUS monitor has two key timer settings:
  o Interval = probe frequency (default = 10 sec)
  o Timeout = total time before monitor fails (default = 31 seconds)
  Timeout = (3 * Interval) + 1 (four health checks are attempted before declaring a node failure)
• Timers: Set low enough to ensure efficient failover but long enough to avoid excessive probing (AAA load). Start with defaults then tune to network.
• User Account: If valid user account to be used for monitor, be sure to configure user in ISE or external ID store with limited/no network access privileges.

Sample LTM RADIUS Health Monitor Config:

    ltm monitor radius /Common/radius_1812 {
        debug no
        defaults-from /Common/radius
        destination *:1812
        interval 10
        password P@$$w0rd
        secret P@$$w0rd
        time-until-up 0
        timeout 31
        username f5-probe
    }

Configure RADIUS Health Monitor
Local Traffic > Monitors

• Same monitor can be leveraged for RADIUS Auth, Accounting, and Profiling to reduce probe load for multiple services.
• Be sure BIG-IP LTM configured as ISE NAD.

Optional: Configure UDP Profile for RADIUS
Local Traffic > Profiles > Protocol > UDP

• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent UDP profile
• Disable Datagram LB

Optional: Configure RADIUS Profile
Local Traffic > Profiles > Services > RADIUS

• Start with default settings
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent radiusLB profile

Configure iRule for RADIUS Persistence
Local Traffic > iRules > iRule List

• Recommend iRule based on client MAC address
• RADIUS Attribute/Value Pair = 31 = Calling-Station-Id
• Recommend copy and paste working iRule into text area.

F5 iRule Editor (For Your Reference)
https://devcentral.f5.com/d/tag/irules%20editor

• Manage iRules and config files
• Syntax checker
• Generate HTTP traffic
• Quick links to tech resources

Configuring RADIUS Persistence
RADIUS Profile Example

• RADIUS Sticky on Calling-Station-ID (client MAC address)
• Simple option but does not support advanced logging and other enhanced parsing options like iRule
• Profile must be applied to Standard Virtual Server based on UDP Protocol

    ltm profile radius /Common/radiusLB {
        app-service none
        clients none
        persist-avp 31
        subscriber-aware disabled
        subscriber-id-type 3gpp-imsi
    }

iRule for RADIUS Persistence Based on Client MAC
Persistence based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address

• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
• Optional debug logging
  o Enable for troubleshooting only to reduce processing load
• Configurable persistence timeout based on media type
  o Wireless Default = 1 hour
  o Wired Default = 8 hours

    when CLIENT_ACCEPTED {
        # 0: No Debug Logging 1: Debug Logging
        set debug 0
        # Persist timeout (seconds)
        set nas_port_type [RADIUS::avp 61 "integer"]
        if {$nas_port_type equals "19"}{
            set persist_ttl 3600
            if {$debug} {set access_media "Wireless"}
        } else {
            set persist_ttl 28800
            if {$debug} {set access_media "Wired"}
        }
        if {[RADIUS::avp 31] ne "" }{
            set mac [RADIUS::avp 31 "string"]
            # Normalize MAC address to upper case
            set mac_up [string toupper $mac]
            persist uie $mac_up $persist_ttl
            if {$debug} {
                set target [persist lookup uie $mac_up]
                log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
            }
        } else {
            set nas_ip [RADIUS::avp 4 ip4]
            persist uie $nas_ip $persist_ttl
            if {$debug} {
                set target [persist lookup uie "$nas_ip any virtual"]
                log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
            }
        }
    }
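The persistence decision the iRule makes can be exercised off-box. The Python below is an added example, not code from this deck or from F5: it encodes constructed RADIUS Access-Request packets, walks the attribute/value pairs the way RADIUS::avp looks them up (with length checks so a malformed AVP cannot run off the buffer), and returns the persistence key and TTL the iRule would choose: upper-cased Calling-Station-Id, falling back to NAS-IP-Address, with 3600 seconds for NAS-Port-Type 19 and 28800 seconds otherwise. Attribute numbers are from RFC 2865; the sample MAC, NAS addresses and user names are constructed for the example.

```python
import ipaddress
import os
import struct

# RADIUS attribute types used by the iRule (RFC 2865)
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61
WIRELESS_80211 = 19          # NAS-Port-Type value for Wireless-802.11
ACCESS_REQUEST = 1

# Persistence timers from the iRule (seconds)
TTL_WIRELESS = 3600
TTL_WIRED = 28800


def build_access_request(avps, identifier=1):
    """Encode a minimal Access-Request: code, id, length, 16-byte authenticator, AVPs.
    Used only to construct sample input; the authenticator is random as on the wire."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + os.urandom(16) + body


def parse_avps(packet):
    """Return {type: first value} for a RADIUS packet, the way RADIUS::avp looks one up.
    Length fields are checked so a truncated or oversized AVP cannot run off the buffer."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    avps, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        avp_type, avp_len = packet[pos], packet[pos + 1]
        if avp_len < 2 or pos + avp_len > length:
            raise ValueError("bad AVP length for type %d" % avp_type)
        avps.setdefault(avp_type, packet[pos + 2:pos + avp_len])
        pos += avp_len
    return avps


def persistence_key(packet):
    """Mirror the iRule: pick the TTL by media type, then key on the upper-cased
    Calling-Station-Id, falling back to NAS-IP-Address when no MAC is present."""
    avps = parse_avps(packet)
    port_type = None
    if NAS_PORT_TYPE in avps and len(avps[NAS_PORT_TYPE]) == 4:
        port_type = struct.unpack("!I", avps[NAS_PORT_TYPE])[0]
    if port_type == WIRELESS_80211:
        ttl, media = TTL_WIRELESS, "Wireless"
    else:
        ttl, media = TTL_WIRED, "Wired"

    mac = avps.get(CALLING_STATION_ID, b"").decode("ascii", "replace")
    if mac:
        return {"key": mac.upper(), "ttl": ttl, "media": media, "source": "Calling-Station-Id"}
    nas_ip = avps.get(NAS_IP_ADDRESS)
    if nas_ip is None or len(nas_ip) != 4:
        raise ValueError("neither Calling-Station-Id nor NAS-IP-Address present")
    return {"key": str(ipaddress.IPv4Address(nas_ip)), "ttl": ttl, "media": media,
            "source": "NAS-IP-Address"}


# Constructed sample requests (addresses, MAC and user names are made up for this example)
SAMPLE_WIRELESS = build_access_request([
    (USER_NAME, b"employee1"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.50.1").packed),
    (CALLING_STATION_ID, b"00-50-56-a0-0b-3a"),
    (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)),
])
SAMPLE_WIRED_NO_MAC = build_access_request([
    (USER_NAME, b"printer-vlan20"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("10.1.50.2").packed),
    (NAS_PORT_TYPE, struct.pack("!I", 15)),   # 15 = Ethernet
], identifier=2)

if __name__ == "__main__":
    for name, pkt in (("wireless", SAMPLE_WIRELESS), ("wired, no MAC", SAMPLE_WIRED_NO_MAC)):
        print(name, persistence_key(pkt))
```

The key carries no service port, so an Access-Request on 1812 and an Accounting-Request on 1813 from the same endpoint produce the same record; that is what Match Across Services relies on to keep both on one PSN. Note that the iRule only normalizes case: Calling-Station-Id formatting (hyphenated, colon or dotted) varies by NAD vendor and is usually configurable, so an estate that mixes formats yields different keys for the same endpoint unless the NADs are aligned.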

Configure Persistence Profile for RADIUS
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for RADIUS Auth and Accounting, then enable Match Across Virtual Servers (not recommended)
• Specify RADIUS Persistence iRule
• iRule persistence timer overrides profile setting.

Configure Server Pool for RADIUS Auth
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor
• SNAT = No
• Action on Service Down = Reselect
  o Ensures existing connections are moved to an alternate server.

Configure Member Nodes in RADIUS Auth Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
  o Least Connections (node)
  o Least Connections (member)
• Server Port: 1812 or 1645

Configure Server Pool for RADIUS Accounting
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor (same monitor used for RADIUS Auth)
• SNAT = No
• Action on Service Down = Reselect
  o Ensures existing connections are moved to an alternate server.

Configure Member Nodes in RADIUS Accounting Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
  o Least Connections (node)
  o Least Connections (member)
  o Fastest (application)
• Server Port: 1813 or 1646

Configure Virtual Server for RADIUS Auth (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = RADIUS Virtual IP
• Service Port = 1812 or 1645

Configure Virtual Server for RADIUS Auth (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• RADIUS Profile = radiusLB or custom RADIUS profile
• Optional: Limit traffic to specific VLAN(s)
• SNAT = None

Configure Virtual Server for RADIUS Auth (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources

• Default Pool = RADIUS Auth Pool
• Default Persistence Profile = RADIUS persistence profile
• Fallback Persistence Profile:
  o RADIUS iRule setting overrides value set here.
  o If not configured in iRule, set optional value here. Example: radius_source_addr
  o Recommend create new persistence profile based on Source Address Affinity to allow custom timers and match settings.

Configure Virtual Server for RADIUS Accounting
Local Traffic > Virtual Servers > Virtual Server List

• Same settings as RADIUS Auth Virtual Server but different service port and pool

Configure SNAT Pool List for RADIUS CoA
Local Traffic > Address Translation > SNAT Pool List

• CoA traffic is initiated by PSN to NADs on UDP/1700
• Define SNAT Pool List with RADIUS Server Virtual IP as a pool member

Configure Virtual Server to SNAT RADIUS CoA (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• CoA traffic is initiated by PSN to NADs on UDP/1700
• Type = Standard
• Source = PSN Network
• Destination = 0.0.0.0 / 0.0.0.0 (all hosts) or specific network for all NADs
• Service Port = 1700

Configure Virtual Server to SNAT RADIUS CoA (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation = SNAT
• SNAT Pool = CoA SNAT Pool List
• Resources = None

Load Balancing ISE Profiling

F5 LTM Configuration Components for Profiling LB

• UDP Profile
• iRule
• Persistence Profile
• Virtual Server
• Pool List
• Member Nodes

Configure UDP Profile for Profiling
Local Traffic > Profiles > Protocol > UDP

• Set Idle Timeout to Immediate
  o Profiling traffic from DHCP and SNMP Traps is a one-way flow to the PSNs; no response is sent to these packets.
• Be sure to create new UDP profile to ensure these settings are applied only to Profiling.
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent UDP profile
• Disable Datagram LB

iRule for DHCP Persistence Based on Client MAC (1 of 2)
Persistence based on DHCP Option 61 – Client Identifier (MAC Address)

• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
• Optional debug logging
  o Enable for troubleshooting only to reduce processing load
• Configurable persistence timeout

    when CLIENT_ACCEPTED priority 100 {
        # Rule Name and Version shown in the log
        set static::RULE_NAME "Simple DHCP Parser v0.3"
        set static::RULE_ID "dhcp_parser"
        # 0: No Debug Logging 1: Debug Logging
        set static::debug 1
        # Persist timeout (seconds)
        set static::persist_ttl 7200

iRule for DHCP Persistence Based on Client MAC (2 of 2)

        # extract value field in hexadecimal format
        binary scan $dhcp_option_payload x[expr $i + 2]a[expr { $length * 2 }] value_hex
        set value ""
        switch $option {
            61 {
                # Client Identifier
                binary scan $value_hex a2a* ht id
                switch $ht {
                    01 {
                        binary scan $id a2a2a2a2a2a2 m(a) m(b) m(c) m(d) m(e) m(f)
                        # Normalize MAC address to upper case
                        set value [string toupper "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"]
                    }
                    default { set value "$id" }
                }
                persist uie $value $static::persist_ttl
                if {$static::debug}{
                    log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME completed ***** OPTION61=$value TARGET=[persist lookup uie "$value any virtual"]"
                }
            }
        }

Note: Example is excerpt only—Not complete iRule

iRule for DHCP Persistence – Sample Debug Output

    Sat Sep 27 13:39:45 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 executed *****
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) BOOTP: 0.0.0.0 00:50:56:a0:0b:3a
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 competed ***** MAC=00-50-56-a0-0b-3a Normal MAC=00-50-56-A0-0B-3A TARGET=
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 competed ***** MAC=f0-25-b7-08-33-9d Normal MAC=F0-25-B7-08-33-9D TARGET=
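The iRule excerpt shows only the option 61 branch of the parser. As an added example (not the deck's iRule and not F5 code), the Python below builds constructed DHCP requests, walks the option TLVs with bounds checks and pad/end handling, and derives the same persistence key the iRule does: a client identifier with hardware type 01 becomes an upper-case hyphenated MAC, any other identifier type is kept as hex. It goes one step beyond the excerpt by falling back to the BOOTP chaddr field when a client sends no option 61, so such endpoints still get a stable key. The MAC values are the two shown in the sample debug output above; the string client identifier and transaction id are made up.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_CLIENT_ID = 61           # Client Identifier: 1 byte hardware type + identifier
HTYPE_ETHERNET = 1
PERSIST_TTL = 7200           # persistence timeout used by the iRule (seconds)


def build_dhcp_request(chaddr, options):
    """Constructed BOOTP/DHCP request for testing: 236-byte fixed header, magic cookie,
    option TLVs, end. An option given as (code, None) is emitted as a single pad byte."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, HTYPE_ETHERNET, 6, 0,      # op=BOOTREQUEST, htype, hlen, hops
                        0x3903F326, 0, 0x8000,        # xid (made up), secs, flags (broadcast)
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr..giaddr
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([OPT_PAD]) if v is None else struct.pack("!BB", t, len(v)) + v
                    for t, v in options)
    return fixed + DHCP_MAGIC + body + bytes([OPT_END])


def parse_options(packet):
    """Walk the option TLVs after the magic cookie, honouring pad (0) and end (255) and
    refusing to read past the buffer, which an iRule doing binary scan must also guard."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options, pos = {}, 240
    while pos < len(packet):
        code = packet[pos]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            pos += 1
            continue
        if pos + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options.setdefault(code, value)
        pos += 2 + length
    return options


def format_mac(raw):
    """Normalize six bytes to the iRule's upper-case hyphenated form."""
    return "-".join("%02X" % b for b in raw)


def persistence_key(packet):
    """Mirror the iRule's option 61 handling: hardware type 01 -> hyphenated upper-case MAC,
    any other identifier type -> its raw hex. Extension beyond the excerpt: a request
    without option 61 falls back to the Ethernet chaddr field; returns None if neither
    is usable."""
    client_id = parse_options(packet).get(OPT_CLIENT_ID)
    if client_id:
        htype, ident = client_id[0], client_id[1:]
        if htype == HTYPE_ETHERNET and len(ident) == 6:
            return format_mac(ident)
        return ident.hex()
    htype, hlen = packet[1], packet[2]
    if htype == HTYPE_ETHERNET and hlen == 6:
        return format_mac(packet[28:34])
    return None


# Constructed samples: the MACs are those in the deck's debug output, the string
# client identifier is made up
MAC_A = bytes.fromhex("005056a00b3a")
MAC_B = bytes.fromhex("f025b708339d")
SAMPLE_WITH_OPTION61 = build_dhcp_request(MAC_A, [(OPT_MESSAGE_TYPE, b"\x01"),
                                                  (OPT_CLIENT_ID, b"\x01" + MAC_A)])
SAMPLE_STRING_CLIENT_ID = build_dhcp_request(MAC_A, [(OPT_MESSAGE_TYPE, b"\x03"),
                                                     (OPT_PAD, None),
                                                     (OPT_CLIENT_ID, b"\x00host-1")])
SAMPLE_NO_OPTION61 = build_dhcp_request(MAC_B, [(OPT_MESSAGE_TYPE, b"\x01")])

if __name__ == "__main__":
    for pkt in (SAMPLE_WITH_OPTION61, SAMPLE_STRING_CLIENT_ID, SAMPLE_NO_OPTION61):
        print(persistence_key(pkt), PERSIST_TTL)
```

Because the key format matches the RADIUS iRule's upper-case hyphenated MAC, a DHCP request relayed to the profiling virtual server lands on the persistence record the endpoint's RADIUS session already created, which is the behaviour the deck relies on when it enables Match Across Services between the two.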

Optional: Configure iRule for DHCP Profiling Persistence
Local Traffic > iRules > iRule List

• Alternative to basic Source Address-based persistence
• Sample iRule based on client MAC address parsed from DHCP Request packets
• Allows DHCP for given endpoint to persist to same PSN serving RADIUS for same endpoint
• Recommend copy and paste working iRule into text area.

Optional: Configure Persistence Profile for Profiling
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for DHCP Profiling and RADIUS, then enable Match Across Virtual Servers. (Recommend use same IP address)
• Specify DHCP Persistence iRule
• iRule persistence timer overrides profile setting.

Configure Server Pool for DHCP Profiling
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor
  o If PSN not configured for User Services (RADIUS auth), then can use default gateway_icmp monitor.
• Action on Service Down = Reselect
  o Ensures existing connections are moved to an alternate server.

Configure Member Nodes in DHCP Profiling Pool
Local Traffic > Pools > Members

• Load Balancing Method = Round Robin
• Server Port = 67 (DHCP Server)

Configure Server Pool for SNMP Trap Profiling
Local Traffic > Pools

• Same settings as DHCP Profiling Pool except members configured for UDP Port 162.

Configure Virtual Server for DHCP Profiling (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Can be same as RADIUS Virtual IP or unique IP. Be sure to configure DHCP Relays / IP Helpers to point to this IP address
• Service Port = 67

Configure Virtual Server for DHCP Profiling (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• Optional: Limit traffic to specific VLAN(s)

Configure Virtual Server for DHCP Profiling (Resources)
Local Traffic > Virtual Servers > Resources

• Default Pool = DHCP Profiling Pool
• Default Persistence Profile = Persistence Profile based on Source Address Affinity, OR DHCP persistence profile
  o If persistence profile based on Source Address Affinity (source_addr), recommend create new profile to allow custom timers and "Match Across" settings. Example: profiling_source_addr
• Fallback Persistence Profile:
  o DHCP iRule setting overrides value set here.
  o If not configured in iRule, set optional value here.

Configure Virtual Server for SNMP Trap Profiling
Local Traffic > Virtual Servers

• Same settings as DHCP Profiling Virtual Server but different service port and pool. Additionally, Default Persistence Profile should be based on Source Address Affinity (NAD IP address).

Load Balancing ISE Web Services

F5 LTM Configuration Components for HTTP/S LB

• TCP Profile
• Persistence Profile
• Virtual Server
• Health Monitor
• Pool List
• Member Nodes

Configure HTTPS Health Monitor
Local Traffic > Monitors

• Configure Send and Receive Strings appropriate to ISE version
• Set UserName and Password to any value (does not have to be valid user account)
• Alias Service Port = Portal Port configured in ISE

HTTPS Health Monitor Examples
Local Traffic > Monitors

• ISE 1.2 Example
  o Send String: GET /sponsorportal/
  o Receive String: HTTP/1.1 200 OK

• ISE 1.3+ Example
  o Send String: GET /sponsorportal/PortalSetup.action?portal=Sponsor%20Portal%20%28default%29
  o Receive String: HTTP/1.1 200 OK

Optional: Configure TCP Profile for HTTPS
Local Traffic > Profiles > Protocol > TCP

• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent TCP profile

Configure Persistence Profile for HTTPS
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for Web Services, then enable Match Across Virtual Servers
  o Generally recommend use same VIP address for all portals
• Timeout = Persistence timer
  o Value of 1200 seconds = 20 minutes (default Sponsor Portal idle timeout setting in ISE)

Configure Server Pool for Web Services
Local Traffic > Pools > Pool List

• Health Monitor = HTTPS Monitor
• Action on Service Down = None

Configure Member Nodes in Web Services Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
  o Least Connections (node)
  o Least Connections (member)
  o Fastest (application)
• Server Port = 0 (all ports)

Configure Virtual Server for Web Portals (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Web Portal Virtual IP
• Service Port = Web Portal Port configured in ISE (default 8443)

Configure Virtual Server for HTTPS Portals (Advanced)
Local Traffic > Virtual Servers

• Protocol = TCP
• Protocol Profile = tcp or custom TCP profile
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation (SNAT)
  o Single PSN interface: None
  o Dedicated PSN interface (ISE 1.2): Auto Map
  o Dedicated PSN interface (ISE 1.3): None or Auto Map

Configure Virtual Server for HTTPS Portals (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources

• Default Pool = Web Portals Pool
• Default Persistence Profile = HTTPS persistence profile
• Fallback Persistence Profile: Not required

Configure Virtual Server for Web Portals on TCP/443
Local Traffic > Virtual Servers > Virtual Server List

• Virtual Server used to forward web traffic sent to portal FQDN on default HTTPS port 443
  o PSNs will automatically redirect traffic to FQDN to specific portal port / URL.
• Service Port = 443 (HTTPS)
  o Default HTTPS port used in initial portal request by end user.
• All other Virtual Server settings the same as the port-specific Virtual Server (Example: ise_https8443_portals)

Configure Virtual Server for Web Portals on TCP/80
Local Traffic > Virtual Servers > Virtual Server List

• Virtual Server used to forward web traffic sent to portal FQDN on default HTTP port 80
  o PSNs will automatically redirect traffic to FQDN to specific portal port / URL.
• Service Port = 80 (HTTP)
  o Default HTTP port used in initial portal request by end user.
• All other Virtual Server settings the same as the port-specific Virtual Server (Example: ise_https8443_portals)

Configure Virtual Server for Web Portals on TCP/80
Optional HTTP -> HTTPS Redirect by F5 LTM

To configure F5 LTM to perform automatic HTTP to HTTPS redirect instead of PSNs:
• Configure new http profile under Profiles > Services > HTTP using default settings
• Configure new http class under Profiles > Protocol > HTTP Class. Under Actions, set redirect URL.
• Under Virtual Server for HTTP (TCP/80):
  o Specify HTTP Profile under Advanced Configuration
  o Specify new HTTP Class under Resources > HTTP Class Profiles.

Virtual Server List

Server Pool List

Thank You