
Configuring F5 LTM for Load Balancing Cisco Identity Services Engine (ISE)

Craig Hyps
Principal Technical Marketing Engineer, Cisco Systems

• Cisco Communities: https://communities.cisco.com/docs/DOC-64434
• Cisco and F5 Deployment Guide: ISE Load Balancing using BIG-IP: https://communities.cisco.com/docs/DOC-68198
• Linked from the F5 website under Cisco Alliance page > White Papers: https://f5.com/solutions/technology-alliances/cisco

F5 LTM-Cisco ISE Config © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Forwarding Non-LB Traffic

[Figure: High-Level Load Balancing Diagram. End User/Device -> Network Access Device (NAS) -> F5 LTM (RADIUS VIP 10.1.99.50) -> ISE-PSN-1, ISE-PSN-2, ISE-PSN-3. Also shown: ISE-PAN-1, ISE-PAN-2, ISE-MNT-1, ISE-MNT-2; VLAN 98 and VLAN 99; external services DNS, NTP, SMTP, Logger, MDM, AD/LDAP.]

Non-LB Traffic that Requires IP Forwarding
Inter-node / Management / Repository / ID Stores / Feeds / Profiling / Redirected Web / RADIUS CoA
• PAN/MnT node communications.
• All management traffic to/from the PSN real IP addresses such as HTTPS, SSH, SNMP, NTP, DNS, SMTP, Syslog, and REST/ERS API communications.
• Repository and file management access initiated from the PSN, including FTP, SFTP, SCP, NFS, TFTP, HTTP, and HTTPS.
• All external AAA-related traffic to/from the PSN real IP addresses such as AD, LDAP, RSA, external RADIUS servers (token or foreign proxy), MDM, and external CA communications (CRL downloads, OCSP checks, SCEP proxy).
• All service-related traffic to/from the PSN real IP addresses such as Posture and Profiler Feed Services, partner MDM integration, and pxGrid.
• Client traffic to/from the PSN real IP addresses resulting from Profiler probes (NMAP, SNMP queries) and URL redirection such as CWA, DRW/Hotspot, Posture, and Client Provisioning.
• RADIUS CoA from PSNs to network access devices.
This traffic is addressed to, or sourced from, a specific PSN rather than a VIP, so the LTM must simply route it (the forwarding virtual servers that follow). CoA is the one case that is additionally source-translated to the RADIUS VIP so that NADs accept it.

Virtual Server to Forward General Inbound IP Traffic
General Properties
• Applies to connections initiated from the outside (external) network toward PSN real IP addresses.
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0), or limit to a specific network.
• Destination = PSN Network Addresses
• Service Port = 0 (All Ports)
• Availability = Unknown (no service validation via health monitors)
Configuration (Advanced)
• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT
A forwarding virtual server has no pool and no monitor; it is a routing rule. Scope Source, Destination, and the ingress VLAN as tightly as the traffic list above allows rather than accepting 0.0.0.0/0 on every VLAN, so the LTM does not become an unrestricted router between the external and PSN networks.

Virtual Server to Forward General Outbound IP Traffic
General Properties
• Applies to connections initiated from the PSN (internal) network.
• Type = Forwarding (IP)
• Source = PSN Network Addresses
• Destination = All traffic (0.0.0.0/0), or limit to a specific network.
• Service Port = 0 (All Ports)
• Availability = Unknown (no service validation via health monitors)
Configuration (Advanced)
• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT
This is the return path for every PSN-initiated flow in the non-LB list (AD/LDAP, repositories, feeds, syslog) and for PSN replies when the LTM is the PSN default gateway; it carries the PSN real IP unchanged, which is what the identity stores and the MnT logger expect to see.

[Figure: Example Inbound / Outbound IP Forwarding Servers (Virtual Server List showing the two forwarding virtual servers).]

Load Balancing RADIUS

F5 LTM Configuration Components for RADIUS LB
Separate virtual servers are built for RADIUS Auth, RADIUS Acct, and RADIUS CoA from these components:
• Health Monitor
• UDP Profile
• RADIUS Profile
• iRule (Persistence)
• Persistence Profile
• Pool List and Member Nodes
• Virtual Server
• SNAT Pool and Virtual Server (CoA)

RADIUS Health Monitors
Load Balancer Probes Determine RADIUS Server Health Status
• The BIG-IP LTM RADIUS monitor has two key timer settings:
o Interval = probe frequency (default = 10 sec)
o Timeout = total time before the monitor fails (default = 31 seconds)
Timeout = (3 * Interval) + 1, so four health checks are attempted before declaring a node failure.
• Timers: set low enough to ensure efficient failover but long enough to avoid excessive probing (AAA load). Start with the defaults, then tune to the network.
• User Account: if a valid user account is to be used for the monitor, be sure to configure the user in ISE or the external ID store with limited/no network access privileges. The probe password and shared secret appear in the saved BIG-IP configuration (as below), so treat the probe account as a low-value credential that can be rotated without impact.

Sample LTM RADIUS Health Monitor Config:

    ltm monitor radius /Common/radius_1812 {
        debug no
        defaults-from /Common/radius
        destination *:1812
        interval 10
        password P@$$w0rd
        secret P@$$w0rd
        time-until-up 0
        timeout 31
        username f5-probe
    }

Configure RADIUS Health Monitor
Local Traffic > Monitors
• The same monitor can be leveraged for RADIUS Auth, Accounting, and Profiling to reduce probe load for multiple services.
• Be sure the BIG-IP LTM is configured as a network access device (NAD) in ISE with the same shared secret as the monitor. Probes are sourced from the self IP of each BIG-IP unit (register both units of an HA pair); ISE silently drops RADIUS from an unknown NAD, so an unregistered self IP marks every PSN down.

Optional: Configure UDP Profile for RADIUS
Local Traffic > Profiles > Protocol > UDP
• Start with the default Idle Timeout.
• Using a custom profile allows tuning later if needed without impacting other services based on the same parent UDP profile.
• Disable Datagram LB, so that retransmits and the remaining datagrams of an exchange follow the persistence decision of the first packet instead of being balanced per datagram.

Optional: Configure RADIUS Profile
Local Traffic > Profiles > Services > RADIUS
• Start with the default settings.
• Using a custom profile allows tuning later if needed without impacting other services based on the same parent radiusLB profile.

Configure iRule for RADIUS Persistence
Local Traffic > iRules > iRule List
• Recommend an iRule based on the client MAC address.
• RADIUS Attribute/Value Pair 31 = Calling-Station-Id.
• Recommend copy and paste of a working iRule into the text area.

F5 iRule Editor (For Your Reference)
https://devcentral.f5.com/d/tag/irules%20editor
• Manage iRules and config files
• Syntax checker
• Generate HTTP traffic
• Quick links to tech resources

Configuring RADIUS Persistence
RADIUS Profile Example
• RADIUS sticky on Calling-Station-Id (client MAC address) via persist-avp 31.
• Simple option, but it does not support advanced logging and the other enhanced parsing options of an iRule (fallback to NAS-IP-Address when the attribute is missing, media-specific timeouts).
• The profile must be applied to a Standard Virtual Server based on the UDP protocol.

    ltm profile radius /Common/radiusLB {
        app-service none
        clients none
        persist-avp 31
        subscriber-aware disabled
        subscriber-id-type 3gpp-imsi
    }

iRule for RADIUS Persistence Based on Client MAC
Persistence based on Calling-Station-Id (MAC address) with fallback to NAS-IP-Address
• iRule assigned to a Persistence Profile; Persistence Profile assigned to the Virtual Server under the Resources section.
• Optional debug logging: enable for troubleshooting only, to reduce processing load.
• Configurable persistence timeout based on media type (NAS-Port-Type, AVP 61):
o Wireless default = 1 hour
o Wired default = 8 hours
• The iRule normalizes case only. Calling-Station-Id delimiter formats differ between NAD vendors (aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff). Auth and Accounting from the same NAD always agree, so RADIUS persistence works regardless; extend the normalization only if the key must also match a DHCP persistence key built from Option 61 across mixed NAD vendors.

    when CLIENT_ACCEPTED {
        # 0: No Debug Logging  1: Debug Logging
        set debug 0

        # Persist timeout (seconds), selected by media type (NAS-Port-Type, AVP 61)
        set nas_port_type [RADIUS::avp 61 "integer"]
        if {$nas_port_type equals "19"} {
            # 19 = Wireless-802.11: default 1 hour
            set persist_ttl 3600
            if {$debug} {set access_media "Wireless"}
        } else {
            # Wired default: 8 hours
            set persist_ttl 28800
            if {$debug} {set access_media "Wired"}
        }

        if {[RADIUS::avp 31] ne ""} {
            set mac [RADIUS::avp 31 "string"]
            # Normalize MAC address to upper case
            set mac_up [string toupper $mac]
            persist uie $mac_up $persist_ttl
            if {$debug} {
                set target [persist lookup uie $mac_up]
                log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
            }
        } else {
            # No Calling-Station-Id: persist on the NAD address instead
            set nas_ip [RADIUS::avp 4 ip4]
            persist uie $nas_ip $persist_ttl
            if {$debug} {
                set target [persist lookup uie "$nas_ip any virtual"]
                log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
            }
        }
    }
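The persistence decision the iRule above makes, modelled in Python as an added example (this is not code from the Cisco deck or from F5). It parses a RADIUS packet laid out per RFC 2865, pulls Calling-Station-Id (AVP 31), NAS-IP-Address (AVP 4) and NAS-Port-Type (AVP 61), and derives the same key and TTL the iRule would. It goes one step beyond the iRule: normalize_mac also strips delimiters, so a NAD reporting "F0:25:B7:08:33:9D" and one reporting "f0-25-b7-08-33-9d" produce the same key in the iRule's hyphenated upper-case form. The sample packets, user names and the NAD address 10.1.99.2 are constructed for the example.

```python
"""Model of the RADIUS persistence-key selection performed by the iRule."""
import re
import struct
from ipaddress import IPv4Address

USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 4, 31, 61
WIRELESS_80211 = 19        # NAS-Port-Type value for Wireless-802.11 (RFC 2865)
ETHERNET = 15              # NAS-Port-Type value for Ethernet
TTL_WIRELESS = 3600        # 1 hour, as in the iRule
TTL_WIRED = 28800          # 8 hours, as in the iRule


def parse_radius_attributes(packet: bytes) -> dict:
    """Return {type: value} for the first occurrence of each AVP.

    Header: Code(1) Identifier(1) Length(2) Authenticator(16); then AVPs of
    Type(1) Length(1, counts the 2 header bytes) Value.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        avp_type, avp_len = packet[pos], packet[pos + 1]
        if avp_len < 2 or pos + avp_len > length:
            raise ValueError("malformed AVP")
        attrs.setdefault(avp_type, packet[pos + 2:pos + avp_len])
        pos += avp_len
    return attrs


def normalize_mac(raw: str) -> str:
    """'f0:25:b7:08:33:9d' or 'f025.b708.339d' -> 'F0-25-B7-08-33-9D'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def radius_persistence_key(packet: bytes) -> tuple:
    """Return (key, ttl_seconds, media) exactly as the iRule would persist."""
    attrs = parse_radius_attributes(packet)
    port_type = None
    if NAS_PORT_TYPE in attrs:
        port_type = struct.unpack("!I", attrs[NAS_PORT_TYPE])[0]
    if port_type == WIRELESS_80211:
        ttl, media = TTL_WIRELESS, "Wireless"
    else:
        ttl, media = TTL_WIRED, "Wired"
    if attrs.get(CALLING_STATION_ID):                    # iRule: [RADIUS::avp 31] ne ""
        return normalize_mac(attrs[CALLING_STATION_ID].decode("ascii")), ttl, media
    if NAS_IP_ADDRESS not in attrs:
        raise ValueError("neither Calling-Station-Id nor NAS-IP-Address present")
    return str(IPv4Address(attrs[NAS_IP_ADDRESS])), ttl, media   # fallback on NAD IP


def build_request(code: int, avps: list) -> bytes:
    """Constructed packet (code 1 = Access-Request, 4 = Accounting-Request);
    the 16-byte authenticator is zeroed because only attribute parsing is modelled."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", code, 7, 20 + len(body)) + bytes(16) + body


NAD = IPv4Address("10.1.99.2").packed          # constructed NAD address
WIRELESS_AUTH = build_request(1, [             # Access-Request, hyphenated MAC
    (USER_NAME, b"alice"), (NAS_IP_ADDRESS, NAD),
    (CALLING_STATION_ID, b"f0-25-b7-08-33-9d"),
    (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))])
WIRELESS_ACCT = build_request(4, [             # Accounting-Request, colon-delimited MAC
    (NAS_IP_ADDRESS, NAD), (CALLING_STATION_ID, b"F0:25:B7:08:33:9D"),
    (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))])
NO_MAC = build_request(1, [                    # wired request with no AVP 31
    (USER_NAME, b"bob"), (NAS_IP_ADDRESS, NAD),
    (NAS_PORT_TYPE, struct.pack("!I", ETHERNET))])

if __name__ == "__main__":
    for name, pkt in ("auth", WIRELESS_AUTH), ("acct", WIRELESS_ACCT), ("no-mac", NO_MAC):
        print(name, radius_persistence_key(pkt))
```

Auth and Accounting for the endpoint resolve to the same key, which is what lets Match Across Services keep both on one PSN; the wired request without a MAC falls back to the NAD address, so every session from that NAD shares one PSN for the wired TTL.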

Configure Persistence Profile for RADIUS
Local Traffic > Profiles > Persistence
• Type = Universal, with the RADIUS persistence iRule specified.
• Enable Match Across Services, so the record created by an Access-Request on the Auth virtual server is reused by Accounting-Requests on the same VIP.
• If different Virtual Server IP addresses are used for RADIUS Auth and Accounting, then enable Match Across Virtual Servers (not recommended; use one VIP).
• The iRule persistence timer (the timeout passed to persist uie) overrides the profile timeout setting.

Configure Server Pool for RADIUS Auth
Local Traffic > Pools > Pool List
• Health Monitor = RADIUS Monitor
• SNAT = No
• Action on Service Down = Reselect: ensures existing connections are moved to an alternate server.

Configure Member Nodes in RADIUS Auth Pool
Local Traffic > Pools > Pool List > Members
• Load Balancing Method options:
o Least Connections (node)
o Least Connections (member)
• Server Port: 1812 or 1645

Configure Server Pool for RADIUS Accounting
Local Traffic > Pools > Pool List
• Health Monitor = RADIUS Monitor (same monitor used for RADIUS Auth)
• SNAT = No
• Action on Service Down = Reselect: ensures existing connections are moved to an alternate server.

Configure Member Nodes in RADIUS Accounting Pool
Local Traffic > Pools > Pool List > Members
• Load Balancing Method options:
o Least Connections (node)
o Least Connections (member)
o Fastest (application)
• Server Port: 1813 or 1646

Configure Virtual Server for RADIUS Auth (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or a specific network address.
• Destination = RADIUS Virtual IP
• Service Port = 1812 or 1645

Configure Virtual Server for RADIUS Auth (Advanced)
Local Traffic > Virtual Servers
• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• RADIUS Profile = radiusLB or custom RADIUS profile
• Optional: limit traffic to specific VLAN(s)
• SNAT = None. The PSN must see the NAD's real source address: ISE matches the request to its network device definition and shared secret by that address and uses it as the CoA target. Without SNAT the PSN's reply is sourced from the PSN real IP, so the PSN's return path must run through the LTM (LTM as PSN default gateway, or the forwarding virtual servers on that path); a reply that bypasses the LTM reaches the NAD from the PSN real IP instead of the VIP and is not accepted.

Configure Virtual Server for RADIUS Auth (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources
• Default Pool = RADIUS Auth Pool
• Default Persistence Profile = RADIUS persistence profile
• Fallback Persistence Profile:
o The RADIUS iRule setting overrides the value set here.
o If not configured in the iRule, set an optional value here. Example: radius_source_addr
o Recommend creating a new persistence profile based on Source Address Affinity to allow custom timers and match settings.

Configure Virtual Server for RADIUS Accounting
Local Traffic > Virtual Servers > Virtual Server List
• Same settings as the RADIUS Auth Virtual Server, but with a different service port (1813 or 1646) and the RADIUS Accounting pool; same RADIUS VIP.

Configure SNAT Pool List for RADIUS CoA
Local Traffic > Address Translation > SNAT Pool List
• CoA traffic is initiated by the PSN to NADs on UDP/1700.
• Define a SNAT Pool List with the RADIUS Server Virtual IP as the pool member.

Configure Virtual Server to SNAT RADIUS CoA (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• CoA traffic is initiated by the PSN to NADs on UDP/1700.
• Type = Standard
• Source = PSN Network
• Destination = 0.0.0.0/0 (all hosts), or the specific network(s) containing the NADs.
• Service Port = 1700
Configuration (Advanced)
• Protocol = UDP
• Optional: limit traffic to specific VLAN(s)
• Source Address Translation = SNAT
• SNAT Pool = CoA SNAT Pool List
• Resources = None (no pool; the packet is sent on to its original destination with the VIP as source)
NADs accept CoA only from the addresses configured as dynamic authorization clients, which in a load-balanced design is the RADIUS VIP rather than each PSN real IP; this virtual server is what makes a CoA from any PSN appear to come from the VIP. The CoA ACK/NAK from the NAD returns to the VIP and is translated back to the originating PSN by the LTM connection table.

Load Balancing ISE Profiling

F5 LTM Configuration Components for Profiling LB
• UDP Profile
• iRule (Persistence)
• Persistence Profile
• Pool List and Member Nodes
• Virtual Server

Configure UDP Profile for Profiling
Local Traffic > Profiles > Protocol > UDP
• Set Idle Timeout to Immediate. Profiling traffic from DHCP relays and SNMP traps consists of one-way flows to the PSNs; no response is sent to these packets, so there is no reason to hold a connection entry open after the datagram is delivered.
• Be sure to create a new UDP profile so these settings are applied only to Profiling.
• Using a custom profile allows tuning later if needed without impacting other services based on the same parent UDP profile.
• Disable Datagram LB.

iRule for DHCP Persistence Based on Client MAC
Persistence based on DHCP Option 61, Client Identifier (MAC address)
• iRule assigned to a Persistence Profile; Persistence Profile assigned to the Virtual Server under the Resources section.
• Optional debug logging: enable for troubleshooting only, to reduce processing load.
• Configurable persistence timeout.
Note: the listing is an excerpt only, not the complete iRule. The option loop that walks the options area and the definition of $log_prefix_d are omitted.

    when CLIENT_ACCEPTED priority 100 {
        # Rule Name and Version shown in the log
        set static::RULE_NAME "Simple DHCP Parser v0.3"
        set static::RULE_ID "dhcp_parser"

        # 0: No Debug Logging  1: Debug Logging (set to 1 only while troubleshooting)
        set static::debug 0

        # Persist timeout (seconds)
        set static::persist_ttl 7200

        # ... option loop omitted: it walks $dhcp_option_payload (the options
        # area as a hex string), setting $i to the offset of the current
        # option, $option to its code and $length to its length ...

        # extract value field in hexadecimal format
        binary scan $dhcp_option_payload x[expr $i + 2]a[expr { $length * 2 }] value_hex
        set value ""
        switch $option {
            61 {
                # Client Identifier: first byte is the hardware type, the rest is the ID
                binary scan $value_hex a2a* ht id
                switch $ht {
                    01 {
                        # Ethernet: normalize to AA-BB-CC-DD-EE-FF, upper case,
                        # to match the RADIUS Calling-Station-Id persistence key
                        binary scan $id a2a2a2a2a2a2 m(a) m(b) m(c) m(d) m(e) m(f)
                        set value [string toupper "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"]
                    }
                    default { set value "$id" }
                }
                persist uie $value $static::persist_ttl
                if {$static::debug} {
                    log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME completed ***** OPTION61=$value TARGET=[persist lookup uie "$value any virtual"]"
                }
            }
        }
    }

iRule for DHCP Persistence – Sample Debug Output

    Sat Sep 27 13:39:45 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 executed *****
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) BOOTP: 0.0.0.0 00:50:56:a0:0b:3a
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 completed ***** MAC=00-50-56-a0-0b-3a Normal MAC=00-50-56-A0-0B-3A TARGET=
    Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443] Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug) ***** iRule: Simple DHCP Parser v0.3 completed ***** MAC=f0-25-b7-08-33-9d Normal MAC=F0-25-B7-08-33-9D TARGET=

An empty TARGET means no persistence record existed yet for that key when the lookup ran; the next datagram with the same key shows the selected pool member.

Optional: Configure iRule for DHCP Profiling Persistence
Local Traffic > iRules > iRule List
• Alternative to basic Source Address-based persistence, which keys on the DHCP relay (NAD) address and therefore sends every endpoint behind one relay to the same PSN.
• Sample iRule based on the client MAC address parsed from DHCP Request packets (Option 61, Client Identifier).
• Allows DHCP for a given endpoint to persist to the same PSN serving RADIUS for that endpoint, so the profiler collects the RADIUS and DHCP attributes for the endpoint on one node.
• Recommend copy and paste of a working iRule into the text area.
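The Option 61 parsing the excerpt above performs, as an added example in Python (not the deck's iRule and not Cisco or F5 code). It walks the DHCP options area, handles the pad and end options and a truncated option, and returns the persistence key in the iRule's AA-BB-CC-DD-EE-FF form for an Ethernet client identifier or the raw hex for other identifier types. Falling back to the chaddr field when Option 61 is absent is an assumption of this example; the deck's fallback is the Source Address Affinity profile. The DHCPREQUEST messages, MAC 00:50:56:a0:0b:3a and identifier "host-42" are constructed.

```python
"""DHCP Option 61 (Client Identifier) parser modelling the DHCP persistence iRule."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255
DHCPREQUEST = 3


def parse_options(payload: bytes) -> dict:
    """Return {code: value} for the options area (starting with the magic cookie)."""
    if payload[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:                  # single-byte option, no length
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of packet")
        opts.setdefault(code, value)
        i += 2 + length
    return opts


def format_mac(raw: bytes) -> str:
    """b'\\x00\\x50\\x56\\xa0\\x0b\\x3a' -> '00-50-56-A0-0B-3A' (the iRule's key form)."""
    return "-".join(f"{b:02X}" for b in raw)


def dhcp_persistence_key(packet: bytes) -> str:
    """Key to persist on, from Option 61 with an (assumed) chaddr fallback."""
    # Fixed BOOTP header is 236 bytes: op, htype, hlen, hops, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    if len(packet) < 240:
        raise ValueError("packet shorter than BOOTP header plus magic cookie")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen]
    opts = parse_options(packet[236:])
    cid = opts.get(OPT_CLIENT_ID)
    if cid and len(cid) >= 2:
        hw_type, ident = cid[0], cid[1:]
        if hw_type == 1 and len(ident) == 6:  # type 1 = Ethernet hardware address
            return format_mac(ident)
        return ident.hex().upper()            # other identifier types: raw hex
    return format_mac(chaddr)                 # assumed fallback when Option 61 is absent


def build_dhcp_request(mac: bytes, client_id: bytes = None, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPREQUEST for testing; no real capture is used."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4),
                         mac.ljust(16, b"\x00"), bytes(64), bytes(128))
    options = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    if client_id is not None:
        options += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    options += bytes([OPT_END])
    return header + options


MAC = bytes.fromhex("005056a00b3a")                       # constructed endpoint MAC
WITH_OPT61 = build_dhcp_request(MAC, b"\x01" + MAC)       # Ethernet-type client identifier
NON_MAC_ID = build_dhcp_request(MAC, b"\x00" + b"host-42")  # type 0 = opaque identifier
NO_OPT61 = build_dhcp_request(MAC)                        # client omits Option 61

if __name__ == "__main__":
    for name, pkt in ("opt61", WITH_OPT61), ("opaque", NON_MAC_ID), ("none", NO_OPT61):
        print(name, dhcp_persistence_key(pkt))
```

Because the key is produced in the same upper-case hyphenated form the RADIUS iRule uses for a Cisco NAD's Calling-Station-Id, a persistence profile with Match Across Services (or Match Across Virtual Servers, if the DHCP VIP differs) lands the endpoint's DHCP on the PSN that already holds its RADIUS session.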

Optional: Configure Persistence Profile for Profiling
Local Traffic > Profiles > Persistence
• Enable Match Across Services.
• If different Virtual Server IP addresses are used for DHCP Profiling and RADIUS, then enable Match Across Virtual Servers. (Recommend using the same IP address.)
• Specify the DHCP Persistence iRule.
• The iRule persistence timer overrides the profile setting.

Configure Server Pool for DHCP Profiling
Local Traffic > Pools > Pool List
• Health Monitor = RADIUS Monitor
• If the PSN is not configured for Session Services (RADIUS authentication), then use the default gateway_icmp monitor. ICMP only proves the node is reachable, not that the profiler service is listening.
• Action on Service Down = Reselect: ensures existing connections are moved to an alternate server.

Configure Member Nodes in DHCP Profiling Pool
Local Traffic > Pools > Members
• Load Balancing Method = Round Robin
• Server Port = 67 (DHCP Server)

Configure Server Pool for SNMP Trap Profiling
Local Traffic > Pools
• Same settings as the DHCP Profiling Pool, except members are configured for UDP port 162.

Configure Virtual Server for DHCP Profiling (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or a specific network address.
• Destination = can be the same as the RADIUS Virtual IP or a unique IP. Be sure to configure DHCP Relays / IP Helpers to point to this IP address, in addition to the real DHCP server: ISE only listens to the relayed copy and never answers it.
• Service Port = 67

Configure Virtual Server for DHCP Profiling (Advanced)
Local Traffic > Virtual Servers
• Protocol = UDP
• Protocol Profile = udp or the custom Profiling UDP profile
• Optional: limit traffic to specific VLAN(s)

Configure Virtual Server for DHCP Profiling (Resources)
Local Traffic > Virtual Servers > Resources
• Default Pool = DHCP Profiling Pool
• Default Persistence Profile = persistence profile based on Source Address Affinity, or the DHCP persistence profile
• Fallback Persistence Profile:
o The DHCP iRule setting overrides the value set here.
o If not configured in the iRule, set an optional value here. Example: profiling_source_addr
• If the persistence profile is based on Source Address Affinity (source_addr), recommend creating a new profile to allow custom timers and "Match Across" settings.

Configure Virtual Server for SNMP Trap Profiling
Local Traffic > Virtual Servers
• Same settings as the DHCP Profiling Virtual Server, but with a different service port (162) and the SNMP Trap pool.
• The Default Persistence Profile should be based on Source Address Affinity (NAD IP address); a trap carries no per-endpoint identifier to parse, so the NAD address is the only usable key.

Load Balancing ISE Web Services

F5 LTM Configuration Components for HTTP/S LB
• TCP Profile
• Persistence Profile
• Health Monitor
• Pool List and Member Nodes
• Virtual Server

Configure HTTPS Health Monitor
Local Traffic > Monitors

• Configure Send and Receive Strings appropriate to the ISE version
• Set UserName and Password to any value (does not have to be a valid user account; the portal page probed is served before login)
• Alias Service Port = Portal Port configured in ISE
• Validate the pair by hand before relying on it: request the same path from a PSN (for example with curl -k -v against port 8443) and confirm the status line is exactly HTTP/1.1 200 OK. A 302 redirect, or a portal not enabled on that node, fails the Receive String and marks the member down even though the node is healthy.


HTTPS Health Monitor Examples
Local Traffic > Monitors

• ISE 1.2 Example
• Send String: GET /sponsorportal/
• Receive String: HTTP/1.1 200 OK

• ISE 1.3+ Example
• Send String:
GET /sponsorportal/PortalSetup.action?portal=Sponsor%20Portal%20%28default%29
• Receive String: HTTP/1.1 200 OK

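A hand-run equivalent of the HTTPS monitor, as an added example (not from the deck, Cisco or F5) for checking a Send/Receive String pair against one PSN before it controls pool membership. The deck's Send Strings carry no HTTP version or Host header; this helper sends a complete HTTP/1.1 request instead, which is an assumption of the example, and, like the monitor, does not validate the PSN certificate. The probe() function needs network access; the pass/fail rule in evaluate() is exercised offline on two constructed replies, and the host name ise-psn-1 is illustrative.

```python
"""Emulate the BIG-IP HTTPS monitor: send the Send String, look for the Receive String."""
import socket
import ssl

SPONSOR_PORTAL_13 = "/sponsorportal/PortalSetup.action?portal=Sponsor%20Portal%20%28default%29"
RECEIVE_STRING = b"HTTP/1.1 200 OK"


def monitor_send_string(path: str, host: str) -> bytes:
    """Request sent to the PSN (assumed HTTP/1.1 form with Host and Connection: close)."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def evaluate(response: bytes, receive_string: bytes = RECEIVE_STRING) -> dict:
    """Monitor rule: the member is up if the Receive String appears anywhere in the reply."""
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return {"up": receive_string in response, "status_line": status_line}


def probe(host: str, port: int = 8443, path: str = SPONSOR_PORTAL_13,
          receive_string: bytes = RECEIVE_STRING, timeout: float = 5.0) -> dict:
    """Live probe of one PSN; certificate checks are disabled as in the default monitor."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(monitor_send_string(path, host))
            reply = b""
            while len(reply) < 4096:            # headers are all the rule needs
                chunk = tls.recv(4096)
                if not chunk:
                    break
                reply += chunk
    return evaluate(reply, receive_string)


# Constructed replies (no PSN contacted). The redirect is the usual way a portal
# that looks fine in a browser still fails the monitor and takes the member down.
OK_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>sponsor login</html>"
REDIRECT_REPLY = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://ise-psn-1:8443/sponsorportal/PortalSetup.action\r\n\r\n")

if __name__ == "__main__":
    print(evaluate(OK_REPLY))
    print(evaluate(REDIRECT_REPLY))
    # print(probe("ise-psn-1"))   # run against a real PSN to test the pair
```

Run probe() once per PSN from a host on the same side as the LTM self IP; if a node answers 302 while the others answer 200, the portal is usually not enabled on that node or the path differs by version, and that is what to fix rather than loosening the Receive String.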

Optional: Configure TCP Profile for HTTPS
Local Traffic > Profiles > Protocol > TCP
• Start with the default Idle Timeout.
• Using a custom profile allows tuning later if needed without impacting other services based on the same parent TCP profile.

Configure Persistence Profile for HTTPS
Local Traffic > Profiles > Persistence
• Enable Match Across Services.
• If different Virtual Server IP addresses are used for Web Services, then enable Match Across Virtual Servers. Generally recommend using the same VIP address for all portals.
• Timeout = persistence timer. A value of 1200 seconds = 20 minutes (the default Sponsor Portal idle timeout setting in ISE). An LTM timer shorter than the portal session timeout would move a live session to a PSN that does not hold it.

Configure Server Pool for Web Services
Local Traffic > Pools > Pool List
• Health Monitor = HTTPS Monitor
• Action on Service Down = None

Configure Member Nodes in Web Services Pool
Local Traffic > Pools > Pool List > Members
• Load Balancing Method options:
o Least Connections (node)
o Least Connections (member)
o Fastest (application)
• Server Port = 0 (all ports), so one pool serves the 8443, 443 and 80 virtual servers and the port the client used is carried through to the PSN.

0.0/0 (all hosts) or specific network address.0.Configure Virtual Server for Web Portals (Properties) Local Traffic > Virtual Servers > Virtual Server List • Type = Standard • Source = 0. Cisco Public 57 . • Destination = Web Portal Virtual IP • Service Port = Web Portal Port configured in ISE (default 8443) F5 LTM-Cisco ISE Config © 2017 Cisco and/or its affiliates. All rights reserved.

Configure Virtual Server for HTTPS Portals (Advanced)
Local Traffic > Virtual Servers
• Protocol = TCP
• Protocol Profile = tcp or custom TCP profile
• Optional: limit traffic to specific VLAN(s)
• Source Address Translation (SNAT):
o Single PSN interface: None
o Dedicated PSN interface (ISE 1.2): Auto Map
o Dedicated PSN interface (ISE 1.3): None or Auto Map
With Auto Map the PSN sees the LTM self IP as the client, so portal logs and any portal behavior keyed on the client address lose the real source; use None wherever the PSN's return path already runs through the LTM.

Configure Virtual Server for HTTPS Portals (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources
• Default Pool = Web Portals Pool
• Default Persistence Profile = HTTPS persistence profile
• Fallback Persistence Profile: not required

Configure Virtual Server for Web Portals on TCP/443
Local Traffic > Virtual Servers > Virtual Server List
• Virtual Server used to forward web traffic sent to the portal FQDN on the default HTTPS port 443.
• PSNs automatically redirect traffic sent to the FQDN to the specific portal port / URL.
• Service Port = 443 (HTTPS): the default HTTPS port used in the initial portal request by the end user.
• All other Virtual Server settings the same as the port-specific Virtual Server (Example: ise_https8443_portals).

Configure Virtual Server for Web Portals on TCP/80
Local Traffic > Virtual Servers > Virtual Server List
• Virtual Server used to forward web traffic sent to the portal FQDN on the default HTTP port 80.
• PSNs automatically redirect traffic sent to the FQDN to the specific portal port / URL.
• Service Port = 80 (HTTP): the default HTTP port used in the initial portal request by the end user.
• All other Virtual Server settings the same as the port-specific Virtual Server (Example: ise_https8443_portals).

Configure Virtual Server for Web Portals on TCP/80
Optional HTTP -> HTTPS Redirect by F5 LTM
To configure F5 LTM to perform the automatic HTTP to HTTPS redirect instead of the PSNs:
• Configure a new http profile under Profiles > Services > HTTP using the default settings.
• Configure a new http class under Profiles > Protocol > HTTP Class. Under Actions, set the redirect URL.
• Under the Virtual Server for HTTP (TCP/80):
o Specify the HTTP Profile under Advanced Configuration.
o Specify the new HTTP Class under Resources > HTTP Class Profiles.
HTTP Class profiles exist on BIG-IP 10.x and 11.0 through 11.3; on later versions the same redirect is done with a Local Traffic Policy or the built-in _sys_https_redirect iRule on the TCP/80 virtual server. Either way the PSNs no longer see port-80 requests, so the TCP/80 virtual server needs no pool for this traffic.

[Figure: Virtual Server List (screenshot of the completed virtual servers).]

[Figure: Server Pool List (screenshot of the completed pools).]

Thank You