DeployingF5LoadBalancerswithCiscoISE Techalk Security Dec04 2014

ISE 1.
3 F5-ISE Load Balancing

Deep Dive
• Craig Hyps, Cisco Systems, Senior Technical Marketing Engineer
• Faraz Siddiqui, F5 Networks, Solution Architect
• December 4, 2014
Agenda
 Introducing F5 BIG-IP and Cisco ISE Solution Components

 Joint Solution Overview – Deployment Model, Topology, and Traffic Flow
 Configuration Prerequisites (Starting Point for LB Deployment)
 Forwarding Non-LB Traffic
 Load Balancing RADIUS
 Load Balancing Profiling Services
 Load Balancing Web Services
 Global Load Balancing Considerations
 Monitoring and Troubleshooting
 Summary
© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
F5 BIG-IP Solution
Components
F5 BIG-IP Product
Good, Better, Best Platforms
New VIPRION 2200 VIPRION 2400

25M 200M 1Gbps 3Gbps 5Gbps New 10Gbps
2000 series* 4000 series 5000 Series 7000 Series 10000 Series 11000 Series VIPRION 4480 VIPRION 4800
Virtual Physical Hybrid

F5 virtual editions F5 physical ADCs Physical + virtual =
Provide flexible deployment options for High-performance with specialized and hybrid ADC infrastructure
virtual environments and the cloud dedicated hardware Ultimate flexibility and performance
Virtual ADC is best for: Physical ADC is best for: Hybrid ADC is best for:
• Accelerated deployment • Fastest performance • Transitioning from physical to
• Maximizing data center efficiency • Highest scale virtual and private data center to
• Private and public cloud deployments • SSL offload, compression, and DoS mitigation cloud
• Application or tenant-based pods • An all F5 solution: integrated HW+SW • Cloud bursting
• Keeping security close to the app • Edge and front door services • Splitting large workloads
• Lab, test, and QA deployments • Purpose-built isolation for application delivery • Tiered levels of service
workloads
Understanding F5 BIG-IP
Components
Understanding F5 Components
BIG-IP
BIG-IP is the name of the platform produced by
F5, provide Application Delivery Controller (ADC)
functionality. F5 BIG-IP offers virtual, appliance
Virtual Edition Appliance Chassis or chassis form factor
LTM is the Local Traffic Manager, it is a licensed

LTM software module run inside a F5 BIG-IP. LTM
handles server load balancing function.
Virtual Server is the traffic management object

on the BIG-IP system that represented by an IP
address and a service. VIP is configured in the
virtual server
BIG-IP LTM Components: Nodes
A node is a physical or logical

(for example, VMWare) server
in the internal network
A node is represented by the
IP address of the server
172.20.10.1 1 7 2 .2 0 .1 0 .2 1 7 2 .2 0 .1 0 .3 1 7 2 .2 0 .1 0 .4
BIG-IP LTM Components: Pool Members
A pool member is a service running on a node, A node can host multiple pool
represented by the IP address of the node and members
service (port) number
172.20.10.1 1 7 2 .2 0 .1 0 .2 1 7 2 .2 0 .1 0 .3 1 7 2 .2 0 .1 0 .4
1 7 2 .2 0 .1 0 .1 :8 0 1 7 2 .2 0 .1 0 .2 :8 0 1 7 2 .2 0 .1 0 .3 :8 0
1 7 2 .2 0 .1 0 .2 :4 4 3 1 7 2 .2 0 .1 0 .3 :4 4 3 1 7 2 .2 0 .1 0 .4 :4 4 3
BIG-IP LTM Components: Pools
Each pool has its own load

balancing method
A pool is a logical grouping of pool A node can be a member of

members that represents an multiple pools
application
172.20.10.1 1 7 2 .2 0 .1 0 .2 1 7 2 .2 0 .1 0 .3 1 7 2 .2 0 .1 0 .4
1 7 2 .2 0 .1 0 .1 :8 0 1 7 2 .2 0 .1 0 .2 :8 0 1 7 2 .2 0 .1 0 .3 :8 0 8 0
1 7 2 .2 0 .1 0 .2 :4 4 3 1 7 2 .2 0 .1 0 .3 :4 4 3 1 7 2 .2 0 .1 0 .4 :4 4 3
BIG-IP LTM Components: Virtual Servers
NOTE: BIG-IP
NOTE: LTM isvirtual
Multiple a default denycan
servers device; the virtual server Each virtual server will uniquely process
is the most common way allow Arequests
client
reference the same pools, pool members, virtual server is an IP address and
to pass service
client request that match its IP address and
and/ or nodes through (port) combination that listens for client port
requests
10 .2 .2 .10 0 :80 10 .2 .2 .10 0 :4 43
Each virtual server then directs the

10 .2 .2 .2 2 5 :80 80 traffic, usually to an application pool
The virtual server translates the

destination IP address and port to the
selected pool member
172.20.10.1 1 7 2 .2 0 .1 0 .2 1 7 2 .2 0 .1 0 .3 1 7 2 .2 0 .1 0 .4
1 7 2 .2 0 .1 0 .1 :8 0 1 7 2 .2 0 .1 0 .2 :8 0 1 7 2 .2 0 .1 0 .3 :8 0 8 0
1 7 2 .2 0 .1 0 .2 :4 4 3 1 7 2 .2 0 .1 0 .3 :4 4 3 1 7 2 .2 0 .1 0 .4 :4 4 3
Monitors
• A monitor is a test;
• Of a specific application. For an expected response. Within a given
time
• All BIG-IP have to things in common
• Interval
• The time between each check
• Timeout
• The time required for a successful check to be received before BIG-IP
marks the node as unavailable
• BIG-IP LTM can use composite monitors, so it can apply multiple checks
• It can use all or some of the monitors to determine member status
• Monitors can also use reverse logic
• Monitors are served from the Self IP addresses
How Active Monitors Work
BIG-IP LTM continues to

direct traffic to the remaining
pool members while
continuing to monitor the
10.2.2.100:80 10.2.2.100:443
offline pool member or node
Monitors check the status of
a pool member or node on Are you up? When the pool member or
an ongoing basis, at a set Ifnode responds,
a pool memberBIG-IP LTMbeing
or node
interval marks it as available
monitored andrespond
does not starts
directing traffic
within the to the pool
set interval, BIG-IP
LTMmember
marks it offline
172.20.10.1 Yes 172.20.10.2 Yes 172.20.10.3 Yes 172.20.10.4

172.20.10.1:80 172.20.10.2:80 172.20.10.3:8080
172.20.10.2:443 172.20.10.3:443 172.20.10.4:443
What is an iRule?
What are iRules?
• The programming language integrated into

the TMOS® architecture
• iRules work at wire-speed
• Based on the industry standard Tool
Command Language (TCL)
• Provide the ability to intercept, inspect,
transform, direct, and track inbound or
outbound application traffic
• Core of the F5 “secret sauce” and key
differentiator
How do iRules Work?
• Respond to events, such as:
• HTTP_REQUEST
• HTTP_RESPONSE
• CLIENT_ACCEPTED Modified
Requests
HTTP_RESPONSE
HTTP_REQUEST Response
• Enable you to perform deep packet inspection (entire iRule triggered
header and payload) HTTP events fired
• Provide a full scripting language that enables

bidirectional and granular control of: Response
Modified
• Inspection Request
• Alteration
• Delivery of application traffic on a packet-by-packet
basis
Note: The bi-directional proxy capabilities of BIG-IP LTM enable it to inspect,
modify, and route traffic at nearly any point in the traffic flow, regardless of
direction
Key Elements of an iRule
Event Declarations
• Define when the code executes
• Every iRule has an event
when HTTP_REQUEST {
if{[HTTP::host] ends_with “bob.com”}{
pool http_pool1
}
} Operators
Commands • Define under which conditions BIG-IP LTM
• Define the action to perform performs an action
iRules Events
• Events are actions that trigger the processing of the iRule
• Examples
• HTTP_REQUEST
• HTTP_RESPONSE
• CLIENT_ACCEPTED
• LB_FAILED
when HTTP_REQUEST {
if{[HTTP::host] ends_with “bob.com”}{
pool http_pool1
}
}
Persistence
• Persistence
• Directs a client back to the same server after the
initial load balancing decision has been made
• Is required for stateful applications
• such as e-commerce shopping carts
• May skew load balancing statistics
• Universal Persistence
• iRules can create persistence records based on
anything in the clients request
• Such as, sessionid, username, etc.
Radius Persistence
• Cisco ISE requires RADIUS Authentication and Authorization traffic established to single PSN
which includes additional RADIUS transactions that may occur during the initial connection phase
such as re-authentication following CoA.
• It is advantageous for this persistence to continue after initial session establishment to allow re-
authentications to leverage EAP Session Resume and Fast Reconnect cache on the PSN
Using Persistence Profiles Using iRules for Radius Persistence

• Persist Attribute • iRules form the crucial pillar behind the
• Default Persistence Profile operational and configurational flexibility for
• Fallback Persistence Profile enabling load balancing of any device, in
this case, the Cisco ISE
BIG-IP Listeners
Traffic Flow
How Does Traffic Enter a BIG-IP?
• Routing to a listener on the BIG-IP
• Listeners are
• Self IPs
Internet
• SNATs
• NATs
• Virtual Servers
10.2.2.1
10.2.2.100:80 External VLAN 10.2.2.50
NAT to 192.168.4.8
Packet Processing Priority
1. Existing connection in connection table
2. Packet filter rule
3. Virtual server
4. SNAT
5. NAT
6. Self-IP
7. Drop
Load Balancing
• A load balancing method is an algorithm or formula used to determine which pool member to send
traffic to
• Load balancing is connection based
• Static load balancing methods distribute connections in a fixed manner
• Round Robin (RR)
• Ratio (Weighted Round Robin)
• Distributes in a RR fashion for members/ nodes whose ratio has not been met
• Dynamic load balancing methods take into account one or more factors, such as the current
connection count
• It is important to experiment with different load balancing methods and select the one that offers
the best performance in your particular environment
Dynamic Load Balancing Methods
• Least Connections
• Fewest L4 connections when load balancing decision is being made
• Recommended when servers have similar capabilities
• Very commonly used
• Fastest
• Balances based upon the number of outstanding L7 requests and then L4 connections
• Requires a L7 profile on the virtual server, else its just Least Connection
• Observed
• Calculates a ratio each second based on the number of L4 connections
• Not recommended for large pools
Load Balancing a Service (Member)
With each new client request, BIG-IP
Internet LTM verifies which pool member has
the fewest active connections
1 8 .2 0 0 .1 5 0 .1 0
In this example, the HTTP pool is
configured with the Least Connections
(member) method
10 .2 .2 .10 0 :80 BIG-IP LTM directs the request to the

pool member with the least number of
connections
Current connection counts for

each pool member are
displayed in red
1 7 2 .2 0 .1 0 .1 1 7 2 .2 0 .1 0 .2 1 7 2 .2 0 .1 0 .3
http_pool 1 7 2 .2 0 .1 0 .1 :8 0 45 1 7 2 .2 0 .1 0 .2 :8 0 42 1 7 2 .2 0 .1 0 .3 :8 0 8 0 36
secure_pool 1 7 2 .2 0 .1 0 .2 :4 4 3 12 1 7 2 .2 0 .1 0 .3 :4 4 3 22
F5 BIG-IP and Cisco ISE
Joint Solution Benefits
F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that
incorporates many advanced security and traffic optimization features.
Integrating F5 BIG-IP load balancing solutions with ISE can:
• Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and
availability
• Provide Bring Your Own Device (BYOD) endpoint scalability
• Deliver customizable policies for identity management of enterprise users and user devices
• Offer flexibility of iRules to maintain persistence profiles of Wi-Fi users
• Implement health monitor probes with BIG-IP LTM for health check of Cisco ISE servers
References
• BIG-IP LTM Product Overview
http://www.f5.com/pdf/products/big-ip-local-traffic-manager-overview.pdf
• BIG-IP LTM Configuration Guide https://support.f5.com/kb/en-us/products/big-

ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html
• BIG-IP LTM Support forum

https://support.f5.com/kb/en-us/products/big-ip_ltm.html
• DevCentral Forum
https://devcentral.f5.com/
• iRules on F5 DevCentral
https://devcentral.f5.com/wiki/irules.ltmmaintenancepage.ashx
• F5 University – LTM Training

https://login.f5.com/resource/login.jsp?ctx=719748&referral=university
Follow us on Twitter @f5Networks  Official F5 Networks Channel
Load Balancing - 101
Load Balancing
• A load balancing method is an algorithm or formula used to determine which pool
member to send traffic to
• Load balancing is connection based
• Static load balancing methods distribute connections in a fixed manner

• Round Robin (RR)
• Ratio (Weighted Round Robin)
• Distributes in a RR fashion for members/nodes whose ratio has not been met
• Dynamic load balancing methods take into account one or more factors, such as the
current connection count
• It is important to experiment with different load balancing methods and select the one that
offers the best performance in your particular environment
Dynamic Load Balancing Methods
• Fewest L4 connections when load balancing decision is being made
• Very commonly used
• Fastest
• Balances based upon the number of outstanding L7 requests and then L4 connections
• Requires an L7 profile on the virtual server, else its just Least Connections
• Observed
• Calculates a ratio each second based on the number of L4 connections
• Not recommended for large pools
Load Balancing a Service (Member)
With each new client request, BIG-
Internet IP LTM verifies which pool
member has the fewest active
18.200.150.10
In connections
this example, the HTTP pool is
(member) method
10.2.2.100:80 BIG-IP LTM directs the request to

the pool member with the least
number of connections
Current connection counts

for each pool member are
displayed in red
1 7 2 .2 0 .1 0 .1 1 7 2 .2 0 .1 0 .2 1 7 2 .2 0 .1 0 .3
http_pool 1 7 2 .2 0 .1 0 .1 :8 0 45 1 7 2 .2 0 .1 0 .2 :8 0 42 1 7 2 .2 0 .1 0 .3 :8 0 8 0 36
secure_pool 1 7 2 .2 0 .1 0 .2 :4 4 3 12 1 7 2 .2 0 .1 0 .3 :4 4 3 22
Load Balancing an IP Address (Node)
Internet
18.200.150.10
In this example, the HTTP pool is
(node) method
With
Witheach
eachnew
newclient
end-user
request,
request,
BIG- 10.2.2.100:80
IPBIG-IP
LTM
BIG-IP verifies
LTM LTM verifies
which
directs node
which has
the request node
to the
has fewest
the fewest
active
active
connections
connections
the node with the least number of
connections
This takes into account all Current connection counts

services running on the node for each pool member are
displayed in red
45 54 58
172.20.10.1 1 7 2 .2 0 .1 0 .2 1 7 2 .2 0 .1 0 .3
http_pool 1 7 2 .2 0 .1 0 .1 :8 0 45 1 7 2 .2 0 .1 0 .2 :8 0 42 1 7 2 .2 0 .1 0 .3 :8 0 8 0 36
secure_pool 1 7 2 .2 0 .1 0 .2 :4 4 3 12 1 7 2 .2 0 .1 0 .3 :4 4 3 22
Pool Failure Mechanisms
• Fallback Host (for HTTP and HTTPS applications)
• Is the server of last resort if all pool members are unavailable
• Returns HTTP redirect (http 302) to client
• Configured in the HTTP profile, the fallback host is not monitored
• Priority Group Activation

• Can dynamically pull in new members into the pool
• Pulls lower priority groups into higher priority groups Backup Servers
Running WWW and FTP
• Pulls in all members of a priority group together Priority = 1
web_pool ftp_pool
Priority = 5 Priority = 5
Activation < 2 Activation < 3
F5 BIG-IP and Cisco ISE
Joint Solution Benefits
• F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that
• Integrating F5 BIG-IP load balancing solutions with ISE can:
• Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and
availability
• Provide Bring Your Own Device (BYOD) endpoint scalability
• Deliver customizable policies for identity management of enterprise users and user devices
• Offer flexibility of iRules to maintain persistence profiles of Wi-Fi users
• Implement health monitor probes with BIG-IP LTM for health check of Cisco ISE servers
References
• BIG-IP LTM Configuration Guide

https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html


DevCentral F5 User Community
Over 105,000 Members in 191 Countries and Growing!
References
• Wikis
• API/SDK Documentation
Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs
Tools and Frameworks

• iRule Editor
• iControl SDK
• .NET, Java, Python,
Powershell, ...
• VMware vSphere Management
Plug-in
• Microsoft SCOM Monitoring Pack
Cisco ISE Solution
Components
Cisco Identity Services Engine (ISE)
All-in-One Enterprise Policy Control
Who What Where When How
Security Policy Attributes
Identity
Context Cisco® ISE
Business-Relevant
Policies
Wired Wireless VPN
Virtual machine client, IP device, guest, employee, and remote user

Replaces AAA and RADIUS, NAC, guest management, and device identity servers
ISE Node Types
 Policy Service Node (PSN) Can run in a single host

– Makes policy decisions
– RADIUS server & provides endpoint/user services
 Policy Administration Node (PAN)

– Interface to configure policies and manage ISE deployment
– Writeable access to the database
 Monitoring & Troubleshooting Node (MnT)

– Interface to reporting and logging
– Destination for syslog from other ISE nodes and NADs
 Inline Posture Node (IPN)

– Enforces posture policy for legacy or 3rd-party NADs
Admin
ISE Communications
Network Access Policy Service Node Policy Administration Monitoring and

Device The “Work-Horse”: Node: All Management Troubleshooting
Access-Layer Devices RADIUS, Profiling, UI Activities & Logging and
Enforcement Point for WebAuth, Posture, Sponsor synchronizing all ISE Reporting Data
all Policy Portal Client Provisioning Nodes
NAD PSN PAN MnT
Policy Sync
RADIUS from NAD to PSN
PSN queries
RADIUS reply from PSN to NAD external database
User directly
RADIUS Accounting syslog
syslog
syslog
Example ISE Deployment
Admin (P) Monitor (P) Policy Services Cluster Distributed

Admin (S) Monitor (S) Policy Services
PAN MnT PSN PSN PSN PSN
PAN MnT PSN PSN
HA Inline AD/LDAP
Posture Nodes (External ID/ AD/LDAP
Attribute Store) (External ID/
Data DC B Attribute Store)
IPN
IPN
Center A
WLC
Non-CoA 802.1X
ASA VPN
Switch
802.1X AP
WLC
802.1X Switch
AP 802.1X
Branch B
Branch A
Switch Switch
AP 802.1X AP
802.1X
Scaling by Deployment, Platform, and Persona
• Max Concurrent Endpoint Counts by Deployment Model and Platform
Max # Dedicated
Deployment Model Platform Max # Endpoints per Deployment
PSNs
Standalone (all personas on 33xx 2,000 0
same node) 3415 5,000 0
(2 nodes redundant) 3495 10,000 0
3355 as Admin+MNT 5,000 5
Admin + MnT on same node;
3395 as Admin+MNT 10,000 5
Dedicated PSN
(Minimum 4 nodes redundant) 3415 as Admin+MNT 5,000 5
3495 as Admin+MNT 10,000 5
Dedicated Admin and MnT nodes 3395 as Admin and MNT 100,000 40
(Minimum 6 nodes redundant) 3495 as Admin and MNT 250,000 40
Scaling per PSN Platform Max # Endpoints per PSN

ISE-3315 3,000
Dedicated Policy nodes ISE-3355 6,000
(Max Endpoints Gated by Total ISE-3395 10,000
Deployment Size) SNS-3415 5,000
SNS-3495 20,000
Joint Solution Overview –
Deployment Model,
Topology, and Traffic Flow
Scaling RADIUS, Web, and Profiling with BIG-IP LTM
• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access Devices send RADIUS AAA requests to LB virtual IP.
ISE PSNs
PSN
PSN PSN PSN PSN PSN PSN PSN PSN
(RADIUS
Servers)
F5 BIG-IP
LTM (Load
Balancers)
Virtual IP
Network
Access
Devices
Scaling Global Sponsor / MyDevices with BIG-IP GTM
DNS SERVER: DOMAIN =
COMPANY.COM
F5 BIG-IP GTM
MnT MnT
(Global LB) SPONSOR
PAN PAN
10.1.0.100, 10.2.0.100, 10.3.0.100
MYDEVICES
10.1.0.100, 10.2.0.100, 10.3.0.100
ISE-PSN-1 10.1.1.1
ISE-PSN-2 10.1.1.2
PSN PSN PSN
ISE-PSN-3 10.1.1.3
PSN PSN PSN
ISE-PSN-4 10.2.1.4
ISE-PSN-5 10.2.1.5
F5 BIG-IP LTM ISE-PSN-6 10.2.1.6
(Local LB) F5 BIG-IP ISE-PSN-7 10.3.1.7
10.1.0.100 LTM ISE-PSN-8 10.3.1.8
10.2.0.100 (Local LB) ISE-PSN-9 10.3.1.9
PSN PSN PSN
Use Global Load Balancing (GTM) to direct traffic to closest VIP.

Local Web Load-balancing (LTM) distributes request to single PSN. F5 BIG-IP
LTM
Load Balancing simplifies and scales ISE Web Portal Services 10.3.0.100 (Local LB)
Load Balancing ISE Policy Services
• RADIUS Authentication and Accounting Services

Packets sent to LB virtual IP are load-balanced to real PSN based on configured algorithm. Sticky
algorithm determines method to ensure same Policy Service node services same endpoint.
• URL-Redirected Services: Posture (CPP) / MDM / Central WebAuth (CWA) / Native

Supplicant Provisioning (NSP) / Device Registration WebAuth (DRW) / Hotspot
No LB Required! PSN that terminates RADIUS returns URL Redirect with its own certificate CN name
substituted for ‘ip’ variable in URL.
• Direct HTTP/S Services: Local WebAuth (LWA) / Sponsor Portal / MyDevices Portal
Single web portal domain name should resolve to LB virtual IP for http/s load balancing.
• Profiling Services: DHCP Helper / SNMP Traps / Netflow / RADIUS

LB VIP is the target for one-way Profile Data (no response required). VIP can be same or different than
one used by RADIUS LB; Real server interface can be same or different than one used by RADIUS
Load Balancing RADIUS
Sample Flow
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
PSN
10.1.99.5
1 radius-server host 10.1.98.8
ISE-PSN-1
F5 LTM
2 AUTH request
RADIUS ACCTG requesttoto10.1.98.8
10.1.98.8
PSN
10.1.99.6
AUTH response
RADIUS ACCTG from
response 10.1.99.7
from 10.1.99.7
Access VIP: 10.1.98.8 ISE-PSN-2
User
Device 4 5 PSN-CLUSTER
PSN
10.1.99.7
1. NAD has single RADIUS Server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP 10.1.98.8
ISE-PSN-3
3
3. Requests for same endpoint load balanced to same PSN via sticky based
on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS Response received from real server ise-psn-3 @ 10.1.99.7
5. RADIUS Accounting sent to/from same PSN based on sticky
Load Balancing with URL-Redirection
Sample Flow
DNS Lookup = ise-psn-3.company.com

DNS
4 DNS Response = 10.1.99.7 Server
PSN
10.1.99.5
ISE-PSN-1
F5 LTM
1 RADIUS request to psn-cluster.company.com
PSN
10.1.99.6
RADIUS response from ise-psn-3.company.com
3
Device https://ise-psn-3.company.com:8443/... PSN-CLUSTER
User
2
5 HTTPS response from ise-psn-3.company.com PSN
10.1.99.7
1. RADIUS Authentication requests sent to VIP 10.1.98.8. ISE-PSN-3

2. Requests for same endpoint load balanced to same PSN via RADIUS sticky.
3. RADIUS Authorization received from ise-psn-3 @ 10.1.99.7 with URL Redirect to ISE Certificate
https://ise-psn-3.company.com:8443/... Subject CN =
4. Client browser redirected and resolves FQDN in URL to real server address. ise-psn-3.company.com
5. User sends web request directly to same PSN that serviced RADIUS request.
Load Balancing Non-Redirected Web Services
Sample Flow
DNS Lookup = sponsor.company.com

DNS PSN
1 DNS Response = 10.1.98.8 Server 10.1.99.5
https://sponsor.company.com ISE-PSN-1
F5 LTM
2 https://sponsor. company.com @ 10.1.98.8
PSN
10.1.99.6
https response from ise-psn-3 @ 10.1.99.7
Sponsor 4 Device PSN-CLUSTER
Certificate OK! 5 PSN
Requested URL = sponsor.company.com 10.1.99.7
Certificate SAN = sponsor.company.com
ISE-PSN-3 3
ISE Certificate 1. Browser resolves sponsor.company.com to VIP @ 10.1.98.8
Subject = 2. Web request sent to https://sponsor.company.com @ 10.1.98.8
ise-psn-3.company.com 3. ACE load balances request to PSN based on IP or HTTP sticky
SAN= 4. HTTPS response received from ise-psn-3 @ 10.1.99.7
ise-psn-3.company.com 5. Certificate SAN includes FQDN for both sponsor and ise-psn-3.
sponsor.company.com
Load Balancing Profiling Services
Sample Flow
DHCP Request to Helper IP 10.1.1.10

2 DHCP PSN
10.1.99.5
DHCP Response returned from DHCP Server Server
3
ISE-PSN-1
F5 LTM
1 2 PSN
10.1.99.6
VIP: 10.1.98.8
Access PSN-CLUSTER ISE-PSN-2
Device
User
4 PSN
10.1.99.7
1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards DHCP request to ISE-PSN-3
real DHCP server and to secondary entry = LB VIP
3. Real DHCP server responds and provide client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on
source IP stick (L3 gateway) or DHCP field parsed from request.
© 2013-2014 Cisco and/or its affiliates. All rights reserved. 53 Cisco Confidential 53
High-Level Load Balancing Diagram
DNS
NTP
External SMTP
ISE-PAN-1 ISE-MNT-1 Logger MDM AD/LDAP
VLAN 98 VLAN 99 10.1.99.5

(10.1.98.0/24) (10.1.99.0/24) ISE-PSN-1
NAS IP: 10.1.50.2 VIP: 10.1.98.8 LB: 10.1.99.1

10.1.99.6
Network Access ISE-PSN-2
End User/Device Device F5 LTM
10.1.99.7
ISE-PSN-3
ISE-PAN-2 ISE-MNT-2
54
Traffic Flow—Fully Inline: Physically Separation
Physical Network Separation Using Separate LB Interfaces Fully Inline Traffic
Flow recommended—
• BIG-IP LTM is directly inline between ISE PSNs and rest of network
physical or logical
• All traffic flows through Load Balancer including RADIUS, PAN/MnT,
Profiling, Web Services, Management, Feed
Services, MDM, AD, LDAP… VLAN 98 VLAN 99 10.1.99.5
(External) (Internal) ISE-PSN-1
Network
Switch
NAS IP: 10.1.50.2
10.1.98.1 10.1.98.2 10.1.99.1
10.1.99.6
DNS AD 10.1.99.7
External NTP LDAP
ISE-PAN ISE-MNT Logger SMTP ISE-PSN-3
MDM
Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using Single LB Interface and VLAN Trunking
F5 LTM
• BIG-IP LTM is directly inline between ISE PSNs
and rest of network. VIP: 10.1.98.8
• All traffic flows through LB including RADIUS, 10.1.98.2 10.1.99.1

PAN/MnT, Profiling, Web Services, Management, VLAN 98 VLAN 99 10.1.99.5
Feed Services, MDM, AD, LDAP… (External) (Internal)
ISE-PSN-1
10.1.98.1
NAS IP: 10.1.50.2
10.1.99.6
End User/Device Device Network
Switch
DNS AD 10.1.99.7
External NTP LDAP
ISE-PAN ISE-MNT Logger ISE-PSN-3
SMTP MDM
Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
F5 LTM
10.1.98.2
• All inbound LB traffic such RADIUS, Profiling,
and directed Web Services sent to LTM VIP 10.1.98.5
VIP: 10.1.98.8
• Other inbound non-LB traffic bypasses LTM ISE-PSN-1
including redirected Web Services, PAN/MnT, VLAN 98
Management, Feed Services, MDM, AD, LDAP… 10.1.98.6
• All outbound traffic from PSNs NAS IP: 10.1.50.2 ISE-PSN-2

10.1.98.1
sent to LTM as DFGW.
10.1.98.7
• LTM must be configured Network Access L3
Device Switch
to allow Asymmetric traffic End User/Device ISE-PSN-3
Generally NOT RECOMMENDED due to DNS AD

traffic flow complexity—must fully External NTP LDAP
ISE-PAN ISE-MNT Logger SMTP MDM
understand path of each flow to ensure
proper handling by routing, LB, and
end stations.
Partially Inline: Layer 3/Different VLANs (One PSN Interface)
Direct PSN Connections to LB and Rest of Network
F5 LTM
10.1.99.2
• All inbound LB traffic such RADIUS, Profiling, VIP: 10.1.98.8
and directed Web Services sent to LTM VIP 10.1.99.5
10.1.98.2
• Other inbound non-LB traffic bypasses LTM ISE-PSN-1
VLAN 98 VLAN 99
including redirected Web Services, PAN/MnT, (External) (Internal)
Management, Feed Services, MDM, AD, LDAP… 10.1.99.6
NAS IP: 10.1.98.1

• All outbound traffic from PSNs ISE-PSN-2
10.1.50.2
sent to LTM as DFGW. 10.1.99.1
10.1.99.7
• LTM must be configured Network Access L3
to allow Asymmetric traffic End User/Device Device Switch
ISE-PSN-3
Generally NOT RECOMMENDED due to DNS AD

traffic flow complexity—must fully External NTP LDAP
ISE-PAN ISE-MNT Logger SMTP MDM
understand path of each flow to ensure
proper handling by routing, LB, and
end stations.
Partially Inline: Multiple PSN Interfaces
10.1.99.5 10.1.91.5
Separate PSN Connections to LB and Rest of Network
F5 LTM
ISE-PSN-1
VIP:
• All LB traffic sent to LTM VIP including 10.1.98.8
RADIUS, Profiling (except SPAN data), 10.1.99.2
10.1.99.6 10.1.91.6
and directed Web Services 10.1.98.2
ISE-PSN-2
VLAN 98 VLAN 99
• All traffic initiated by PSNs sent to (Internal)
(External)
F5 LTM as global default gateway 10.1.99.7 10.1.91.7
NAS IP: 10.1.98.1
• Redirected Web
10.1.50.2 ISE-PSN-3
Services traffic 10.1.91.1
bypasses LTM
Network Access L3 VLAN 91
• For ISE 1.2, End User/Device Device Switch (Web Portals)
recommend SNAT redirected
HTTPS traffic at L3 switch DNS AD
External NTP LDAP
• ISE 1.3+ supports symmetric ISE-PAN ISE-MNT Logger SMTP MDM
traffic responses (set default
gateway per interface)
Fully Inline – Multiple PSN Interfaces VLAN 91
(Web Portals)
Network Separation Using Separate LB Interfaces
10.1.91.1
• All traffic sent to LTM including F5 LTM

RADIUS, Profiling (except SPAN data), 10.1.99.1 10.1.99.5 10.1.91.5
10.1.98.2
and directed Web Services VIP: 10.1.98.8 ISE-PSN-1
• All traffic initiated by PSNs sent to VLAN 98 VLAN 99
F5 LTM as global default gateway (External) (Internal) 10.1.99.6 10.1.91.6
NAS IP: 10.1.98.1

• LTM sends Web ISE-PSN-2
10.1.50.2
Services traffic L3
on separate PSN Switch 10.1.99.7 10.1.91.7
interface. Network Access
End User/Device Device
ISE-PSN-3
• For ISE 1.2 (and optionally 1.3),
SNAT Web Services at LTM DNS AD
External NTP LDAP
• ISE 1.3+ supports symmetric ISE-PAN ISE-MNT Logger SMTP MDM
traffic responses (set default
gateway per interface)
Configuration Prerequisites
Verify Routing Configuration in Overall Topology
L3 Switch/Router off LTM External Interface Must have Route to LTM Internal Network
Network Next Hop

0.0.0.0/0 10.1.98.1
Network Next Hop VLAN 98 VLAN 99 10.1.99.5
10.1.99.0/24 10.1.98.2
(10.1.98.0/24) (10.1.99.0/24) ISE-PSN-1
Network
Switch
NAS IP: 10.1.50.2
VIP: 10.1.98.8
10.1.99.6
10.1.50.1 10.1.98.1 10.1.98.2 10.1.99.1
End User/Device Device 10.1.100.1 F5 LTM
DNS
10.1.100.3 NTP 10.1.99.7
10.1.100.4 External AD/
SMTP
ISE-PAN ISE-MNT Logger MDM LDAP ISE-PSN-3
Network Next Hop

0.0.0.0/0 10.1.99.1
Recommended Software Versions
• F5 BIG-IP LTM: 11.4.1 hotfix HF5 or 11.4.0 hotfix HF6

Additionally, 11.6.0 HF2 incorporates performance enhancements that can improve
RADIUS load balancing performance.
• Cisco ISE: 1.2.0, 1.2.1, or 1.3.0 with current patches installed.
F5 Configuration Prerequisites
Validate IP Addressing for Internal and External Interfaces
 Main > Network Self IPs
Validate Correct VLAN Assignments
Main > Network > VLANs > VLAN List
• Separate Physical Interfaces Example
• Single Physical Interfaces—VLAN Trunking Example
Verify LTM Routing Configuration
Main > Network > Routes
• Default route for LTM appliance set to external interface next hop gateway
Optional: Verify LTM High Availability
• F5 BIG-IP LTM supports Active-Standby and Active-Active high availability modes
• Configuration of LTM high availability is beyond the scope of this session.
• Refer to F5 product documentation for additional details:

• Active-Standby configuration: Creating an Active-Standby Configuration Using the Setup Utility
• Active-Active configuration: Creating an Active-Active Configuration Using the Setup Utility
• When configured for high availability, default gateways and next hop routes will point to the
floating IP address on the F5 appliance
• Health monitors will be sourced from the locally-assigned IP addresses.
ISE Configuration Prerequisites
Configure Node Groups for LB Cluster
All PSNs in LB Cluster in Same Node Group
• Administration > System > Deployment

2) Assign name (and multicast address if ISE 1.2)
1) Create node group
3) Add individual PSNs to node group
• Node group members can be L2 or L3

• Multicast no longer a requirements in ISE 1.3
Load Balancer General RADIUS Guidelines
RADIUS Servers and Clients – Where Defined PSNs are RADIUS Servers for
Health Probes
ISE Admin Node > Network Devices Name PSN-Probe
(RADIUS Clients) Type RADIUS
Interval 15
ISE-PAN-1 ISE-MNT-1
Timeout 46
PAN MnT
User Name radprobe
Password cisco123
Alias Service Port 1812
PSN
ISE-PSN-1
VIP: 10.1.98.8
NAS IP: 10.1.50.2 10.1.99.1
PSN
Access Device
F5 LTM ISE-PSN-2
User
PSN
Load Balancer VIP is RADIUS Server
radius-server host 10.1.98.8 auth-port 1812 acct-port
1813 test username radtest ignore-acct-port key cisco123 ISE-PSN-3
Add LTM(s) as NAD(s) for RADIUS Health Monitoring
Administration > Network Resources > Network Devices
• Configure Self IP address of LTM Internal

interface connected to PSN RADIUS
interfaces.
10.1.99.1
• Enable Authentication and set RADIUS
shared secret.
PSN
ISE-PSN-1
10.1.99.1
PSN
F5 LTM ISE-PSN-2
PSN
ISE-PSN-3
Configure Internal User for RADIUS Health Monitoring
Administration > Identity Management > Identities > Users
• This step optional if plan to use external ID store for health monitoring account. Still
recommended for testing and troubleshooting.
• User authorization for this account should be granted no network access.
• F5 LTM monitor accepts both Access-Accept and Access-Reject as healthy responses
Configure DNS and Certs to Support PSN Load Balancing
• Configure DNS entry for PSN cluster(s) and assign VIP IP address.
Example: psn-cluster.company.com
DNS SERVER: DOMAIN = COMPANY.COM
PSN-CLUSTER IN A 10.1.98.8
SPONSOR IN A 10.1.98.8
MYDEVICES IN A 10.1.98.8
ISE-PSN-1 IN A 10.1.99.5
ISE-PSN-2 IN A 10.1.99.6
ISE-PSN-3 IN A 10.1.99.7
• Configure ISE PSN server certs with Subject Alternative

Name configured for other FQDNs to be used by LB VIP
or optionally use wildcards (available in ISE 1.2).
Example
Example certificate SAN: ise-psn-1.company.com certificate with
psn-cluster.company.com multiple FQDN
sponsor.company.com values in SAN.
guest.company.com
ISE Certificate without SAN
Certificate Warning - Name Mismatch
DNS
http://sponsor.company.com DNS Lookup = sponsor.company.com Server
PSN
DNS Response = 10.1.98.8 10.1.99.5
ISE-PSN-1
10.1.98.8
SPONSOR http://sponsor.company.com
PSN
10.1.99.6
https://sponsor.company.com:8443/sponsorportal
ISE Certificate ISE-PSN-2
F5 LTM
Subject =
ise-psn-3.company.com
PSN
Name Mismatch! 10.1.99.7
Requested URL = sponsor.company.com
Certificate Subject = ise-psn-3.company.com ISE-PSN-3
ISE Certificate with SAN
No Certificate Warning
DNS
http://sponsor.company.com DNS Lookup = sponsor.company.com Server
PSN
DNS Response = 10.1.98.8 10.1.99.5
ISE-PSN-1
10.1.98.8
SPONSOR http://sponsor.company.com
PSN
10.1.99.6
https://sponsor.company.com:8443/sponsorportal
ISE-PSN-2
ISE Certificate F5 LTM
Subject =
ise-psn.company.com
PSN
SAN= Certificate OK! 10.1.99.7
ise-psn-1.company.com Requested URL = sponsor.company.com
ise-psn-2.company.com Certificate SAN = sponsor.company.com ISE-PSN-3
ise-psn-3.company.com
sponsor.company.com
General Best Practices for Universal Certificates
• Use a common FQDN for Subject CN:
Examples: ise.company.com
aaa.company.com
• If Subject CN contains FQDN, add same
FQDN to SAN
• Multi-Domain/UCC* Certificate: Update
SAN with all FQDNs serviced by PSN
• OR
Wildcard Certificate: Update SAN with
wildcard domain using syntax
*.company.local
• If required for static IP hosting, add IP
addresses as both DNS and IP entries
(increases device compatibility)
*UCC = Unified Communications Certificate
Forwarding Non-LB Traffic
High-Level Load Balancing Diagram
DNS
NTP
External SMTP
ISE-PAN-1 ISE-MNT-1 Logger MDM AD/LDAP
VLAN 98 VLAN 99 10.1.99.5

(10.1.98.0/24) (10.1.99.0/24) ISE-PSN-1
NAS IP: 10.1.50.2 VIP: 10.1.98.8 LB: 10.1.99.1

10.1.99.6
10.1.99.7
ISE-PSN-3
ISE-PAN-2 ISE-MNT-2
80
Non-LB Traffic that Requires IP Forwarding
Inter-node/Management/Repository/ID Stores/Feeds/Profiling/Redirected Web/RADIUS CoA
• PAN/MnT node communications
• All management traffic to/from the PSN real IP addresses such as HTTPS, SSH, SNMP, NTP,
DNS, SMTP, and Syslog.
• Repository and file management access initiated from PSN including FTP, SCP, SFTP, TFTP,
NFS, HTTP, and HTTPS.
• All external AAA-related traffic to/from the PSN real IP addresses such as AD, LDAP, RSA,
external RADIUS servers (token or foreign proxy), and external CA communications (CRL
downloads, OCSP checks, SCEP proxy).
• All service-related traffic to/from the PSN real IP addresses such as Posture and Profiler Feed
Services, partner MDM integration, pxGrid, and REST/ERS API communications.
• Client traffic to/from PSN real IP addresses resulting from Profiler (NMAP, SNMP queries) and
URL-Redirection such as CWA, DRW/Hotspot, MDM, Posture, and Client Provisioning.
• RADIUS CoA from PSNs to network access devices.
Virtual Server to Forward General Inbound IP Traffic
General Properties
• Applies to connections initiated from

outside (external) network
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to

specific network.
• Destination = PSN Network Addresses
• Service Port = 0 (All Ports)
• Availability = Unknown (No service

validation via health monitors)
Virtual Server to Forward General Inbound IP Traffic
Configuration (Advanced)
• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific

ingress VLAN(s).
• No SNAT
Virtual Server to Forward General Outbound IP Traffic
General Properties

PSN (internal) network
• Source = PSN Network Addresses
• Destination = All traffic (0.0.0.0/0.0.0.0) or

limit to specific network.
• Service Port = 0 (All Ports)

Virtual Server to Forward General Outbound IP Traffic
• Protocol = All Protocols
• Optionally limit to specific

ingress VLAN(s).
• No SNAT
Example Inbound / Outbound IP Forwarding Servers
Inbound IP Forwarding for 2nd PSN Interface VLAN 91
(Web Portals)
2nd PSN Interface for Web Services
10.1.91.1
• LTM sends Web Services traffic F5 LTM

on separate PSN interface. 10.1.99.1 10.1.99.5 10.1.91.5
10.1.98.2
VIP: 10.1.98.8 ISE-PSN-1
VLAN 98 VLAN 99
(External) (Internal) 10.1.99.6 10.1.91.6
NAS IP: 10.1.98.1

ISE-PSN-2
10.1.50.2
L3
Switch 10.1.99.7 10.1.91.7
Network Access
End User/Device Device
ISE-PSN-3
• For ISE 1.2 (and optionally 1.3), LTM can perform SNAT on Web Services traffic
• ISE 1.3+ supports symmetric traffic responses, so SNAT not required

(Set default gateway per interface)
Virtual Server to Forward Inbound Redirected Web Traffic
General Properties

URL-redirected clients on outside
(external) network to 2nd PSN
interface
• Source = All traffic (0.0.0.0/0)

or limit to specific client networks.
• Destination = PSN Network Addresses
for Web Portals
• Service Port = 8443 (configurable)
Optionally set wildcard value of 0 for
multiple portal ports or services.
(NSP and Posture work on port 8905)
Virtual Server to Forward Inbound Redirected Web Traffic
• Protocol = TCP
Optionally set to * (All Protocols) for
multiple services.
• NSP requires TCP/8905, but
Posture requires both TCP and
UDP/8905.
• Optionally limit to specific ingress

VLAN(s).
• For ISE 1.2, enable SNAT
• For ISE 1.3, SNAT optional if

enabled symmetric traffic routing
(default route per interface).
Policy Service Node Scaling and Redundancy
• NADs can be configured with sequence of redundant RADIUS servers (PSNs).
• Policy Service nodes can also be configured in a cluster, or “node group”, behind a
load balancer. NADs send requests to LB virtual IP for Policy Services.
• Policy Service nodes in node group maintain heartbeat to verify member health.
Administration PAN PAN
Administration
Node (Primary) Node (Secondary)
N+1 node redundancy
Policy Services Node
assumed to support total
Policy PSN PSN PSN PSN
endpoints during:
Group (Same
Replication • Unexpected single
multicast domain)
server outage
AAA connection F5 BIG-IP • Scheduled server
LTM Load maintenance
Virtual Balancers
IP Also provides additional
scaling buffer.
Network
Access
Devices
Sample Flow
VLAN 98 (10.1.98.0/24) VLAN 99 (10.1.99.0/24)
PSN
10.1.99.5
1 radius-server host 10.1.98.8
VIP: ISE-PSN-1
2 RADIUS AUTH request to 10.1.98.8
10.1.98.8
RADIUS ACCTG request to 10.1.98.8
5 PSN
10.1.99.6
NAD RADIUS AUTH response from 10.1.99.7 4
User
RADIUS ACCTG response from 10.1.99.7 6 F5 LTM
ISE-PSN-2
1. NAD has single RADIUS server defined (10.1.98.8) PSN

10.1.99.7
2. RADIUS Auth requests sent to VIP @ 10.1.98.8 3
3. Requests for same endpoint load balanced to same PSN via sticky based ISE-PSN-3
on RADIUS Calling-Station-ID, Framed-IP-Address, or NAS-IP-Address
4. RADIUS Auth Response received from real server ise-psn-3 @ 10.1.99.7
5. Successive RADIUS Accounting sent to VIP @ 10.1.98.8
6. RADIUS Accounting Response received from same PSN based on sticky.
NAT Restrictions for RADIUS Load Balancing
Why Source NAT Fails for NADs SNAT also results in less visibility as all requests appear
sourced from LB – makes troubleshooting more difficult.
• With SNAT, LB appears as the Network
Access Device (NAD) to PSN.
• CoA sent to wrong IP address
NAS IP Address is correct,

but not currently used for CoA
SNAT of NAD Traffic: Live Log Example
Auth Succeeds/CoA Fails: CoA Sent to BIG-IP LTM and Dropped
Allow Source NAT for PSN CoA Requests
Simplifying Switch CoA Configuration
• Match traffic from PSNs to UDP/1700 (RADIUS CoA) and translate to PSN cluster VIP.
• Access switch config:

CoA SRC=10.1.99.5 PSN
• Before: 10.1.99.5
aaa server radius dynamic-author ISE-PSN-1

CoA SRC=10.1.98.8
client 10.1.99.5 server-key cisco123
client 10.1.99.6 server-key cisco123 PSN
10.1.99.6
client 10.1.99.7 server-key cisco123 10.1.98.8
client 10.1.99.8 server-key cisco123 Access ISE-PSN-2
F5 LTM
client 10.1.99.9 server-key cisco123 Switch
client 10.1.99.10 server-key cisco123 PSN
10.1.99.7
<…one entry per PSN…>
• After: ISE-PSN-3
aaa server radius dynamic-author PSN

10.1.99.x
client 10.1.98.8 server-key cisco123
ISE-PSN-X
Allow NAT for PSN CoA Requests
Simplifying WLC CoA Configuration
• Before: • After
One RADIUS Server entry One RADIUS Server entry

required per PSN that may send required per load balancer VIP.
CoA from behind load balancer
Load Balancer General NAT Guidelines
To NAT or Not To NAT?
ISE-PAN-1 ISE-MNT-1 No NAT
That is the Question!
PAN MnT
PSN
10.1.99.5
VLAN 98 VLAN 99
(10.1.98.0/24) (10.1.99.0/24)
ISE-PSN-1
F5 LTM
NAS IP: 10.1.50.2 VIP: 10.1.98.8 LB: 10.1.99.1
PSN
10.1.99.6
Access Device
ISE-PSN-2
User RADIUS AUTH RADIUS AUTH COA
NAS-IP =10.1.50.2 Remove
NAD is
SNAT for NAS-IP =10.1.50.2
SRC-IP =10.1.50.2 Source
Source =10.1.99.1
SRC-IP =10.1.50.2 PSN
NAD is BAD! 10.1.99.7
DST-IP =10.1.98.8 NAT
NATted DST-IP =10.1.99.7
ISE-PSN-3
RADIUS COA RADIUS COA
SNAT for
SRC-IP =10.1.98.8 SRC-IP =10.1.99.7
CoA is Okay! DST-IP =10.1.50.2
DST-IP =10.1.50.2
Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes
• Common RADIUS Sticky Attributes

o Client Address
MAC Address=00:C0:FF:1A:2B:3C
 Calling-Station-ID IP Address=10.1.10.101 PSN
 Framed-IP-Address Device
o NAD Address 10.1.50.2 VIP: 10.1.98.8 ISE-PSN-1

 NAS-IP-Address Session: 00aa…99ff
 Source IP Address PSN
o Session ID Network Access

Device F5 LTM ISE-PSN-2
 RADIUS Session ID
User Username=jdoe@company.com
 Cisco Audit Session ID
PSN
• Best Practice Recommendations (depends on LB support and design)

1. Calling-Station-ID for persistence across NADs and sessions ISE-PSN-3
2. Source IP or NAS-IP-Address for persistence for all endpoints connected to same NAD
3. Audit Session ID for persistence across re-authentications
Configuring RADIUS Persistence
RADIUS Profile Example
• RADIUS Sticky on Calling-Station-ID (client

MAC address)
• Simple option but does not support advanced
logging and other enhanced parsing options like
iRule
• Profile must be applied to Standard Virtual
Server based on UDP Protocol
ltm profile radius /Common/radiusLB {
app-service none
clients none
persist-avp 31
subscriber-aware disabled
subscriber-id-type 3gpp-imsi
iRule for RADIUS Persistence Based on Client MAC (1of2)
Persistence based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address
• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
when CLIENT_DATA {
# 0: No Debug Logging 1: Debug Logging
set debug 0 • Optional debug logging
• Enable for troubleshooting only to
reduce processing load
# Persist timeout (seconds)
set nas_port_type [RADIUS::avp 61 "integer"]
if {$nas_port_type equals "19"}{
set persist_ttl 3600 • Configurable persistence timeout
if {$debug} {set access_media "Wireless"} based on media type
} else { oWireless Default = 1 hour
set persist_ttl 28800 oWired Default = 8 hours
if {$debug} {set access_media "Wired"}
}
iRule for RADIUS Persistence Based on Client MAC (2of2)
if {[RADIUS::avp 31] ne "" }{
set mac [RADIUS::avp 31 "string"]
# Normalize MAC address to upper case
set mac_up [string toupper $mac]
persist uie $mac_up $persist_ttl
if {$debug} {
set target [persist lookup uie $mac_up]
log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal
MAC=$mac_up MEDIA=$access_media TARGET=$target"
}
} else {
set nas_ip [RADIUS::avp 4 ip4]
persist uie $nas_ip $persist_ttl
if {$debug} {
set target [persist lookup uie $nas_ip]
log local0.alert "No MAC Address found - Using NAS IP as persist
id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
}
}
}
iRule for RADIUS Persistence – Sample Debug Output
Sat Sep 27 13:55:43 EDT 2014 alert f5 tmm[9443]
Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=6c205613e9fc MAC=6C-20-
56-13-E9-FC Normal MAC=6C-20-56-13-E9-FC MEDIA=Wired
TARGET=/Common/radius_auth_pool 10.1.99.6 1812

Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=employee1 MAC=7c-6d-62-
e3-d5-05 Normal MAC=7C-6D-62-E3-D5-05 MEDIA=Wireless
TARGET=/Common/radius_acct_pool 10.1.99.7 1813

Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=00-50-56-A0-0B-3A
MAC=00-50-56-A0-0B-3A Normal MAC=00-50-56-A0-0B-3A MEDIA=Wired TARGET=

Rule /Common/radius_mac_sticky <CLIENT_DATA>: No MAC Address found - Using NAS
IP as persist id. Username=#ACSACL#-IP-CENTRAL_WEB_AUTH-5334c9a5 NAS
IP=10.1.50.2 MEDIA=Wired TARGET=
Ensure NAD Populates RADIUS Attributes
Catalyst Switch Example
Cisco Catalyst IOS Command Description
radius-server attribute 8 include-in-access-req Include Framed-IP-Address

(if available) in RADIUS
Access Requests
radius-server attribute 31 send nas-port-detail Include client IP address for
remote console (vty)
connections to the switch
radius-server attribute 31 mac format ietf upper-case Set the MAC address format
to 00-00-40-96-3E-4A
(all upper case letters)
Ensure NAD Populates RADIUS Attributes
Cisco WLC Example
• WLC sets Calling-

Station-ID to MAC
Address for
RADIUS NAC-
enabled WLANs
• General
recommendation is
to set Acct Call
Station ID to
System MAC
Address
• Auth Call Station ID
Type may not be
present in earlier
software versions
RADIUS Health Monitors
Load Balancer Probes Determine RADIUS Server Health Status
• BIG-IP LTM RADIUS monitor has two key timer settings:

o Interval = probe frequency (default = 10 sec)
o Timeout = total time before monitor fails (default = 31 seconds)
Timeout = (3 * Interval) + 1 Sample LTM RADIUS Health Monitor Config:

(Four health checks are attempted ltm monitor radius /Common/radius_1812 {
before declaring a node failure) debug no
defaults-from /Common/radius
• Timers: Set low enough to ensure destination *:1812
efficient failover but long enough
interval 10
to avoid excessive probing (AAA load);
password P@$$w0rd
Start with defaults then tune to network.
secret P@$$w0rd
• User Account: If valid user account to be time-until-up 0
used for monitor, be sure to configure timeout 31
user in ISE or external ID store with username f5-probe
limited/no network access privileges. }
Successful Health Monitor Requests using Valid Account
Yay! It Works!....But now what do I do about all that “noise” in my Live Log?
ISE Collection Filters
Filter Successful LTM Health Checks
F5 LTM Configuration Components for RADIUS LB
• RADIUS Auth
UDP Profile
• RADIUS Acct • RADIUS CoA
RADIUS Profile SNAT Pool
iRule Persistence Virtual Server

Virtual Server
(Persistence) Profile
Health Monitor Pool List
Member Nodes
Configure RADIUS Health Monitor
Local Traffic > Monitors
• Same monitor can be leveraged for RADIUS

Auth, Accounting, and Profiling to reduce
probe load for multiple services.
• Be sure BIG-IP LTM configured as ISE NAD.
Optional: Configure UDP Profile for RADIUS
Local Traffic > Profiles > Protocol > UDP
• Start with default Idle Timeout
• Using a custom profile allows for tuning

later if needed without impacting other
services based on same parent UDP profile
• Disable Datagram LB
Optional: Configure RADIUS Profile
Local Traffic > Profiles > Services > RADIUS
• Start with default settings
• Using a custom profile allows for tuning

later if needed without impacting other
services based on same parent radiusLB
profile
Configure iRule for RADIUS Persistence
Local Traffic > iRules > iRule List
• Recommend iRule based on

client MAC address
• RADIUS Attribute/Value Pair =
31 = Calling-Station-Id
• Recommend copy and paste
working iRule into text area.
F5 iRule Editor
https://devcentral.f5.com/d/tag/irules%20editor
• Manage
iRules and
config files
• Syntax
checker
• Generate
HTTP
traffic
• Quick links
to tech
resources
Configure Persistence Profile for RADIUS
Local Traffic > Profiles > Persistence
• Enable Match Across Services
• If different Virtual Server IP

addresses used for RADIUS Auth
and Accounting, then enable Match
Across Virtual Servers (not
recommended)
• Specify RADIUS Persistence iRule
• iRule persistence timer overrides

profile setting.
Configure Server Pool for RADIUS Auth
Local Traffic > Pools > Pool List
• Health Monitor = RADIUS Monitor
• SNAT = No
• Action on Service Down = Reselect

• Ensures existing connections are
moved to an alternate server.
Configure Member Nodes in RADIUS Auth Pool
Local Traffic > Pools > Pool List > Members
• Load Balancing
Method options:
(node)
(member)
• Server Port:
1812 or 1645
Configure Server Pool for RADIUS Accounting

(same monitor used for RADIUS
Auth)
• SNAT = No

• Ensures existing connections are
moved to an alternate server.
Configure Member Nodes in RADIUS Accounting Pool
• Load Balancing
Method options:
(node)
(member)
• Fastest (application)
• Server Port:
1813 or 1646
Configure Virtual Server for RADIUS Auth (Properties)
Local Traffic > Virtual Servers > Virtual Server List
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or

specific network address.
• Destination = RADIUS Virtual IP
• Service Port = 1812 or 1645
RADIUS VIP
Configure Virtual Server for RADIUS Auth (Advanced)
Local Traffic > Virtual Servers
• Protocol = UDP
• Protocol Profile = udp or

custom UDP profile
• RADIUS Profile = radiusLB or
custom RADIUS profile
• Optional: Limit traffic to specific
VLAN(s)
• SNAT = None
Configure Virtual Server RADIUS Auth (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources
• Default Pool = RADIUS Auth Pool
• Default Persistence Profile =

RADIUS persistence profile
• Fallback Persistence Profile:
• RADIUS iRule setting overrides
value set here.
• If not configured in iRule, set
optional value here. Example:
radius_source_addr
Recommend create new

persistence profile based on
Source Address Affinity to allow
custom timers and match settings.
Configure Virtual Server for RADIUS Accounting
• Same settings as RADIUS Auth Virtual
Server but different service port and pool
RADIUS VIP
Configure SNAT Pool List for RADIUS CoA
Local Traffic > Address Translation > SNAT Pool List
• CoA traffic is initiated by PSN to

NADs on UDP/1700
• Define SNAT Pool List with RADIUS
Server Virtual IP as a pool member
Configure Virtual Server to SNAT RADIUS CoA (Properties)
• CoA traffic is initiated by PSN to NADs on

UDP/1700
• Type = Standard
• Source = PSN Network
• Destination = 0.0.0.0 / 0.0.0.0 (all hosts)

or specific network for all NADs
• Service Port = 1700
Configure Virtual Server to SNAT RADIUS CoA (Advanced)
• Protocol = UDP

VLAN(s)
• Source Address Translation = SNAT
• SNAT Pool = CoA SNAT Pool List
• Resources = None
Scaling Profiling and Database
Replication
Significant Attributes vs. Whitelist Attributes
Attributes that impact profile
Significant Attributes AAA-Server NADAddress FirstCollection
• Change triggers global replication Calling-Station-ID NAS-IP-Address TimeToProfile
Certificate Expiration Date NAS-Port-Id Total Certainty Factor
MACADDRESS Certificate Issue Date NAS-Port-Type User-Agent
ENDPOINTIP Certificate Issuer Name LastNmapScanTime AC_User_Agent
MATCHEDVALUE Certificate Serial Number NmapScanCount cdpCacheAddress
ENDPOINTPOLICY Description NmapSubnetScanID cdpCacheCapabilities
ENDPOINTPOLICYVERSION DestinationIPAddress 161-udp cdpCacheDeviceId
STATICASSIGNMENT Device Identifier OS Version cdpCachePlatform
Device Name OUI cdpCacheVersion
STATICGROUPASSIGNMENT
DeviceRegistrationStatus PolicyVersion ciaddr
NMAPSUBNETSCANID PortalUser dhcp-class-identifier
EndPointPolicy
PORTALUSER EndPointPolicyID PostureApplicable dhcp-requested-address
DEVICEREGISTRATIONSTATUS EndPointProfilerServer Product host-name
EndPointSource RegistrationTimeStamp hrDeviceDescr
Whitelist Attributes FQDN StaticAssignment
StaticGroupAssignment
ifIndex
ip
Framed-IP-Address
• Change triggers PSN-PSN replication IdentityGroup MDMImei lldpCacheCapabilities
and global ownership change IdentityGroupID MDMManufacturer lldpCapabilitiesMapSupported
IdentityStoreGUID MDMModel lldpSystemDescription
IdentityStoreName MDMOSVersion operating-system
Other Attributes L4_DST_PORT MDMPhoneNumber sysDescr
• Dropped if whitelist filter enabled; MACAddress MDMSerialNumber AUPAccepted
MatchedPolicy CreateTime BYODRegistration
Otherwise, only locally saved by PSN MatchedPolicyID UpdateTime
Inter-Node Communications
TCP/12001 JGroups Tunneled
JGroup Connections – Global Cluster
MnT (P) MnT (S)
MnT MnT
• All Secondary nodes* establish
connection to Primary PAN (JGroup
Controller) over tunneled connection
(TCP/12001) for config/database sync.
PAN PAN
Admin (P) Admin (S) • Secondary Admin also listens on
GLOBAL TCP/12001 but no connection
JGROUP established unless primary
CONTROLLER fails/secondary promoted
• All Secondary nodes participate in the
PSN PSN
PSN1 PSN2 Global JGroup cluster.
*Secondary node = All nodes

except Primary Admin node;
PSN includes PSNs, MnT and Secondary
Admin nodes
PSN3
Inter-Node Communications TCP/7800 JGroup Peer Communication
TCP/7802 JGroup Failure Detection
Local JGroups and Node Groups TCP/12001 JGroups Tunneled
MnT (P) MnT (S)
MnT MnT
• Node Groups can be used to define
local JGroup* clusters where
members exchange heartbeat and
sync profile data multicast or SSL.
PAN PAN
Admin (P) Admin (S) • PSN claims endpoint ownership only if
GLOBAL PSN1 isincurrent
change endpoint
whitelist owner
attribute; –
triggers
JGROUP DHCP
IP no database
inter-PSN sync replication even
of attributes. if
Whitelist
CONTROLLER Update
Address checkwhitelist
alwaysattribute changes of
occurs regardless
t=1
t=0
Change global attribute filter setting.
PSN
Fetch Attributes PSN
PSN1 PSN2 • Replication to PAN occurs if
Change PSN2 gets more current update
significant attribute changes, then
LOCAL Ownership for same endpoint and takes
sync all attributes via PAN; if whitelist
JGROUP ownership – fetches all attributes
CONTROLLER NODE GROUP A filter enabled, only whitelist attributes
from PSN1
(JGROUP A) synced to all nodes.
PSN
PSN3
*JGroups: Java toolkit for reliable multicast
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
communications between group/cluster members.
Cisco Confidential 129
• General classification data for given endpoint should stay

local to node group = whitelist attributes • Node groups continue to provide original
• Only certain critical data needs to be shared across entire function of session recovery for failed PSN.
deployment = significant attributes • Profiling sync leverages JGroup channel
• Each LB cluster should be a node group,
LB is NOT a
Load but LB is NOT required for node groups.
requirement for
Balancer
Node Group • Node group members should have GE LAN
NODE GROUP A
(JGROUP A) connectivity (L2 or L3)
• ISE 1.3 no longer uses UDP multicast
for JGroup
PSN1
PSN PSN
PSN2 • ISE 1.2 uses multicast with TTL=2;
max 1 hop)
L2 or L3 LAN
Switching • Reduces sync updates even if different
PSNs receive data – expect few whitelist
PSN
changes and even fewer critical attribute
changes. [IP change is significant attribute]
PSN3
MnT MnT
PAN PAN
• Profiling sync leverages JGroup channels

• All replication outside node group must
traverse PAN!
• If local Multicast fails, then nodes fall
back to Global JGroup communication
channel.
PSN1 PSN PSN PSN2 PSN4

PSN PSN PSN5
L2 or L3 LAN
Switching
NODE GROUP A NODE GROUP B
(JGROUP A) (JGROUP B)
PSN PSN
PSN3 PSN6
Configuring Node Groups
Recommended for ALL local PSNs! 2) Assign name and available multicast addres
• Administration > System > Deployment
1) Create node group
3) Add individual PSNs to node group
• Node group members may be L2 / L3 connected

• Multicast no longer required in ISE 1.3.
• ISE 1.2 uses multicast (TTL=2) and requires
multicast configuration on intermediate switches if separated by L3 hop
ISE Profiling Best Practices
Whenever Possible…
• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
Do NOT send profile data to multiple PSNs !
• Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
• For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…
• DHCP IP Helpers
• SNMP Traps
DO send profile data to single and same PSN or Node
• DHCP/HTTP with ERSPAN (Requires validation)
• Ensure profile data for a given endpoint is sent to the same PSN
Group !
• Same issue as above, but not always possible across different probes
• Use node groups and ensure profile data for a given endpoint is sent to same node
DO use Device Sensor !
group.
• Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
•
DO enable the Profiler Attribute Filter !
Avoid probes that collect the same endpoint attributes
• Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter
ISE Profiling Best Practices
General Guidelines for Probes
• HTTP Probe:
• Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
• Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent
SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• DHCP Probe:
•
•
Do NOT enable all probes by default !
Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
Avoid
• SNMP SPAN,
Probe: SNMP Traps, and NetFlow probes !
• Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low
session/re-auth timers) or frequent interim accounting updates.
• For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
• SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS
auth.
• NetFlow Probe:
Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.
Profiling Redundancy – Duplicating Profile Data
Sending Profile Data for the Same Endpoint to the Same Node Group / PSN
• Common config is to duplicate IP helper

data at each NAD to two different PSNs PSN-CLUSTER1
PSN
PSN1 (10.1.99.5)
or PSN LB Clusters (10.1.98.8)
DC #1 PSN
PSN2 (10.1.99.6)
• Different PSNs receive data and may
contend for ownership—increases
F5 LTM
PSN PSN3 (10.1.99.7)
replication
int Vlan10
DHCP Request PSN
PSN-CLUSTER2 PSN1 (10.2.101.5)
User (10.2.100.2)
PSN PSN2 (10.2.101.6)
DC #2
interface Vlan10 PSN PSN3 (10.2.101.7)
F5 LTM
ip helper-address <real_DHCP_Server
ip helper-address 10.1.98.8
Scaling Profiling and Replication
Using Anycast to Limit Profile Data to a Single PSN and Node Group
• Load Balancer VIPs host same target

IP for DHCP profile data PSN-CLUSTER1
PSN
PSN1 (10.1.99.5)
(10.1.98.8)
• Routing metrics determine which VIP DC #1 PSN
PSN2 (10.1.99.6)
receives DHCP from NAD
F5 LTM
PSN PSN3 (10.1.99.7)
int Vlan10
DHCP Request PSN
PSN1 (10.2.101.5)
User PSN-CLUSTER2
(10.1.98.8)
PSN PSN2 (10.2.101.6)
DC #2
interface Vlan10 PSN PSN3 (10.2.101.7)
F5 LTM
ip helper-address <real_DHCP_Server
Load Balancing Profiling
Services
For Your
Profiling Services using Load Balancers Reference
Which PSN Services Processes Profile Data?
• Profiling Probes
The following profile data can be load balanced to PSN VIP but may not be processed by same PSN that
terminated RADIUS:
• DHCP IP Helper to DHCP probe
• NetFlow export to NetFlow Probe Option to leverage Anycast to reduce
log targets and facilitate HA
• SNMP Traps
• SNMP Query Probe (triggered)

PSNs configured to send SNMP Queries will send query to NAD that sent RADIUS or SNMP Trap which
triggered query. Therefore, SNMP Query data processed by same PSN that terminated RADIUS request for
endpoint.
• SNMP Query Probe (polled)

Not impacted by load balancing, although possible that PSN performing polled query is not same PSN that
terminates RADIUS for newly discovered endpoints. PSN will sync new endpoint data with Admin. Since poll
typically conducted at longer intervals, this should not impact more real-time profiling of endpoints.
For Your
Profiling Services using Load Balancers (Cont.) Reference
Which PSN Services Process Profile Data?
• DNS Probe
Submitted by same PSN which obtains IP data for endpoint. Typically the same PSN that processes RADIUS,
DHCP, or SNMP Query Probe data.
• NMAP Probe
Submitted by same PSN which obtains data which matches profile rule condition.
• HTTP (via URL redirect)

URL redirect will point to PSN that terminates RADIUS auth so HTTP data will be parsed by same PSN.
• DHCP SPAN or HTTP SPAN

Since mirror port is associated to a specific interface on real PSN, cannot provide HA for SPAN data unless
configure multiple SPAN destinations to separate PSNs. No guarantee that same PSN that collects SPAN data
terminates RADIUS session.
Load Balancing Profiling Services
Sample Flow
DHCP Request to Helper IP 10.1.1.10 10.1.1.10

2 DHCP PSN
10.1.99.5
DHCP Response returned from DHCP Server Server
3
ISE-PSN-1
1 2 PSN
10.1.99.6
VIP: 10.1.98.8
Access ISE-PSN-2
Device F5 LTM
User
4 PSN
10.1.99.7
1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards DHCP request to ISE-PSN-3
real DHCP server and to secondary entry = LB VIP
3. Real DHCP server responds and provide client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on
source IP stick (L3 gateway) or DHCP field parsed from request.
Load Balancing Sticky Guidelines
Ensure DHCP and RADIUS for a Given Endpoint Use Same PSN
Persistence Cache:
11:22:33:44:55:66 -> PSN-3
10.1.99.5
MAC: 11:22:33:44:55:66 ISE-PSN-1

F5 LTM
RADIUS request to VIP
1 2
User 10.1.99.6
NAD RADIUS response from PSN-3
ISE-PSN-2
VIP: 10.1.98.8
DHCP Request IP Helper sends DHCP to VIP
3 4
10.1.99.7
5
1. RADIUS Authentication request sent to VIP @ 10.1.98.8.
ISE-PSN-3
2. Request is Load Balanced to PSN-3, and entry added to Persistence Cache
3. DHCP Request is sent to VIP @ 10.1.98.8
4. Load Balancer uses the same “Sticky” as RADIUS based on client MAC address
5. DHCP is received by same PSN, thus optimizing endpoint replication
iRule for DHCP Persistence Based on Client MAC (1of2)
Persistence based on DHCP Option 61 – Client Identifier (MAC Address)
• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
when CLIENT_ACCEPTED priority 100 {
# Rule Name and Version shown in the log

set static::RULE_NAME "Simple DHCP Parser v0.3"
set static::RULE_ID "dhcp_parser"
• Optional debug logging
# 0: No Debug Logging 1: Debug Logging • Enable for troubleshooting only to
set debug 1 reduce processing load
# Persist timeout (seconds)
set persist_ttl 7200 • Configurable persistence timeout
iRule for DHCP Persistence Based on Client MAC (2of2)
# extract value filed in hexadecimal format
binary scan $dhcp_option_payload x[expr $i + 2]a[expr { $length * 2
}] value_hex
set value ""
switch $option { Note: Example is excerpt
61 { # Client Identifier only—Not complete iRule
binary scan $value_hex a2a* ht id
switch $ht {
01 {
binary scan $id a2a2a2a2a2a2 m(a) m(b) m(c) m(d) m(e) m(f)
set value "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"
set option61 "$value"
set mac_up [string toupper $option61] # Normalize MAC
} default {
set value "$id"
persist uie $mac_up $persist_ttl
if {$debug}{
set target [persist lookup uie $mac_up]
log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME
competed ***** MAC=$option61 Normal MAC=$mac_up TARGET=$target“
iRule for DHCP Persistence – Sample Debug Output
Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443]
Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug)
***** iRule: Simple DHCP Parser v0.3 competed *****
MAC=00-50-56-a0-0b-3a Normal MAC=00-50-56-A0-0B-3A TARGET=

BOOTP: 0.0.0.0 00:50:56:a0:0b:3a

***** iRule: Simple DHCP Parser v0.3 executed *****

***** iRule: Simple DHCP Parser v0.3 competed *****
MAC=f0-25-b7-08-33-9d Normal MAC=F0-25-B7-08-33-9D TARGET=
Load Balancing Simplifies Device Configuration
L3 Switch Example for DHCP Relay
• Before !
interface Vlan10
description EMPLOYEE
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.100 <--- Real DHCP Server
ip helper-address 10.1.99.5 <--- ISE-PSN-1 Settings
ip helper-address 10.1.99.6 <--- ISE-PSN-2 impact each
ip helper-address 10.1.98.7 <--- ISE-PSN-3
! L3 interface
servicing
• After ! DHCP
interface Vlan10 endpoints
description EMPLOYEE
ip address 10.1.10.1 255.255.255.0
ip helper-address 10.1.100.100 <--- Real DHCP Server
ip helper-address 10.1.98.8 <--- F5 VIP
!
Load Balancing Simplifies Device Configuration
Switch Example for SNMP Traps
• Before !
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.99.5 version 2c public mac-notification snmp
!
• After !
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
!
F5 LTM Configuration Components for Profiling LB
UDP Profile
iRule Persistence
(Persistence) Profile
Virtual Server
Pool List
Member Nodes
Optional: Configure UDP Profile for Profiling
Local Traffic > Profiles > Protocol > UDP
• Using a custom profile allows for

tuning later if needed without
impacting other services based on
same parent UDP profile
• Disable Datagram LB
Optional: Configure iRule for DHCP Profiling Persistence
Local Traffic > iRules > iRule List
• Alternative to basic Source

Address-based persistence
• Sample iRule based on
client MAC address parsed
from DHCP Request
packets
• Allows DHCP for given
endpoint to persist to same
PSN serving RADIUS for
same endpoint
• Recommend copy and paste
working iRule into text area.
Optional: Configure Persistence Profile for Profiling

addresses used for DHCP Profiling
and RADIUS, then enable Match
Across Virtual Servers.
(Recommend use same IP address)
• Specify DHCP Persistence iRule
• iRule persistence timer overrides

profile setting.
Configure Server Pool for DHCP Profiling

• If PSN not configured for User Services
(RADIUS auth), then can use default
gateway_icmp monitor.

• Ensures existing connections are moved
to an alternate server.
Configure Member Nodes in DHCP Profiling Pool
Local Traffic > Pools > Members
• Load Balancing Method

= Round Robin
• Server Port = 67
(DHCP Server)
Configure Server Pool for SNMP Trap Profiling
Local Traffic > Pools
• Same settings as
DHCP Profiling Pool
except members
configured for UDP
Port 162.
Configure Virtual Server for DHCP Profiling (Properties)
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or

specific network address.
• Destination = Can be same as
RADIUS Virtual IP or unique IP.
Be sure to configure DHCP Relays/

IP Helpers to point to this IP address
• Service Port = 67
Configure Virtual Server for DHCP Profiling (Advanced)
• Protocol = UDP
• Protocol Profile = udp or

custom UDP profile
VLAN(s)
Configure Virtual Server for DHCP Profiling (Resources)
Local Traffic > Virtual Servers > Resources
• Default Pool = DHCP Profiling Pool
• Default Persistence Profile = Persistence

Profile based on Source Address Affinity, OR
DHCP persistence profile
• Fallback Persistence Profile:
o DHCP iRule setting overrides value set here.
o If not configured in iRule, set optional value
here. Example: profiling_source_addr
• If persistence profile based on Source
Address Affinity (source_addr), recommend
create new profile to allow custom timers
and “Match Across” settings.
Configure Virtual Server for SNMP Trap Profiling
• Same settings as DHCP Profiling Virtual
Server but different service port and pool.
Additionally, Default Persistence Profile

should be based on Source Address
Affinity (NAD IP address).
Load Balancing Web Services
F5 Load Balancing and URL-Redirected Web Services
Sample Flow
DNS Lookup = ise-psn-3.company.com

DNS
ISE-PSN-1
F5 LTM
1 RADIUS request to RADIUS VIP @ 10.1.98.8
NAD 10.1.99.6
RADIUS response from 10.1.98.8
User
3 VIP: 10.1.98.8 ISE-PSN-2
https://ise-psn-3.company.com:8443/...
2
5 HTTPS response from ise-psn-3.company.com
10.1.99.7
1. RADIUS Authentication requests sent to VIP 10.1.98.8. ISE-PSN-3

2. Requests for same endpoint load balanced to same PSN via RADIUS sticky.
3. RADIUS Authorization received from ise-psn-3 @ 10.1.99.7 with URL Redirect to ISE Certificate
https://ise-psn-3.company.com:8443/...&sessionId=0a012c5a0000... Subject CN =
4. Client browser redirected and resolves FQDN in URL to real server address. ise-psn-3.company.com
5. User sends web request directly to same PSN that serviced RADIUS request.
F5 Load Balancing Non-Redirected Web Services
Sample Flow
DNS Lookup = sponsor.company.com

DNS
https://sponsor.company.com ISE-PSN-1
F5 LTM
2 https://sponsor. company.com @ 10.1.98.8
10.1.99.6
https response from ise-psn-3 @ 10.1.99.7
Sponsor 4 Device
1. Browser resolves sponsor.company.com to VIP @ 10.1.98.8

10.1.99.7
2. Web request sent to https://sponsor.company.com @ 10.1.98.8 3
3. F5 load balances request to PSN based on IP or HTTP sticky
ISE-PSN-3
4. HTTPS response received from ise-psn-3 @ 10.1.99.7
Load Balancer NAT Guidelines for Web Traffic
URL-Redirected Traffic with Single PSN Interface
• No NAT Required
• Allow web portal traffic direct to PSN without NAT
10.1.99.0/24
10.1.98.0/24
.5 .6 .7 .x
.1 .8 .1
PSN PSN PSN PSN
10.1.10.0/24
.1
F5 LTM ISE-PSN-1 ISE-PSN-2 ISE-PSN-3 ISE-PSN-X
User
RADIUS session load-balanced to PSN @ 10.1.99.6
URL Redirect automatically includes FQDN/Interface IP of same PSN @ 10.1.99.6

https://ise-psn-2.company.com:8443/guestportal/Login...
Browser traffic redirected to IP for ise-psn-2.company.com:

https://10.1.99.6:8443/guestportal/Login...
SNAT on L3 Switch for Dedicated Web Interfaces (ISE 1.2)
URL-Redirected Traffic with Dedicated PSN Interface for Web Portals (Single F5 LTM interface)
• Source NAT portal traffic to simplify routing

• Maintains Path Isolation
10.1.99.0/24
10.1.98.0/24
.5 .6 .7 .x
.1 .8 .1
PSN PSN PSN PSN
10.1.10.0/24 .1
F5 LTM ISE-PSN-1 ISE-PSN-2 ISE-PSN-3 ISE-PSN-X
.5 .6 .7 .x
User
10.1.91.0/24
RADIUS session load-balanced to PSN @ 10.1.99.6.
URL Redirect automatically includes FQDN/Interface IP of Web Portal interface for same PSN @
10.1.91.6: https://ise-psn-2-guest.company.com:8443/guestportal/Login...
Source NAT web traffic from user networks destined to PSN web interfaces @ 10.1.91.x; translate to 10.1.91.x
(or any address block that can be statically added to PSN route table)
Ensures all Web requests received by PSN web interface are returned out same interface.
SNAT on F5 LTM for Dedicated Web Interfaces (ISE 1.2)
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces

10.1.99.0/24
L3
User A 10.1.10.0/24Switch 10.1.98.0/24
F5 LTM .5 .6 .7 .x
.1 .8 .1
PSN PSN PSN PSN
10.1.11.0/24
.1 ISE-PSN-1 ISE-PSN-2 ISE-PSN-3 ISE-PSN-X
.1
User B .5 .6 .7 .x
10.1.12.0/24
10.1.91.0/24
Direct-Access Portals: Enable SNAT on Virtual Servers for ISE Sponsor, My

User C Devices, and LWA portals.
URL-Redirected Web Portals/Services: Enable SNAT on F5 IP Forwarding

Virtual Servers.
Dedicated Web Interfaces under ISE 1.3
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces

10.1.99.0/24
L3
User A 10.1.10.0/24Switch 10.1.98.0/24
F5 LTM .5 .6 .7 .x
.1 .8 .1
PSN PSN PSN PSN
10.1.11.0/24
.1 ISE-PSN-1 ISE-PSN-2 ISE-PSN-3 ISE-PSN-X
.1
User B .5 .6 .7 .x
10.1.12.0/24
10.1.91.0/24
Response to traffic received on an interface sent out same interface if

User C
default route exists for interface: No SNAT required!
Default route 0.0.0.0/0 10.1.99.1 eth0

Default route 0.0.0.0/0 10.1.91.1 eth1
Dedicated Web Interfaces under ISE 1.3
Symmetric Traffic Flows
• Configure default routes for each interface to support symmetric return traffic
ise13-psn-x/admin# config t
Enter configuration commands, one per line. End with CNTL/Z.
ise13-psn-x/admin(config)# ip route 0.0.0.0 0.0.0.0 gateway 10.1.91.1
• Validate new default route

ise13-psn-x/admin# sh ip route
Destination Gateway Iface

----------- ------- -----
10.1.91.0/24 0.0.0.0 eth1

10.1.99.0/24 0.0.0.0 eth0
default 10.1.91.1 eth1
default 10.1.99.1 eth0
F5 LTM Configuration Components for HTTP/S LB
TCP Profile
Persistence
Profile
Virtual Server
Health Monitor Pool List
Member Nodes
Configure HTTPS Health Monitor
• Configure Send and Receive Strings appropriate to

ISE version
• Set UserName and Password to any value (does
not have to be valid user account)
• Alias Service Port = Portal Port configured in ISE
HTTPS Health Monitor Examples
• ISE 1.2 Example

• Send String: GET /sponsorportal/
• Receive String: HTTP/1.1 200 OK
• ISE 1.3 Example

• Send String:
GET /sponsorportal/PortalSetup.action?portal=Sponsor%20Portal%20%28default%29
• Receive String: HTTP/1.1 200 OK
Optional: Configure TCP Profile for HTTPS
Local Traffic > Profiles > Protocol > TCP
• Using a custom profile allows for

tuning later if needed without
impacting other services based on
same parent TCP profile
Configure Persistence Profile for HTTPS

addresses used for Web Services,
then enable Match Across Virtual
Servers
Generally recommend use same

VIP address for all portals
• Timeout = Persistence timer
Value of 1200 seconds = 20

minutes (default Sponsor Portal idle
timeout setting in ISE)
Configure Server Pool for Web Services
• Health Monitor = HTTPS Monitor
• Action on Service Down = None
Configure Member Nodes in Web Services Pool
• Load Balancing
Method options:
(node)
(member)
• Fastest (application)
• Server Port = 0
(all ports)
Configure Virtual Server for Web Portals (Properties)
• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific

network address.
• Destination = Web Portal Virtual IP
• Service Port = Web Portal Port

configured in ISE (default 8443)
Configure Virtual Server for HTTPS Portals (Advanced)
• Protocol = TCP
• Protocol Profile = tcp or custom TCP

profile
VLAN(s)
• Source Address Translation (SNAT)
• Single PSN interface: None
• Dedicated PSN interface (ISE 1.2): Auto
Map
• Dedicated PSN interface (ISE 1.3): None or
Auto Map
Configure Virtual Server HTTPS Portals (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources
• Default Pool = Web Portals Pool
• Default Persistence Profile = HTTPS

persistence profile
• Fallback Persistence Profile: Not required
Configure Virtual Server for Web Portals on TCP/443
• Virtual Server used to forward web

traffic sent to portal FQDN on default
HTTPS port 443
• PSNs will automatically redirect traffic
to FQDN to specific portal port / URL.
• Service Port = 443 (HTTPS)
Default HTTPS port used in initial
portal request by end user.
• All other Virtual Server settings the
same port-specific Virtual Server
(Example: ise_https8443_portals)
• Virtual Server used to forward web traffic

sent to portal FQDN on default HTTP
port 80
• PSNs will automatically redirect traffic to
FQDN to specific portal port / URL.
• Service Port = 80 (HTTP)
Default HTTP port used in initial portal
request by end user.
• All other Virtual Server settings the same
port-specific Virtual Server
(Example: ise_https8443_portals)
Optional HTTP -> HTTPS Redirect by F5 LTM
To configure F5 LTM to perform automatic

HTTP to HTTPS redirect instead of PSNs:
• Configure new http profile under Profiles >
Services > HTTP using default settings
• Configure new http class under Profiles >
Protocol > HTTP Class. Under Actions, set
redirect URL.
• Under Virtual Server for HTTP (TCP/80):
• Specify HTTP Profile under Advanced
Configuration
• Specify new HTTP Class under Resources >
HTTP Class Profiles.
Virtual Server List
Server Pool List
Global Load Balancing
Considerations
F5 BIG-IP GTM: Load Balancing Web Requests
Client-Based Load Balancing/Distribution Based on DNS Response
• Integrate Global LB using F5 BIG-IP GTM with Local LB using F5 BIG-IP LTM
ISE-PSN-14 ISE-PSN-15
F5 LTM
F5 LTM
PSN PSN
10.1.99.12 10.2.100.14 10.2.100.15

sponsor IN A 10.1.99.12
What is IP address for sponsor IN A 10.2.100.14 What is IP address for
sponsor.company.com? sponsor IN A 10.2.100.15 sponsor.company.com?
DNS SOA for company.com
10.1.60.105 10.1.99.12 F5 BIG-IP GTM 10.2.100.15 10.2.5.221
F5 BIG-IP GTM: Load Balancing Web Requests
Global Load Balancing/Distribution Based on Routing and DNS Response
• Example combines Anycast as DNS response
ISE-PSN-14 ISE-PSN-15
F5 LTM
F5 LTM
PSN PSN
10.1.99.12 10.1.99.12 10.1.99.12

mydevices IN A 10.1.99.12
What is IP address for lwa-portal1 IN A 10.1.99.12 What is IP address for
sponsor.company.com? lwa-portal2 IN A 10.1.99.12 sponsor.company.com?
DNS SOA for company.com
10.1.60.105 10.1.99.12 F5 BIG-IP GTM 10.1.99.12 10.2.5.221
Basic NAD-Based RADIUS Server Redundancy
Multiple RADIUS Servers Defined in Access Device
• Configure Access Devices with multiple RADIUS Servers.
• Fallback to secondary servers if primary fails
RADIUS Auth PSN PSN1 (10.1.2.3)
PSN
PSN2 (10.4.5.6)
User Network Access
Device PSN
PSN3 (10.7.8.9)
radius-server host 10.1.2.3 auth-port 1812 acct-port 1813

NAD-Based Redundancy to Different LTM LB Clusters
RADIUS Example – Different RADIUS VIP Addresses
• Configure access devices with each PSN PSN

F5-LTM1 PSN1 (10.1.99.5)
LB cluster VIP as a RADIUS Server. (10.1.98.8)
DC #1
• Fallback to secondary DC PSN
PSN2 (10.1.99.6)
if primary DC fails
PSN PSN3 (10.1.99.7)
Network Access
Device
RADIUS Auth PSN
F5-LTM2 PSN1 (10.2.101.5)
User
(10.2.100.2)
PSN PSN2 (10.2.101.6)
DC #2
PSN PSN3 (10.2.101.7)

RADIUS Example – Single RADIUS VIP Address using Anycast

F5-LTM1 PSN1 (10.1.99.5)
LB cluster VIP as a RADIUS Server. (10.1.98.8)
DC #1
• Fallback to secondary DC PSN
PSN2 (10.1.99.6)
if primary DC fails
PSN PSN3 (10.1.99.7)
Network Access
Device
RADIUS Auth PSN
F5-LTM2 PSN1 (10.2.101.5)
User
(10.1.98.8)
PSN PSN2 (10.2.101.6)
DC #2
PSN PSN3 (10.2.101.7)

Profiling Example – Different DHCP VIP Addresses

F5-LTM1 PSN1 (10.1.99.5)
cluster VIP as an IP Helper. (10.1.98.11)
DC #1
• Both Data Centers receive copy PSN
PSN2 (10.1.99.6)
of DHCP Profiling data
PSN PSN3 (10.1.99.7)
Network Access
Device
DHCP Relay PSN
F5-LTM2 PSN1 (10.2.101.5)
User
(10.2.100.3)
PSN PSN2 (10.2.101.6)
DC #2
interface VLAN 10 PSN PSN3 (10.2.101.7)
ip address A.B.C.D 255.255.255.0
ip helper-address X.X.X.X # Real
ip helper-address 10.1.98.11 # LTM1
ip helper-address 10.2.100.3 # LTM2
Profiling Example – Single DHCP VIP Address using Anycast
• Configure access devices with the single PSN

F5-LTM1 PSN1 (10.1.99.5)
PSN cluster VIP as an IP Helper. (10.1.98.11)
DC #1
• Fallback to secondary DC if routing to PSN
PSN2 (10.1.99.6)
primary DC fails
PSN PSN3 (10.1.99.7)
Network Access
Device
DHCP Relay PSN
F5-LTM2 PSN1 (10.2.101.5)
User
(10.1.98.11)
PSN PSN2 (10.2.101.6)
DC #2
PSN PSN3 (10.2.101.7)
interface VLAN 10
ip address A.B.C.D 255.255.255.0
ip helper-address X.X.X.X # Real
ip helper-address 10.1.98.11 # Anycast
Monitoring and
Troubleshooting
Live Log Output for Load Balanced Sessions
Synthetic Transactions
• Batch of test authentications generated from Catalyst switch:

# test aaa group radius radtest cisco123 new-code count 100
All RADIUS sent to

LB VIP @ 10.1.98.8
Requests evenly
distributed across
real servers:
ise-psn-1
ise-psn-2
ise-psn-3
Live Log Output for Load Balanced Sessions
Real Transactions
• All RADIUS sent to LB VIP @ 10.1.98.8
1• All phone auth is load balanced from VIP to ise-psn-3 @ 10.1.99.7

2• All PC auth is load balanced to ise-psn-1 @ 10.1.99.5; URL Redirect traffic sent to same PSN.
3• CoA is sent from same PSN that is handling the auth session.
4• dACL downloads are sent from switch itself without a Calling-Station-Id or Framed-IP-Address. Request can be
load balanced to any PSN. Not required to pull dACL from same PSN as auth.
3
4 2
1
Cisco ISE Monitoring and Troubleshooting
• Verify Operational Status of Cisco Components

• Validate ISE Nodes Online and Connected
• Check that PSNs are synchronized under Administration > Deployment.
• Verify the RADIUS Server status from the NADs.
• Verify Identity Stores such as AD and LDAP are connected to PSNs and traffic is not being dropped.
• ISE Authentications Live Log
• ISE Reports
• ISE Packet Capture using TCP Dump
• Logging Suppression and Collection Filters
Verify ISE Node Status
• Check Node Status from ISE Dashboard and under Administration > Deployment
Verify Health Monitor Is Authenticating Successfully
• Are Probes Failing?
Verify Health Monitor Is Authenticating Successfully
• If internal user used, is account enabled? Is password correct?
• If external user store used, is identity store connected?
F5 BIG-IP LTM Monitoring and Troubleshooting
• Verify Operational Status of F5 Components

• Virtual Server Status
• Pool Member Status
• Health Monitors
• Persistence Records
• iRule Debug and View Local Traffic Logs
• Packet Capture using TCP Dump
Verify Virtual Server and Pool Member Status
• Virtual Server Status • Pool Member Status
If node down, cluster impacted but

Server is still up. If connections
fail, verify persist entries cleared.
If Virtual Server down, then

all Pool Members are down
Viewing Persistence Records from the F5 Web Interface
• Persistence
Records
—Bad Example
• MAC addresses
are not
normalized so
separate persist
entries created
Viewing Persistence Records from the F5 Web Interface
• Persistence
Records
—Good Example
Viewing Persistence Records from the F5 BIG-IP LTM Console Interface
• Show Persistence Records for RADIUS Virtual Server

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm persistence
persist-records virtual ise_radius_auth
Sys::Persistent Connections
universal 10.1.98.8:1812 10.1.99.15:1812 0
universal 10.1.98.8:1812 10.1.99.15:1812 0
universal 10.1.98.8:1812 10.1.99.16:1812 0
universal 10.1.98.8:1812 10.1.99.17:1812 0
universal 10.1.98.8:1812 10.1.99.17:1812 0
Total records returned: 5
• Show Persistence Records for Specific Client Based on MAC address as Persist Key
root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm persistence
persist-records virtual ise_radius_auth mode universal key 7C-6D-62-E3-D5-05
Sys::Persistent Connections
universal 10.1.98.8:1812 10.1.99.16:1812 0
Total records returned: 1
Clearing Persistence Records and Connections from the F5 BIG-IP LTM Console Interface
• Delete Persistence Records for RADIUS Virtual Server

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete ltm persistence
persist-records virtual ise_radius_auth
• Delete All Persistence Records

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete ltm persistence
persist-records
• Delete Connections for RADIUS Auth Services

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys connection cs-
server-port 1812
• Delete All Connections

root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys connection
Network Topology, Routing, and Addressing Review
Key Components
• Clients / Endpoints
• Network Access Devices
• Intermediate infrastructure
• BIG-IP LTM appliances
• ISE PSN appliances
• Supporting services such as DNS, NTP, AD/LDAP, and Admin and MnT nodes
Network Topology, Routing, and Addressing Review
Other Troubleshooting Checklist Items
• Map out the expected path for each flow.
• Validate actual path taken by packets by reviewing configuration files, logs and packet
captures, routing tables, and ARP tables.
• Take into special consideration where NAT may be deployed and addresses change.
• If F5 appliance trunks multiple VLANs, note that packet captures may show both ingress
and egress packets where MAC addresses change but IP addresses do not. This can
sometimes cause confusion when analyzing packet captures.
• Verify symmetric path is taken and that no packets are being dropped using component
logs and debugs and packet captures.
Summary
Cisco ISE / F5 BIG-IP Load Balancing
Summary Review
• Cisco ISE is a comprehensive, context-based policy management system that can scale
services through the deployment of multiple Policy Service Nodes (PSNs).
• F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that
• F5 BIG-IP Global Traffic Manager (GTM) is a global load balancing solution that leverages
standard DNS to help ensure that users and applications are directed to the most available
and optimal server
• Integrating F5 BIG-IP load balancing solutions with ISE can:
• Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and availability
• Optimize ISE AAA, profiling, and database replication by ensuring same PSN services requests
• Simplify configuration management for network devices
• Improve overall user experience
Cisco Support References
 Your local Cisco Channel/Security SE
 Sales Assistance Center (SAC) -- 24 x 7 All countries, All timezones
Email: sac-support@cisco.com
Phone: +1-408-902-4872 (International)
800-225-0905 (US Toll Free )
8-902-4872 (within Cisco)
Live Chat: http://tinyurl.com/sacise
Website: sac.cisco.com (Cisco Internal)
 Cisco Support Communities: supportforums.cisco.com

 Tech Talks – Security Deep Dive Training Series: https://communities.cisco.com/docs/DOC-30977
 Tech Zone: https://techzone.cisco.com/t5/AAA-and-Identity-Management/ct-p/aaa
 ISE and TrustSec “How-To” and Design Guides:
http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html
F5 Support References
• BIG-IP LTM Configuration Guide https://support.f5.com/kb/en-us/products/big-
ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html
DevCentral F5 User Community
Over 105,000 Members in 191 Countries and Growing!
References
• Wikis
• API/SDK Documentation
Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs
Tools and Frameworks

• iRule Editor
• iControl SDK
• .NET, Java, Python,
Powershell, ...
• VMware vSphere Management
Plug-in
• Microsoft SCOM Monitoring
Pack
 F5 BIG-IP Product Trials – Trial, Eval, and Lab Licenses:
https://f5.com/products/trials/product-trials
 Cisco dCloud: http://dcloud.cisco.com/

 ISE / NFR POC Kit on MarketPlace: http://cisco.mediuscorp.com/ise
 ISE Configured Limited Deployment (COLD) Program: https://communities.cisco.com/docs/DOC-32999
 QuickStart Demo Series on YouTube “CiscoISE” channel: https://www.youtube.com/user/CiscoISE

 Public – Scheduled and On-Demand ISE Demos:
http://www.cisco.com/c/en/us/products/security/identity-services-engine/ise_demos.html
Questions?
Thank you.

DeployingF5LoadBalancerswithCiscoISE Techalk Security Dec04 2014

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

DeployingF5LoadBalancerswithCiscoISE Techalk Security Dec04 2014

Hochgeladen von

Copyright:

Verfügbare Formate

ISE 1.

3 F5-ISE Load Balancing

 Introducing F5 BIG-IP and Cisco ISE Solution Components

New VIPRION 2200 VIPRION 2400

Virtual Physical Hybrid

LTM is the Local Traffic Manager, it is a licensed

Virtual Server is the traffic management object

A node is a physical or logical

Each pool has its own load

A pool is a logical grouping of pool A node can be a member of

10 .2 .2 .10 0 :80 10 .2 .2 .10 0 :4 43

Each virtual server then directs the

The virtual server translates the

• Monitors are served from the Self IP addresses

BIG-IP LTM continues to

172.20.10.1 Yes 172.20.10.2 Yes 172.20.10.3 Yes 172.20.10.4

• The programming language integrated into

• Provide a full scripting language that enables

Using Persistence Profiles Using iRules for Radius Persistence

10 .2 .2 .10 0 :80 BIG-IP LTM directs the request to the

Current connection counts for

• BIG-IP LTM Configuration Guide https://support.f5.com/kb/en-us/products/big-

• BIG-IP LTM Support forum

• F5 University – LTM Training

Follow us on Twitter @f5Networks  Official F5 Networks Channel

• Static load balancing methods distribute connections in a fixed manner

10.2.2.100:80 BIG-IP LTM directs the request to

Current connection counts

This takes into account all Current connection counts

• Priority Group Activation

• BIG-IP LTM Configuration Guide

• BIG-IP LTM Support forum

• F5 University – LTM Training

Follow us on Twitter @f5Networks  Official F5 Networks Channel

Tools and Frameworks

Who What Where When How

Security Policy Attributes

Wired Wireless VPN

Virtual machine client, IP device, guest, employee, and remote user

 Policy Service Node (PSN) Can run in a single host

 Policy Administration Node (PAN)

 Monitoring & Troubleshooting Node (MnT)

 Inline Posture Node (IPN)

Network Access Policy Service Node Policy Administration Monitoring and

NAD PSN PAN MnT

Admin (P) Monitor (P) Policy Services Cluster Distributed

Scaling per PSN Platform Max # Endpoints per PSN

• Access Devices send RADIUS AAA requests to LB virtual IP.

PSN PSN PSN

Use Global Load Balancing (GTM) to direct traffic to closest VIP.

• RADIUS Authentication and Accounting Services

• URL-Redirected Services: Posture (CPP) / MDM / Central WebAuth (CWA) / Native

• Profiling Services: DHCP Helper / SNMP Traps / Netflow / RADIUS

DNS Lookup = ise-psn-3.company.com

1. RADIUS Authentication requests sent to VIP 10.1.98.8. ISE-PSN-3

DNS Lookup = sponsor.company.com

DHCP Request to Helper IP 10.1.1.10

VLAN 98 VLAN 99 10.1.99.5

NAS IP: 10.1.50.2 VIP: 10.1.98.8 LB: 10.1.99.1

• All traffic flows through LB including RADIUS, 10.1.98.2 10.1.99.1

• All outbound traffic from PSNs NAS IP: 10.1.50.2 ISE-PSN-2

Generally NOT RECOMMENDED due to DNS AD

NAS IP: 10.1.98.1

Generally NOT RECOMMENDED due to DNS AD