ISE 1.3 Load Balancing

Hello,
I've got 4 ISE appliances, 2 Administration and 2 PSN:
1 Administration primary / Monitoring secondary
2 Policy Service Node
3 Administration secondary / Monitoring Primary
4 Policy Service Node
Both PSNs are in the same Node Group. ISE is working fine, but it's not load balancing profiling: Corp WLAN is getting profiled by PSN 2 and guest WLAN is getting profiled by PSN 4. Is there a way to make both WLANs get profiled by a random PSN, like a load balancer?
BR,
Emerson

Hi Emerson-
Do you have a load balancer? If you do, you can load balance the sessions between the ISE nodes located in the node group. If not, you could do Anycast-based profiling. Check out this link, which goes over all of the different options that you have:
http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
I hope this helps!
Thank you for rating helpful posts!

Similar Messages

  • ISE 1.2 load balancing and Jgroups

    Hi,
    I would like to load balance PSN nodes. Instead of using a load balancer I would like to use JGroups, which I have seen in release 1.2 presentations. However, I am unable to find any information in the configuration guides detailing how to design and configure this feature. Has anyone seen more detail? Is it even possible to use this feature to load balance without a load balancer such as an F5, or have I misinterpreted the purpose of JGroups?
    Thanks in advance.

    JGroups is how DB sync/replication works in 1.2, which replaces the queuing mechanism in 1.1.
    But this should not be related to PSN LB? Do you mean you want to LB requests between several PSNs?
    Using F5 or ACE can help; also, 1.2 support for wildcard certificates will help address the cert warning problem.
    Sent from Cisco Technical Support iPad App

  • Ise & vlan load balancing (user balancing)

    As far as I know, and based on some experience in a test environment, it seems that Cisco ISE, among the two load-balancing RADIUS kinds of attributes, supports only VLAN group assignment; this means that on the switches VLAN group assignment is required.
    A second method of passing multiple VLANs or VLAN IDs by RADIUS attributes is not allowed.
    Am I wrong?
    The issue I'm trying to overcome is the following
    Subnet1     /24
    Subnet2     /22
    Many, many switches
    (and the situation can't be changed)
    Assuming the VLAN assignment is local to the switch and uses a round-robin method, once the IPs are exhausted on Subnet1 only half of the clients that authenticate will obtain an IP (on Subnet2), while the rest will get stuck on Subnet1 without an IP.
    The same situation comes up when considering an odd number of authenticated clients on every switch and two /24 subnets: it is quite possible that Subnet1 will be "full" before the second subnet is, falling into the previous situation.
    is there any solution?
    thank you in advance

    Don,
    You are right. I should have said - Forte uses its own partitioning scheme
    not the default scheme you see when you open partition workshop.
    Nirmal
    From: Don Nelson <[email protected]>
    To: Nirmal P Uppalapati <[email protected]>
    Cc: [email protected]
    Subject: Re: Load Balancing, User Visible Service objects, Running man
    Date: Wednesday, October 22, 1997 10:45 PM
    Nirmal,
    One note on the "running man"...
    At 08:12 PM 10/22/97 -0500, Nirmal P Uppalapati wrote:
    3. Running Man
    When you run an application by clicking on the running man Forte uses its default partitioning scheme and runs the application. The partition scheme that you made will be used only when you run the application distributed or from the partition workshop. This is the time you might encounter errors if your partitioning is not right.
    Actually, clicking on the "running man" from the repository or project workshop will cause the application to be run VERY differently than running it distributed.
    It's not technically correct to say that the default partitioning scheme is used with the running man.
    Forte consulting offers a deployment workshop that covers the finer points of this and other distributed issues.
    Don
    ============================================
    Don Nelson
    Regional Consulting Manager - Rocky Mountain Region
    Forte Software, Inc.
    Denver, CO
    Corporate voice mail: 510-986-3810
    aka: [email protected]
    ============================================
    "If you ask me, though, any game without push-ups, hits, burns or noogies
    is a sissy game." - Calvin

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer, and there is no requirement for wireless or guest users at the moment. I've got 2 points I would like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just one additional ip helper to add to our switch SVI config. Also, it appears that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN into scope. We use ACE load balancers within our DC, and from what I have read they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
    You can configure Radius and Profiling to be enabled on other interfaces
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations.
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    - Option 12: HostName of the client
    - Option 60: The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one from a couple of years ago (there are more recent ones available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!

  • To Load Balance or Not to Load Balance? ISE and F5 Big IP

    Currently my team is debating whether to put our two ISE appliances (PSN nodes) behind our F5 load balancing deployment.
    Our network is relatively small in size (5K users) with a small wireless deployment (4 Cisco controllers with 300 Access points). Network growth should remain relatively minimal over the coming years.
    We will be rolling out wired Dot1X, followed by posture assessment and remediation. (BYOD is not an option).
    On one hand, the Big IP features could make it easier for us to perform load balancing, maintenance and troubleshooting.
    On the other hand, the Big IP adds another element of complexity into an already complex deployment. We already have the capability to load balance from the switches themselves. Load balancing for wireless should not be an issue as our deployment is very small and I expect it to remain so. Given the size of my environment, there seems to be relatively little to gain for the additional effort and potential pitfalls.
    Would anyone care to share their honest opinion on this issue?
    Thanks,
    Phill

    Load balancers are elegant and do their job nicely when it comes to distributing the load between servers. You already have one so I would suggest using it if you have the technical expertise to configure it.
    With that being said, if your team is not 100% comfortable with F5 then you should definitely skip it. Instead, you can configure your WLCs to use Node #1 as primary and Node #2 as secondary RADIUS server, and then your switches to use Node #2 as primary and Node #1 as secondary.
    I hope this helps!
    Thank you for rating helpful posts!

  • Question about Load Balancing Wireless connections using WLC- F5- ISE

    Hi all,
    Can anyone give me some orientation on how the RADIUS auth process/handshake between the WLC and ISE changes once the F5 is installed in the middle in order to perform load balancing?
    We can do some kind of load balancing by configuring different RADIUS servers on each WLC, for which I must configure the same shared secret in the WLC and ISE so the RADIUS request/accept can be processed.
    Now that we have the F5 in the middle, do I need to create/configure the same shared secret in the F5 so RADIUS transactions can be processed by this device? Based on the following link, I must configure the F5 in the ISE like another NAD device (similar to the WLC), but I do not know if this additional configuration in the ISE includes the Auth parameter to be added in the ISE NAD (F5) configuration.
    How to properly use a load balancer in Cisco's Identity Services Engine
    http://www.networkworld.com/community/blog/load-balancing-cisco-identity-services-engine
    Our scheme is shown next,

    When you convert the pair into SSO, all the APs will go to the ACTIVE unit. No unit will "live" in the standby unit because this unit will "share" the AP-support license between the two.
    This is the first step you need to get sorted. Send an email to [email protected] and give them the exact details of what you want to do (i.e. AP SSO) and then provide the serial number of your nominated active WLC and the serial number of your nominated standby WLC.

  • ISE node group behind load balancer

    I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
    Having read through some documents, it looks like you can put multiple PSN's in a node group, and then place the node group behind a load balancer.
    Q1:
    Node group config requires multicast.
    Cisco ACE LB doesn't support multicast, except in bridge mode.
    How do people support a distributed deployment in a node group behind Cisco ACE?
    Q2:
    User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
    What if we need more than 4 PSN nodes to support our network & user base?
    Q3:
    Has anyone been able to implement distributed deployment between two datacenters behind GSS?
    If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
    thx!

    I have had close to zero experience with LBs so my answers will be limited:
    Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
    Q2: You will have to create a new node group with a new multicast address
    Q3: No help here
    Couple of other things to remember:
    1. The nodes must be layer 2 adjacent
    2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
    3. You must perform sticky
    4. The Load balancers must be listed as NADs in ISE
    Hope this provides some help to you.
    Thank you for rating!

  • Trying to load Balance several Cisco ISE servers.

    Trying to load balance several Cisco ISE servers. For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-address; Session-ID is recommended if the load balancer is capable of it. I have documentation for the Cisco ACE, but am using F5 LTMs. Assuming this has to be done with an iRule as none of these are available as a default. Not sure where to begin. I tried attaching the Cisco PDF, but was not able to for whatever reason.

    Please also keep in mind that when using a load balancer (anyone's) you must ensure a few things.
    Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (routed mode LB, not NAT). No Source-NAT. This includes the Accounting messages, not just the Authentication ones.
    This means the Load-Balancer must be in the direct path between the clients and the ISE PSNs.
    Some organizations have used Policy Based Routing (PBR) to accomplish the path, without physically locating the Load-Balancer between the clients and the PSNs.
    Endpoints (clients) must be able to reach each Policy Services Node directly (not going through the VIP) for redirections/Centralized Web Authentication/Posture Assessments/Native Supplicant Provisioning, and more.
    You may want to "hack" the certs to include the VIP FQDN in the SAN field (my next blog post should cover this trick).
    Perform sticky (aka persistence) based on Calling-Station-ID and Framed-IP-address.
    The VIP gets listed as the RADIUS server of each NAD for all 802.1X related AAA.
    Dynamic-Authorization (CoA):
    If you use Server NAT to replace the PSN IP address with the VIP address for Change of Authorization, then you would use the VIP address as the Dynamic-Authorization (CoA) client.
    Otherwise, use the real IP address of the PSN, not the VIP.
    The Load Balancers get listed as NADs in ISE so their test authentications may be answered, to keep the probes alive.
    ISE uses the Layer-3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a big reason to avoid SNAT.
    Failure Scenarios:
    The VIP is the RADIUS server, so if the entire VIP is down, then the NAD should fail over to the secondary DataCenter VIP (listed as the secondary RADIUS server on the NAD).
    Use probes on the Load-Balancers to ensure that RADIUS is responding, as well as HTTPS (at minimum).
    LB probes should send test RADIUS messages to each PSN periodically, to ensure that RADIUS is responding, not just look for open UDP ports.
    LB probes should also examine the response for HTTPS, not just look for the open port(s).
    Use node-groups with the L2-adjacent PSNs behind the VIP.
    If the session was in process and one of the PSNs in a node-group fails, then another member of the node-group will issue a CoA-reauth, forcing the session to begin again.
    At this point, the LB should have failed the dead PSN due to the probes configured in the LB, and so this new authentication request will reach the LB and be directed to a different PSN…
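    The persistence and probe points in the reply above (stickiness on Calling-Station-ID, then Framed-IP-address; probes that send real RADIUS messages and check the answer rather than just finding an open UDP port) as an added Python illustration. This is not code from the thread, from Cisco or from F5; it shows the logic an iRule or other LB policy would implement, and every packet, shared secret and address in it is constructed.

```python
"""Persistence-key extraction and probe validation for RADIUS in front of ISE PSNs.

Added illustration (not from the thread, Cisco or F5). All packets, secrets and
addresses below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

# RADIUS codes and attribute types from RFC 2865 used below.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
REPLY_MESSAGE, CALLING_STATION_ID = 18, 31


def build_packet(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet from (type, value bytes) attribute pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    """Parse header and attributes, rejecting malformed lengths a probe must not trust."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def persistence_key(packet, src_ip):
    """Sticky key in the order the thread recommends: Calling-Station-Id first,
    then Framed-IP-Address, and only as a fallback the NAD's layer-3 source
    address (which, without SNAT, is also how ISE identifies the NAD)."""
    attrs = parse_packet(packet)["attrs"]
    if CALLING_STATION_ID in attrs:
        # NADs format the MAC differently; uppercasing is a minimal normalisation.
        return "csid:" + attrs[CALLING_STATION_ID][0].decode("ascii", "replace").strip().upper()
    if FRAMED_IP_ADDRESS in attrs and len(attrs[FRAMED_IP_ADDRESS][0]) == 4:
        return "fip:" + str(ipaddress.IPv4Address(attrs[FRAMED_IP_ADDRESS][0]))
    return "src:" + src_ip


def sign_response(code, ident, request_authenticator, attrs, secret):
    """What a real RADIUS server does (RFC 2865 section 3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


def verify_response(response, request_authenticator, secret):
    """Probe-side check: only a server holding the shared secret can produce this
    digest, so a passing reply proves RADIUS answered, not merely that a port is open."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def probe_round_trip(secret, ident=1):
    """Constructed probe exchange: the LB's Access-Request and the PSN's signed reply."""
    req_auth = bytes(range(16))  # constructed; a real probe uses 16 random bytes
    request = build_packet(ACCESS_REQUEST, ident, req_auth, [(USER_NAME, b"lb-probe")])
    reply = sign_response(ACCESS_ACCEPT, ident, req_auth, [(REPLY_MESSAGE, b"ok")], secret)
    return request, reply, verify_response(reply, req_auth, secret)
```

    `probe_round_trip` returns the request, the reply and whether the reply authenticated; a reply built with the wrong secret, or altered in transit, fails `verify_response`.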

  • ISE behind load balancer

    I have a question regarding ISE profiling servers that are placed behind a load balancer:
    If you have an ISE environment where both computers and users are being authenticated, and Machine Access Restriction (MAR) is enabled (so users can only authenticate on a previously authenticated machine), are the ISE servers aware of all successful computer authentications handled by the other ISE servers?
    For example:
    There are 2 ISE appliances (ISE01 and ISE02) behind a load balancer.
    A user starts up his computer, and computer authentication is handled by ISE01 (and the authentication is successful). At the moment the user logs in on that computer, the load balancer chooses ISE02 to authenticate the user.
    Will ISE02 be aware that the corresponding computer was already successfully authenticated on ISE01, so that the user is able to log in? Or will it deny the user authentication because it thinks the computer is not (yet) authenticated and Machine Access Restrictions is enabled?
    Kind regards,
    Bert

    >> they are independent servers that just replicate their configuration.
    So a user should authenticate always with the same ISE.
    Moreover a load balancer kills profiling since profiling requires you to span some traffic to an ISE <<
    Not entirely correct. Policy Service nodes are most certainly supported behind a load balancer, which is the intention of a node group. This is often the preferred method for high availability and scaling. In addition to supporting load distribution of RADIUS and other requests, members of a node group maintain a heartbeat to determine if a peer member should fail. If so, the Monitoring node is queried to determine if there are any transient sessions which may require clean-up via RADIUS CoA to help ensure that an endpoint is left in a defunct auth state. LB functionality will depend on the load balancer used. Cisco ACE for example supports stickiness of RADIUS transactions based on source IP, Calling-Station-ID, or Framed-IP-Address.
    The impact of LB on profiling or other Policy Service node functions depends on the service/probe in question. For services like client provisioning, posture, and central web auth, HTTPS redirection always occurs back to the node which terminated the RADIUS session, so LB is transparent provided direct access is permitted to the real IP for redirected HTTPS transactions (RADIUS transactions would be sent to the virtual IP).
    Specific to profiling, SNMP Queries can be triggered and will be sent by the Policy Service node that received the RADIUS Accounting Start packet (assumes RADIUS probe enabled) or SNMP Trap (assumes SNMP Trap probe enabled). SPAN is only one data collection method, used primarily for HTTP or DHCP capture. Methods other than SPAN/RSPAN are available to capture this data, but if used, then it is correct that there is no specific mechanism to move SPANs from one interface to another in case of NIC or node failure. I believe intelligent taps are available that can accomplish this, or else traffic can be mirrored to multiple nodes at the cost of duplicating profile data.
    As noted, replication of MAR cache will be added to ACS 5.4, and no, this feature is not altogether trivial due to the number of transactions and updates that must be replicated and kept in sync across each node performing RADIUS services.
    /CH

  • ISE 1.2 and load balancing...

    I'm looking into configuring load balancing behind F5's. I know this can be done and have read the documentation on what is required. I still have a couple of questions about it:
    1. When you load balance the RADIUS traffic do you have to create separate VIP's for the auth and accounting ports (1812 & 1813)?
    2. Are there good configuration examples out there for VIP Configs and setting up the VIP's to run in routed mode?
    3. Are there any caveats or lessons learned that other people have experienced besides what is documented?
    Thanks.


  • Error while selecting Load Balancing in JCO creation

    While creating a JCo I am facing this error. It is working fine with a single server connection, but when I choose load balancing the error comes out. Please tell me the solution.
    I have read a couple of forum posts mentioning that you need to start both Portal and ECC.
    For your information, my Portal and Java are both on different boxes.
    com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to message server host failed Connect_PM  TYPE=B MSHOST=olameccpdvr GROUP=PUBLIC R3NAME=DVR MSSERV=sapmsDVR PCS=1 LOCATION    CPIC (TCP/IP) on local host with Unicode ERROR       service 'sapmsDVR' unknown TIME        Thu Feb 24 12:19:54 201 RELEASE     701 COMPONENT   NI (network interface) VERSION     38 RC          -3 MODULE      nixxhsl.cpp LINE        776 DETAIL      NiHsLGetServNo: service name cached as unknown COUNTER     5

    Is your backend system configured correctly in your SLD ?
    Go to transaction SMMS on the backend system that you are connecting to. Click on Goto => Parameters => Display. Look for the "server port" value.
    This should give you the TCP/IP port for your message server. It could be 3600 or 3601 (36NN - where NN is the instance number).
    In your services file, if you made the entry at the end of the file, press Enter (Return) after your entry.
    Try restarting your server after making the above changes.
    - Shanti

  • Error in creation of JCO with Load balancing server

    Hi,
    We are using an ABAP user base for our WEBAS server 6.40 (with ABAP+JAVA). I have created a Public group in the concerned ECC 5.0 system. I have already configured SLD, and then I maintained the data supplier bridge in SLD and ran RZ70 in the ECC 5.0 system to load system information. I can see the details in SLD.
    Now I am trying to create JCo connections. Here I am unable to create a JCo with the load balancing option. I get
    com.sap.mw.jco.JCO$Exception: (102) RFC_ERROR_COMMUNICATION: Connect to message server host failed Connect_PM  TYPE=B MSHOST=<servername> GROUP=PUBLIC R3NAME=SID MSSERV=sapms<SID> PCS=1 ERROR       service 'sapms<SID>' unknown TIME        Fri Jun 16 12:41:20 2006 RELEASE     640 COMPONENT   NI (network interface) VERSION     37 RC          -3 MODULE      ninti.c LINE        505 DETAIL      NiPGetServByName2: service 'sapms<SID>' not found SYSTEM CALL getservbyname_r COUNTER     1
    I am able to create a single server JCo, but it fails in load balancing. Is there anything I have missed out in the settings?
    Thanks and regards,
    Sudhir

    Thanks, Bogdan Rokosa
    I have the same problem, and solved it following the steps provided by Bogdan Rokosa:
    you must insert an entry for your R3 system
    (like: sapms<SID> 3600/tcp)
    in the services file
    (C:\WINDOWS\system32\drivers\etc\services) on the Java WAS.
    I tested the JCo successfully without restarting the J2EE Engine.

  • SAP GLM Print Request - Load Balancing of WWI server

    Hi GLM Experts,
    I am using the new GLM+ module that generates labels based on Print Requests. I am unable to understand how I can load balance the WWI services when there are multiple label printing requests.
    In GLM+ we associate a WWI to a Print Station, which can then be associated with a printer. So in the configuration we are tying a printer to a WWI.
    Also during label printing, if the scenario uses the print request module, then the user needs to select a print station and printer. What happens if the WWI related to the print station is down?
    For example, I have two services in WWI server, GENPC1 and GENPC2. I created WWI1 and WWI2 as two print stations. I will associate my printer PRNWWI to both the print stations WWI1 and WWI2.
    During label printing, if the user picks WWI1 and printer PRNWWI and the GENPC1 WWI server associated with print station WWI1 is busy or down, I want WWI GENPC2 to generate the label.
    How to set up the above load balancing or fallback? Please let me know.
    Thanks
    Pugal

    Dear Pugal
    We are not using GLM+ and I am not sure about the technique used there to handle load balancing. Regarding general WWI setup I assume you know this Note: EH&S: Availability and performance of WWI and Expert servers
    On top of that there is a further SAP Note available which might be of interest. This is referenced here:
    http://de.scribd.com/doc/191576739/011000358700000861002013-e
    Maybe check OSS note 1958655; OSS Note 1155294 is more related to normal WWI stuff, but maybe check it as well. Maybe 1934253 might help better.
    Maybe this might help.
    C.B.
    PS: maybe check as well: consolut - EHS_MD_140_01 - EH&S-Management-Server einrichten
    The load balancing of synchronous WWI servers is done in the "RFC" layer, therefore you have no influence here; for asynchronous WWI servers you can do a lot to manage the WWI load balancing by using "exits" etc.

  • APEX SSO and Load balancing: Could not determine workspace for application

    We had a single HTTP Server serving APEX in a 10.2.0.2 database configured with SSO to be used by the developers. APEX has been registered as a partner application and the login url has been CA Siteminder protected so that the SM_USER details are forwarded in the header for the application to use for authorization. Everything is fine so far.
    Now we have added an HTTP Server on another host and have it all set up for APEX, and it's pointing to the same database. APEX_ADMIN access works as normal, but applications previously using SSO now get the following error after entering the URL.
    Expecting p_company or wwv_flow_company cookie to contain security group id of application owner.
    Error ERR-7620 Could not determine workspace for application ().
    Using HTTP Watch I find that the application is not even trying to redirect to the login page.
    What is wrong here?

    APEX has been registered as a partner application as described in
    http://www.oracle.com/technology/products/database/application_express/howtos/sso_partner_app.html
    In the meantime I found metalink document 368746.1 which describes the cause of this problem. Please read carefully what I wrote: it all works when the new APEX web server is turned off in the server farm on the load balancer and requests are directed through the original web server. When running regapp.sql the hostname in the listener token was using the virtual hostname. This works fine if the request comes from the original APEX server, which proves that there is nothing wrong with the installation and setup of SSO. When directing the request to the new APEX web server the APEX_ADMIN page still works; only existing workspaces using SSO don't seem to work anymore, resulting in the error described in the subject.
    As for metalink document 368746.1 naming the causes of this error:
    - there are no duplicate entries in WWSEC_ENABLER_CONFIG_INFO$
    - LISTENER_TOKEN clearly works for requests coming from the first web server
    - theoretically the web server listener port could be changed from 7777, but port 80 needs to be maintained here as production is mimicked as far down as possible.
    Is there some cache table which can be cleared? How is it that the flows schema (apex engine) can not find the work space when the request comes from a new web server which can however access the APEX_ADMIN pages.
    anyone?

  • SSO with SAP R/3 with load balancing as backend over the Web AS

    Hi,
    we have Netweaver 2004 at this time and we have to connect the portal to a BSP application in a load balancing environment.
    We set user mapping for the user and set the connection type from SAPLOGONTICKET to UIDPW. This is running for a test environment with only one R/3 system without load balancing.
    Does anyone know the setting parameters for a load balancing environment (ok, the message server and...?).
    Thank you.
    Best regards
    Patrizia

    Hi all,
    I ran into the same problem. Setting up a mapping with UIDPW in a non load balanced WEB-AS environment for BSP or Web Dynpro for ABAP works fine. But if I set it up in a balanced system I can see the following behavior. The HTTP request is sent to the message server. This request encloses my mapped user and password. The message server responds with an HTTP 301 which contains one of my application servers, so far so good. The client sends a new request to the mentioned application server, but this time without the UIDPW. So the user will not be logged in.
    I was wondering if my backend has to issue logon tickets too, because today it only accepts tickets from the portal.
    Is this a bug or a feature?
    Regards,
    Bernd
