ISE behind load balancer

Similar Messages

• Site behind load balancer - Key not valid for use in specified state

  Hi,
  I have created a sharepoint application page to access an active end point on ADFS and establish a fedauth session. All works well in single server. But when the page runs behind load balancer with 2 servers, it fails with key not valid for use in specified
  state exception. Stickiness is enabled on load balancer. verified that.
  I had made few changes to config file in microsoft.identitymodel section to accomodate adfs custom login. This included removing securitytokenhandlers and issuertokenresolvers as well. Is this impacting the encryption/decryption in anyway?
  Any pointers would help.
  Reference point for my application page : http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=76

  Hi,
  As I understand, you encountered the error “Key not valid for use in specified state” when ADFS custom login.
  In order to run in Windows Azure Web Sites a Web application which uses WIF for handling authentication, you must change the default cookie protection method (DPAPI, not available on Windows Azure Web Sites) to something that will work in a farmed environment
  and with the IIS’ user profile load turned off.
  1. If you are using the Identity and Access Tools for VS2012, just go to the Configuration tab and check the box “Enable Web farm ready cookies”.
  2. If you want to do things by hand, add the following code snippet in your system.identitymodel/identityConfiguration element:
     <securityTokenHandlers>
       <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, 
               System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
              System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      </securityTokenHandlers>
  There is a similar case:
  http://stackoverflow.com/questions/19323287/key-not-valid-for-use-in-specified-state-error-for-net-4-5-mvc-4-application
  Best regards,
  Sara Fan
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• ISE node group behind load balancer

  I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
  Having read through some documents, it looks like you can put multiple PSN's in a node group, and then place the node group behind a load balancer.
  Q1:
  Node group config requires multicast.
  Cisco ACE LB doesn't support multicast, except in brige mode.
  How do people support distributed deployment in node group behind Ciso ACE?
  Q2:
  User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
  What if we need more than 4 PSN nodes to support our network & user base?
  Q3:
  Has anyone been able to implement distributed deployment between two datacenters behind GSS?
  If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
  thx!

  I have had close to zero experience with LBs so my answers will be limited:
  Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
  Q2: You will have to create a new node group with a new multicast address
  Q3: No help here
  Couple of other things to remember:
  1. The nodes must be layer 2 adjacent
  2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
  3. You must perform sticky
  4. The Load balancers must be listed as NADs in ISE
  Hope this provides some help to you.
  Thank you for rating!

• Ise & vlan load balancing (user balancing)

  As far as I know anb based on some esperience in a test environment it seems that cisco ISE among two load balancing radius kind of attributes supports only vlan gropu assignment, this means that on the switches vlan group assignment is required.
  A second method of passing multiple vlans or vlan IDs by radius attributes is not allowed.
  Am I wrong?
  The issue I'm trying to overcome is the following
  Subnet1     /24
  Subnet2     /22
  Many, many switches
  (and the situation can't be changed)
  Assuming the vlan assignment is local to the switch and with a round robin method, once the IPs are exhausted on Subnet1 only half of the clients that authenticate will obtain an IP (on Subnet2) while the rest will get stuck on Subnet1 without an IP
  The same situation comes up when considering an odd number of authenticated clients on every switch and with two /24 subnets: it is likely possible that Subnet1 will be "full" before the second subnet does falling in the previous situation.
  is there any solution?
  thank you in advance

  Don,
  You are right. I should have said - Forte uses its own partitioning scheme
  not the default scheme you see when you open partition workshop.
  Nirmal
  From: Don Nelson <[email protected]>
  To: Nirmal P Uppalapati <[email protected]>
  Cc: [email protected]
  Subject: Re: Load Balancing, User Visible Service objects, Running man
  Date: Wednesday, October 22, 1997 10:45 PM
  Nirmal,
  One note on the "running man"...
  At 08:12 PM 10/22/97 -0500, Nirmal P Uppalapati wrote:
  3. Running Man
  When you run an application by clicking on the running man Forte uses
  its
  default partitioning scheme and runs the application. The partitionscheme
  that you made will be used only when you run the application distributedor
  from the partition workshop. This is the time you might encounter errorsif
  your partitioning is not right.
  Actually, clicking on the "running man" from the repository or project
  workshop will cause the application to be run VERY differently thanrunning
  it distributed.
  It's not technically correct to say that the default partitioning schemeis
  used with the running man.
  Forte consulting offers a deployment workshop that covers the finerpoints
  of this and other distributed issues.
  Don
  ============================================
  Don Nelson
  Regional Consulting Manager - Rocky Mountain Region
  Forte Software, Inc.
  Denver, CO
  Corporate voice mail: 510-986-3810
  aka: [email protected]
  ============================================
  "If you ask me, though, any game without push-ups, hits, burns or noogies
  is a sissy game." - Calvin

• IPsec on hosts behind load balancing NAT

  Hi,
  I have a problem configuring IPsec tunnel between two sites, with one is using NAT for load balancing of TCP Traffic. I've been working on this for hours but i foung myself in a dead end.
  I have one router using NAT TCP load balancing of telnet traffic(in real deployment i need ftp load balancing, i am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
  So far i was no able to configure IPSec to work properly with this setup. I have working configuration with IPSec encrypting some traffic not destinated behind NAT, but once I add a line in the traffic specifying access lists on both sides the IPSec stops working(and it wont work from any site of the connection, from behind the NAT or destinated behind the NAT). The access list on the router performing NAT is configured to allow any traffic destinated to some specific addresses and the access list on the router with connected hosts specifies that any connection destinated to the global address, where the server are reachable, should be encrypted.
  On the side where the traffic comes from i allways see a debug output like this:
  ar  1 05:23:54.294: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
      local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
      remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
      protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
      lifedur= 3600s and 4608000kb,
      spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
  195.10.0.1 is my global address for the FTP server
  on the side where the encryption should be terminated i allways see an output like this:
  *Mar  1 05:23:54.130: map_db_find_best did not find matching map
  *Mar  1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
  But i can see that there is a crypto map for address 10.0.10.1
  RA#sh cryp map
  Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
  I tried to use some of the NAT traversal techniques for IPSec but without any success.
  If you have any idea what could be the problem or if you need any additional information or debugging output i will be glad for any help.
  Thanks, Adrian

  This is a lab scenario and i want to test for my learning how IPSec would work in such a case.
  I have tried it but IPSec doesnt work with standard configuration. Below is the configuration
  I have configured 2 loopback. on R1: 100.1.1.1
  on R2: 200.1.1.1
  R1:
  crypto isakmp policy 10
   auth pre
   enc des
   hash md5
   group 2
  crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
  crypto ipsec transform-set test esp-des esp-md5-hmac
   mode tunnel
  access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
  crypto map test 10 ipsec-isakmp
   mat address 101
   set peer 10.1.1.1
   set transform-set test
  ip route 0.0.0.0 0.0.0.0 10.1.0.2
  R2:
  crypto isakmp policy 10
   auth pre
   enc des
   hash md5
   group 2
  crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
  crypto ipsec transform-set test esp-des esp-md5-hmac
   mode tunnel
  access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
  crypto map test 10 ipsec-isakmp
   mat address 101
   set peer 10.1.3.1 (it will be 10.1.3.1-natted ip right ?)
   set transform-set test
  ip route 0.0.0.0 0.0.0.0 10.1.1.2
  Now when i ping from R1:
  ping 200.1.1.1 source 100.1.1.1
  its not successful. Why doesnt it work any idea ?

• Access Manager 6 2005Q1 naming service behind load balancer

  Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
  Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
  All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
  The load balancer VIP is setup in active/failover mode so all requests go to one server. We implemented it this way because our load balancers do not support SSL with cookies.
  The data returned to the agent from a call to the naming service contains the host name of our AM hosts instead of the load balancer VIP. Subsequent calls from the agent to AM bypass the load balancer and go directly to one of the AM hosts.
  We are looking to upgrade our load balancers to a version that supports cookies with ssl in order to take advantage of the second AM host.
  How do we configure AM so the values returned by the naming service contain the load balancer VIP instead of the actual AM host names?

  Bernhard,
  We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not availalbe in the PA agent properties but only in the Java SKD. Indeed we do not see such a key in the new Web PA AMAgent.properties.
  Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed thru the load balancer? Below are the setting in our AMAgent and AMConfig properties files
  AMAgent.properties
  com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
  com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
  AMConfig.properties
  com.iplanet.am.server.protocol=https
  com.iplanet.am.server.host=am.mydomain.com
  com.iplanet.am.server.port=443
  com.iplanet.am.console.protocol=https
  com.iplanet.am.console.host=lb-mydomain.com
  com.iplanet.am.console.port=443
  com.iplanet.am.profile.host=lb-mydomain.com
  com.iplanet.am.profile.port=443
  com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
  com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notifica
  tionservice
  If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be partof our issue or not. Please comment.
  Thanks,
  Craig

• Livecycle Connector to Sharepoint behind load balancer

  In the environment of our customer, there is a load balancer in front of 2 sharepoint servers.
  Then the PDF document is uploaded from the Livecycle server to sharepoint (via the load balancer).
  However, occasionally it will fail to place the PDF to the folder specified, and placed on the outermost folder in sharepoint. 
  May we have any hint to fix the problem?
  Thanks.
  Raymond

  Trevor,
  I'm sorry to say that extending the Default zone to, say, Internet, did not change the behavior... even with the introduction of host header information.  Could it be something to do with my use of ports?  I am very new to SharePoint. Should I
  be extending the applications (I have many on the same server) and use host header information in place of using any explicit port information when creating these extended zones?
  Tommy S. Armstrong II

• OAM Webgate Ip validation problem caused by load balancer...

  Hi all,
  In my topology, i have 5 webgates on 5 OHS web servers running in reverse proxy mode . Those web servers are behind load balancer. Since load balancer is working in proxy mode, all requests seems to be coming from load balancer vip and this prevents ip validation at webgate side . Does anybody think that it is possible to solve this issue without changing load balancer configuration..
  Regards,

  Hi,
  Randat, how can i reconfigure ip validation against x-forwarded-for? A custom authz plugin, or only a configuration change ? I'll keep on searching on this solution, but if you can share your solution , it'll be appriciated..
  Ambarishmitra, i want to use ip validation but since all requests are coming from single ip i can't distinguish client ip's, that's my problem..
  Thank you both,
  Regards..

• How to monitor targets which are controlled by LOAD BALANCING mechanism

  Hi,
  I have installed Enterprise Manager 10.1.0.3 and upgraded it to 10.1.0.5. Then i have applied the Application plug-in patch for managing Oracle Applications.In my environment, we have two concurrent managers and four forms servers which are using Load Balancer.Please let me how to manage these concurrent managers and forms servers in that scenario.Would highly appreciate your suggestions regarding the same.Thanks in advance.
  Regards,
  Vamsi Manyam

  This note shows how to configure OEM behind a load balancer.
  The question was how to use OEM, not behind a load balancer, to monitor other targets which are behind one or different load balancers.
  For example, to monitor :
  Forms on server A and B behind load balancer LB1.
  Forms on server C and D behind load balancer LB1.
  Forms on server E and F behind load balancer LB2.
  Gary

• ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

  Hello guys
  Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I will like to get some guidance on:
  Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
  I intend to use the DHCP probe as part of device profiling and will ideally like to have just an additional ip helper to add to our switch SVI config. Also, it will appear that WLCs can only be configured for 2 DHCP servers for a given network so another consideration for when we bringing our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
  Thanks in advance
  Sayre

  Hello Sayre-
  For Question #1:
  Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
  You can configure Radius and Profiling to be enabled on other interfaces
  Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
  Take a look at this link for more info:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
  For Question #2
  If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
  The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
  –Option 12—HostName of the client
  –Option 60—The Vendor Class Identifier
  After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
  Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
  On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years (There are more recent ones that are available as well):
  http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
  I hope this helps!
  Thank you for rating helpful posts!

• To Load Balance or Not to Load Balance? ISE and F5 Big IP

  Currently my team is debating whether to put our two ISE appliances (PSN nodes) behind our F5 load balancing deployment. 
  Our network is relatively small in size (5K users) with a small wireless deployment (4 Cisco controllers with 300 Access points). Network growth should remain relatively minimal over the coming years. 
  We will be rolling out wired Dot1X, followed by posture assessment and remediation. (BYOD is not an option). 
  On one hand, the Big IP features could make it easier for us to perform load balancing, maintenance and troubleshooting. 
  On the other hand, the Big IP adds another element of complexity into an already complex deployment. We already have the capability to load balance from the switches themselves. Load balancing for wireless should not  be an issue as our deployment is very small and I expect it to remain so. Given the size of my environment, there seems to be relatively little to gain for the additional effort and potential pitfalls. 
  Would anyone care to share their honest opinion on this issue?
  Thanks, 
  Phill

  Load balancers are elegant and do their job nicely when it comes to distributing the load between servers. You already have one so I would suggest using it if you have the technical expertise to configure it.
  With that being said, if your team is not 100% comfortable with F5 then you should definitely skip it. Instead, you can configure your WLCs to use Node #1 as primary and Node #2 as secondary Radius server and then your Switches to use Node #2 as primary and Node#1 as secondary. 
  I hope this helps!
  Thank you for rating helpful posts!

• Trying to load Balance several Cisco ISE servers.

  Trying to load Balance several Cisco ISE servers.  For persistence, Cisco recommends using Calling-Station-ID and Framed-IP-address...Session-ID is recommended if load balancer is capable of it.  I have documentation for the Cisco ACE, but using F5 LTM's.  Assuming this has to be done with an I-Rule as none of these are available as a default.  Not sue where to begin.  I tried attaching the Cisco PDF, but not able for whatever reason.

  Please also keep in mind that When using a Load-Balancer (anyone's) you must ensure a few things.
  Each PSN must be reachable by the      PAN /  MNT directly, without having to go through NAT (Routed mode LB,       not NAT). No Source-NAT. This includes the Accounting      messages, not  just the Authentication ones.
  This means the       Load-Balancer must be in the direct path between the clients and the ISE PSNs.
  Some       organizations have used Policy  Based Routing (PBR) to accomplish the       path, without physically  locating the Load-Balancer between the clients       and the PSNs.
  Endpoints (clients) must be able      to  reach each Policy Services Node Directly (not going through the VIP) for       redirections/Centralized Web Authentication/Posture  Assessments/Native      Supplicant Provisioning, and more.
  You may want to "hack"      the certs to include the VIP FQDN in the SAN field (my next blog post      should cover this trick).
  Perform sticky (aka: persistence)      based on Calling-Station-ID and Framed-IP-address.
  VIP gets listed as the RADIUS      server of each NAD for all 802.1X related AAA.
  Dynamic-Authorization (CoA):
  If you use       Server NAT to replace the  PSN IP address with the VIP Address for Change       of Authorization,  then you would use the VIP address as the       Dynamic-Authorization  (CoA) client.
  Otherwise, use       the real IP Address of the PSN, not the VIP.
  The LoadBalancers get listed as      NADs in ISE so their test authentications may be answered, to keep the      probes alive.
  ISE uses the Layer-3 Address      to  identify the NAD, not the NAS-IP-Address in the RADIUS packet. This       is a big reason to avoid SNAT.
  Failure Scenarios:
  The VIP is the RADIUS Server, so      if the  entire VIP is down, then the NAD should fail over to the Secondary       DataCenter VIP (listed as the secondary RADIUS server on the NAD).
  Use probes on the Load-Balancers      to ensure that RADIUS is responding, as well as HTTPS (at minimum).
  LB Probes       should send test RADIUS  messages to each PSE periodically, to ensure that       RADIUS is  responding, not just look for open UDP ports.
  LB Probe should       also examine the response for HTTPS, not just look for the open port(s).
  Use node-groups with the L2-adjacent      PSN's behind the VIP.
  If the       session was in process and one  of the PSN's in a node-group fails,       then another member of the  node-group will issue a CoA-reauth; forcing       the session to begin  again. 
  At this point,       the LB should have  failed the dead PSN due to the probes configured       in the LB; and so  this new authentication request will reach the LB &       be  directed to a different PSN…

• ISE 1.3 Load Balancing

  Hello,
  I've got 4x ISE appliance, 2x Administration and 2x PSN
  1 Administration primary / Monitoring secondary
  2 Policy Service Node
  3 Administration secondary / Monitoring Primary
  4 Policy Service Node
  Both PSN's are in the same Node Group... ISE is working fine, but it's not load balancing profiling, Corp WLAN is getting profiled by PSN 2 and guest WLAN is getting profiled by PSN 4... Is there a way to make both WLAN's to get profiled by random PSN? Like a load Balancer?
  BR,
  Emerson

  Hi Emerson-
  Do you have a load balancer? If you do you can load balance the sessions between the ISE nodes located in the node group. If not you could do Anycast based profiling. Check this link out that goes over all of the different options that you have:
  http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
  I hope this helps!
  Thank you for rating helpful posts!

• ISE 1.2 and load balancing...

  I'm looking into configuring load balancing behind F5's. I know this can be done and have read the documentation on what is required. I still have a couple of questions about it:
  1. When you load balance the RADIUS traffic do you have to create separate VIP's for the auth and accounting ports (1812 & 1813)?
  2. Are there good configuration examples out there for VIP Configs and setting up the VIP's to run in routed mode?
  3. Are there any caveats or lessons learned that other people have experienced besides what is documented?
  Thanks.

  jgroup is how db sync/ replication work in 1.2, which replace the queuing mechnism in 1.1.
  but this should not be related to PSN LB? do you mean you want to lb requests between several PSNs?
  using F5 or ACE can help, also 1.2 support wildcard certificate will help address the cert warning problem.
  Sent from Cisco Technical Support iPad App

• Load Balancing behind firewall

  Hi,
  Can load balancing be done behind a firewall with CSS. For e.g. CSS (on the outside of the firewall) load balances on the servers connected to the DMZ of the firewall.
  If so, should there be any performance issues. And what if the firewall had IPS functionality as well.
  Regards.

  It can be done. You need to make sure
  1. Holes are punched in the Firewall form probe traffic (CSS -> Servers)
  2. Return traffic from the servers should not Bypass the CSS. (Firewall should handover the responses from servers back to CSS). You can use source nat on CSS for this purpose.
  Thanks
  Syed Iftekhar Ahmed