ISE Load Balancing Using BIG-IP
Topology
ISE Cluster
ISE logging
F5 network device
F5 probe user
Virtual Server: LTM Forwarding IP Configuration - Inbound
Virtual Server: LTM Forwarding IP Configuration - Outbound
Add WLC as network device and user creation in ISE
Local user creation
ISE Policy set
Health Monitor: radius_1812
ISE Filtering and Log Suppression
iRule: radius_macip_sticky
# ISE persistence iRule based on Calling-Station-Id (Client MAC Address) and Framed-IP-Address (Client IP address)
when CLIENT_ACCEPTED {
    set framed_ip [RADIUS::avp 8 ip4]
    set calling_station_id [RADIUS::avp 31 "string"]
    # log local0. "Request from $calling_station_id:$framed_ip"
    persist uie "$calling_station_id:$framed_ip"
}
iRule: radius_mac_sticky
# ISE persistence iRule based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address as persistence identifier
when CLIENT_DATA {
    # 0: No Debug Logging 1: Debug Logging
    set debug 0
    # Persist timeout (seconds), chosen by NAS-Port-Type (19 = Wireless-802.11)
    set nas_port_type [RADIUS::avp 61 "integer"]
    if {$nas_port_type equals "19"} {
        set persist_ttl 3600
        if {$debug} {set access_media "Wireless"}
    } else {
        set persist_ttl 28800
        if {$debug} {set access_media "Wired"}
    }
    # If MAC address is present - use it as persistent identifier
    # See Radius AV Pair documentation on https://devcentral.f5.com/wiki/irules.RADIUS__avp.ashx
    if {[RADIUS::avp 31] ne ""} {
        set mac [RADIUS::avp 31 "string"]
        # Normalize MAC address to upper case
        set mac_up [string toupper $mac]
        persist uie $mac_up $persist_ttl
        if {$debug} {
            set target [persist lookup uie $mac_up]
            log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
        }
    } else {
        set nas_ip [RADIUS::avp 4 ip4]
        persist uie $nas_ip $persist_ttl
        if {$debug} {
            set target [persist lookup uie $nas_ip]
            log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
        }
    }
}
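The same key selection that radius_mac_sticky performs, written as an added Python example (not part of the original post or of F5's iRules) so the logic can be checked off-box: the RADIUS header and attribute TLVs are parsed per RFC 2865, Calling-Station-Id (31) is upper-cased and used when present, NAS-IP-Address (4) otherwise, and the TTL follows NAS-Port-Type (61). The Access-Request packets are constructed test input with an all-zero Authenticator.

```python
import struct

# RADIUS attribute types used by the radius_mac_sticky iRule (RFC 2865)
NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 4, 31, 61
WIRELESS_80211 = 19  # NAS-Port-Type value the iRule treats as wireless


def parse_avps(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} from a RADIUS packet (20-byte header + TLVs)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    avps, pos = {}, 20  # skip Code, Identifier, Length and the 16-byte Authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        avps.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return avps


def persistence_key(packet: bytes) -> tuple:
    """(key, ttl) as radius_mac_sticky chooses them: upper-cased Calling-Station-Id
    if present, else NAS-IP-Address; 3600 s for wireless, 28800 s otherwise."""
    avps = parse_avps(packet)
    port_type = avps.get(NAS_PORT_TYPE)
    wireless = port_type is not None and struct.unpack("!I", port_type[0])[0] == WIRELESS_80211
    ttl = 3600 if wireless else 28800
    if CALLING_STATION_ID in avps:
        return avps[CALLING_STATION_ID][0].decode("ascii").upper(), ttl
    return ".".join(str(b) for b in avps[NAS_IP_ADDRESS][0]), ttl


def build_access_request(avps) -> bytes:
    """Constructed Access-Request (Code 1) with an all-zero Authenticator; test input only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: a wireless request carrying Calling-Station-Id, a wired one without it
WIRELESS_REQ = build_access_request([
    (1, b"alice"),
    (NAS_IP_ADDRESS, bytes([10, 1, 1, 1])),
    (CALLING_STATION_ID, b"aa-bb-cc-dd-ee-ff"),
    (NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211)),
])
WIRED_REQ = build_access_request([
    (NAS_IP_ADDRESS, bytes([10, 1, 1, 2])),
    (NAS_PORT_TYPE, struct.pack("!I", 15)),  # 15 = Ethernet
])
```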
UDP Profile: ise_radius_udp
Radius Profile: ise_radiusLB
Persistence Profile: radius_sticky
Nodes
radius_auth_pool
radius_acct_pool
Virtual Server - ise_radius_auth
Virtual Server - ise_radius_acct
WLC configuration
Source NAT for RADIUS CoA
SNAT Pool: radius_coa_snatpool
Virtual Server: RADIUS-COA-SNAT
Load Balancing DHCP Profiling Data
interface GigabitEthernet0/1.88
 encapsulation dot1Q 88
 ip address 172.88.88.1 255.255.255.0
 ip helper-address 202.100.10.11   <--- F5 VIP
UDP Profile: ise_profiling_udp
iRule: dchp_mac_sticky
#
# DHCP Option Field Parser rev 0.3 (2013/02/25)
#
# Written By: Shun Takahashi
#
# Original By: Jun Chen (j.chen at f5.com)
# Original At: https://devcentral.f5.com/community/group/aft/25727/asg/50
#
# Description: iRule to demonstrate how to capture and binary scan UDP payload
#              and store them into session table for logging enrichment and
#              intelligent traffic steering decision.
#
#              RFC2131 defines DHCP packet structure. This iRule is to scan
#              UDP payload and store information into session tables with
#              your_ip as a key.
#
#              All the option and value is stored into following session table.
#
#              [table set -subtable <your_ip_addr> <option> <value>]
#
# Requirement: The rule requires virtual server to listen on DHCP traffic in the
#              middle either in inline or out of band.
#
#              1) In-Line to DHCP traffic
#
#              profile udp udp_dhcp {
#                  allow-no-payload disabled
#                  app-service none
#                  datagram-load-balancing disabled
#                  idle-timeout immediate
#                  ip-tos-to-client 0
#                  link-qos-to-client 0
#                  proxy-mss disabled
#              }
#
#              ltm virtual vs_dhcp {
#                  destination 0.0.0.0:bootps
#                  ip-protocol udp
#                  mask any
#                  profiles {
#                      udp_dhcp { }
#                  }
#                  rules {
#                      dhcp_sampler
#                  }
#                  source 0.0.0.0/0
#                  translate-address disabled
#                  vlans {
#                      local
#                  }
#                  vlans-enabled
#              }
#
#              2) Receiving mirrored DHCP stream
#
# References:  RFC 2132 DHCP Options and BOOTP Vendor Extensions
#              RFC 1533 DHCP Options and BOOTP Vendor Extensions (Obsoleted)
#              RFC 4702 The Dynamic Host Configuration Protocol (DHCP) Client
#                       Fully Qualified Domain Name (FQDN) Option
#
timing off
when CLIENT_ACCEPTED priority 100 {
    # Rule Name and Version shown in the log
    set static::RULE_NAME "Simple DHCP Parser v0.3"
    set static::RULE_ID "dhcp_parser"
    # 0: No Debug Logging 1: Debug Logging
    set debug 1
    # Persist timeout (seconds)
    set persist_ttl 7200
    # Using High-Speed Logging in this rule
    set log_prefix "\[$static::RULE_ID\]([IP::client_addr])"
    set log_prefix_d "$log_prefix\(debug\)"
    if {$debug}{log local0.debug "$log_prefix_d ***** iRule: \
        $static::RULE_NAME executed *****"}
    if { [UDP::payload length] < 200 } {
        log local0.info "$log_prefix Ignored due to length\(less than 200 octet\)"
        drop
        return
    } else {
        # BOOTP: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
        # and the first 6 bytes of chaddr (the client MAC for hlen 6)
        binary scan [UDP::payload] ccccH8SB1xa4a4a4a4H2H2H2H2H2H2 \
            msg_type hw_type hw_len hops transaction_id seconds \
            bootp_flags client_ip_hex your_ip_hex server_ip_hex \
            relay_ip_hex m(a) m(b) m(c) m(d) m(e) m(f)
        # Put client address into variables for session key
        set your_ip [IP::addr $your_ip_hex mask 255.255.255.255]
        set client_mac "$m(a):$m(b):$m(c):$m(d):$m(e):$m(f)"
        # Remaining fixed fields after byte 34: 10 bytes of chaddr padding,
        # sname (64 bytes), file (128 bytes) and the 4-byte magic cookie
        binary scan [UDP::payload] x34H20H128H256H8 \
            padding server_host_name boot_file magic_cookie
        if {$debug}{log local0.debug "$log_prefix_d BOOTP: $your_ip $client_mac"}
        # Default persistence key is the chaddr MAC; Option 61 below overrides it when
        # present, so persist/lookup never reference an unset variable
        set option61 "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"
        set mac_up [string toupper $option61]
        # DHCP options start at byte 240 (236-byte BOOTP header + magic cookie)
        binary scan [UDP::payload] x240H* dhcp_option_payload
        set option_hex 0
        # Length of the option area as a count of hex characters
        set options_length [expr {([UDP::payload length] - 240) * 2}]
        set i 0
        while {$i < $options_length} {
            # extract option code and convert into decimal for human readability
            binary scan $dhcp_option_payload x[expr $i]a2 option_hex
            set option [expr 0x$option_hex]
            incr i 2
            # Option 0 (pad) is a single byte with no length field
            if {$option == 0} { continue }
            # Option 255 (end) terminates the option list
            if {$option == 255} { break }
            # extract length value and convert length from Hex string to decimal
            binary scan $dhcp_option_payload x[expr $i]a2 length_hex
            set length [expr 0x$length_hex]
            incr i 2
            # extract value field in hexadecimal format, then advance past it
            binary scan $dhcp_option_payload x[expr $i]a[expr { $length * 2 }] value_hex
            incr i [expr { $length * 2 }]
            set value ""
            switch $option {
                61 {
                    # Client Identifier
                    # This option is used by DHCP clients to specify their unique
                    # identifier. DHCP servers use this value to index their database of
                    # address bindings. This value is expected to be unique for all
                    # clients in an administrative domain.
                    #
                    binary scan $value_hex a2a* ht id
                    switch $ht {
                        01 {
                            # Hardware type 1 (Ethernet): the identifier is the MAC address
                            binary scan $id a2a2a2a2a2a2 m(a) m(b) m(c) m(d) m(e) m(f)
                            set value "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"
                            set option61 "$value"
                            # Normalize MAC address to upper case
                            set mac_up [string toupper $option61]
                        }
                        default {
                            set value "$id"
                        }
                    }
                }
            }
        }
    }
    persist uie $mac_up $persist_ttl
    set target [persist lookup uie $mac_up]
    if {$debug}{log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME completed ***** MAC=$option61 Normal MAC=$mac_up TARGET=$target"}
}
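What the DHCP iRule above has to get right, as an added Python example (not part of the original post or of the DevCentral parser): walk the BOOTP header to chaddr, then the option area with pad (0) and end (255) handled correctly, and derive the upper-cased MAC persistence key from Option 61 when it carries hardware type 1, falling back to chaddr otherwise. The DHCPDISCOVER packets are constructed test input; the xid and MAC values are made up.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"                     # RFC 2131 options marker
OPT_PAD, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 53, 61, 255


def parse_dhcp(payload: bytes) -> dict:
    """Fixed BOOTP fields plus a {code: value} dict of DHCP options (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen]                       # chaddr is 16 bytes, hlen of them used
    options, pos = {}, 240
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_PAD:                              # one byte, no length field
            pos += 1
            continue
        if code == OPT_END:                              # end of option list
            break
        if pos + 2 > len(payload) or pos + 2 + payload[pos + 1] > len(payload):
            raise ValueError("truncated option %d at offset %d" % (code, pos))
        length = payload[pos + 1]
        options[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"op": op, "htype": htype, "xid": xid, "yiaddr": yiaddr,
            "chaddr": chaddr, "options": options}


def persistence_key(payload: bytes) -> str:
    """Upper-cased MAC used as the persistence record key: Option 61 when it
    carries hardware type 1 (Ethernet), otherwise chaddr from the BOOTP header."""
    p = parse_dhcp(payload)
    cid = p["options"].get(OPT_CLIENT_ID)
    mac = cid[1:] if cid and cid[0] == 1 and len(cid) == 7 else p["chaddr"]
    return "-".join("%02X" % b for b in mac)


def build_discover(mac: bytes, client_id: bytes = b"") -> bytes:
    """Constructed DHCPDISCOVER (test input only): header, cookie, options with a pad byte."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000) + bytes(16)
    hdr += mac + bytes(10) + bytes(192)                  # chaddr padding, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1, OPT_PAD])          # DHCPDISCOVER, then one pad byte
    if client_id:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


CLIENT_MAC = bytes.fromhex("001122aabbcc")
DISCOVER_WITH_ID = build_discover(CLIENT_MAC, b"\x01" + bytes.fromhex("0a1b2c3d4e5f"))
DISCOVER_NO_ID = build_discover(CLIENT_MAC)
```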
Persistence Profile: dhcp_sticky
Pool: profiling_dhcp_pool
Virtual server: ise_profiling_dhcp
Pool: profiling_snmptrap_pool
Persistence : profiling_source_addr
Virtual Server: ise_profiling_snmptrap
WLC: SNMP trap receiver
Testing COA
------------------------------------------------------------------------------------------------------------------------------------------------------------
Load Balancing ISE Web Services
Sponsor portal
TCP Profile: ise_https_tcp
Persistence profile: https_sticky
Health Monitor: ise_https_8445
GET /sponsorportal/PortalSetup.action?portal=370331ec-3561-4667-8599-f30b5b60f89a HTTP/1.1\r\nUser-Agent: BigIP-LTM-Probe/1.0\r\nHost:\r\nConnection: Close\r\n\r\n
Pool: web_portals_pool
Virtual server: ise_https8445_portals
Virtual server: ise_https_portals
Profile: service: http/2 - ISE_HTTP
Policy: ise_http_redirect_policy