I'm working on a solution where we have NetScaler load balancers distributing RADIUS requests from the NADs to the respective PSNs. Authentication works and redirect URLs work, etc. The challenge we're having is with EAP-TLS sessions. The user gets a provisioned certificate and chain that checks out on the endpoint fine. When the user tries to connect with the device we see EAP timeouts from the ISE session to the supplicant. Each PSN has the internal identity cert configured for EAP authentication, issued from the same internal CA within the customer's PKI.
Has anyone configured a NetScaler for use with ISE, and besides the general guidelines below are there more specific things that need to be done to make this work with Citrix NetScalers?
Load Balancing guidelines:
- Each PSN must be reachable by the PAN / MNT directly, without having to go through NAT (Routed mode LB, not NAT).
- Each PSN must also be reachable directly from the client network for redirections (CWA, Posture, etc…).
- Perform sticky (aka persistence) based on Calling-Station-ID and Framed-IP-Address.
  - Session-ID is recommended if the load balancer is capable (ACE is not).
- The VIP for the PSNs gets listed as the RADIUS server on each NAD for all RADIUS AAA.
- Each PSN gets listed individually in the NAD CoA list by real IP address (not VIP).
  - If the PSN-initiated CoA traffic is "Server NAT"ed, then a single VIP can be listed in the NAD CoA list.
- Load Balancers get listed as NADs in ISE so their test authentications may be answered.
- ISE uses the Layer 3 address to identify the NAD, not the NAS-IP-Address in the RADIUS packet. This is a primary reason to avoid Source NAT (SNAT) for traffic sent to the VIP.
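As an added illustration (not part of the original post, and not a Cisco or Citrix reference configuration), the guidelines above map onto a NetScaler CLI configuration roughly like the following. All IP addresses, object names, shared secrets and the probe account are constructed placeholders; the `#` lines are annotations rather than CLI input, and the expression `CLIENT.UDP.RADIUS.ATTR_TYPE(31)` (RADIUS attribute 31 = Calling-Station-Id) is the persistence rule assumed for the "sticky on Calling-Station-ID" requirement.

```text
# --- Back-end PSNs (real IPs, reachable directly by PAN/MNT and clients) ---
# -usip YES: forward the NAD's real source IP to the PSN instead of a SNIP,
# because ISE identifies the NAD by the Layer 3 source address, not NAS-IP-Address.
# Assumption: each PSN routes its replies back via the NetScaler SNIP so the
# Access-Challenge/Accept traffic returns through the VIP (routed mode, no SNAT).
add service svc_psn1_auth 198.51.100.11 RADIUS 1812 -usip YES
add service svc_psn2_auth 198.51.100.12 RADIUS 1812 -usip YES
add service svc_psn1_acct 198.51.100.11 RADIUS 1813 -usip YES
add service svc_psn2_acct 198.51.100.12 RADIUS 1813 -usip YES

# --- Health monitor: a real RADIUS test authentication against each PSN ---
# The NetScaler's own source IP must be added to ISE as a NAD (with this shared
# secret) or these probes are silently dropped and every service is marked DOWN.
add lb monitor mon_radius_auth RADIUS -userName lbprobe -password <PROBE_PASSWORD> -radKey <SHARED_SECRET>
bind service svc_psn1_auth -monitorName mon_radius_auth
bind service svc_psn2_auth -monitorName mon_radius_auth

# --- Authentication VIP (listed as the RADIUS server on every NAD) ---
# Persistence on Calling-Station-Id keeps all packets of one EAP-TLS exchange
# (many Access-Request/Access-Challenge round trips carrying a State attribute)
# on the same PSN; without it a later fragment can land on a PSN that has no
# EAP session state for that client, which surfaces as an EAP timeout.
add lb vserver vs_ise_auth RADIUS 203.0.113.10 1812 -lbMethod ROUNDROBIN -persistenceType RULE -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -timeout 30
bind lb vserver vs_ise_auth svc_psn1_auth
bind lb vserver vs_ise_auth svc_psn2_auth

# --- Accounting VIP: same persistence key so Start/Stop follow the session ---
add lb vserver vs_ise_acct RADIUS 203.0.113.10 1813 -lbMethod ROUNDROBIN -persistenceType RULE -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -timeout 30
bind lb vserver vs_ise_acct svc_psn1_acct
bind lb vserver vs_ise_acct svc_psn2_acct

# No LB object is needed for CoA: each PSN sends CoA from its real IP directly
# to the NAD, so the NADs list 198.51.100.11 and 198.51.100.12 as CoA servers.
```

To confirm the persistence rule is actually engaging, `show lb persistentSessions` on the NetScaler should list one entry per Calling-Station-Id pinned to a single PSN for the lifetime of the EAP exchange; if entries are missing, the EAP timeouts are consistent with packets of one conversation being spread across PSNs.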