Load Balancing Cisco Identity Services Engine (ISE)

This configuration has yet to be fully verified. Kemp Support will gladly assist if your Cisco ISE traffic is not flowing as expected.


1   Introduction

Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches. The purpose is to simplify identity management across diverse devices and applications.


1.2  Document Purpose

This section details a configuration for a specific application that has been provided by a customer but has yet to be fully tested.

The purpose of this document is to give readers an overview of the recommended best-practice settings when configuring the Cisco ISE components for load balancing.

The configuration has yet to be fully verified, but Kemp Support will gladly assist if Cisco ISE traffic is not flowing as expected.


2  Configuration Required

One Virtual Service is required on port 443.

2.1  Global Configuration

      > No Changes Required


2.2  Virtual Service Configuration


2.3  Cisco ISE

      > New Virtual Service

      > Enter IP Address

      > Port = 443

      > Name = Cisco ISE

      > Add New Virtual Service


2.4  Standard Options

      > Disable Transparency

      > Subnet Originating Request = Enable

      > Persistence = Source IP

      > Persistence Time = 30min

      > Scheduling Method = Least Connection

      > Idle Connection Timeout = 660  (Default)


2.5  Real Servers

      > Add New

      > Enter IP Address

      > Port = 443

      > Checker Parameter Type = HTTPS


If you have successfully load balanced your Cisco ISE environment by implementing this specific configuration, please give a thumbs up, or leave a comment on any alteration that was required to make it function. Thank you.


1 comment


Aigars Karveckis

If you are really looking at selling Kemp as a Load Balancer for Cisco ISE, then you should know that the most important part is RADIUS and TACACS+ use. Then there are Guest Portals. Guest Portals are dependent on which of the PSN servers processed the initial authentication, and there needs to be a means to forward Guest Portal aka Captive Portal requests to the same server which did the initial Authentication.

Hope someone from Kemp is able and willing to invest time to create a configuration guide for the same level of documentation provided by Cisco ISE and F5 load balancing integration!

