Wifi and RADIUS Load balancing

The RADIUS handling in Cisco WLCs isn’t exactly known for it’s great handling of RADIUS servers. Ok, I’ll admit that after the RADIUS fallback feature was introduced it has become slightly better. So if you want to do a large scale setup you will need a load balancer.

Cisco has written a great design document. It is based on F5 load balancers, but reading it will help using other Load balance platforms like Netscaler also.


If you don’t want to read the complete document this is my 5 bulletpoints:

  1. Use persistency based on calling-station-id. This will ensure that the each clients session goes to the same RADIUS server. The document also mentioned FRAMED-IP, but I found that some packets didn’t include the FRAMED-IP field.
  2. Ensure that both Authentication and Accounting packets goes to the same RADIUS server (Calling-Station-ID).
  3. Use NAT for all COA traffic going from the RADIUS towards the NAD. This will ensure that you don’t have to have all RADIUS real-servers configured on the WLCs to get a valid COA.
  4. Don’t use NAT for RADIUS traffic from the WLC to the RADIUS server. Cisco ISE needs the original IP of the WLC to make sure it can contact the correct WLC with COA.Skærmbillede 2017-07-03 kl. 10.52.12
  5. If using Profiling use RADIUS Profiling. Using ip helper-address will not scale.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s