The RADIUS handling in Cisco WLCs isn’t exactly known for it’s great handling of RADIUS servers. Ok, I’ll admit that after the RADIUS fallback feature was introduced it has become slightly better. So if you want to do a large scale setup you will need a load balancer.
Cisco has written a great design document. It is based on F5 load balancers, but reading it will help using other Load balance platforms like Netscaler also.
If you don’t want to read the complete document this is my 5 bulletpoints:
- Use persistency based on calling-station-id. This will ensure that the each clients session goes to the same RADIUS server. The document also mentioned FRAMED-IP, but I found that some packets didn’t include the FRAMED-IP field.
- Ensure that both Authentication and Accounting packets goes to the same RADIUS server (Calling-Station-ID).
- Use NAT for all COA traffic going from the RADIUS towards the NAD. This will ensure that you don’t have to have all RADIUS real-servers configured on the WLCs to get a valid COA.
- Don’t use NAT for RADIUS traffic from the WLC to the RADIUS server. Cisco ISE needs the original IP of the WLC to make sure it can contact the correct WLC with COA.
- If using Profiling use RADIUS Profiling. Using ip helper-address will not scale.