Symptom
RADIUS load balancing can be configured on the WLC 9800 using the following settings:
aaa group server radius ...
 load-balance method least-outstanding batch-size ...
However, this configuration does not apply any persistence (stickiness) per RADIUS session or per MAC address, so it is not possible to send all transactions of the same RADIUS session or the same MAC address to one RADIUS server. Keeping them on one server is recommended from the RADIUS server side: distributing the transactions of one session across different RADIUS servers causes session ownership to change multiple times, which results in "High Authentication Latency".
Conditions
Any WLC 9800 version.
Deployment of multiple AAA RADIUS servers.
RADIUS load balance is applied on WLC between multiple RADIUS servers.
Workaround
Disable WLC built-in RADIUS load balance.
Make sure that both the authentication/authorization list in the WLAN and the accounting list in the Policy Profile use the same order of ISE PSNs, so that all transactions of the same session are sent from the WLC to the same ISE PSN.
(Optional) If there are multiple SSIDs on the WLC, each (SSID and Policy Profile) combination can have a unique order of RADIUS servers, as a way of distributing the load without using the WLC built-in RADIUS load balance feature.
(Optional) Use an external load balancer that supports persistence/stickiness per RADIUS session or per MAC address.
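One way to check a saved configuration against the first two workaround steps, as an added example that is not part of the original bug note. The group names, server names and batch size in the sample are constructed, and the caller is assumed to know which server group sits behind the WLAN's authentication list and which behind the Policy Profile's accounting list.

```python
import re

# Constructed sample config (group names, server names and batch size are placeholders).
SAMPLE_CONFIG = """\
aaa group server radius ISE-AUTH
 server name PSN-1
 server name PSN-2
 load-balance method least-outstanding batch-size 25
aaa group server radius ISE-ACCT
 server name PSN-2
 server name PSN-1
"""

def parse_radius_groups(config):
    """Return {group: {"servers": [...], "load_balance": bool}} from IOS-XE text."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa group server radius (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), {"servers": [], "load_balance": False})
            continue
        if not line.startswith(" "):
            current = None  # any other top-level line ends the group sub-mode
            continue
        if current is None:
            continue
        sub = line.strip()
        m = re.match(r"server name (\S+)", sub)
        if m:
            current["servers"].append(m.group(1))  # keep configured order
        elif sub.startswith("load-balance method"):
            current["load_balance"] = True
    return groups

def audit(config, auth_group, acct_group):
    """List deviations from the workaround for one auth/accounting group pair."""
    groups = parse_radius_groups(config)
    findings = []
    for name in (auth_group, acct_group):
        if name not in groups:
            findings.append(f"{name}: group not found")
        elif groups[name]["load_balance"]:
            findings.append(f"{name}: built-in load-balance still enabled")
    if all(n in groups for n in (auth_group, acct_group)):
        a, b = groups[auth_group]["servers"], groups[acct_group]["servers"]
        if a != b:
            findings.append(f"server order differs: {auth_group}={a} {acct_group}={b}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "ISE-AUTH", "ISE-ACCT"):
        print(finding)
```

An empty result means the pair of groups matches the workaround: no built-in load balancing and an identical PSN order for authentication and accounting.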
Further Problem Description