Configure ODBC on ISE 2.3 with Oracle Database

Transcription

1 Configure ODBC on ISE 2.3 with Oracle Database Contents Introduction Prerequisites Requirements Components Used Configure Step 1. Oracle Basic Configuration Step 2. ISE Basic Configuration Step 3. Configure User Authentication Step 4. Configure Group Retrieval Step 5. Configure Attributes Retrieval Step 6. Configure Authentication/Authorization policies Step 7. Add Oracle ODBC to Identity Source Sequences Verify RADIUS Live Logs Detail report Troubleshoot Incorrect credentials are used Wrong DB name (Service Name) Troubleshoot users authentications References Introduction This document describes how to configure Identity Services Engine (ISE) with Oracle Database for ISE authentication using Open Database Connectivity (ODBC). Open Database Connectivity (ODBC) authentication requires ISE to be able to fetch a plain text user password. The password can be encrypted in the database, but has to be decrypted by the stored procedure. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: Cisco Identity Services Engine 2.3 Database and ODBC concepts Oracle

2 Components Used The information in this document is based on these software and hardware versions: Identity Services Engine Centos 7 Oracle Database Oracle SQL Developer Configure Note: Treat SQL procedures presented in this document as examples. This is not an official and recommended way of Oracle DB configuration. Ensure that you understand result and impact of every SQL query you commit. Step 1. Oracle Basic Configuration In this example Oracle was configured with following parameters: DB name: ORCL Service name: orcl.vkumov.local Port: 1521 (default) Created account for ISE with username ise You should configure your Oracle before proceeding further. Step 2. ISE Basic Configuration Create an ODBC Identity Source at Administration > External Identity Source > ODBC and test connection:

3 Note: ISE connects to Oracle using Service Name, hence [Database name] field should be filled with Service Name which exists in Oracle, not SID (or DB name). Due to the bug CSCvf06497 dots (.) cannot be used in [Database name] field. This bug is fixed in ISE 2.3. Step 3. Configure User Authentication ISE authentication to ODBC uses stored procedures. It is possible to select type of procedures. In this example we use recordsets as return. For other procedures, refer to Cisco Identity Services Engine Administrator Guide, Release 2.3 Tip: It is possible to return named parameters instead of resultset. It is just a different type of output, functionality is the same. 1. Create the table with users credentials. Make sure you set the identity settings on the primary key. -- DDL for Table USERS

4 CREATE TABLE "ISE"."USERS" ("USER_ID" NUMBER(*,0) GENERATED ALWAYS AS IDENTITY MINVALUE 1 MAXVALUE INCREMENT BY 1 START WITH 1 CACHE 20 NOORDER NOCYCLE NOKEEP NOSCALE, "USERNAME" VARCHAR2(120 BYTE), "PASSWORD" VARCHAR2(120 BYTE) ) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING TABLESPACE "USERS" ; -- DDL for Index USERS_PK CREATE UNIQUE INDEX "ISE"."USERS_PK" ON "ISE"."USERS" ("USER_ID") PCTFREE 10 INITRANS 2 MAXTRANS 255 TABLESPACE "USERS" ; -- Constraints for Table USERS ALTER TABLE "ISE"."USERS" MODIFY ("USER_ID" NOT NULL ENABLE); ALTER TABLE "ISE"."USERS" MODIFY ("USERNAME" NOT NULL ENABLE); ALTER TABLE "ISE"."USERS" MODIFY ("PASSWORD" NOT NULL ENABLE); ALTER TABLE "ISE"."USERS" ADD CONSTRAINT "USERS_PK" PRIMARY KEY ("USER_ID") USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255 TABLESPACE "USERS" ENABLE; Or from SQL Developer GUI:

5 2. Add users INSERT INTO "ISE"."USERS" (USERNAME, PASSWORD) VALUES ('alice', 'password1') INSERT INTO "ISE"."USERS" (USERNAME, PASSWORD) VALUES ('bob', 'password1') INSERT INTO "ISE"."USERS" (USERNAME, PASSWORD) VALUES ('admin', 'password1') 3. Create a procedure for plain text password authentication (used for PAP, EAP-GTC inner method, TACACS) create or replace function ISEAUTH_R ( ise_username IN VARCHAR2, ise_userpassword IN VARCHAR2 ) return sys_refcursor AS BEGIN declare c integer; resultset SYS_REFCURSOR; begin select count(*) into c from USERS where USERS.USERNAME = ise_username and USERS.PASSWORD = ise_userpassword; if c > 0 then open resultset for select 0 as code, 11, 'good user', 'no error' from dual; ELSE open resultset for select 3, 0, 'odbc','odbc Authen Error' from dual; END IF; return resultset; end; END ISEAUTH_R;

6 4. Create a procedure for plain text password fetching (used for CHAP, MSCHAPv1/v2, EAP-MD5, LEAP, EAP-MSCHAPv2 inner method, TACACS) create or replace function ISEFETCH_R ( ise_username IN VARCHAR2 ) return sys_refcursor AS BEGIN declare c integer; resultset SYS_REFCURSOR; begin select count(*) into c from USERS where USERS.USERNAME = ise_username; if c > 0 then open resultset for select 0, 11, 'good user', 'no error', password from USERS where USERS.USERNAME = ise_username; DBMS_OUTPUT.PUT_LINE('found'); ELSE open resultset for select 3, 0, 'odbc','odbc Authen Error' from dual; DBMS_OUTPUT.PUT_LINE('not found'); END IF; return resultset; end; END; 5. Create a procedure for check username or machine exists (used for MAB, fast reconnect of PEAP, EAP-FAST and EAP-TTLS) create or replace function ISELOOKUP_R ( ise_username IN VARCHAR2 ) return sys_refcursor AS BEGIN declare c integer; resultset SYS_REFCURSOR; begin select count(*) into c from USERS where USERS.USERNAME = ise_username; if c > 0 then open resultset for select 0, 11, 'good user', 'no error' from USERS where USERS.USERNAME = ise_username; ELSE open resultset for select 3, 0, 'odbc','odbc Authen Error' from dual; END IF; return resultset; end; END; 6. Configure procedures on ISE and save

7 7. Go back to Connection tab and click [Test Connection] button Step 4. Configure Group Retrieval 1. Create tables containing user groups and another used for many-to-many mapping -- DDL for Table GROUPS CREATE TABLE "ISE"."GROUPS" ("GROUP_ID" NUMBER(*,0) GENERATED ALWAYS AS IDENTITY MINVALUE 1 MAXVALUE INCREMENT BY 1 START WITH 1 CACHE 20 NOORDER NOCYCLE NOKEEP NOSCALE,

8 "GROUP_NAME" VARCHAR2(255 BYTE), "DESCRIPTION" CLOB ) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING TABLESPACE "USERS" LOB ("DESCRIPTION") STORE AS SECUREFILE ( TABLESPACE "USERS" ENABLE STORAGE IN ROW CHUNK 8192 NOCACHE LOGGING NOCOMPRESS KEEP_DUPLICATES STORAGE(INITIAL NEXT MINEXTENTS 1 MAXEXTENTS PCTINCREASE 0 ) ; -- DDL for Table USER_GROUPS_MAPPING CREATE TABLE "ISE"."USER_GROUPS_MAPPING" ("USER_ID" NUMBER(*,0), "GROUP_ID" NUMBER(*,0) ) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING TABLESPACE "USERS" ; -- DDL for Index GROUPS_PK CREATE UNIQUE INDEX "ISE"."GROUPS_PK" ON "ISE"."GROUPS" ("GROUP_ID") PCTFREE 10 INITRANS 2 MAXTRANS 255 TABLESPACE "USERS" ; -- DDL for Index USER_GROUPS_MAPPING_UK1 CREATE UNIQUE INDEX "ISE"."USER_GROUPS_MAPPING_UK1" ON "ISE"."USER_GROUPS_MAPPING" ("USER_ID", "GROUP_ID") PCTFREE 10 INITRANS 2 MAXTRANS 255 COMPUTE STATISTICS TABLESPACE "USERS" ; -- Constraints for Table GROUPS ALTER TABLE "ISE"."GROUPS" MODIFY ("GROUP_ID" NOT NULL ENABLE); ALTER TABLE "ISE"."GROUPS" MODIFY ("GROUP_NAME" NOT NULL ENABLE); ALTER TABLE "ISE"."GROUPS" ADD CONSTRAINT "GROUPS_PK" PRIMARY KEY ("GROUP_ID") USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255 TABLESPACE "USERS" ENABLE; -- Constraints for Table USER_GROUPS_MAPPING

9 ALTER TABLE "ISE"."USER_GROUPS_MAPPING" MODIFY ("USER_ID" NOT NULL ENABLE); ALTER TABLE "ISE"."USER_GROUPS_MAPPING" MODIFY ("GROUP_ID" NOT NULL ENABLE); ALTER TABLE "ISE"."USER_GROUPS_MAPPING" ADD CONSTRAINT "USER_GROUPS_MAPPING_UK1" UNIQUE ("USER_ID", "GROUP_ID") USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255 COMPUTE STATISTICS TABLESPACE "USERS" ENABLE; From GUI:

10 2. Add groups and mappings, so that alice and bob belong to group Users and admin belongs to group Admins -- Adding groups INSERT INTO "ISE"."GROUPS" (GROUP_NAME, DESCRIPTION) VALUES ('Admins', 'Group for administrators') INSERT INTO "ISE"."GROUPS" (GROUP_NAME, DESCRIPTION) VALUES ('Users', 'Corporate users') -- Alice and Bob are users INSERT INTO "ISE"."USER_GROUPS_MAPPING" (USER_ID, GROUP_ID) VALUES ('1', '2') INSERT INTO "ISE"."USER_GROUPS_MAPPING" (USER_ID, GROUP_ID) VALUES ('2', '2') -- Admin is in Admins group INSERT INTO "ISE"."USER_GROUPS_MAPPING" (USER_ID, GROUP_ID) VALUES ('3', '1') 3. Create a group retrieval procedure. It returns all groups if username is * create or replace function ISEGROUPSH ( ise_username IN VARCHAR2, ise_result OUT int ) return sys_refcursor as BEGIN declare c integer; userid integer; resultset SYS_REFCURSOR; begin IF ise_username = '*' then ise_result := 0;

11 open resultset for select GROUP_NAME from GROUPS; ELSE select count(*) into c from USERS where USERS.USERNAME = ise_username; select USER_ID into userid from USERS where USERS.USERNAME = ise_username; IF c > 0 then ise_result := 0; open resultset for select GROUP_NAME from GROUPS where GROUP_ID IN ( SELECT m.group_id from USER_GROUPS_MAPPING m where m.user_id = userid ); ELSE ise_result := 3; open resultset for select 0 from dual where 1=2; END IF; END IF; return resultset; end; END ; 4. Map it to Fetch groups 5. Fetch the groups and add them into the ODBC Identity Source

12 Select needed groups and click [OK], they will appear on Groups tab Step 5. Configure Attributes Retrieval 1. In order to simplify this example, a flat table is used for attributes -- DDL for Table ATTRIBUTES CREATE TABLE "ISE"."ATTRIBUTES" ("USER_ID" NUMBER(*,0), "ATTR_NAME" VARCHAR2(255 BYTE), "VALUE" VARCHAR2(255 BYTE) ) SEGMENT CREATION IMMEDIATE PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING TABLESPACE "USERS" ; -- DDL for Index ATTRIBUTES_PK

13 CREATE UNIQUE INDEX "ISE"."ATTRIBUTES_PK" ON "ISE"."ATTRIBUTES" ("ATTR_NAME", "USER_ID") PCTFREE 10 INITRANS 2 MAXTRANS 255 TABLESPACE "USERS" ; -- Constraints for Table ATTRIBUTES ALTER TABLE "ISE"."ATTRIBUTES" MODIFY ("USER_ID" NOT NULL ENABLE); ALTER TABLE "ISE"."ATTRIBUTES" MODIFY ("ATTR_NAME" NOT NULL ENABLE); ALTER TABLE "ISE"."ATTRIBUTES" ADD CONSTRAINT "ATTRIBUTES_PK" PRIMARY KEY ("ATTR_NAME", "USER_ID") USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255 TABLESPACE "USERS" ENABLE; From GUI: 2. Create some attributes for users INSERT INTO "ISE"."ATTRIBUTES" (USER_ID, ATTR_NAME, VALUE) VALUES ('3', 'SecurityLevel', '15') INSERT INTO "ISE"."ATTRIBUTES" (USER_ID, ATTR_NAME, VALUE) VALUES ('1', 'SecurityLevel', '5') INSERT INTO "ISE"."ATTRIBUTES" (USER_ID, ATTR_NAME, VALUE) VALUES ('2', 'SecurityLevel', '10')

14 3. Create a procedure. Same as with groups retrieval, it will return all distinct attributes if username is * create or replace function ISEATTRSH ( ise_username IN VARCHAR2, ise_result OUT int ) return sys_refcursor as BEGIN declare c integer; userid integer; resultset SYS_REFCURSOR; begin IF ise_username = '*' then ise_result := 0; open resultset for select DISTINCT ATTR_NAME, '0' as "VAL" from ATTRIBUTES; ELSE select count(*) into c from USERS where USERS.USERNAME = ise_username; select USER_ID into userid from USERS where USERS.USERNAME = ise_username; if c > 0 then ise_result := 0; open resultset for select ATTR_NAME, VALUE from ATTRIBUTES where USER_ID = userid; ELSE ise_result := 3; open resultset for select 0 from dual where 1=2; END IF; END IF; return resultset; end; END ; 4. Map it to Fetch attributes 5. Fetch the attributes

15 Select attributes and click [OK]. Step 6. Configure Authentication/Authorization policies In this example the following simple authorization policies were configured: Users with SecurityLevel = 5 will be denied. Step 7. Add Oracle ODBC to Identity Source Sequences Navigate to Administration > Identity Management > Identity Source Sequences, select your sequence and add ODBC to the sequence:

16 Save it. Verify You should now be able to authenticate users against ODBC by now and retrieve their groups and attributes. RADIUS Live Logs Perform some authentications and navigate to Operations > RADIUS > Live Logs

17 As you can see, user Alice has SecurityLevel = 5, hence the access was rejected. Detail report Click on Detail report in Details column for the interesting session to check the flow. Detailed report for user Alice (rejected due to low SecurityLevel):