Konfigurieren von ODBC auf ISE 2.3 mit Oracle Database

Einführung

In diesem Dokument wird beschrieben, wie Identity Services Engine (ISE) mit Oracle Database for ISE Authentication mithilfe von Open Database Connectivity (ODBC) konfiguriert wird.

Für die Open Database Connectivity (ODBC)-Authentifizierung muss die ISE ein Nur-Text-Benutzerkennwort abrufen können. Das Kennwort kann in der Datenbank verschlüsselt werden, muss jedoch von der gespeicherten Prozedur entschlüsselt werden.

Voraussetzungen

Anforderungen

Cisco empfiehlt, über Kenntnisse in folgenden Bereichen zu verfügen:

• Cisco Identity Services Engine 2.3
• Datenbank- und ODBC-Konzepte
• Oracle 

Verwendete Komponenten

Die Informationen in diesem Dokument basieren auf den folgenden Software- und Hardwareversionen:

• Identity Services Engine 2.3.0.298
• Centres 7
• Oracle Database 12.2.0.1.0
• Oracle SQL Developer 4.1.5

Konfigurieren

Hinweis: Behandeln Sie SQL-Prozeduren in diesem Dokument als Beispiele. Dies ist keine offizielle und empfohlene Methode für die Oracle DB-Konfiguration. Stellen Sie sicher, dass Sie die Ergebnisse und Auswirkungen jeder von Ihnen übergebenen SQL-Abfrage verstehen.

Schritt 1: Oracle-Basiskonfiguration

In diesem Beispiel wurde Oracle mit folgenden Parametern konfiguriert:

• DB-Name: ORL
• Servicename: orcl.vkumov.local
• Port: 1521 (Standard)
• Konto für ISE mit Benutzername ise erstellt

Konfigurieren Sie Ihre Oracle-Datenbank, bevor Sie fortfahren.

Schritt 2: ISE - Basiskonfiguration

Erstellen Sie eine ODBC-Identitätsquelle unter Administration > External Identity Source > ODBC, und testen Sie die Verbindung:

Hinweis: Die ISE stellt mithilfe des Dienstnamens eine Verbindung zu Oracle her. Daher sollte das Feld [Datenbankname] mit dem Dienstnamen gefüllt werden, der in Oracle existiert, nicht mit der SID (oder dem DB-Namen). Aufgrund des Bugs CSCvf06497 können Punkte (.) im Feld [Datenbankname] nicht verwendet werden. Dieser Fehler wurde in ISE 2.3 behoben.

Schritt 3: Benutzerauthentifizierung konfigurieren

Die ISE-Authentifizierung für ODBC verwendet gespeicherte Prozeduren. Sie können die Art der Prozeduren auswählen. In diesem Beispiel werden Datensätze als Rückgabe verwendet.

Weitere Anweisungen finden Sie im Administratorhandbuch für Cisco Identity Services Engine, Version 2.3.

Tipp: Sie können benannte Parameter anstelle von resultSet zurückgeben. Es ist nur ein anderer Ausgabetyp, die Funktionalität ist die gleiche.

1. Erstellen Sie die Tabelle mit den Benutzeranmeldeinformationen. Stellen Sie sicher, dass Sie die Identitätseinstellungen für den Primärschlüssel festlegen.

--------------------------------------------------------
--  DDL for Table USERS
--------------------------------------------------------

  CREATE TABLE "ISE"."USERS" 
   (	"USER_ID" NUMBER(*,0) GENERATED ALWAYS AS IDENTITY MINVALUE 1 MAXVALUE 9999999999999999999999999999 INCREMENT BY 1 START WITH 1 CACHE 20 NOORDER  NOCYCLE  NOKEEP  NOSCALE , 
	"USERNAME" VARCHAR2(120 BYTE), 
	"PASSWORD" VARCHAR2(120 BYTE)
   ) SEGMENT CREATION IMMEDIATE 
  PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 
 NOCOMPRESS LOGGING
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS" ;
--------------------------------------------------------
--  DDL for Index USERS_PK
--------------------------------------------------------

  CREATE UNIQUE INDEX "ISE"."USERS_PK" ON "ISE"."USERS" ("USER_ID") 
  PCTFREE 10 INITRANS 2 MAXTRANS 255 
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS" ;
--------------------------------------------------------
--  Constraints for Table USERS
--------------------------------------------------------

  ALTER TABLE "ISE"."USERS" MODIFY ("USER_ID" NOT NULL ENABLE);
  ALTER TABLE "ISE"."USERS" MODIFY ("USERNAME" NOT NULL ENABLE);
  ALTER TABLE "ISE"."USERS" MODIFY ("PASSWORD" NOT NULL ENABLE);
  ALTER TABLE "ISE"."USERS" ADD CONSTRAINT "USERS_PK" PRIMARY KEY ("USER_ID")
  USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255 
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS"  ENABLE;

Oder von der SQL Developer-GUI:

2. Benutzer hinzufügen

INSERT INTO "ISE"."USERS" (USERNAME, PASSWORD) VALUES ('alice', 'password1')
INSERT INTO "ISE"."USERS" (USERNAME, PASSWORD) VALUES ('bob', 'password1')
INSERT INTO "ISE"."USERS" (USERNAME, PASSWORD) VALUES ('admin', 'password1')

3. Erstellen eines Verfahrens für die unverschlüsselte Kennwortauthentifizierung (für PAP, EAP-GTC innere Methode, TACACS)

create or replace function ISEAUTH_R 
(
  ise_username IN VARCHAR2, 
  ise_userpassword IN VARCHAR2 
) return sys_refcursor AS 
BEGIN
  declare 
    c integer;
    resultSet SYS_REFCURSOR;
  begin
    select count(*) into c from USERS where USERS.USERNAME = ise_username and USERS.PASSWORD = ise_userpassword;
    if c > 0 then
      open resultSet for select 0 as code, 11, 'good user', 'no error' from dual;
    ELSE 
      open resultSet for select 3, 0, 'odbc','ODBC Authen Error' from dual;
    END IF;
    return resultSet;
  end;
END ISEAUTH_R;

4. Erstellen eines Verfahrens zum Abrufen von unverschlüsselten Kennwörtern (für CHAP, MSCHAPv1/v2, EAP-MD5, LEAP, EAP-MSCHAPv2 innere method, TACACS)

create or replace function ISEFETCH_R 
(
  ise_username IN VARCHAR2
) return sys_refcursor AS 
BEGIN
  declare 
    c integer;
    resultSet SYS_REFCURSOR;
  begin
    select count(*) into c from USERS where USERS.USERNAME = ise_username;
    if c > 0 then
      open resultSet for select 0, 11, 'good user', 'no error', password from USERS where USERS.USERNAME = ise_username;
      DBMS_OUTPUT.PUT_LINE('found');
    ELSE 
      open resultSet for select 3, 0, 'odbc','ODBC Authen Error' from dual;
      DBMS_OUTPUT.PUT_LINE('not found');
    END IF;
    return resultSet;
  end;
END;

5. Erstellen einer Prozedur zur Prüfung des Benutzernamens oder des vorhandenen Rechners (für MAB, schnelle Wiederverbindung von PEAP, EAP-FAST und EAP-TTLS)

create or replace function ISELOOKUP_R 
(
  ise_username IN VARCHAR2
) return sys_refcursor AS 
BEGIN
  declare 
    c integer;
    resultSet SYS_REFCURSOR;
  begin
    select count(*) into c from USERS where USERS.USERNAME = ise_username;
    if c > 0 then
      open resultSet for select 0, 11, 'good user', 'no error' from USERS where USERS.USERNAME = ise_username;
    ELSE 
      open resultSet for select 3, 0, 'odbc','ODBC Authen Error' from dual;
    END IF;
    return resultSet;
  end;
END;

6. Konfigurieren von Prozeduren auf der ISE und Speichern

7. Kehren Sie zur Registerkarte Verbindung zurück, und klicken Sie auf die Schaltfläche Verbindung testen.

Schritt 4: Gruppenabruf konfigurieren

1. Erstellen von Tabellen mit Benutzergruppen und einer anderen Tabelle für die Many-to-Many-Zuordnung

--------------------------------------------------------
--  DDL for Table GROUPS
--------------------------------------------------------

  CREATE TABLE "ISE"."GROUPS" 
   (	"GROUP_ID" NUMBER(*,0) GENERATED ALWAYS AS IDENTITY MINVALUE 1 MAXVALUE 9999999999999999999999999999 INCREMENT BY 1 START WITH 1 CACHE 20 NOORDER  NOCYCLE  NOKEEP  NOSCALE , 
	"GROUP_NAME" VARCHAR2(255 BYTE), 
	"DESCRIPTION" CLOB
   ) SEGMENT CREATION IMMEDIATE 
  PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 
 NOCOMPRESS LOGGING
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS" 
 LOB ("DESCRIPTION") STORE AS SECUREFILE (
  TABLESPACE "USERS" ENABLE STORAGE IN ROW CHUNK 8192
  NOCACHE LOGGING  NOCOMPRESS  KEEP_DUPLICATES 
  STORAGE(INITIAL 106496 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)) ;
--------------------------------------------------------
--  DDL for Table USER_GROUPS_MAPPING
--------------------------------------------------------

  CREATE TABLE "ISE"."USER_GROUPS_MAPPING" 
   (	"USER_ID" NUMBER(*,0), 
	"GROUP_ID" NUMBER(*,0)
   ) SEGMENT CREATION IMMEDIATE 
  PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 
 NOCOMPRESS LOGGING
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS" ;
--------------------------------------------------------
--  DDL for Index GROUPS_PK
--------------------------------------------------------

  CREATE UNIQUE INDEX "ISE"."GROUPS_PK" ON "ISE"."GROUPS" ("GROUP_ID") 
  PCTFREE 10 INITRANS 2 MAXTRANS 255 
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS" ;
--------------------------------------------------------
--  DDL for Index USER_GROUPS_MAPPING_UK1
--------------------------------------------------------

  CREATE UNIQUE INDEX "ISE"."USER_GROUPS_MAPPING_UK1" ON "ISE"."USER_GROUPS_MAPPING" ("USER_ID", "GROUP_ID") 
  PCTFREE 10 INITRANS 2 MAXTRANS 255 COMPUTE STATISTICS 
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS" ;
--------------------------------------------------------
--  Constraints for Table GROUPS
--------------------------------------------------------

  ALTER TABLE "ISE"."GROUPS" MODIFY ("GROUP_ID" NOT NULL ENABLE);
  ALTER TABLE "ISE"."GROUPS" MODIFY ("GROUP_NAME" NOT NULL ENABLE);
  ALTER TABLE "ISE"."GROUPS" ADD CONSTRAINT "GROUPS_PK" PRIMARY KEY ("GROUP_ID")
  USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255 
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS"  ENABLE;
--------------------------------------------------------
--  Constraints for Table USER_GROUPS_MAPPING
--------------------------------------------------------

  ALTER TABLE "ISE"."USER_GROUPS_MAPPING" MODIFY ("USER_ID" NOT NULL ENABLE);
  ALTER TABLE "ISE"."USER_GROUPS_MAPPING" MODIFY ("GROUP_ID" NOT NULL ENABLE);
  ALTER TABLE "ISE"."USER_GROUPS_MAPPING" ADD CONSTRAINT "USER_GROUPS_MAPPING_UK1" UNIQUE ("USER_ID", "GROUP_ID")
  USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255 COMPUTE STATISTICS 
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS"  ENABLE;

Über die Benutzeroberfläche:

2. Fügen Sie Gruppen und Zuordnungen hinzu, sodass Alice und Bob zu Gruppe Benutzer und Admin zur Gruppe Administratoren gehören.

-- Adding groups
INSERT INTO "ISE"."GROUPS" (GROUP_NAME, DESCRIPTION) VALUES ('Admins', 'Group for administrators')
INSERT INTO "ISE"."GROUPS" (GROUP_NAME, DESCRIPTION) VALUES ('Users', 'Corporate users')

-- Alice and Bob are users
INSERT INTO "ISE"."USER_GROUPS_MAPPING" (USER_ID, GROUP_ID) VALUES ('1', '2')
INSERT INTO "ISE"."USER_GROUPS_MAPPING" (USER_ID, GROUP_ID) VALUES ('2', '2')

-- Admin is in Admins group
INSERT INTO "ISE"."USER_GROUPS_MAPPING" (USER_ID, GROUP_ID) VALUES ('3', '1')

3. Erstellen Sie eine Gruppenabrufprozedur. Wenn der Benutzername "*" lautet, werden alle Gruppen zurückgegeben.

create or replace function ISEGROUPSH 
(
  ise_username IN VARCHAR2, 
  ise_result OUT int
) return sys_refcursor as
BEGIN
  declare 
    c integer;
    userid integer;
    resultSet SYS_REFCURSOR;
  begin
    IF ise_username = '*' then 
      ise_result := 0;
      open resultSet for select GROUP_NAME from GROUPS;
    ELSE
      select count(*) into c from USERS where USERS.USERNAME = ise_username;
      select USER_ID into userid from USERS where USERS.USERNAME = ise_username;
      IF c > 0 then
          ise_result := 0;
          open resultSet for select GROUP_NAME from GROUPS where GROUP_ID IN ( SELECT m.GROUP_ID from USER_GROUPS_MAPPING m where m.USER_ID = userid );
      ELSE 
          ise_result := 3;
          open resultSet for select 0 from dual where 1=2;
      END IF;
    END IF;
    return resultSet;
  end;
END ;

4. Zuordnen zu Abrufen von Gruppen

5. Abrufen der Gruppen und Hinzufügen dieser Gruppen zur ODBC-Identitätsquelle

Wählen Sie die erforderlichen Gruppen aus, und klicken Sie auf OK. Sie werden auf der Registerkarte Gruppen angezeigt.

Schritt 5: Konfigurieren des Abrufen von Attributen

1. Um dieses Beispiel zu vereinfachen, wird eine flache Tabelle für Attribute verwendet.

--------------------------------------------------------
--  DDL for Table ATTRIBUTES
--------------------------------------------------------

  CREATE TABLE "ISE"."ATTRIBUTES" 
   (	"USER_ID" NUMBER(*,0), 
	"ATTR_NAME" VARCHAR2(255 BYTE), 
	"VALUE" VARCHAR2(255 BYTE)
   ) SEGMENT CREATION IMMEDIATE 
  PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 
 NOCOMPRESS LOGGING
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS" ;
--------------------------------------------------------
--  DDL for Index ATTRIBUTES_PK
--------------------------------------------------------

  CREATE UNIQUE INDEX "ISE"."ATTRIBUTES_PK" ON "ISE"."ATTRIBUTES" ("ATTR_NAME", "USER_ID") 
  PCTFREE 10 INITRANS 2 MAXTRANS 255 
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS" ;
--------------------------------------------------------
--  Constraints for Table ATTRIBUTES
--------------------------------------------------------

  ALTER TABLE "ISE"."ATTRIBUTES" MODIFY ("USER_ID" NOT NULL ENABLE);
  ALTER TABLE "ISE"."ATTRIBUTES" MODIFY ("ATTR_NAME" NOT NULL ENABLE);
  ALTER TABLE "ISE"."ATTRIBUTES" ADD CONSTRAINT "ATTRIBUTES_PK" PRIMARY KEY ("ATTR_NAME", "USER_ID")
  USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255 
  STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "USERS"  ENABLE;

Über die Benutzeroberfläche:

2. Erstellen Sie einige Attribute für Benutzer

INSERT INTO "ISE"."ATTRIBUTES" (USER_ID, ATTR_NAME, VALUE) VALUES ('3', 'SecurityLevel', '15')
INSERT INTO "ISE"."ATTRIBUTES" (USER_ID, ATTR_NAME, VALUE) VALUES ('1', 'SecurityLevel', '5')
INSERT INTO "ISE"."ATTRIBUTES" (USER_ID, ATTR_NAME, VALUE) VALUES ('2', 'SecurityLevel', '10')

3. Erstellen einer Prozedur. Wie beim Abrufen von Gruppen werden alle eindeutigen Attribute zurückgegeben, wenn der Benutzername "*" lautet.

create or replace function ISEATTRSH 
(
  ise_username IN VARCHAR2, 
  ise_result OUT int
) return sys_refcursor as
BEGIN
  declare 
    c integer;
    userid integer;
    resultSet SYS_REFCURSOR;
  begin
    IF ise_username = '*' then 
      ise_result := 0;
      open resultSet for select DISTINCT ATTR_NAME, '0' as "VAL" from ATTRIBUTES;
    ELSE
      select count(*) into c from USERS where USERS.USERNAME = ise_username;
      select USER_ID into userid from USERS where USERS.USERNAME = ise_username;
      if c > 0 then
          ise_result := 0;
          open resultSet for select ATTR_NAME, VALUE from ATTRIBUTES where USER_ID = userid;
      ELSE 
          ise_result := 3;
          open resultSet for select 0 from dual where 1=2;
      END IF;
    END IF;
    return resultSet;
  end;
END ;

4. Zuordnen zu Attributen abrufen

5. Abrufen der Attribute

Wählen Sie Attribute aus, und klicken Sie auf OK.

Schritt 6: Authentifizierungs-/Autorisierungsrichtlinien konfigurieren

In diesem Beispiel wurden die folgenden einfachen Autorisierungsrichtlinien konfiguriert:

Benutzer mit SecurityLevel = 5 werden abgelehnt.

Schritt 7: Hinzufügen von Oracle ODBC zu Identitätsquellensequenzen

Navigieren Sie zu Administration > Identity Management > Identity Source Sequences, wählen Sie Ihre Sequenz aus, und fügen Sie ODBC zur folgenden Sequenz hinzu:

Speichern Sie sie.

Überprüfen

Sie sollten jetzt Benutzer über ODBC authentifizieren und deren Gruppen und Attribute abrufen können.

RADIUS-Live-Protokolle

Führen Sie einige Authentifizierungen durch, und navigieren Sie zu Operations > RADIUS > Live Logs (Vorgänge > RADIUS > Live-Protokolle).

Wie Sie sehen, hat Alice für Benutzer SecurityLevel = 5, daher wurde der Zugriff abgelehnt.

Detailbericht

Klicken Sie für die interessante Sitzung in der Spalte Details auf den Detailbericht, um den Ablauf zu überprüfen.

Detaillierter Bericht für die Alice-Funktion des Benutzers (wegen niedriger Sicherheitsstufe abgelehnt):

Fehlerbehebung

Wenn die Verbindung bei der ISE nicht erfolgreich hergestellt werden kann, verwenden Sie den Befehl show logging application prt-management.log tail beim Verbindungsversuch.

Es werden falsche Anmeldeinformationen verwendet.

2017-08-08 16:50:47,851 WARN   [admin-http-pool11][] cisco.cpm.odbcidstore.impl.OracleDbAccess -:admin::- Connection to ODBC DB failed. Exception: java.sql.SQLException: ORA-01017: invalid username/password
; logon denied

java.sql.SQLException: ORA-01017: invalid username/password; logon denied

        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:389)
        at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:382)
        at oracle.jdbc.driver.T4CTTIfun.processError(T4CTTIfun.java:600)
        at oracle.jdbc.driver.T4CTTIoauthenticate.processError(T4CTTIoauthenticate.java:445)
        at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
        at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
        ...

Falscher DB-Name (Dienstname)

2017-08-08 10:53:12,002 WARN   [admin-http-pool2][] cisco.cpm.odbcidstore.impl.OracleDbAccess -:admin::- Connection to ODBC DB failed. Exception: java.sql.SQLException: Listener refused the connection with
the following error:
ORA-12514, TNS:listener does not currently know of service requested in connect descriptor

java.sql.SQLException: Listener refused the connection with the following error:
ORA-12514, TNS:listener does not currently know of service requested in connect descriptor

        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:419)
        at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:536)
        at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:228)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:32)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:521)
        at java.sql.DriverManager.getConnection(DriverManager.java:664)
        at java.sql.DriverManager.getConnection(DriverManager.java:208)
        at com.cisco.cpm.odbcidstore.impl.OracleDbAccess.connect(OracleDbAccess.java:42)

Fehlerbehebung bei Benutzerauthentifizierungen

Aktivieren Sie zur Fehlerbehebung bei DB-Vorgängen unter Administration > System > Logging > Debug Log Configuration die Option odbc-id-store auf DEBUG-Ebene.

Protokolle werden in der Datei prrt-management.log abgelegt.

Beispielausgabe für Alias:

2017-08-08 16:56:32,403 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Authenticate Plain Text Password. Username=alice, SessionID=0a301a36RUXmaX9ttCZfrQI3ItQf
96x6eiTpiEMIfkUBybDj7jY
2017-08-08 16:56:32,409 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24852
2017-08-08 16:56:32,409 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - get connection
2017-08-08 16:56:32,409 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - use existing connection
2017-08-08 16:56:32,409 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 1
2017-08-08 16:56:32,409 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Authenticate plain text password
2017-08-08 16:56:32,409 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Call function instead of procedure
2017-08-08 16:56:32,409 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Prepare stored procedure call, procname=ISEAUTH_R
2017-08-08 16:56:32,410 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Using recordset to obtain stored procedure result values
2017-08-08 16:56:32,410 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24855
2017-08-08 16:56:32,410 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Text: {? = call ISEAUTH_R(?, ?)}
2017-08-08 16:56:32,410 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Setup stored procedure input parameters, username=alice, password=***
2017-08-08 16:56:32,410 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Execute stored procedure call
2017-08-08 16:56:32,412 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Process stored procedure results
2017-08-08 16:56:32,412 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Obtain stored procedure results from recordset
2017-08-08 16:56:32,413 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Received result recordset, number of columns=4
2017-08-08 16:56:32,413 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Results successfully parsed from recordset
2017-08-08 16:56:32,413 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - release connection
2017-08-08 16:56:32,413 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 0
2017-08-08 16:56:32,413 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- Call to ODBC DB succeeded
2017-08-08 16:56:32,413 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.OdbcAuthResult -:::- Authentication result: code=0, Conection succeeded=false, odbcDbErrorString=no error, odbcStoredProcedureCusto
merErrorString=null, accountInfo=good user, group=11
2017-08-08 16:56:32,413 DEBUG  [Thread-47197][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24853
2017-08-08 16:56:32,425 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Username=alice, SessionID=0a301a36RUXmaX9ttCZfrQI3ItQf96x6eiTpiEMIf
kUBybDj7jY
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Fetch user groups. Username=alice, SessionID=0a301a36RUXmaX9ttCZfrQI3ItQf96x6eiTpiEMIfkU
BybDj7jY
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24869
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - get connection
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - use existing connection
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 1
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetch user groups
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Call function instead of procedure
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Prepare stored procedure call, procname=ISEGROUPSH
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Text: {? = call ISEGROUPSH(?,?)}
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Setup stored procedure input parameters, username=alice
2017-08-08 16:56:32,431 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Execute stored procedure call
2017-08-08 16:56:32,434 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Process stored procedure results
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Received result recordset, total number of columns=1
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- According to column number expect multiple rows (vertical attributes/groups retured result)
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetched data: ExternalGroup=Users
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Results successfully parsed from recordset
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Result code indicates success
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - release connection
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 0
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- Call to ODBC DB succeeded
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24870
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Got groups...
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Got groups(0) = Users
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Setting Internal groups(0) = Users
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Username=alice, ExternalGroups=[Users]
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Fetch user attributes. Username=alice, SessionID=0a301a36RUXmaX9ttCZfrQI3ItQf96x6eiTpiEM
IfkUBybDj7jY
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24872
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - get connection
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - use existing connection
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 1
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetch user attributes
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Call function instead of procedure
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Prepare stored procedure call, procname=ISEATTRSH
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Text: {? = call ISEATTRSH(?,?)}
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Setup stored procedure input parameters, username=alice
2017-08-08 16:56:32,435 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Execute stored procedure call
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Process stored procedure results
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Received result recordset, total number of columns=2
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- According to column number expect multiple rows (vertical attributes/groups retured result)
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetched data: SecurityLevel=5
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Results successfully parsed from recordset
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Result code indicates success
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - release connection
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 0
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- Call to ODBC DB succeeded
2017-08-08 16:56:32,437 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24873
2017-08-08 16:56:32,438 DEBUG  [Thread-47198][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user attrs. Username=alice, Setting OracleDB.SecurityLevel to 5
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Lookup. Username=alice, SessionID=ise23-3:userauth7
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24865
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - get connection
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - use existing connection
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 1
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Lookup
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Call function instead of procedure
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Prepare stored procedure call, procname=ISELOOKUP_R
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Using recordset to obtain stored procedure result values
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24855
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Text: {? = call ISELOOKUP_R(?)}
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Setup stored procedure input parameters, username=alice
2017-08-08 16:56:35,292 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Execute stored procedure call
2017-08-08 16:56:35,294 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Process stored procedure results
2017-08-08 16:56:35,294 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Obtain stored procedure results from recordset
2017-08-08 16:56:35,295 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Received result recordset, number of columns=4
2017-08-08 16:56:35,295 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Results successfully parsed from recordset
2017-08-08 16:56:35,295 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - release connection
2017-08-08 16:56:35,295 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 0
2017-08-08 16:56:35,295 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- Call to ODBC DB succeeded
2017-08-08 16:56:35,295 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.OdbcAuthResult -:::- Authentication result: code=0, Conection succeeded=false, odbcDbErrorString=no error, odbcStoredProcedureCusto
merErrorString=null, accountInfo=good user, group=11
2017-08-08 16:56:35,295 DEBUG  [Thread-47187][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24866
  

Referenzen

• Konfigurieren von ISE 2.1 mit MS SQL mithilfe von ODBC
• Konfigurieren von ODBC auf ISE 2.1 mit PostgreSQL
• Konfigurieren der ISE 2.2 für die Integration mit dem MySQL Server
• Administratoranleitung für Cisco Identity Services Engine, Version 2.3
• Oracle-Dokumentation