本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。
思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。
本文檔介紹如何配置思科身份服務引擎(ISE) 2.2以與MySQL開放式資料庫連線(ODBC)外部源整合。本文檔適用於使用MySQL作為ISE身份驗證和授權外部身份源的設定。
思科建議您瞭解以下主題:
本檔案中的資訊是根據以下軟體和硬體版本:
本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。
ISE 2.2支援多個ODBC外部源,其中一個是MySQL。您可以使用ODBC作為外部身份源來驗證使用者和端點(類似於Active Directory (AD))。ODBC身份源可用於身份庫序列以及訪客和發起人身份驗證。
以下是ISE 2.2支援的清單資料庫引擎:
在此組態範例中,端點使用無線介面卡來與無線網路關聯。配置WLC上的無線LAN (WLAN)以透過ISE對使用者進行身份驗證。在ISE上,MySQL被配置為外部身份庫。下圖說明所使用的網路拓撲:
顯示的MySQL配置是一個示例。Do not treat is a Cisco建議。
更新您的系統:
sudo apt-get update sudo apt-get upgrade
安裝MySQL (安裝期間應提示您輸入root使用者的密碼):
sudo apt-get install mysql-server
存取MySQL資料庫:
mysql -u root -p
建立資料庫:
mysql>
mysql> CREATE DATABASE demo_db;
Query OK, 1 row affected (0.00 sec)
mysql>
mysql> use demo_db;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
建立資料庫使用者並授與許可權:
mysql>
mysql> CREATE USER 'cisco' IDENTIFIED BY 'cisco';
mysql> GRANT USAGE ON *.* TO 'cisco'@'%';
mysql> GRANT ALL PRIVILEGES ON `demo_db`.* TO 'cisco'@'%';
mysql> GRANT SELECT ON *.* TO 'cisco'@'%';
建立使用者表格:
mysql>
mysql> CREATE TABLE ´users´ (
-> `user_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
-> `username` varchar(50) NOT NULL,
-> `password` varchar(50) NOT NULL,
-> PRIMARY KEY (`user_id`),
-> UNIQUE KEY `username_UNIQUE` (`username`)
-> ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Query OK, 0 rows affected (0.01 sec)
建立使用者並將他們新增至表格中:
mysql>
mysql> INSERT INTO users
-> (user_id, username, password)
-> VALUES
-> (1, "alice", "Krakow123");
Query OK, 1 row affected (0.00 sec)
您可以類似地增加其他使用者並列出表內容(與使用者一樣,增加MAC地址以進行MAB身份驗證-密碼可以保留為空):
mysql>
mysql> select * from users;
+---------+----------+-----------+
| user_id | username | password |
+---------+----------+-----------+
| 1 | alice | Krakow123 |
| 2 | bob | Krakow123 |
| 3 | oscar | Krakow123 |
+---------+----------+-----------+
建立群組表格:
mysql>
mysql> CREATE TABLE `groups` (
-> `group_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
-> `groupname` varchar(50) NOT NULL,
-> PRIMARY KEY (`group_id`),
-> UNIQUE KEY `groupname_UNIQUE` (`groupname`)
-> ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Query OK, 0 rows affected (0.01 sec)
建立群組並將它們加入表格中:
mysql>
mysql> INSERT INTO groups
-> (group_id, groupname)
-> VALUES
-> (1, "everyone");
Query OK, 1 row affected (0.00 sec)
您可以以類似方式新增其他群組,並列出表格的內容:
mysql>
mysql> select * from groups;
+----------+------------+
| group_id | groupname |
+----------+------------+
| 3 | contractor |
| 2 | employee |
| 1 | everyone |
+----------+------------+
建立使用者與群組間對映的表格
mysql>
mysql> CREATE TABLE `user_group` (
-> `user_id` int(10) unsigned NOT NULL,
-> `group_id` int(10) unsigned NOT NULL,
-> PRIMARY KEY (`user_id`,`group_id`),
-> KEY `group_id` (`group_id`),
-> CONSTRAINT `user_group_ibfk_1` FOREIGN KEY (`user_id`) REFERENCES `users` (`user_id`)
-> ON DELETE CASCADE,
-> CONSTRAINT `user_group_ibfk_2` FOREIGN KEY (`group_id`) REFERENCES `groups`
-> (`group_id`) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
Query OK, 0 rows affected (0.01 sec)
填入表格中使用者與群組之間的對映
mysql>
mysql> INSERT INTO user_group
-> (user_id, group_id)
-> VALUES
-> (1, 1);
Query OK, 1 row affected (0.00 sec)
您可以以類似方式新增其他對映,並列出表格的內容:
mysql>
mysql> select * from user_group;
+---------+----------+
| user_id | group_id |
+---------+----------+
| 1 | 1 |
| 2 | 1 |
| 1 | 2 |
| 2 | 3 |
+---------+----------+
4 rows in set (0.00 sec)
您必須配置所需的儲存過程,以便根據ODBC身份源對使用者進行身份驗證。由過程執行的任務因身份驗證協定而異。 ISE支援對ODBC外部儲存進行三種不同型別的憑證檢查。您需要為每個檢查型別配置單獨的儲存過程。 ISE使用輸入引數呼叫相應的儲存過程並接收輸出。資料庫可以返回一個記錄集或一組命名引數來響應ODBC查詢。
每個過程都應使用分隔符進行定義,以便MySQL接受查詢的語法:
DELIMITER //
CREATE DEFINER=`root`@`localhost` PROCEDURE `ISEGroups`(username varchar(64), OUT result INT)
begin
CASE username
WHEN '*' THEN
select distinct groupname from groups;
ELSE
select groupname from user_group
inner join users ON users.user_id = user_group.user_id
inner join groups ON groups.group_id = user_group.group_id
where users.username = username;
END CASE;
SET result = 0;
end //
DELIMITER //
CREATE DEFINER=`root`@`localhost` PROCEDURE `ISEAuthUserPlainReturnsRecordset`(username varchar(64), password varchar(255))
begin
IF EXISTS (select * from users where users.username = username and users.password = password ) THEN
select 0,11,'This is a very good user, give him all access','no error';
ELSE
select 3, 0, 'odbc','ODBC Authen Error';
END IF;
end //
DELIMITER //
CREATE DEFINER=`root`@`localhost` PROCEDURE `ISEFetchPasswordReturnsRecordset`(username varchar(64))
begin
IF EXISTS (select * from users where users.username = username) THEN
select 0,11,'This is a very good user, give him all access','no error',password from users where users.username = username;
ELSE
select 3, 0, 'odbc','ODBC Authen Error';
END IF;
end //
DELIMITER //
CREATE DEFINER=`root`@`localhost` PROCEDURE `ISEUserLookupReturnsRecordset`(username varchar(64))
begin
IF EXISTS (select * from users where users.username = username) THEN
select 0,11,'This is a very good user, give him all access','no error';
ELSE
select 3, 0, 'odbc','ODBC Authen Error';
END IF;
end //
使用下面提及的資訊將MySQL與思科ISE整合。導航到管理>身份管理>外部身份源> ODBC,然後增加新儲存:
使用運行MySQL資料庫的Ubuntu的IP地址作為以下主機名/IP地址。指定資料庫型別(此情況下使用MySQL),並插入先前建立的資料庫名稱和資料庫使用者證明資料:
指定以MySQL建立的程式名稱-您必須小心使用MAC位址格式(在本範例中,此格式已變更為其他格式):
完成後,請返回Connection頁籤並測試連線:
從MySQL獲取屬性,按一下屬性頁籤:
以相同方式擷取群組:
配置ISE以從MySQL資料庫對使用者進行身份驗證和授權。導航到策略>身份驗證和策略>授權:
測試了兩個身份驗證流:PEAP-MSCHAPv2和MAB。Alice是MySQL上的employee組的一部分,Bob是承包商組的一部分:
為了在ISE上啟用調試,請導航到管理>系統>日誌記錄>調試日誌配置,選擇PSN節點並將odbc-id-store元件的日誌級別更改為調試:
要檢查的日誌- prrt-server.log和prrt-management.log。您可以直接從ISE的CLI跟蹤它們:
vchrenek-ise22-1/admin# show logging application prrt-management.log tail
在驗證使用者bob期間,ISE必須獲取純文字檔案密碼,然後使用以下儲存過程ISEFetchPasswordReturnsRecordset:
2017-02-18 14:13:37,565 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Fetch Plain Text Password. Username=bob, SessionID=0a3e94660000090658a8487f
2017-02-18 14:13:37,566 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24861
2017-02-18 14:13:37,567 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - get connection
2017-02-18 14:13:37,567 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - use existing connection
2017-02-18 14:13:37,568 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 1
2017-02-18 14:13:37,568 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetch plain text password
2017-02-18 14:13:37,568 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Prepare stored procedure call, procname=ISEFetchPasswordReturnsRecordset
2017-02-18 14:13:37,568 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Using recordset to obtain stored procedure result values
2017-02-18 14:13:37,568 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24855
2017-02-18 14:13:37,568 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Text: {call ISEFetchPasswordReturnsRecordset(?)}
2017-02-18 14:13:37,568 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Setup stored procedure input parameters, username=bob
2017-02-18 14:13:37,568 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Execute stored procedure call
2017-02-18 14:13:37,571 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Process stored procedure results
2017-02-18 14:13:37,571 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Obtain stored procedure results from recordset
2017-02-18 14:13:37,571 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Received result recordset, number of columns=5
2017-02-18 14:13:37,571 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Results successfully parsed from recordset
2017-02-18 14:13:37,572 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - release connection
2017-02-18 14:13:37,572 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 0
2017-02-18 14:13:37,572 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- Call to ODBC DB succeeded
2017-02-18 14:13:37,572 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.OdbcAuthResult -:::- Authentication result: code=0, Conection succeeded=false, odbcDbErrorString=no error, odbcStoredProcedureCustomerErrorString=null, accountInfo=This is a very good user, give him all access, group=11
因為ISE必須檢查ODBC組分配,所以它必須檢索組:
2017-02-18 14:13:37,572 DEBUG [Thread-493][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24862
2017-02-18 14:13:37,728 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Username=bob, SessionID=0a3e94660000090658a8487f
2017-02-18 14:13:37,728 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Fetch user groups. Username=bob, SessionID=0a3e94660000090658a8487f
2017-02-18 14:13:37,728 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24869
2017-02-18 14:13:37,729 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - get connection
2017-02-18 14:13:37,729 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - use existing connection
2017-02-18 14:13:37,729 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 1
2017-02-18 14:13:37,729 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetch user groups
2017-02-18 14:13:37,729 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Prepare stored procedure call, procname=ISEGroups
2017-02-18 14:13:37,729 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Text: {call ISEGroups(?,?)}
2017-02-18 14:13:37,733 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Setup stored procedure input parameters, username=bob
2017-02-18 14:13:37,733 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Execute stored procedure call
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Process stored procedure results
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Received result recordset, total number of columns=1
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- According to column number expect multiple rows (vertical attributes/groups retured result)
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetched data: ExternalGroup=everyone
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetched data: ExternalGroup=contractor
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Results successfully parsed from recordset
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Result code indicates success
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - release connection
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 0
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- Call to ODBC DB succeeded
2017-02-18 14:13:37,740 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24870
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Got groups...
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Got groups(0) = everyone
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Setting Internal groups(0) = everyone
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Got groups(1) = contractor
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Setting Internal groups(1) = contractor
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user groups. Username=bob, ExternalGroups=[everyone, contractor]
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Fetch user attributes. Username=bob, SessionID=0a3e94660000090658a8487f
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24872
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - get connection
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - use existing connection
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 1
屬性亦然:
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetch user attributes
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Prepare stored procedure call, procname=ISEAttrsH
2017-02-18 14:13:37,741 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Text: {call ISEAttrsH(?,?)}
2017-02-18 14:13:37,745 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Setup stored procedure input parameters, username=bob
2017-02-18 14:13:37,746 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Execute stored procedure call
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Process stored procedure results
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Received result recordset, total number of columns=3
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- According to column number expect multiple columns (hotizontal attributes/groups retured result)
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetched data: eye_color=green
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetched data: floor=1
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Fetched data: is_certified=true
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Results successfully parsed from recordset
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnection -:::- Result code indicates success
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - release connection
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcConnectionPool -:::- OdbcConnectionPool - connections in use: 0
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- Call to ODBC DB succeeded
2017-02-18 14:13:37,749 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.CustomerLog -:::- Write customer log message: 24873
2017-02-18 14:13:37,750 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user attrs. Username=bob, Setting myODBC.eye_color to green
2017-02-18 14:13:37,750 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user attrs. Username=bob, Setting myODBC.floor to 1
2017-02-18 14:13:37,750 DEBUG [Thread-259][] cisco.cpm.odbcidstore.impl.OdbcIdStore -:::- ODBC ID Store Operation: Get all user attrs. Username=bob, Setting myODBC.is_certified to true
修訂 | 發佈日期 | 意見 |
---|---|---|
1.0 |
01-Apr-2017 |
初始版本 |