CiscoDevNet / iPSK-Manager

Identity PSK (IPSK) Manager for Cisco ISE provides an example of how to manage the full Life Cycle of Wi-Fi Pre Shared Keys for supported Hardware/Software through Cisco ISE.
Apache License 2.0

unable to reference accountEnabled attribute #50

Closed ognetravco closed 4 months ago

ognetravco commented 4 months ago

I am unclear on how to reference the "accountEnabled" attribute.

If I suspend the endpoint, ISE still lets it on the network. If I add the iPSK manager attribute "accountEnabled = 1" to the authorization policy that is already looking for the endpoint's device group, the rule stops working.

How do I get this to work?

Using the following stored procedures: iPSK_AuthMACPlainNonExpired, iPSK_FetchPasswordForMACNonExpired, iPSK_MACLookupNonExpired

Ubuntu 22.04.4 LTS, MySQL 8.0.36-0ubuntu0.22.04.1, PHP 8.1.2-1ubuntu2.17, ISE 3.2.0.542 patch 3.4

ciesinsn commented 4 months ago

Can you include a screenshot of your ISE authz policy as well as the live log details for the endpoint? I can check it out and try and reproduce.

ciesinsn commented 4 months ago

So, accountEnabled is not sent back to ISE in the SQL procedure call. The attribute that is sent is accountExpired, which is True if it has time-expired and False if it has not. For a suspended endpoint, when it runs any of the procedures you have above it will return an authentication error.

ciesinsn commented 4 months ago

I think the confusion is that the original author's documentation on the Cisco communities doesn't cover what you are looking to do and actually doesn't have iPSK Manager as part of the authentication flow, just authorization. I really should work on getting all that documentation moved over to GitHub and cleaned up.

If you make an authentication rule for your MAB authentication that uses the iPSK ODBC database vs the Internal Database like this, I think it will do what you are looking for when an endpoint is suspended, if I'm following what you're asking.

[image: screenshot of the authentication rule described above]
ciesinsn commented 4 months ago

One additional item I didn't mention: you may want to switch to using the versions of the procedure that don't have "NonExpired" in the name. When you use the ones with "NonExpired" in the name, if the endpoint is expired they will be returned with an authentication error and then wouldn't connect to the SSID.

The ones without "NonExpired" would return authentication success, and if you wished to allow them to re-enroll/renew a registration you'd then use the accountExpired attribute in an AuthZ rule.

ognetravco commented 4 months ago

I appreciate the clarification that ISE does not receive the attribute as part of the authorization. The intent was to be able to disable certain endpoints on the iPSK Manager Admin portal to deny access but still retain the endpoint in the database. But removing the endpoint or placing it in a "Disabled" group that has no ISE policy would result in the same action of access being denied.

Not part of the original question, so I'm ok with not getting an answer, but when exactly does the accountExpired attribute go from False to True? I shut down my test iPSK Manager VM over the weekend and the entry that should be expired shows as expired on the portal, but the database still has it as accountExpired=False.

ciesinsn commented 4 months ago

To do what you want I'd have ISE use the iPSK DB as the Authentication and Authorization source, but I'd change to using the Stored Procedures with "NonExpired" not in the name. That way you could control expired endpoints in an authorization rule, to, for instance, send them back to a captive portal. If you just wanted expired endpoints to have no access then you could keep using the Stored Procedures with "NonExpired" in the name.

I did move over some of the community-based documentation and updated some of it for ISE; you can find it here: ISE Config

As for your other question of where accountExpired gets set, that would be when ISE does the stored procedure call to the iPSK DB. This is the code in one of the stored procedures. As there is no process that actively runs updating that field across the board based on the actual expire date and time, the raw DB field shouldn't be considered accurate unless it was polled by the stored procedure.

-- expirationDate = 0 means the endpoint never expires, so skip the check entirely.
IF NOT (SELECT expirationDate FROM endpoints WHERE endpoints.macAddress = @formattedMAC) = 0 THEN
    -- Only rows still flagged 'False' are re-evaluated; 'True' is never reset here.
    IF NOT (SELECT accountExpired FROM endpoints WHERE endpoints.macAddress = @formattedMAC) = 'True' THEN
        -- Compare the stored UNIX timestamp against the current time at lookup.
        IF (SELECT expirationDate FROM endpoints WHERE endpoints.macAddress = @formattedMAC) < UNIX_TIMESTAMP(NOW()) THEN
            -- Lazily persist the result so the flag is returned to ISE on this and later calls.
            UPDATE `endpoints` SET `endpoints`.`accountExpired` = 'True' WHERE `endpoints`.`macAddress` = @formattedMAC;
        END IF;
    END IF;
END IF;
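The lazy-update behaviour described in the comment above can be reproduced end to end. The following is an added example, not iPSK Manager's own schema or stored procedure: it assumes a minimal `endpoints` table with only the three columns the fragment touches (types are guesses; the real table has more columns), wraps the quoted fragment in a hypothetical procedure named `iPSK_RefreshExpiredFlag` so it can be called, and skips whatever MAC normalisation the real procedures apply before populating `@formattedMAC`. The sample rows are constructed.

```sql
-- Added example: minimal stand-in for the iPSK Manager endpoints table.
-- Column types are assumptions; only the three columns the fragment uses are modelled.
CREATE TABLE endpoints (
    macAddress     VARCHAR(17)           NOT NULL PRIMARY KEY,
    expirationDate BIGINT UNSIGNED       NOT NULL DEFAULT 0,       -- UNIX time; 0 = never expires
    accountExpired ENUM('True', 'False') NOT NULL DEFAULT 'False'  -- cached flag, refreshed lazily
);

-- Constructed sample rows: one expired a day ago, one valid for another day, one non-expiring.
INSERT INTO endpoints (macAddress, expirationDate) VALUES
    ('aa:bb:cc:00:00:01', UNIX_TIMESTAMP(NOW()) - 86400),
    ('aa:bb:cc:00:00:02', UNIX_TIMESTAMP(NOW()) + 86400),
    ('aa:bb:cc:00:00:03', 0);

-- Before any lookup runs, every row still carries the default 'False',
-- including the one whose expirationDate is already in the past.
SELECT macAddress, expirationDate, accountExpired FROM endpoints;

-- Hypothetical wrapper (name is an assumption) around the fragment quoted in the comment.
-- The real procedures derive @formattedMAC from the RADIUS-supplied MAC; that step is omitted.
DELIMITER //
CREATE PROCEDURE iPSK_RefreshExpiredFlag(IN inMAC VARCHAR(17))
BEGIN
    SET @formattedMAC = inMAC;
    IF NOT (SELECT expirationDate FROM endpoints WHERE endpoints.macAddress = @formattedMAC) = 0 THEN
        IF NOT (SELECT accountExpired FROM endpoints WHERE endpoints.macAddress = @formattedMAC) = 'True' THEN
            IF (SELECT expirationDate FROM endpoints WHERE endpoints.macAddress = @formattedMAC) < UNIX_TIMESTAMP(NOW()) THEN
                UPDATE endpoints SET accountExpired = 'True' WHERE macAddress = @formattedMAC;
            END IF;
        END IF;
    END IF;
END //
DELIMITER ;

-- Simulate ISE looking up only the first endpoint.
CALL iPSK_RefreshExpiredFlag('aa:bb:cc:00:00:01');

-- Only the endpoint that was actually looked up has its cached flag refreshed.
SELECT macAddress, expirationDate, accountExpired FROM endpoints;

-- For an accurate view across the whole table (audit, report, portal display),
-- compute expiry from expirationDate rather than trusting the cached column.
SELECT macAddress,
       accountExpired AS cachedFlag,
       (expirationDate <> 0 AND expirationDate < UNIX_TIMESTAMP(NOW())) AS expiredNow
FROM endpoints;
```

After the `CALL`, the first row's `accountExpired` reads 'True' while the second and third stay 'False'; the second row's flag is correct only by coincidence, and a row that passes its expirationDate while no client is authenticating will keep reporting 'False' until the next lookup. The last query is the check to use when the cached value and the portal disagree, as in the report above.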
ognetravco commented 4 months ago

Appreciate the detailed feedback, totally makes sense now 😄