topic Re: iPSK - New ISE PSN node in Network Access Control

iPSK - New ISE PSN node

stefan.tabell — Thu, 09 Dec 2021 15:08:58 GMT

Hi,

Reaching out here and hopefully someone can help me. We have a working iPSK server that is connected to our ISE deployment.

I'm currently installing new ISE PSN nodes but am getting issues with having the new nodes speaking with the iPSK portal.

On ISE I can only see that it fails to query the database.

24878 Retry failed ODBC operation
24849 Connecting to external ODBC database
24851 Connection to external ODBC database failed
24874 Fetching of the user attributes in external ODBC database failed
15048 Queried PIP - iPSK.ExternalGroups
24869 Perform fetching of the user groups in external ODBC database
24849 Connecting to external ODBC database
24851 Connection to external ODBC database failed
24878 Retry failed ODBC operation
24849 Connecting to external ODBC database
24851 Connection to external ODBC database failed
24871 Fetching of the user groups in external ODBC database failed
24872 Perform fetching of the user attributes in external ODBC database
24849 Connecting to external ODBC database
24851 Connection to external ODBC database failed
24878 Retry failed ODBC operation
24849 Connecting to external ODBC database
24851 Connection to external ODBC database failed
24874 Fetching of the user attributes in external ODBC database failed
15048 Queried PIP - iPSK.ExternalGroups
24869 Perform fetching of the user groups in external ODBC database
24849 Connecting to external ODBC database
24851 Connection to external ODBC database failed
24878 Retry failed ODBC operation
According to the firewall in between all traffic is allowed.

A packet capture on the IPSK shows:
ISE PSN -> IPSK - [SYN]
IPSK -> ISE PSN - [SYN, ACK]
ISE PSN -> IPSK - [ACK]
IPSK -> ISE PSN - [MySQL server greeting]
ISE PSN -> IPSK -> [RST, ACK]

Packet capture from the ISE shows:
ISE PSN -> IPSK - [SYN]
IPSK -> ISE PSN - [SYN, ACK]
ISE PSN -> IPSK - [ACK]
IPSK -> ISE PSN -> [RST, ACK]

Compared with a capture on our working setup this looks very different.

I've been suspecting that something in the iPSK Linux Server (MySQL server) is only allowing connections from certain hosts but haven't been able to find anything in any config file. Neither is the IPTables blocking anything.

Please let me know if anyone can give me any pointers on what I could check. I could share PCAP screenshoots (with sensitive information blurred) if needed. Thanks!

Re: iPSK - New ISE PSN node

thomas — Mon, 13 Dec 2021 18:21:32 GMT

By "iPSK server" I assume you mean an instance of the iPSK Manager?

You did not explicitly state if that is the software you are using or if you are using your own custom software.

Did you follow the guide to get it configured?

Re: iPSK - New ISE PSN node

hslai — Tue, 14 Dec 2021 02:47:56 GMT

Like Thomas said, do refer to that guide. Also, use another MySQL client on a Windows or macOS or Linux to test and verify the connectivity and the credentials for the user ipsk-ise-user.

Re: iPSK - New ISE PSN node

stefan.tabell — Fri, 17 Dec 2021 09:38:42 GMT

Hi Thomas,

Thank you for responding. It is indeed the Cisco iPSK manager that I'm working with.

It was setup by my predecessor according to the guide, but not sure if he took extra steps to add security. What I can say is that we have several PSN nodes that the setup is working with, it's just the new PSNs it doesn't work for. Almost like the MySQL service doesn't allow for connections from those hosts.

Re: iPSK - New ISE PSN node

stefan.tabell — Mon, 20 Dec 2021 12:51:48 GMT

Hi, after some further digging I found that a firewall on the path was blocking the mysql traffic (but it allowed the traffic on TCP3306 where it was establishing the TCP session with 3-way handshake).