We are troubleshooting an ISE-SCCM integration issue. The SCCM settings have been applied according to the ISE Administration guide (double checked by SCCM admin). ISE shows successful connection but is unable to access data in SCCM for any workstation.
We followed these step-by-step guides:
The guide states that
The user account that you use for ISE integration must either:
Be a member of SMS Admins user group.
Have the same permissions as the SMS object under the WMI namespace
where sitecode is the SCCM site.
SMS Admins is an AD group that provides its members with access to the SMS Provider, through WMI. Access to the SMS Provider is required for viewing and modifying SMS security objects and data in the SMS Administrator console, or in other similar tools. Members can run WMI queries but they have no explicit read access to the MSSQL database so they cannot run WQL queries. Such users are able to access the data via the WMI provider and they have access to the WMI namespace.
However, there is a role in SCCM having even more privileges: the SCCM Full Administrator role. A full admin is able to run both WMI and WQL queries as he/she has explicit read access to the MSSQL database. Not surprisingly, the person responsible for SCCM prefers not to give this privilege if the Cisco guide does not indicate it.
The Cisco guide does not require that the ISE user should be a Full Administrator in SCCM. The guide does not include a step that we should give the user explicit read access to the MSSQL database.
The Troubleshooting section describes a testing method with WBEMTOOL which uses WQL query. Our user is unable to fetch data via WQL query as it is not a Full Administrator.
As far as I'm aware, SCCM integration with ISE only requires WMI. I've asked a colleague to provide additional information.
ISE uses WMI to query the SCCM database and hence the user has to be part of SMS Admins. This is enough and you don't need any specific permission for SQL queries.
The guide has a snapshot of WMI query sent to SCCM server to check the compliance status.
WMI query and SMS Admins are enough actually.
The failure is caused by the over-complex factory WMI query in ISE. It cannot be served in 30 seconds by the SCCM server, and the overly long response times caused policy evaluation failure in ISE.
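The two things the thread ends up hinging on, whether the integration account can reach the SMS Provider over WMI as a plain SMS Admins member, and whether a per-endpoint query returns inside the 30-second window, can both be checked from any Windows host before touching ISE. The script below is an added diagnostic, not code from the Cisco guide, from ISE, or from anyone in this thread. It assumes the standard SMS Provider namespace layout root\SMS\site_<SiteCode>; the server name, site code and workstation name are placeholders, and the integration account's credentials are prompted for so the test runs under the same identity ISE would use.

```powershell
# Added example: verify SMS Provider reachability over WMI for the ISE
# integration account and time a single-endpoint query against the 30 s
# budget the thread describes. Not from the Cisco guide or from ISE.
param(
    [string]$SiteServer = 'sccm-provider.example.local',   # placeholder SMS Provider host
    [string]$SiteCode   = 'P01',                           # placeholder site code
    [string]$HostName   = 'WORKSTATION01',                 # placeholder workstation to look up
    [int]$BudgetSeconds = 30,                              # the timeout figure from the thread
    [pscredential]$Credential = (Get-Credential -Message 'ISE integration account (SMS Admins member)')
)

# Assumption: the SMS Provider lives in root\SMS\site_<SiteCode> (standard SCCM layout).
$namespace = "root\SMS\site_$SiteCode"

# Open one CIM session as the integration account so every query below
# runs with exactly the permissions ISE would have.
$session = New-CimSession -ComputerName $SiteServer -Credential $Credential -ErrorAction Stop

try {
    # Step 1: can this account see the namespace at all? SMS_Site is a small,
    # always-present class, so a failure here is a permissions/namespace problem,
    # not a slow query.
    $site = Get-CimInstance -CimSession $session -Namespace $namespace `
                            -ClassName SMS_Site -ErrorAction Stop
    Write-Host "OK: $namespace reachable as $($Credential.UserName); site(s): $($site.SiteCode -join ', ')"

    # Step 2: a narrow, single-host query (the shape ISE needs per endpoint).
    # The host name is escaped so a stray quote cannot alter the WQL filter.
    $safeName = $HostName -replace "'", "''"
    $query = "SELECT ResourceId, Name, LastLogonTimestamp FROM SMS_R_System WHERE Name = '$safeName'"

    $elapsed = Measure-Command {
        $script:result = Get-CimInstance -CimSession $session -Namespace $namespace `
                                         -Query $query -OperationTimeoutSec $BudgetSeconds `
                                         -ErrorAction Stop
    }

    if ($null -eq $script:result) {
        Write-Warning "Query succeeded but returned no record for '$HostName' (check the name / discovery data)."
    } else {
        Write-Host ("OK: record for {0} (ResourceId {1}) returned in {2:N1} s" -f
                    $HostName, $script:result.ResourceId, $elapsed.TotalSeconds)
    }

    # Step 3: flag responses that would already be too slow for the policy
    # evaluation window even though the query itself succeeded.
    if ($elapsed.TotalSeconds -gt ($BudgetSeconds * 0.5)) {
        Write-Warning ("Response time {0:N1} s is more than half the {1} s budget; a broader " +
                       "query, as ISE's default one is, is likely to exceed it." -f
                       $elapsed.TotalSeconds, $BudgetSeconds)
    }
}
catch {
    # Separate the two failure modes the thread discusses: no access (account not
    # an SMS Admins member / no namespace rights) versus the query timing out.
    $msg = $_.Exception.Message
    if ($msg -match 'denied|0x80070005|0x80041003') {
        Write-Error "Access denied to $namespace as $($Credential.UserName): confirm SMS Admins membership and WMI namespace rights. ($msg)"
    } elseif ($msg -match 'time ?out|timed out') {
        Write-Error "Query exceeded $BudgetSeconds s: the SMS Provider cannot answer in time; this matches the ISE policy-evaluation failure described above. ($msg)"
    } else {
        Write-Error "Unexpected failure: $msg"
    }
}
finally {
    Remove-CimSession -CimSession $session
}
```

Run it from a machine that can reach the site server, as an administrator on that machine is not required; what matters is that the prompted credential is the integration account. A clean "OK" on step 1 with a timeout on step 2 points at provider response time rather than permissions, which is the distinction the thread resolves on.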