Contributor

Privileges and queries for ISE-SCCM integration

We are troubleshooting an ISE-SCCM integration issue. The SCCM settings have been applied according to the ISE Administration guide (double checked by SCCM admin). ISE shows successful connection but is unable to access data in SCCM for any workstation.

We followed these step-by-step guides:

Configure the Microsoft SCCM Server for ISE

https://community.cisco.com/t5/security-documents/how-to-integrate-cisco-ise-with-microsoft-sccm-for-patch/ta-p/3725035#_Toc526701135

The guide states that

The user account that you use for ISE integration must either:

  • Be a member of SMS Admins user group.

  • Have the same permissions as the SMS object under the WMI namespace root\sms\site_<sitecode>, where sitecode is the SCCM site.

SMS Admins is an AD group that provides its members with access to the SMS Provider, through WMI. Access to the SMS Provider is required for viewing and modifying SMS security objects and data in the SMS Administrator console, or in other similar tools. Members can run WMI queries but they have no explicit read access to the MSSQL database so they cannot run WQL queries. Such users are able to access the data via the WMI provider and they have access to the WMI namespace.

However, there is a role in SCCM with even more privileges: the SCCM Full Administrator role. A full admin is able to run both WMI and WQL queries as he/she has explicit read access to the MSSQL database. Not surprisingly, the person responsible for SCCM prefers not to grant this privilege if the Cisco guide does not call for it.

The Cisco guide does not require that the ISE user should be a Full Administrator in SCCM. The guide does not include a step that we should give the user explicit read access to the MSSQL database.

Questions:

  • Is it correct that the integration user needs rights to run only WMI queries?

The Troubleshooting section describes a testing method with WBEMTOOL which uses a WQL query. Our user is unable to fetch data via a WQL query as it is not a Full Administrator.

  • Is it correct in the guide that membership in SMS Admins is enough and the integration user does not need SCCM Full Administrator role?
  • Is it correct that the integration user does not need explicit read access to the MSSQL database to run WQL queries?

Cisco Employee

Re: Privileges and queries for ISE-SCCM integration

As far as I'm aware, SCCM integration with ISE only requires WMI. I've asked a colleague to provide additional information.

Regards,

-Tim

Cisco Employee

Re: Privileges and queries for ISE-SCCM integration

ISE uses WMI to query the SCCM database and hence the user has to be part of SMS Admins. This is enough and you don't need any specific permission for SQL queries.

The guide has a snapshot of the WMI query sent to the SCCM server to check the compliance status.

Thanks,

Nidhi

Contributor

Re: Privileges and queries for ISE-SCCM integration

A WMI query and SMS Admins are enough, actually.

The failure is caused by the over-complex factory WMI query in ISE. It cannot be served within 30 seconds by the SCCM server, and the excessively long response times caused policy evaluation failures in ISE.
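As an added check (not part of the thread or the Cisco guide), the PowerShell script below exercises the same path the troubleshooting section tests by hand: it connects to the root\sms\site_<sitecode> namespace as the integration account, confirms the SMS Provider answers, and times one WQL query for a single workstation against the 30-second window the last reply mentions. The server name, site code, workstation name and the credential prompt are placeholders to replace with your own values.

```powershell
# Added example: verify the ISE integration account's WMI access to the SMS Provider
# and time a WQL query against the 30-second window discussed in the thread.
# $SccmServer, $SiteCode and $Workstation are placeholders, not values from the thread.
param(
    [string]$SccmServer  = 'SCCM-SERVER.example.local',   # placeholder
    [string]$SiteCode    = 'P01',                          # placeholder site code
    [string]$Workstation = 'WS-TEST01',                    # placeholder workstation
    [int]$TimeoutSec     = 30                              # window cited in the thread
)

$cred = Get-Credential -Message 'ISE integration account (member of SMS Admins)'
$ns   = "root\sms\site_$SiteCode"

# DCOM is the transport classic WMI clients use; WS-Man would exercise a different path.
$opt     = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $SccmServer -Credential $cred -SessionOption $opt

# 1. Can the account see the namespace at all? Enumerate a small, well-known class.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    $sites = Get-CimInstance -CimSession $session -Namespace $ns -ClassName SMS_Site `
             -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
    Write-Host ("Namespace OK: {0} site(s) visible in {1:n1}s" -f @($sites).Count, $sw.Elapsed.TotalSeconds)
} catch {
    Write-Host "Namespace access FAILED: $($_.Exception.Message)"
    Remove-CimSession $session
    return
}

# 2. WQL query for one workstation, timed. WQL is the WMI query language served by the
#    SMS Provider, so SMS Admins membership, not SQL database rights, is what is tested.
$wql = "SELECT ResourceID, Name, Client FROM SMS_R_System WHERE Name = '$Workstation'"
$sw.Restart()
try {
    $rows = Get-CimInstance -CimSession $session -Namespace $ns -Query $wql `
            -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
    Write-Host ("Query answered in {0:n1}s" -f $sw.Elapsed.TotalSeconds)
    if (@($rows).Count -eq 0) {
        Write-Host "Query OK but no SMS_R_System record for $Workstation"
    } else {
        $rows | Select-Object ResourceID, Name, Client | Format-Table -AutoSize
    }
} catch {
    # A timeout lands here: the provider did not answer within $TimeoutSec seconds.
    Write-Host "WQL query FAILED or timed out after ${TimeoutSec}s: $($_.Exception.Message)"
} finally {
    Remove-CimSession $session
}
```

A failure in step 1 points at namespace permissions (SMS Admins membership); a timeout in step 2 with a working step 1 matches the slow-query symptom described in the last reply.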