
EAP-Chaining UserID based ODBC Query

junk1
Cisco Employee

Hi

My customer has ISE 2.3 Patch 2 integrated with Microsoft SQL 2016 Database.

The design was to have dot1x endpoints to get authenticated against AD and get authorised against SQL DB values for SGT and VLAN.

This is to meet scalability needs, as recommended by ISE TME.

Customer uses Cisco AnyConnect NAM supplicant with EAP-Chaining for both User AND Machine Authentication enabled.

The Table in Microsoft SQL DB consists of User_ID, Project_ID, VLAN and SGT values, and the plan is to authorise endpoints based on User_ID.

The ODBC integration shows as working fine when "Test connection" is clicked. We could also manually fetch attributes from the ISE page.

However, when an endpoint connects, the endpoint is shown as authenticated in the ISE log but the SGT and VLAN attributes are not assigned. This happens when we have only User_ID in the SQL table, with EAP-FAST (AnyConnect NAM with User AND Machine Authentication as the supplicant setting).

I could see this unique error in the ISE log: "Dynamic Attribute value not available".

It only works in these cases:

  • When the machine hostname is included in the SQL table (host/PUNITP152923L), the SQL attributes are fetched and working fine. The endpoint gets the respective VLAN and SGT.
  • When tried with ONLY User Authentication (Windows Native Supplicant), the SQL attributes are fetched and working fine. The endpoint gets the respective VLAN and SGT.
  • When tried with User or Computer Authentication (MAR – Windows Native Supplicant), the SQL attributes are fetched and working fine. The endpoint gets the respective VLAN and SGT.

Please help with this: is there a way to make ISE send User_ID when querying the SQL DB for attributes, instead of the machine hostname?

Is there any AnyConnect NAM settings to do this?

Thanks and Regards

V Vinodh.


hslai
Cisco Employee

EAP Chaining is a means to authenticate and authorize both the user and the machine, regardless of whether ODBC is used or not. If the use case is for user only, then please configure NAM for user auth only.

junk1
Cisco Employee

Hi Hosuk

The requirement is to have both User AND Machine Authentication only, as per supplicant settings.

But when it comes to ODBC, the queries should be done based on either User_ID alone or based on the combination of User_ID and Machine name.

Here it is happening only based on Machine name.

Any way to achieve this with ODBC settings?

Regards

V Vinodh.

hslai
Cisco Employee

I believe your case has already been escalated to our ESC team and is being worked on by Dev, so it's best for you to continue that route. We could give some random ideas, but they might do more harm than good.

I am not familiar with MS SQL stored procedures but I am guessing they can do something like this:

If the subject is a machine, then return an empty attribute/group list.

Else <do the regular attribute/group lookup>

PS: I am not Hosuk. ;-)
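The conditional sketched in the reply above, written out as a T-SQL stored procedure for the ISE ODBC "fetch attributes" call. This is an added example, not code from the thread or from Cisco: the column names (User_ID, Project_ID, VLAN, SGT) and the `host/<hostname>` machine-subject form come from the question; the table name `dbo.EndpointAuthz`, the procedure name, and the attribute name/value result-set shape are assumptions to be checked against the ISE ODBC documentation for the deployed version.

```sql
-- Added example (not from the thread). Assumed names: dbo.EndpointAuthz,
-- dbo.ISE_FetchUserAttributes. CREATE OR ALTER needs SQL Server 2016 SP1
-- or later; on older builds use CREATE PROCEDURE instead.
CREATE OR ALTER PROCEDURE dbo.ISE_FetchUserAttributes
    @username NVARCHAR(256)   -- subject ISE passes for the lookup
AS
BEGIN
    SET NOCOUNT ON;

    -- Under EAP-Chaining the machine subject arrives as "host/<hostname>"
    -- (as seen in the question). Return an empty, correctly shaped result
    -- set for it, so only the user lookup supplies VLAN/SGT.
    IF @username LIKE 'host/%'
    BEGIN
        SELECT CAST(NULL AS NVARCHAR(64))  AS attribute_name,
               CAST(NULL AS NVARCHAR(256)) AS attribute_value
        WHERE 1 = 0;   -- zero rows, same columns as the normal path
        RETURN;
    END;

    -- Regular lookup keyed on User_ID: one row per attribute.
    -- (Assumed name/value shape; verify against the ISE ODBC guide.)
    SELECT 'VLAN' AS attribute_name,
           CAST(VLAN AS NVARCHAR(256)) AS attribute_value
    FROM dbo.EndpointAuthz
    WHERE User_ID = @username
    UNION ALL
    SELECT 'SGT', CAST(SGT AS NVARCHAR(256))
    FROM dbo.EndpointAuthz
    WHERE User_ID = @username
    UNION ALL
    SELECT 'Project_ID', CAST(Project_ID AS NVARCHAR(256))
    FROM dbo.EndpointAuthz
    WHERE User_ID = @username;
END;
GO
```

The subject string must match User_ID exactly as the supplicant presents it, so a quick `EXEC dbo.ISE_FetchUserAttributes N'host/PUNITP152923L'` (expected: no rows) and one with a real user ID are worth running before pointing ISE at the procedure.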

junk1
Cisco Employee

Thanks Hsing-Tsu Lai... and apologies for the typo.

Regards

V Vinodh.