Yes, the integration is through APIs, though, not pxGrid.
You can't use any MySQL version higher than 5.7 and no PHP version higher than 7.4. Here are my notes from installing iPSK Manager for ISE 3.3:
iPSK Manager
https://github.com/CiscoDevNet/iPSK-Manager
iPSK (Identity Pre-Shared-Key) Manager portal server for ISE
Preparation
After installing Ubuntu OS, make sure the system is up-to-date:
sudo apt-get update
sudo apt-get upgrade -y
After updating Ubuntu OS, install MySQL 5.7
Install MySQL 5.7
Download the repository
https://www.devart.com/dbforge/mysql/how-to-install-mysql-on-ubuntu/
First, create a dowwnloads/ folder
Download the MySQL repository to the downloads folder by executing the following command
wget https://dev.mysql.com/get/mysql-apt-config_0.8.12-1_all.deb -P downloads/
After the MySQL package has been successfully downloaded, install it
cd downloads/
sudo dpkg -i mysql-apt-config_0.8.12-1_all.deb
Choose
- Ubuntu Bionic
- MySQL Server & Cluster
- mysql-5.7
- OK
Next, update the APT repository
If you encounter the "signature couldn't be verified" error like this one: NO_PUBKEY 467B942D3A79BD29, you will need to import the missing gpg key by running the following command (change the key value to the one shown in your error):
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
sudo apt update
To check whether MySQL 5.7 repository has been successfully installed, execute
sudo apt-cache policy mysql-server
You should see MySQL 5.7 repository at the bottom of the list
iseadmin@ipsk:~/downloads$ sudo apt-cache policy mysql-server
mysql-server:
Installed: (none)
Candidate: 8.0.33-0ubuntu0.22.04.4
Version table:
8.0.33-0ubuntu0.22.04.4 500
500 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
8.0.33-0ubuntu0.22.04.2 500
500 http://azure.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
8.0.28-0ubuntu4 500
500 http://azure.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
5.7.42-1ubuntu18.04 500
500 http://repo.mysql.com/apt/ubuntu bionic/mysql-5.7 amd64 Packages
100 /var/lib/dpkg/status
Install
Now that you have a MySQL 5.7 repository in your system, you can proceed to install it. For this, run the following command
sudo apt install -f mysql-client=5.7* mysql-community-server=5.7* mysql-server=5.7*
Press Y to begin the installation and set the root password when asked
MySQL Configuration
(Recommended) Run post installation script for MySQL, this will set the
Password Policy
sudo mysql_secure_installation utility
Securing the MySQL server deployment.
Connecting to MySQL using a blank password.
VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?
Press y|Y for Yes, any other key for No: y
There are three levels of password validation policy:
LOW Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 0
Skipping password set for root as authentication with auth_socket is used by default.
If you would like to use password authentication instead, this can be done with the "ALTER_USER" command.
See https://dev.mysql.com/doc/refman/8.0/en/alter-user.html#alter-user-password-management for more information.
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.
Remove anonymous users? (Press y|Y for Yes, any other key for No) :
... skipping.
Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : N
... skipping.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y
- Dropping test database...
Success.
- Removing privileges on test database...
Success.
Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y
Success.
All done!
Note: For more information on the MySQL or MariaDB secure installation utility, please review:
Creating a User
(Recommended) Instead of using MySQL root account, a temporary install account can be created to install the iPSK Manager then removed once completed
Enter the password for the root user
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1080
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
At the mysql> prompt, type these commands (replace `password` with the password you want to set):
CREATE USER 'install' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'install'@'%' WITH GRANT OPTION;
Install PHP7.4, Apache2, and PHP plugins
Add the PHP repository
sudo add-apt-repository ppa:ondrej/php -y
sudo apt update
sudo apt upgrade
Apache2, PHP7, MySQL server, and additional modules:
sudo apt-get install php7.4 apache2 php7.4-common libapache2-mod-php7.4 php7.4-cli php7.4-mysql php7.4-ldap php7.4-curl php7.4-mbstring php7.4-xml -y
Enable Apache Modules:
sudo a2enmod rewrite
sudo a2enmod ssl
iPSK Manager Installation
Download iPSK Manager from GitHub into the /var/www/ folder
sudo git clone https://github.com/CiscoSE/iPSK-Manager.git /var/www/iPSK-Manager
Configuration
Change owner of the iPSK-Manager directory (Showing example of Ubuntu distribution which uses www-data user and group for the apache process)
cd /var/www
sudo chown www-data:www-data -R iPSK-Manager
It is recommended to use SSL for security and subsequent section describes how to enable SSL. However, if no certificate is available,follow the instructions in the Appendix on how to use non-SSL port for the portals
Copy the certificate bundle to the linux machine:
sudo wget https://server.com/endpoints/cert_files.zip -P /home/iseadmin/downloads/
To unzip the package, install unzip
sudo nala install unzip -y
Then unzip the certificate package into the .certs/ folder
mkdir .certs && cd downloads
unzip cert_files.zip -d ~/.certs/
(Recommended) Create self-signed certificate using OpenSSL or external tools. You will need private key, signed certificate, and CA chain if applicable
(Recommended) Enable SSL for admin portal. There are sample apache configuration files for the admin portal and end user portal located at the root of the install directory called portal-ssl.sample.conf file. There are 3 sections in the file for admin portal and also for enabling port 8443 & 8445 for SSL. You can simply copy each section in to separate files and place them in /etc/apache2/sites-enabled to get it enabled. The files are shown below. Aside from that you need to make sure to update the path and file names for the certificate. First for admin portal create a file called 443-ssl.conf with following content:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@ipskmanager
DocumentRoot /var/www/iPSK-Manager/adminportal
<Directory /var/www/iPSK-Manager/adminportal>
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/admin-error.log
CustomLog ${APACHE_LOG_DIR}/admin-access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /home/iseadmin/.certs/public_cert.pem
SSLCertificateKeyFile /home/iseadmin/.certs/public_cert_key.pvk
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /home/iseadmin/.certs/ca_cert.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
</VirtualHost>
</IfModule>
Note: Make sure to modify the path and file name for the certificate, private key, and the certificate chain
(Recommended) Enable SSL for end user portal port. Next for end user portal create files called 8443-ssl.conf and 8445-ssl.conf with following content:
<IfModule mod_ssl.c>
Listen 8443
<VirtualHost *:8443>
ServerAdmin webmaster@ipskmanager
DocumentRoot /var/www/iPSK-Manager/portals
<Directory /var/www/iPSK-Manager/portals>
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/portal-8443-error.log
CustomLog ${APACHE_LOG_DIR}/portal-8443-access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /home/iseadmin/.certs/public_cert.pem
SSLCertificateKeyFile /home/iseadmin/.certs/public_cert_key.pvk
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /home/iseadmin/.certs/ca_cert.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
Listen 8445
<VirtualHost *:8445>
ServerAdmin webmaster@ipskmanager
DocumentRoot /var/www/iPSK-Manager/portals
<Directory /var/www/iPSK-Manager/portals>
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/portal-8445-error.log
CustomLog ${APACHE_LOG_DIR}/portal-8445-access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /home/iseadmin/.certs/public_cert.pem
SSLCertificateKeyFile /home/iseadmin/.certs/public_cert_key.pvk
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
SSLCertificateChainFile /home/iseadmin/.certs/ca_cert.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
</VirtualHost>
</IfModule>
(Recommended) Once SSL is enabled restart apache. This time you will be asked to enter password to access the private key file:
sudo service apache2 restart
Enter passphrase for SSL/TLS keys for 127.0.1.1:443 (RSA): *********
Finish Installation via Web
Run setup via browser. Open web browser from any machine and go to the IP or hostname (If DNS is already setup) of the IPSK Manager host
You will be greeted with setup screen, click Next and accept the license agreement page and click Next to continue with setup
Installer will also make sure that required PHP modules are installed, if any of the modules are missing go back to the CLI and make sure they are installed and rerun the Installer
Accept default values or change values as needed
| Field Name |
Sample Entry |
Note |
| mySQL Server IP/FQDN |
127.0.0.1 |
|
| iPSK Database Username |
ipsk-db-user |
A random password will be generated at the end of installation process |
| Cisco ISE ODBC Username |
ipsk-ise-user |
This is the username ISE will use for SQL connection. A random password will be generated at the end of installation process |
| iPSK Database Name |
ipsk |
|
| MySQL Admin/Root Username |
install |
If using temporary MySQL install account, if not use root account |
| MySQL Admin/Root Password |
ISEisC00L |
If using temporary MySQL install account, if not use root password |
| Administrator Password |
ISEisC00L |
|
You will also be asked to create local GUI administrator account password
If the install fails, please make sure to go through the steps above to see any of the steps were missed
At the end of setup process, it will automatically download a txt file called 'DONOTDELETE-iPSKMANAGER-Install.txt' which contains the database details including username & password needed for ISE communication such as following:
#Copyright 2021 Cisco Systems, Inc. or its affiliates
#
#Licensed under the Apache License, Version 2.0 (the "License");
#you may not use this file except in compliance with the License.
#You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
#Unless required by applicable law or agreed to in writing, software
#distributed under the License is distributed on an "AS IS" BASIS,
#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#See the License for the specific language governing permissions and
#limitations under the License.
########################################################
## iPSK Manager
## DO NOT DELETE THIS DATA - STORE IN A SECURE LOCATION
## THIS FILE CONTAINS DETAILS ABOUT YOUR INSTALLATION
########################################################
#Organization SID for iPSK Manager
#---------------------------------
Organization (System) SID Value = S-1-9-1569991369-1569991369-1
#Encryption Key for Encrypting MySQL Sensitive Data
#--------------------------------------------------
Encryption Key = AipsBSIhIJ+TnwsYkLlw1fTPSXc/siDQoP8YaTWZNpY=
#iPSKManager Database Credentials
#--------------------------------
Host = 127.0.0.1
Username = ipsk-db-user
Password = t@DKrkNyZhvXnUTd
Database = ipsk
#Cisco ISE MySQL Credentials
#---------------------------
Username = ipsk-ise-user
Password = e1YV3JefcDQut8g
Database = ipsk
#Cisco ISE Stored Procedures Names
#---------------------------------
iPSK_AttributeFetch
iPSK_AuthMACPlain
iPSK_FetchGroups
iPSK_FetchPasswordForMAC
iPSK_MACLookup
###OPTIONAL### Cisco ISE Replacement Stored Procedures for returning only Non-Expired Endpoints Contained within the iPSK Database
#---------------------------------------------------------------------------------------------------------------------------------
iPSK_AuthMACPlainNonExpired
iPSK_FetchPasswordForMACNonExpired
iPSK_MACLookupNonExpired
Note: Keep this file safe in case iPSK Manager needs to be restored or new ISE / iPSK Manager integration is needed
You should be redirected to the iPSK Manager login page where you can enter the credential (default GUI admin username is administrator) created during the setup to login to proceed with iPSK Manager configuration
Allow SQL connection from other hosts, by editing the /etc/mysql/mysql.conf.d/mysqld.cnf file. Find the line bind-address = 127.0.0.1 and add # at the front to remark it
Note: Please make sure to utilize MySQL security best practices such as FW rules and limiting mySQL user to specific hosts as above allows SQL access from all hosts
Restart MySQL service by running sudo service mysql restart
Remove Temporary install user
(Optional) If temporary MySQL account was created in previous step, run the following to remove the install account
sudo mysql -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1080
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'install'@'%';
mysql> FLUSH PRIVILEGES;
mysql> DROP USER 'install'@'%';
Downgrade to PHP 7.4 (if PHP 8 was installed)
https://github.com/CiscoDevNet/iPSK-Manager/issues/24
Downgrade:
sudo apt install software-properties-common apt-transport-https -y
Install the php 7 repo
sudo add-apt-repository ppa:ondrej/php -y
sudo apt update
sudo apt upgrade -y
Install php7
sudo apt install php7.4 php7.4-common libapache2-mod-php7.4 php7.4-cli -y
Disable php 8
Enable php 7
Restart Apache2
sudo systemctl restart apache2
Install php extentions needed for iPSK-Manager
sudo apt install php7.4-mbstring
sudo apt install php7.4-xml
sudo apt install php7.4-ldap
sudo apt install php7.4-mysql
sudo apt install php7.4-curl
Then restart apache2 again:
sudo systemctl restart apache2
