12-18-2018 06:55 AM
We are troubleshooting an ISE-SCCM integration issue. The SCCM settings have been applied according to the ISE Administration guide (double checked by SCCM admin). ISE shows successful connection but is unable to access data in SCCM for any workstation.
We followed these step-by-step guides:
Configure the Microsoft SCCM Server for ISE
The guide states that
The user account that you use for ISE integration must either:
Be a member of SMS Admins user group.
Have the same permissions as the SMS object under the WMI namespace
root\sms\site_<sitecode>
where sitecode is the SCCM site.
SMS Admins is an AD group that provides its members with access to the SMS Provider, through WMI. Access to the SMS Provider is required for viewing and modifying SMS security objects and data in the SMS Administrator console, or in other similar tools. Members can run WMI queries but they have no explicit read access to the MSSQL database so they cannot run WQL queries. Such users are able to access the data via the WMI provider and they have access to the WMI namespace.
However, there is a role in SCCM having even more privileges: the SCCM Full Administrator role. A full admin is able to run both WMI and WQL queries as he/she has explicit read access to the MSSQL database. Not surprisingly, the person responsible for SCCM prefers not to give this privilege if the Cisco guide does not indicate it.
The Cisco guide does not require that the ISE user should be a Full Administrator in SCCM. The guide does not include a step that we should give the user explicit read access to the MSSQL database.
Questions:
The Troubleshooting section describes a testing method with WBEMTOOL which uses WQL query. Our user is unable to fetch data via WQL query as it is not a Full Administrator.
12-18-2018 07:32 AM
As far as I'm aware, SCCM integration with ISE only requires WMI. I've asked a colleague to provide additional information.
Regards,
-Tim
12-21-2018 08:44 AM
ISE uses WMI to query the SCCM database and hence the user has to be part of SMS Admins. This is enough and you don't need any specific permission for SQL queries.
The guide has a snapshot of WMI query sent to SCCM server to check the compliance status.
Thanks,
Nidhi
05-18-2019 01:08 PM
WMI query and SMS Admins are enough actually.
The failure is caused by the over-complex factory WMI query in ISE. It cannot be served in 30 seconds by the SCCM server, and the overly long response times caused policy evaluation failure in ISE.
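The two things the thread settles on are (a) the ISE account needs read access to the SMS Provider WMI namespace root\sms\site_<sitecode>, and (b) whatever query ISE sends has to come back inside a 30-second window. The following PowerShell script is an added example written for this thread; it is not part of the Cisco guide, of ISE, or of any post above. It assumes the Get-CimInstance cmdlet with its -OperationTimeoutSec parameter, a placeholder site server name and site code, and uses a simple SMS_R_System lookup as a stand-in for ISE's own (unpublished here) compliance query. Run it as the ISE integration account from a host that can reach the site server. Note that the query below is WQL, the WMI query language, which the SMS Provider serves without any direct SQL permission.

```powershell
# Added example (not from the thread, the Cisco guide, or ISE): verify that the
# ISE integration account can read the SMS Provider namespace and that a WMI
# query against it completes well inside ISE's 30-second budget.
param(
    [string]$SiteServer = 'sccm01.example.local',  # placeholder: SCCM site server
    [string]$SiteCode   = 'P01',                    # placeholder: SCCM site code
    [string]$Hostname   = 'WKS-TEST01',             # placeholder: a workstation known to SCCM
    [int]$TimeoutSec    = 30                        # per-query budget mentioned in the thread
)

$Namespace = "root\sms\site_$SiteCode"

# Open one CIM session so both checks use the same credentials and transport.
$session = New-CimSession -ComputerName $SiteServer -ErrorAction Stop

# Check 1: namespace access. Enumerating __NAMESPACE under the site namespace
# fails with an access-denied error if the account is neither in SMS Admins nor
# granted equivalent rights on root\sms\site_<sitecode>.
try {
    $null = Get-CimInstance -CimSession $session -Namespace $Namespace `
        -ClassName __NAMESPACE -ErrorAction Stop
    Write-Host "OK   : $Namespace is readable by $env:USERDOMAIN\$env:USERNAME"
} catch {
    Write-Host "FAIL : cannot read $Namespace - $($_.Exception.Message)"
    Remove-CimSession $session
    return
}

# Check 2: query cost. Time a representative WQL query (assumed stand-in, not
# ISE's factory query) with the same timeout ISE is described as enforcing.
$query = "SELECT ResourceID, Name FROM SMS_R_System WHERE Name = '$Hostname'"
$sw = [System.Diagnostics.Stopwatch]::StartNew()
try {
    $result = Get-CimInstance -CimSession $session -Namespace $Namespace `
        -Query $query -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
    $sw.Stop()
    $secs = [math]::Round($sw.Elapsed.TotalSeconds, 2)
    if ($null -eq $result) {
        Write-Host "WARN : query returned no rows for $Hostname after $secs s (is the name correct?)"
    } else {
        Write-Host "OK   : $(@($result).Count) row(s) for $Hostname in $secs s"
    }
    if ($secs -gt ($TimeoutSec * 0.8)) {
        Write-Host "WARN : $secs s is close to the $TimeoutSec s budget; a heavier query would time out"
    }
} catch {
    $sw.Stop()
    Write-Host "FAIL : query did not complete within $TimeoutSec s - $($_.Exception.Message)"
} finally {
    Remove-CimSession $session
}
```

If check 1 fails, the problem is on the permission side (SMS Admins membership or the WMI namespace ACL), which matches the first two answers; if check 1 passes but check 2 runs long or times out, the problem is query cost on the site server, which matches the last answer.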