07-23-2020 08:27 AM
Hello,
I am trying to configure WMI between Cisco ISE-PIC and Microsoft AD but it isn't working... from the debug files, I can see some sort of missing permissions:
2020-07-23 15:56:05,562 VERBOSE,139823415269120,Extended Error code: 60190 (symbol: LW_ERROR_ISEEXEC_CP_OPEN_REMOTE_FILE),lsass/server/auth-providers/ad-open-provider/provider-main.c:7663
2020-07-23 15:56:05,562 VERBOSE,139823415269120,Error at ../../lsass/server/auth-providers/ad-open-provider/provider-main.c:7664 [code: C0000022],lsass/server/auth-providers/ad-open-provider/provider-main.c:7664
2020-07-23 15:56:05,562 VERBOSE,139823415269120,Error code: 5 (symbol: ERROR_ACCESS_DENIED),lsass/server/auth-providers/ad-open-provider/provider-main.c:7841
2020-07-23 15:56:05,562 VERBOSE,139823415269120,Error code: 5 (symbol: ERROR_ACCESS_DENIED),lsass/server/auth-providers/ad-open-provider/provider-main.c:7914
Currently, I am using a user that is NOT in domain admin group because I saw that it was possible this way (Section - 'Required Permissions when AD User not in Domain Admin Group': https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01101.html#concept_532EEE150EE045DBA642649930F7528C)
Any ideas how to solve this problem?
Thank you all :)
07-23-2020 10:53 AM - edited 07-23-2020 10:56 AM
I've included below a text file which we used as a .bat (batch file) during the lab for this feature.
It has some good snippets of code to check and modify things even if you don't want to run it as-is.
If you do choose to run it note that you must first modify the variables in the set commands up front to match your environment. You will also need SetACL and DComPerm utilities which I am not able to share here as they are executable files.
@echo off
set AD-User-Container-DN=CN=users,DC=demo,DC=local
set ISE-PassiveID-Login=ISE-passiveID
set ISE-PassiveID-Password=ISEisC00L
set ISE-PassiveID-Login-DN=CN=%ISE-PassiveID-Login%,%AD-User-Container-DN%
set ISE-IPaddress=10.1.100.21
set src=%~dp0
set SetACL=%SRC%SetACL.exe
set DCOMPERM=%SRC%dcomperm.exe
goto check_Permissions

:check_Permissions
echo Administrative permissions required. Detecting permissions...
net session >nul 2>&1
if %errorLevel% == 0 (
    echo Success: Administrative permissions confirmed.
    echo.
    goto check_required_files
) else (
    echo Failure: Current permissions inadequate.
    echo Please re-run the script as administrator
)
pause >nul
exit

:check_required_files
if not exist "%SetACL%" (
    echo Failure: "%SetACL%" missing.
    echo Please move/copy this required file to %SRC%
    pause >nul
    exit
)
if not exist "%DCOMPERM%" (
    echo Failure: "%DCOMPERM%" missing.
    echo Please move/copy this required file to %SRC%
    pause >nul
    exit
)

:script_proper
@echo on
REM add user ise-passiveID with password ISEisC00L to AD
net user "%ISE-PassiveID-Login%" %ISE-PassiveID-Password% /add /domain /fullname:"ISE PassiveID User"
REM update to never expire the user password
dsmod user "%ISE-PassiveID-Login-DN%" -pwdneverexpires yes
pause
REM add user to builtin group Event Log Readers
net localgroup "Event Log Readers" "%ISE-PassiveID-Login%" /add
REM add user to builtin group Distributed COM Users
net localgroup "Distributed COM Users" "%ISE-PassiveID-Login%" /add
pause
@echo off
REM review ise-IDM domain account settings
net user "%ISE-PassiveID-Login%" /domain | more
echo --------------------------------------------------
echo ==== Review the output above before continuing ===
echo --------------------------------------------------
pause
@echo on
REM Registry Permission: Part-1: Owner and Permission
REM Set Owner to Administrators group
"%SetACL%" -on "HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}" -ot reg -actn setowner -ownr "n:Administrators"
REM Set Full Access to the new owner Administrators
"%SetACL%" -on "HKEY_CLASSES_ROOT\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}" -ot reg -actn ace -ace "n:Administrators;p:full"
REM Stop for 5 seconds
@echo off
echo ..
ping -n 2 127.0.0.1 > NUL
echo ...
ping -n 3 127.0.0.1 > NUL
pause
@echo on
REM Registry Permission: Part-2: Add Registry key data
reg add HKCR\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6} /v AppID /t REG_SZ /d "{76A64158-CB41-11D1-8B02-00600806D9B6}"
reg add HKCR\AppID\{76A64158-CB41-11D1-8B02-00600806D9B6} /v DllSurrogate /t REG_SZ /d " "
@echo off
echo --------------------------------------------------
echo ==== Review the output above before continuing ===
echo --------------------------------------------------
pause
@echo on
REM Add ise-IDM for DCOM
"%DCOMPERM%" -al {76A64158-CB41-11D1-8B02-00600806D9B6} set "%ISE-PassiveID-Login%" permit level:r
pause
REM Add ise-IDM for WMI root\CIMv2
"%SetACL%" -on root\CIMv2 -ot wmi -actn ace -ace "n:%ISE-PassiveID-Login%;p:WBEM_ENABLE,WBEM_METHOD_EXECUTE,WBEM_REMOTE_ACCESS"
pause
REM Enable WMI rule
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
REM Restrict Dynamic Port Range to 49000 - 50000
netsh int ipv4 set dynamicport tcp start=49000 num=1000
REM Allow ISE (e.g. 10.1.100.21) to access AD on the dynamic port range specified
netsh advfirewall firewall add rule name="ISE ID Mapping IPv4 Dynamic Ports" dir=in action=allow protocol=tcp remoteip=%ISE-IPaddress% localport=49000-50000
pause
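As an added verification step (not part of the thread or Cisco's lab script), the PowerShell below can be run on the domain controller after the batch file to confirm each setting it applies is actually in place: group membership, the CLSID/AppID registry values, the root\CIMv2 namespace ACE, the firewall rules and the dynamic port range. It assumes the same user name, ISE address and CLSID as the batch file; change the three variables at the top to match your environment.

```powershell
# Added example, not from the thread: verify on the DC that the batch file's
# settings for a non-Domain-Admin PassiveID account are present.
$User  = 'ISE-passiveID'                               # assumed: same as batch variable
$IseIp = '10.1.100.21'                                 # assumed: same as batch variable
$Clsid = '{76A64158-CB41-11D1-8B02-00600806D9B6}'      # CLSID used by the batch file
$results = [ordered]@{}

# 1. Membership in the two builtin groups the script adds the user to.
#    'net localgroup' lists members one per line, optionally DOMAIN\-prefixed.
foreach ($g in 'Event Log Readers', 'Distributed COM Users') {
    $pattern = "(^|\\)$([regex]::Escape($User))\s*$"
    $results["member of '$g'"] = [bool]((net localgroup "$g") -match $pattern)
}

# 2. Registry values written by the two 'reg add' steps.
$clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$appidKey = "Registry::HKEY_CLASSES_ROOT\AppID\$Clsid"
$results['CLSID AppID value']  = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).AppID -eq $Clsid
$results['AppID DllSurrogate'] = $null -ne (Get-ItemProperty $appidKey -ErrorAction SilentlyContinue).DllSurrogate

# 3. root\CIMv2 namespace DACL: an allow ACE (AceType 0) for the user carrying
#    WBEM_ENABLE (0x1), WBEM_METHOD_EXECUTE (0x2) and WBEM_REMOTE_ACCESS (0x20).
$needed = 0x1 -bor 0x2 -bor 0x20
$sd  = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__systemsecurity=@' -Name GetSecurityDescriptor).Descriptor
$ace = $sd.DACL | Where-Object {
    $_.AceType -eq 0 -and $_.Trustee.Name -eq $User -and (($_.AccessMask -band $needed) -eq $needed)
}
$results['WMI root\CIMv2 ACE'] = [bool]$ace

# 4. Firewall: the WMI rule group is enabled and the ISE dynamic-port rule
#    exists and is scoped to the ISE address only.
$wmiRules = Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue
$results['WMI rule group enabled'] = [bool]($wmiRules | Where-Object Enabled -eq 'True')
$rule = Get-NetFirewallRule -DisplayName 'ISE ID Mapping IPv4 Dynamic Ports' -ErrorAction SilentlyContinue
$results['ISE dynamic-port rule'] = [bool]$rule -and
    (($rule | Get-NetFirewallAddressFilter).RemoteAddress -contains $IseIp)

# 5. Dynamic port range restricted to 49000 with 1000 ports.
$dyn = netsh int ipv4 show dynamicport tcp
$results['dynamic port range 49000/1000'] =
    [bool]($dyn -match 'Start Port\s*:\s*49000') -and [bool]($dyn -match 'Number of Ports\s*:\s*1000')

# Print one OK/FAIL line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' })), $_.Key
}
```

Run it from an elevated PowerShell session on the DC; any FAIL line points at the step of the batch file that did not take effect.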
07-24-2020 01:43 AM - edited 07-24-2020 05:17 AM
Hi Marvin,
I have downloaded the 2 .exe files to the Domain Controller and I have changed all the variables needed but the problem persists...
During the process, I can confirm that every step is successful/successfully confirmed but when I go to the ISE-PIC GUI to test the WMI configuration, it gives the same error (problem executing the IseExec).
Any thoughts or more ideas?
Thank you
07-24-2020 11:07 PM
Could you temporarily test with a user who is a domain admin just to isolate the problem between account rights vs something else?
07-25-2020 05:25 AM
07-25-2020 11:14 PM
Yes, I checked the topic in the current (ISE 2.7) admin guide and the steps are the same as in the 2.1 guide you had linked earlier.
I recommend you try opening a TAC case to see if they can assist.
07-27-2020 01:37 AM - edited 07-27-2020 09:30 AM
Hi Marvin,
I opened a TAC case and they gave me the same script that you sent me a few days ago. Once again, everything was successful and the error was showing every single time I tested it... Once I moved to the tests, everything was working as expected.
I will ask Cisco to make this a defect and upgrade the documentation for the Domain Users not in Domain Admin Group. This is a silly error...
I appreciate all your help :)
Thank you!