IPSK manager and PXgrid connectivity ISE 3.3

Dear Community,

I wonder if someone has had the idea of connecting the iPSK Manager with pxGrid to ISE 3.3 patch 1?

I'm looking forward to your input

Greetings

5 Replies

I don't think it is possible, however, why would you need pxGrid in this case?

thomas
Cisco Employee

Apparently you did. What is the real question? 8-)

Charlie Moreton
Cisco Employee

Yes, the integration is through APIs, though, not pxGrid.
You can't use any MySQL version higher than 5.7 and no PHP version higher than 7.4.  Here are my notes from installing iPSK Manager for ISE 3.3:

iPSK Manager

https://github.com/CiscoDevNet/iPSK-Manager
iPSK (Identity Pre-Shared-Key) Manager portal server for ISE

Preparation

After installing Ubuntu OS, make sure the system is up-to-date:

sudo apt-get update
sudo apt-get upgrade -y

After updating Ubuntu OS, install MySQL 5.7

Install MySQL 5.7

Download the repository

https://www.devart.com/dbforge/mysql/how-to-install-mysql-on-ubuntu/

First, create a downloads/ folder

mkdir downloads/

Download the MySQL repository to the downloads folder by executing the following command

wget https://dev.mysql.com/get/mysql-apt-config_0.8.12-1_all.deb -P downloads/

After the MySQL package has been successfully downloaded, install it

cd downloads/
sudo dpkg -i mysql-apt-config_0.8.12-1_all.deb

Choose

  • Ubuntu Bionic
  • MySQL Server & Cluster
  • mysql-5.7
  • OK

Next, update the APT repository

sudo apt update

If you encounter the "signature couldn't be verified" error like this one: NO_PUBKEY 467B942D3A79BD29, you will need to import the missing gpg key by running the following command (change the key value to the one shown in your error):

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
sudo apt update

To check whether MySQL 5.7 repository has been successfully installed, execute

sudo apt-cache policy mysql-server

You should see the MySQL 5.7 repository at the bottom of the list

iseadmin@ipsk:~/downloads$ sudo apt-cache policy mysql-server
mysql-server:
  Installed: (none)
  Candidate: 8.0.33-0ubuntu0.22.04.4
  Version table:
     8.0.33-0ubuntu0.22.04.4 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
     8.0.33-0ubuntu0.22.04.2 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     8.0.28-0ubuntu4 500
        500 http://azure.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
     5.7.42-1ubuntu18.04 500
        500 http://repo.mysql.com/apt/ubuntu bionic/mysql-5.7 amd64 Packages
        100 /var/lib/dpkg/status

Install

Now that you have a MySQL 5.7 repository in your system, you can proceed to install it. For this, run the following command

sudo apt install -f mysql-client=5.7* mysql-community-server=5.7* mysql-server=5.7*

Press Y to begin the installation and set the root password when asked

MySQL Configuration

(Recommended) Run the post-installation script for MySQL; this will set the password policy:

sudo mysql_secure_installation
Securing the MySQL server deployment.

Connecting to MySQL using a blank password.

VALIDATE PASSWORD COMPONENT can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD component?

Press y|Y for Yes, any other key for No: y

There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 0

Skipping password set for root as authentication with auth_socket is used by default.
If you would like to use password authentication instead, this can be done with the "ALTER_USER" command.
See https://dev.mysql.com/doc/refman/8.0/en/alter-user.html#alter-user-password-management for more information.

By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) :

 ... skipping.


Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : N

 ... skipping.
By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.


Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Y
 - Dropping test database...
Success.

 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Y
Success.

All done!

Note: For more information on the MySQL or MariaDB secure installation utility, please review:

Creating a User

(Recommended) Instead of using the MySQL root account, a temporary install account can be created to install the iPSK Manager, then removed once completed

sudo mysql -p

Enter the password for the root user

Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1080
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 

At the mysql> prompt, type these commands (replace `password` with the password you want to set):

CREATE USER 'install' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'install'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
exit

Install PHP7.4, Apache2, and PHP plugins

Add the PHP repository

sudo add-apt-repository ppa:ondrej/php -y
sudo apt update
sudo apt upgrade

Apache2, PHP7, MySQL server, and additional modules:

sudo apt-get install php7.4 apache2 php7.4-common libapache2-mod-php7.4 php7.4-cli php7.4-mysql php7.4-ldap php7.4-curl php7.4-mbstring php7.4-xml -y

Enable Apache Modules:

sudo a2enmod rewrite
sudo a2enmod ssl

iPSK Manager Installation

Download iPSK Manager from GitHub into the /var/www/ folder

sudo git clone https://github.com/CiscoSE/iPSK-Manager.git /var/www/iPSK-Manager

Configuration

Change owner of the iPSK-Manager directory (Showing example of Ubuntu distribution which uses www-data user and group for the apache process)

cd /var/www
sudo chown www-data:www-data -R iPSK-Manager

It is recommended to use SSL for security, and the subsequent section describes how to enable SSL. However, if no certificate is available, follow the instructions in the Appendix on how to use a non-SSL port for the portals

Copy the certificate bundle to the linux machine:

sudo wget https://server.com/endpoints/cert_files.zip -P /home/iseadmin/downloads/

To unzip the package, install unzip

sudo nala install unzip -y

Then unzip the certificate package into the .certs/ folder

mkdir .certs && cd downloads
unzip cert_files.zip -d ~/.certs/

(Recommended) Create self-signed certificate using OpenSSL or external tools. You will need private key, signed certificate, and CA chain if applicable

(Recommended) Enable SSL for the admin portal. There are sample Apache configuration files for the admin portal and end user portal located at the root of the install directory in a file called portal-ssl.sample.conf. There are 3 sections in the file: one for the admin portal and two for enabling ports 8443 & 8445 for SSL. You can simply copy each section into a separate file and place them in /etc/apache2/sites-enabled to get it enabled. The files are shown below. Aside from that, you need to make sure to update the path and file names for the certificate. First, for the admin portal, create a file called 443-ssl.conf with the following content:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@ipskmanager

DocumentRoot /var/www/iPSK-Manager/adminportal

<Directory /var/www/iPSK-Manager/adminportal>
AllowOverride All
</Directory>

ErrorLog ${APACHE_LOG_DIR}/admin-error.log
CustomLog ${APACHE_LOG_DIR}/admin-access.log combined

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /home/iseadmin/.certs/public_cert.pem
SSLCertificateKeyFile /home/iseadmin/.certs/public_cert_key.pvk

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /home/iseadmin/.certs/ca_cert.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

</VirtualHost>
</IfModule>

Note: Make sure to modify the path and file name for the certificate, private key, and the certificate chain

(Recommended) Enable SSL for the end user portal ports. Next, for the end user portal, create files called 8443-ssl.conf and 8445-ssl.conf with the following content:

<IfModule mod_ssl.c>

Listen 8443

<VirtualHost *:8443>

ServerAdmin webmaster@ipskmanager

DocumentRoot /var/www/iPSK-Manager/portals

<Directory /var/www/iPSK-Manager/portals>
AllowOverride All
</Directory>

ErrorLog ${APACHE_LOG_DIR}/portal-8443-error.log
CustomLog ${APACHE_LOG_DIR}/portal-8443-access.log combined

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /home/iseadmin/.certs/public_cert.pem
SSLCertificateKeyFile /home/iseadmin/.certs/public_cert_key.pvk

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /home/iseadmin/.certs/ca_cert.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>

Listen 8445

<VirtualHost *:8445>

ServerAdmin webmaster@ipskmanager

DocumentRoot /var/www/iPSK-Manager/portals

<Directory /var/www/iPSK-Manager/portals>
AllowOverride All
</Directory>

ErrorLog ${APACHE_LOG_DIR}/portal-8445-error.log
CustomLog ${APACHE_LOG_DIR}/portal-8445-access.log combined

# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on

# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /home/iseadmin/.certs/public_cert.pem
SSLCertificateKeyFile /home/iseadmin/.certs/public_cert_key.pvk

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /home/iseadmin/.certs/ca_cert.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

</VirtualHost>
</IfModule>

(Recommended) Once SSL is enabled, restart Apache. This time you will be asked to enter the password to access the private key file:

sudo service apache2 restart
Enter passphrase for SSL/TLS keys for 127.0.1.1:443 (RSA): *********

Finish Installation via Web

Run setup via browser. Open web browser from any machine and go to the IP or hostname (If DNS is already setup) of the IPSK Manager host

You will be greeted with setup screen, click Next and accept the license agreement page and click Next to continue with setup

Installer will also make sure that required PHP modules are installed, if any of the modules are missing go back to the CLI and make sure they are installed and rerun the Installer

Accept default values or change values as needed

Field Name                | Sample Entry  | Note
--------------------------|---------------|----------------------------------------------------------------------------------------
mySQL Server IP/FQDN      | 127.0.0.1     |
iPSK Database Username    | ipsk-db-user  | A random password will be generated at the end of the installation process
Cisco ISE ODBC Username   | ipsk-ise-user | This is the username ISE will use for the SQL connection. A random password will be generated at the end of the installation process
iPSK Database Name        | ipsk          |
MySQL Admin/Root Username | install       | If using the temporary MySQL install account; if not, use the root account
MySQL Admin/Root Password | ISEisC00L     | If using the temporary MySQL install account; if not, use the root password
Administrator Password    | ISEisC00L     |

You will also be asked to create local GUI administrator account password

If the install fails, please make sure to go through the steps above to see if any of the steps were missed

At the end of the setup process, it will automatically download a txt file called 'DONOTDELETE-iPSKMANAGER-Install.txt' which contains the database details, including the username & password needed for ISE communication, such as the following:

#Copyright 2021 Cisco Systems, Inc. or its affiliates
#
#Licensed under the Apache License, Version 2.0 (the "License");
#you may not use this file except in compliance with the License.
#You may obtain a copy of the License at
#
#  http://www.apache.org/licenses/LICENSE-2.0
#
#Unless required by applicable law or agreed to in writing, software
#distributed under the License is distributed on an "AS IS" BASIS,
#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#See the License for the specific language governing permissions and
#limitations under the License.

########################################################
## iPSK Manager
## DO NOT DELETE THIS DATA - STORE IN A SECURE LOCATION
## THIS FILE CONTAINS DETAILS ABOUT YOUR INSTALLATION
########################################################

#Organization SID for iPSK Manager
#---------------------------------
Organization (System) SID Value = S-1-9-1569991369-1569991369-1

#Encryption Key for Encrypting MySQL Sensitive Data
#--------------------------------------------------
Encryption Key = AipsBSIhIJ+TnwsYkLlw1fTPSXc/siDQoP8YaTWZNpY=

#iPSKManager Database Credentials
#--------------------------------
Host = 127.0.0.1
Username = ipsk-db-user
Password = t@DKrkNyZhvXnUTd
Database = ipsk

#Cisco ISE MySQL Credentials
#---------------------------
Username = ipsk-ise-user
Password = e1YV3JefcDQut8g
Database = ipsk

#Cisco ISE Stored Procedures Names
#---------------------------------
iPSK_AttributeFetch
iPSK_AuthMACPlain
iPSK_FetchGroups
iPSK_FetchPasswordForMAC
iPSK_MACLookup

###OPTIONAL### Cisco ISE Replacement Stored Procedures for returning only Non-Expired Endpoints Contained within the iPSK Database
#---------------------------------------------------------------------------------------------------------------------------------
iPSK_AuthMACPlainNonExpired
iPSK_FetchPasswordForMACNonExpired
iPSK_MACLookupNonExpired

Note: Keep this file safe in case iPSK Manager needs to be restored or new ISE / iPSK Manager integration is needed

You should be redirected to the iPSK Manager login page where you can enter the credential (default GUI admin username is administrator) created during the setup to login to proceed with iPSK Manager configuration

Allow SQL connections from other hosts by editing the /etc/mysql/mysql.conf.d/mysqld.cnf file. Find the line bind-address = 127.0.0.1 and add # at the front to comment it out

Note: Please make sure to utilize MySQL security best practices such as FW rules and limiting the MySQL user to specific hosts, as the above allows SQL access from all hosts

Restart MySQL service by running sudo service mysql restart

Remove Temporary install user

(Optional) If a temporary MySQL account was created in the previous step, run the following to remove the install account

sudo mysql -p
Enter password: 
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1080
Server version: 5.7.27-0ubuntu0.18.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'install'@'%';
mysql> FLUSH PRIVILEGES;
mysql> DROP USER 'install'@'%';

Downgrade to PHP 7.4 (if PHP 8 was installed)

https://github.com/CiscoDevNet/iPSK-Manager/issues/24
Downgrade:

sudo apt install software-properties-common apt-transport-https -y

Install the php 7 repo

sudo add-apt-repository ppa:ondrej/php -y
sudo apt update
sudo apt upgrade -y

Install php7

sudo apt install php7.4 php7.4-common libapache2-mod-php7.4 php7.4-cli -y

Disable php 8

sudo a2dismod php8.1

Enable php 7

sudo a2enmod php7.4

Restart Apache2

sudo systemctl restart apache2

Install the php extensions needed for iPSK-Manager

sudo apt install php7.4-mbstring
sudo apt install php7.4-xml
sudo apt install php7.4-ldap
sudo apt install php7.4-mysql
sudo apt install php7.4-curl

Then restart apache2 again:

sudo systemctl restart apache2
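
Added example (not part of Charlie's notes or the iPSK Manager project): instead of commenting out bind-address, which makes MySQL listen on every interface for every host, this script binds MySQL to the one interface ISE reaches, restricts the ISE ODBC account to the PSN address, and emits a matching ufw rule. The IP addresses are constructed placeholders, and the RENAME USER statement assumes the installer created ipsk-ise-user at host '%'; confirm with SELECT User, Host FROM mysql.user before running it.

```shell
#!/usr/bin/env bash
# Added example: narrow the "allow SQL from other hosts" step instead of opening
# MySQL to every interface and every host. Not from the iPSK Manager project.
# All addresses are constructed placeholders (RFC 5737 test range).
set -eu

# Rewrite the bind-address line of a mysqld.cnf (read from IN, written to OUT)
# to one specific interface IP instead of commenting it out (which means 0.0.0.0).
harden_bind_address() {
    in="$1"; out="$2"; ip="$3"
    sed -E "s/^[[:space:]]*#?[[:space:]]*bind-address[[:space:]]*=.*/bind-address = ${ip}/" "$in" > "$out"
    # Fail loudly if the file had no bind-address line to rewrite.
    grep -Fxq "bind-address = ${ip}" "$out"
}

# SQL that moves the ISE ODBC account from any host ('%') to the PSN address only.
# Assumption: the installer created the user at '%'; confirm first with
#   SELECT User, Host FROM mysql.user;
restrict_ise_user_sql() {
    user="$1"; host="$2"
    printf "RENAME USER '%s'@'%%' TO '%s'@'%s';\nFLUSH PRIVILEGES;\n" "$user" "$user" "$host"
}

# Host firewall rule: accept 3306/tcp from the ISE PSN only (ufw ships with Ubuntu).
mysql_fw_rule() {
    printf 'sudo ufw allow from %s to any port 3306 proto tcp\n' "$1"
}

# Demo on a constructed config copy; never touches /etc/mysql.
demo() {
    tmp=$(mktemp -d)
    printf '[mysqld]\nuser = mysql\nbind-address = 127.0.0.1\nport = 3306\n' > "$tmp/mysqld.cnf"
    harden_bind_address "$tmp/mysqld.cnf" "$tmp/mysqld.hardened.cnf" 192.0.2.10
    cat "$tmp/mysqld.hardened.cnf"
    restrict_ise_user_sql ipsk-ise-user 192.0.2.20
    mysql_fw_rule 192.0.2.20
    rm -rf "$tmp"
}

demo
```

Copy the hardened file over /etc/mysql/mysql.conf.d/mysqld.cnf and restart MySQL only after checking that 192.0.2.10 is replaced by the address the ISE PSN actually reaches.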

Hi Charlie,

iPSK Manager found on GitHub (https://github.com/CiscoDevNet/iPSK-Manager) was updated in the fall of 2023 to support PHP 8.x. It also supports MySQL 8.x but needs a config added so ISE can talk to MySQL, as ISE is using older connection libraries and doesn't support the new password format. The steps to change the config are in the install instructions.

There have been several updates and enhancements to the project in the last 8-10 months, especially the last month, including updating the installation instructions for Ubuntu 22.04.

Nick 

Nick Ciesinski
Cisco Employee

@bnl.infrastructure Are you asking about PxGrid direct support in iPSK Manager? If so, I’ve considered looking to add that functionality to iPSK Manager as a deployment option.  I’d suggest asking for it in the GitHub discussion area for the project.

Nick