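Introduction
This document describes how to configure Cisco Identity Services Engine (ISE) 3.2 integration with Splunk over Data Connect in order to retrieve reporting data directly from the ISE database. You can create your own queries and build your own reports.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco ISE 3.2
- Basic knowledge of Oracle queries
- Splunk
Components Used
The information in this document is based on these software and hardware versions:
- Cisco ISE 3.2
- Splunk 9.0.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Configurations
Step 1. Configure ISE Data Connect Settings
1. Enable Data Connect
On ISE, navigate to Administration > System > Settings > Data Connect and toggle the Data Connect button. Enter the password and click Save.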
![Data Connect Configuration](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-00.png)
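Make a note of the Data Connect settings, which include User Name, Hostname, Port, and Service Name.
By default, Data Connect is enabled on the secondary MNT in a distributed deployment. For details about failover scenarios, refer to the Administrator Guide.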
![Data Connect Node settings](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-01.png)
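2. Export the Data Connect Certificate
The action in Step 1. triggered the creation of the Data Connect certificate. It must be trusted by the clients that query ISE over Data Connect.
To export the certificate, navigate to Administration > System > Settings > Certificate Management > Trusted Certificates, select the certificate with the friendly name Data Connect Certificate, and click Export.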
![Trusted Certificates](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-02.png)
The certificate is exported in PEM format.
![DataConnect Certificate](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-03.png)
Step 2. Configure Splunk
Note: Splunk installation is outside the scope of this document.
1. Install the Splunk DB Connect App
Click + Find More Apps from the main menu.
![Splunk. Menu](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-04.png)
Enter Splunk DB Connect in the search menu and click Install for Splunk DB Connect as shown in the image.
![Splunk. Settings](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-05.png)
Enter the Splunk credentials in order to install the app. Click Agree and Install as shown in the image.
![Splunk. Password Settings](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-06.png)
The app installation requires a restart. Click Restart Now.
![Splunk. DB Installation](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-07.png)
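2. Install the Oracle Driver
As per the Splunk documentation, the JDBC driver must be installed. Install the Oracle driver through the Splunk add-on for DB Connect. Click Login to Download as shown in the image.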
![Splunk. DBX Add-on 1](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-08.png)
Click Download.
![Splunk. DBX Add-on 2](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-09.png)
From the Home menu, click the Gear icon next to Apps as shown in the image.
![Splunk. Settings](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-10.png)
Click Install App from File.
![Splunk. App installation 1](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-11.png)
Select the file downloaded earlier and click Upload as shown in the image.
![Splunk. App installation 2](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-12.png)
Navigate to Apps > Splunk DB Connect > Configuration > Settings > Drivers and click Reload. The Oracle driver must be displayed as Installed.
![Splunk. App installation 3](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-13.png)
3. Configure the Splunk DB Connect App Identity
Note: Java (SE) must be installed for the Splunk DB Connect app to work. For the purposes of this document, Java SE 11 is installed.
C:\Users\Administrator>java --version
java 11.0.15.1 2022-04-22 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.15.1+2-LTS-10)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.15.1+2-LTS-10, mixed mode)
C:\Users\Administrator>
Navigate to Apps > Splunk DB Connect > Configuration > Databases > Identities and click New Identity.
![Splunk. Identity 1](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-14.png)
Configure the Identity Name (any value), the Username (Dataconnect), and the Password from Step 1., then click Save.
![Splunk. Identity 2](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-15.png)
4. Configure the Splunk DB Connect App Connection
Navigate to Apps > Splunk DB Connect > Configuration > Databases > Connections and click New Connection.
![Splunk. Connection 1](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-16.png)
Configure the Connection Name (any value). Select the Identity from the Configure Splunk DB Connect App Identity step. Select Connection Type as Oracle. Check the Edit JDBC URL checkbox and paste the value:
jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.48.17.20)(PORT=2484))(CONNECT_DATA=(SID=cpm10)))
HOST must be replaced with the IP address of the MNT node from the Enable Data Connect step, as shown in the image.
![Splunk. Connection 2](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-17.png)
Scroll down to the Certificate section, paste the content of the DataConnectCertificate.pem certificate file, and click Save as shown in the image.
![Splunk. Connection 3](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-18.png)
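A pre-flight check for the JDBC URL from this step, as an added example that is not part of the original Cisco document: it parses the Oracle connect descriptor and reports when the session would not use TLS (`PROTOCOL=tcps`) or when HOST, PORT, or the database identifier is missing or unexpected. The function names are hypothetical, and the expected port 2484 is an assumption taken from the URL shown above.

```python
PAGE_URL = ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)"
            "(HOST=10.48.17.20)(PORT=2484))(CONNECT_DATA=(SID=cpm10)))")

def parse_descriptor(jdbc_url):
    """Parse the nested (KEY=VALUE) descriptor of an Oracle thin JDBC URL."""
    prefix = "jdbc:oracle:thin:@"
    if not jdbc_url.startswith(prefix):
        raise ValueError("not an Oracle thin JDBC URL")
    text, pos = jdbc_url[len(prefix):].strip(), 0

    def node():
        nonlocal pos
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        eq = text.index("=", pos)              # ValueError if '=' is missing
        key, pos = text[pos + 1:eq].strip().upper(), eq + 1
        if text[pos:pos + 1] == "(":           # value is a group of child nodes
            value = {}
            while text[pos:pos + 1] == "(":
                child_key, child_value = node()
                value[child_key] = child_value  # repeated keys: last one wins
        else:                                  # value is a plain string
            end = text.index(")", pos)
            value, pos = text[pos:end].strip(), end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, value

    key, value = node()
    if pos != len(text):
        raise ValueError("trailing characters after descriptor")
    return {key: value}

def check_data_connect_url(jdbc_url, expected_port="2484"):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        desc = parse_descriptor(jdbc_url)["DESCRIPTION"]
        addr, data = desc["ADDRESS"], desc["CONNECT_DATA"]
    except (KeyError, TypeError, ValueError) as exc:
        return [f"malformed descriptor: {exc}"]
    if not isinstance(addr, dict) or not isinstance(data, dict):
        return ["malformed descriptor: ADDRESS/CONNECT_DATA must be groups"]
    findings = []
    proto = addr.get("PROTOCOL", "")
    if proto.lower() != "tcps":
        findings.append(f"PROTOCOL is '{proto}', not tcps: no TLS on this session")
    if not addr.get("HOST"):
        findings.append("HOST is missing")
    if addr.get("PORT") != expected_port:
        findings.append(f"PORT is {addr.get('PORT')!r}, expected {expected_port}")
    if not (data.get("SID") or data.get("SERVICE_NAME")):
        findings.append("CONNECT_DATA has neither SID nor SERVICE_NAME")
    return findings
```
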
5. Configure the Splunk DB Connect Input
Navigate to Apps > Splunk DB Connect > Data Lab > Inputs and click New Input.
![Splunk. Input 1](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-19.png)
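Select the connection configured in the Configure Splunk DB Connect App Connection step.
Enter the query that you want to use for polling. In this example, the Authentications by ISE Node query is used: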
select access_service as allowed_protocol, sum(passed_count) as passed, sum(failed_count) as failed, sum(passed_count) + sum(failed_count) as total, round(to_char(((sum(failed_count) / (sum(passed_count) + sum(failed_count))) * 100)), 2) as failed_percentage, round(to_char(sum(total_response_time)/(sum(passed_count) + sum(failed_count))), 2) as total_response_time, max(max_response_time) as max_response_time from radius_authentication_summary group by access_service;
Click Execute SQL to make sure that the query works; this is also required in order to proceed. Click Next as shown in the image.
![Splunk. Input 2](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-20.png)
Configure the input Name (any value). Select Application as Splunk DB Connect. Set the Execution Frequency (how often the query is sent to ISE).
![Splunk. Input 3](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-21.png)
Configure the Source Type and Input.
![Splunk. Input 4](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-22.png)
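Verify
Use this section to confirm that your configuration works properly.
To verify and display the data from the responses, navigate to Apps > Splunk DB Connect > Data Lab > Inputs. Click Find Events.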
![Splunk. Events 1](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-23.png)
From the Events menu, you can navigate to Visualization.
![Splunk. Events 2](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-24.png)
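You can adjust the search and select the visualization of your choice. The query in the example uses timechart and builds a graph based on the maximum number of passed authentication attempts.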
index=summary sourcetype=custom source=AuthenticationsbyISENode OR source=mi_input://AuthenticationsbyISENode| timechart span=5m max(PASSED)
![Splunk. Events 3](/c/dam/en/us/support/docs/security/identity-services-engine/218190-configure-ise-3-2-data-connect-integrati-25.png)
Troubleshoot
There is currently no troubleshooting information available for this configuration.