Simplify Endpoint Security with new ISE GUI – Part 2


Welcome to part 2 of the journey to Vanilla ISE, a simplified ISE GUI for endpoint technicians. In part 1 we covered the background and requirements for the UI. In this part 2, we will explore the relevant documentation to find the relevant API calls we will use.

Documentation Exploration

Once I had an idea for the functionality I needed to incorporate with the program, I started breaking it down to individual functions and individual API calls.
We’ll be using several different calls to two different ISE APIs in order to obtain relevant information:

  • ISE ERS API
  • ISE Mnt API

ISE’s REST API is called External RESTful Services (ERS), and the documentation is available on ISE itself (https://<ISE’s IP address>:9060/ers/sdk) and on DevNet.

ISE’s ERS API is not enabled by default, you should enable it prior to running the code. here’s a link to the required steps.

ISE’s ERS API will allow us to modify ISE’s configuration, associate an endpoint to an endpoint group, remove an endpoint from an endpoint group, retrieve a list of Network Access Devices (NADs), etc’.

ERS API endpoints used in Vanilla ISE:

  • To retrieve the network access device list from ISE, use https://ISE:9060/ers/config/networkdevice
  • To update the endpoint group assignment for a given endpoint ID, use https://ISE:9060/ers/config/endpoint/<endpoint ID>
  • To retrieve an endpoint group ID for a given endpoint group name, use https://ISE:9060/ers/config/endpointgroup/name/<group name>
  • To retrieve an endpoint ID for a given endpoint MAC address, use https://ISE:9060/ers/config/endpoint/name/<endpoint MAC>

However, the ISE ERS API does not provide monitoring data, which I’ll be using when checking the status of an endpoint. ISE has a separate set of monitoring APIs that can be used for troubleshooting, with proper documentation on DevNet as well.

Unlike the ERS API, ISE’s monitoring APIs return data in XML format and not JSON. Nothing to worry about, it simply requires different parsing methods.

Monitoring API endpoints used in Vanilla ISE:

  • To retrieve the latest authentication status of an endpoint with a given MAC address, use
    https://ISE/admin/API/mnt/AuthStatus/MACAddress/<endpoint MAC>/<duration in seconds>/<No. of entries>/All

Exploring the APIs using Postman

Postman is my tool of choice to make initial calls to APIs and examine their results. As I explored the API queries required for information gathering, I used postman to try these queries out and verify the information I was looking for is there.

I started with fetching the list of NADs configured on ISE:

… and quickly noticed I am getting the NAD’s hostname back, but not the IP address. In order to retrieve the IP address of the NAD, I needed to use another call for each NAD to get their details.

Vanilla ISE

In a similar manner, fetching the list of endpoints required additional calls to get more detailed information about some of the endpoints (their endpoint group assignment for example).

Vanilla ISE

Vanilla ISE

It wasn’t all about GETting information, I used postman to try POST and PUT as well in order to check my syntax and functionality. Here’s an example of changing the endpoint group association of an endpoint to a variable: {{ise_endpoint_group_id}}

Vanilla ISE

One by one, I created a set of functions that will be used by the program:

1.  To retrieve all NADs configured on ISE, and return a dictionary with the NADs hostname (as configured on ISE) and IP address, use

get_all_NADs

Example output:

{'CSR1Kv.ebc.iseslab.cisco.com': '10.7.250.222',
'Cat9K-1.lab.cisco.com': '10.255.7.15',
'Cat9K-2.lab.cisco.com': '10.255.7.14',
'Metro-3850': '10.7.250.200'}

2.  To return the ISE group id a given group name, use

get_ise_group_id

3.  To assign an endpoint to a given ISE endpoint group (the voucher group, if the endpoint does not exit – it will create it), use

update_ise_endpoint_group

4.  To revert the assignment made in the previous function, use

remove_ise_endpoint_group

5.  To return the authentication status of a given endpoint, use

check_ise_auth_status

Coming next in Part 3, we will continue with devices’ output parsing with pyATS and the “voucher” implementation. In the mean time, please Register for the May 5th Share IT Solutions Huddle where I will be presenting “Vanilla ISE: A simplified Cisco ISE UI for your endpoint technicians.”

 


We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!

Twitter @CiscoDevNet | Facebook | LinkedIn

Visit the new Developer Video Channel





Source link