- T-Mobile Claims Salt Typhoon Did Not Access Customer Data
- Best Black Friday deals 2024: 165+ sales live now featuring some of the lowest prices ever
- Orange acuerda con OpenAI el acceso a sus modelos de IA antes de su lanzamiento
- Flipper Zero goes retro with this cool limited-edition version (and it's back for Black Friday)
- 칼럼 | AI는 만능 대체재가 아니다··· 사이버보안이 피해야 할 'AI 단순화'
Simplify Endpoint Security with new ISE GUI – Part 2
Welcome to part 2 of the journey to Vanilla ISE, a simplified ISE GUI for endpoint technicians. In part 1 we covered the background and requirements for the UI. In this part 2, we will explore the relevant documentation to find the relevant API calls we will use.
Documentation Exploration
Once I had an idea for the functionality I needed to incorporate with the program, I started breaking it down to individual functions and individual API calls.
We’ll be using several different calls to two different ISE APIs in order to obtain relevant information:
- ISE ERS API
- ISE Mnt API
ISE’s REST API is called External RESTful Services (ERS), and the documentation is available on ISE itself (https://<ISE’s IP address>:9060/ers/sdk) and on DevNet.
ISE’s ERS API is not enabled by default, you should enable it prior to running the code. here’s a link to the required steps.
ISE’s ERS API will allow us to modify ISE’s configuration, associate an endpoint to an endpoint group, remove an endpoint from an endpoint group, retrieve a list of Network Access Devices (NADs), etc’.
ERS API endpoints used in Vanilla ISE:
- To retrieve the network access device list from ISE, use https://ISE:9060/ers/config/networkdevice
- To update the endpoint group assignment for a given endpoint ID, use https://ISE:9060/ers/config/endpoint/<endpoint ID>
- To retrieve an endpoint group ID for a given endpoint group name, use https://ISE:9060/ers/config/endpointgroup/name/<group name>
- To retrieve an endpoint ID for a given endpoint MAC address, use https://ISE:9060/ers/config/endpoint/name/<endpoint MAC>
However, the ISE ERS API does not provide monitoring data, which I’ll be using when checking the status of an endpoint. ISE has a separate set of monitoring APIs that can be used for troubleshooting, with proper documentation on DevNet as well.
Unlike the ERS API, ISE’s monitoring APIs return data in XML format and not JSON. Nothing to worry about, it simply requires different parsing methods.
Monitoring API endpoints used in Vanilla ISE:
- To retrieve the latest authentication status of an endpoint with a given MAC address, use
https://ISE/admin/API/mnt/AuthStatus/MACAddress/<endpoint MAC>/<duration in seconds>/<No. of entries>/All
Exploring the APIs using Postman
Postman is my tool of choice to make initial calls to APIs and examine their results. As I explored the API queries required for information gathering, I used postman to try these queries out and verify the information I was looking for is there.
I started with fetching the list of NADs configured on ISE:
… and quickly noticed I am getting the NAD’s hostname back, but not the IP address. In order to retrieve the IP address of the NAD, I needed to use another call for each NAD to get their details.
In a similar manner, fetching the list of endpoints required additional calls to get more detailed information about some of the endpoints (their endpoint group assignment for example).
It wasn’t all about GETting information, I used postman to try POST and PUT as well in order to check my syntax and functionality. Here’s an example of changing the endpoint group association of an endpoint to a variable: {{ise_endpoint_group_id}}
One by one, I created a set of functions that will be used by the program:
1. To retrieve all NADs configured on ISE, and return a dictionary with the NADs hostname (as configured on ISE) and IP address, use
get_all_NADs
Example output:
{'CSR1Kv.ebc.iseslab.cisco.com': '10.7.250.222', 'Cat9K-1.lab.cisco.com': '10.255.7.15', 'Cat9K-2.lab.cisco.com': '10.255.7.14', 'Metro-3850': '10.7.250.200'}
2. To return the ISE group id a given group name, use
get_ise_group_id
3. To assign an endpoint to a given ISE endpoint group (the voucher group, if the endpoint does not exit – it will create it), use
update_ise_endpoint_group
4. To revert the assignment made in the previous function, use
remove_ise_endpoint_group
5. To return the authentication status of a given endpoint, use
check_ise_auth_status
Coming next in Part 3, we will continue with devices’ output parsing with pyATS and the “voucher” implementation. In the mean time, please Register for the May 5th Share IT Solutions Huddle where I will be presenting “Vanilla ISE: A simplified Cisco ISE UI for your endpoint technicians.”
We’d love to hear what you think. Ask a question or leave a comment below.
And stay connected with Cisco DevNet on social!
Twitter @CiscoDevNet | Facebook | LinkedIn
Visit the new Developer Video Channel