I’ve been faced with a fun little challenge on how to make sure our ISE deployment has every NAD (Network Access Device) configured appropriately to allow for successful EAP communications. Originally I was planning on utilizing a CSV and the bulk import tool to regularly import new devices into ISE as they were built. This allows for a number (small or large) of devices to be imported into ISE without taking too much time. This has worked well in the past but creates an reliance on making sure the CSV is proper and that someone (me) still has to manually login and import the file. With that I decided to look into other possibilities to remove the “me” from the process flow. At first I was looking into ways to automatically populate the CSV and then script out away to login to ISE and force the bulk import. While that option would work, it seemed to be too complicated to really deploy and rely on. I finally decided to give another whack at using the REST API ( I had previously tried years prior with ACS but did not have much luck).
There are a two things that need to be done on ISE prior to being able to utilize the REST API. The below screens and settings are based on ISE 2.2 but are similar between all recent releases of ISE:
- Create an account that will be utilized for the REST calls. To do this navigate to: Administration > Admin Access > Administrators > Admin Users and click on “Add”:
Currently there are two different access types you can assign: Read/Write or ReadOnly. For the code about to be run, we need Read/Write.
- Enable ERS (External RESTful Services) to allow REST calls. To do this navigate to: Administration > System > Settings > ERS Settings then select “Enable ERS for Read/Write” under the Primary Administration Node:
This setting must be enabled after each upgrade as its set to disabled during the upgrade. If you plan to utilize the REST API, I recommend adding to your upgrade documentation / process that the REST API is enabled at the end of the upgrade.
After a user account is created and ERS is enabled the REST API can be utilized via HTTPS on port 9060. API documentation can be found at: https://ISE-PAN-IP:9060/ers/sdk
Now that the API is exposed its now for some fun! But first some cautions / warnings..
- This is by no means a tutorial about REST API or Python.
- You really should have a good understanding about REST API before enabling it. I’m still skeptical about the security around access when it comes to REST.
- You should never use a production system to develop code that makes changes to it.
- Use the code shown at your own risk!
And a few notes about the code…
- The below code is not complete, and needs tweaking to be functional. Its intention is simply to show a proof of concept for automating device creation.
- The code calls ‘nad.xml’ which is a separate XML file (can be found on my github repository). I will not be going over the file in this tutorial, but can be manipulated for actual use.
- The final output is not pretty and may not be complete depending on the number of devices being imported.
- The code below is a picture due to me not knowing how to easily paste code that looks nice on wordpress. A copy of the code can by found on my github repository.
- The IP address or FQDN of your ISE PAN needs to be updated prior to running the code.
- A proper authorization key needs to be added prior to running the code. This will be from the account you created earlier.
- It would be a good idea to create a variable for the ISE PAN information to use for multiple URLs.
- It would be a good idea to create a variable for the authorization information to use for multiple calls.
Now its really time for the fun part!
The below code is intended to do two things: Bulk create network devices in ISE and to verify the status of the bulk job:
- Lines 2 – 8 are simply to deal with importing the XML file. You could just include it in the script and assign it to the payload variable (referenced in line 18) but that doesn’t make this usable in a production environment.
- Line 11 is the URL used for the first API call. Don’t forget to update with your ISE PAN information.
- Line 15 is where you should update your authorization information.
- Line 18 has an extra variable in the request which is “verify” set to “False”. This lets you ignore certificate warnings. In my lab I didn’t bother deploying trusted certs so I needed this.
- Line 18 is the actual API call being pushed. If you do not care about the status you could simply end here or just print the response.
- Line 21 grabs just the location header from the response from the API call. The location header is a URL containing the BULK ID that is parsed from the entire URL to use for the second portion of the script.
- Line 28 is the URL used for the second API call + the BULK ID. Don’t forget to update with your ISE PAN information.
- Line 32 is where you should update your authorization information.
- Line 36 has an extra variable in the request which is “verify” set to “False”. This lets you ignore certificate warnings. In my lab I didn’t bother deploying trusted certs so I needed this.
Lets see the code in action!
First we will look to see whats configured in ISE for network devices:Now lets run the script:
As can be seen the XML containing 10 network devices was still in progress when the status check was run. If this was production code there are multiple options to avoid this such as a timer could be implemented, the user could be asked when to run the check, or constant checking until it completes.
Now lets see what we have in ISE:Ten brand new devices!
The API in Cisco ISE has many different functions that can allow for the creation, modification, or deletion of several different objects outside of network devices. This is just one example of the power that is available for automating functions within ISE that have been around for a while.