topic Re: Update NAD fields via API in Network Access Control

Update NAD fields via API

Mike.Cifelli — Thu, 13 Feb 2020 17:57:01 GMT

*Seeking assistance with p3*

Currently working through an automation project that utilizes DNAC and ISE APIs. The objective is to onboard an SDA edge node to our fabric via python & APIs. The phases are as follows:

p1: Add device to inventory (Add Device) --Completed
p2: Assign to site (Assign Device To Site) --Completed
p3: *Update ISE NAD location & group (utilizing ISE APIs) --Almost completed
p4: Join to fabric (Add edge device in SDA Fabric)
p5: Update interfaces for user device & closed auth (Add Port assignment for user device in SDA Fabric)

I am wondering if there is a way to simply just update the NAD fields in ISE that I wish to update without having to pass all fields to ensure information passed via pxgrid from DNAC to ISE once device is added to site is not changed to null/deleted. All I wish to update are the Device location & device type (for policy reasons). Is there syntax to pass for the required fields that will not overwrite or delete information gathered from DNAC (for example coa port or radius shared secret)? I would prefer to not have to populate the json data with specific info and just leave it blank so it is unchanged. However, I tried "" and that deletes the info received from DNAC.

Thanks in advance!

Re: Update NAD fields via API

Greg Gibbs — Thu, 13 Feb 2020 21:34:51 GMT

Using the Update (PUT) method, it looks like the following fields are required at a minimum. I found that updating the Location and Type values using this API call did not affect the settings in the RADIUS section. You might have to test the same if you have the SNMP, TACACS+ and/or TrustSec settings enabled for the network device.

{
"NetworkDevice" : {
"id" : "123456789",
"name" : "testnad1",
"description" : "example nad",
"profileName" : "Cisco",
"coaPort" : 1700,
"NetworkDeviceIPList" : [ {
"ipaddress" : "1.1.1.1",
"mask" : 32
} ],
"NetworkDeviceGroupList" : [ "Location#All Locations#Location2", "Device Type#All Device Types#Type2" ]
}
}

Cheers,

Greg

Re: Update NAD fields via API

Mike.Cifelli — Fri, 14 Feb 2020 14:44:13 GMT

Thanks for the reply. I have been testing to essentially figure out how not to affect the DNAC populated information. I am pretty close to getting what I want. The unfortunate part is I think I have to get the end user to input the NAD "name" during execution of the script. Are you aware of a way to have the "name" field in the json data to not modify the DNAC populated name of the device without appending or statically entering a name? I would prefer to not have the end user required to enter in device name during script execution.

Re: Update NAD fields via API

Greg Gibbs — Mon, 17 Feb 2020 03:07:50 GMT

No, I'm not aware if that is possible. You might have to open a TAC case to get confirmation from the development engineers if there is a way to do that.

Re: Update NAD fields via API

hslai — Fri, 21 Feb 2020 04:28:25 GMT

I agreed with Greg. However, why not taking the name input from the user, doing a search, and populating it with the existing name instead of using the input for the update request?

Re: Update NAD fields via API

Mike.Cifelli — Fri, 21 Feb 2020 13:42:15 GMT

I have a TAC case open at the moment to see if there is another way. My thinking is that I could extract the last two octets from the entered IP address and append that. Our naming convention essentially looks something like this:
abcdefgh<S0><last two octets>
S0 = edge node
Last two octets depict building number and edge node number. However, right now as I work on the IP extraction idea the code prompts user for site code (S0 + last two octets) and the device IP so that I can find the NAD ID in ISE db.

Re: Update NAD fields via API

hslai — Sun, 23 Feb 2020 20:06:42 GMT

Yeah. That would be the way to go -- derived the name from the existing data.

Re: Update NAD fields via API

Mike.Cifelli — Mon, 24 Feb 2020 15:54:01 GMT

Yeah I have not gained much traction from TAC on this concern so here is the current code snippet to achieve what I was looking to do:
def ise_nad_update(IP_ADDR):

NAD_NAME = raw_input("Enter the Edge node site ID: ")
if len(NAD_NAME) > 5:
print"**********************************************************"
print "Error!Must be less than 5 char & in SDA Site ID format"
print "*********************************************************"
sys.exit()

while True:
loc = ["BLDG 1", " BLDG 2", " BLDG 3", " BLDG 4", " BLDG 5"]
LOC = raw_input("Enter the building location: ")
if len(LOC) <= 4 and LOC in loc:
break
else:
print "Please enter a Campus location(309, 300, 510, 602)"
continue
while True:
own = ["owner1", "owner2", "owner3"]
OWNER = raw_input("Enter NAD owner: ").upper()
if len(OWNER) <= 6 and OWNER in own:
break
else:
print "Please enter proper owner of asset(joe, sally, mike)"
continue

print "Grabbing NAD ID from ISE database"

for i in tqdm(range(2)):
sleep(5)
print "*****************"
API_DEVICE = "https://<ISEFQDN>:9060/ers/config/networkdevice?filter=ipaddress.EQ." + IP_ADDR
API_ERS_USER = "<user>","<password>"
HEADERS = {
'Accept': "application/json",
'Content-Type': "application/json",
}
r = requests.get(url=API_DEVICE, auth=API_ERS_USER, headers=HEADERS, verify=True)
temp = r.text
nad_id = json.loads(temp)
for nad in nad_id['SearchResult']['resources']:
temp2 = nad['id']
print "ISE NAD ID:" + temp2
print "Getting ready to update the NAD in ISE"

print "**********************"
print "ISE Request", r.reason
print "**********************"
API_DATA = {
"NetworkDevice": {
"id": temp2,
"name": "<SITE NAME>" + NAD_NAME,
"profileName": "Cisco",
"coaPort": "1700",

"authenticationSettings" : {
},
"snmpsettings" : {
"pollingInterval" : 3600,
"linkTrapQuery" : "false",
"macTrapQuery" : "false",
},
"trustsecsettings" : {
"deviceAuthenticationSettings" : {
},
"sgaNotificationAndUpdates" : {
"downlaodEnvironmentDataEveryXSeconds" : 86400,
"downlaodPeerAuthorizationPolicyEveryXSeconds" : 86400,
"reAuthenticationEveryXSeconds" : 86400,
"downloadSGACLListsEveryXSeconds" : 86400,
"otherSGADevicesToTrustThisDevice" : "true",
"sendConfigurationToDevice" : "true",
"sendConfigurationToDeviceUsing" : "ENABLE_USING_COA",
"coaSourceHost" : "<ISE PSN>",
},
"deviceConfigurationDeployment" : {
"includeWhenDeployingSGTUpdates" : "true",
}
},
"NetworkDeviceIPList": [
{
"ipaddress": IP_ADDR,
"mask": 32,
}
],
"NetworkDeviceGroupList": [
"Location#All Locations#" + LOC,
"Device Type#All Device Types#SDA#" + OWNER,
"IPSEC#Is IPSEC Device#No",
]
}
}

API_DEVICE = "https://<ISE FQDN>:9060/ers/config/networkdevice/" + temp2
API_ERS_USER = "<user>","<password>"
r = requests.put(url=API_DEVICE, auth=API_ERS_USER, json=API_DATA, verify=True)
print r.text
print "***************"
print "ISE Request", r.reason
print "***************"
sys.exit()
I pass IP_ADDR from another function. Then ask the user for building, owner, and the site id which then gets appended to 'name' so that I do not overwrite the NAD name obtained from DNAC via pxgrid. Thank you all.

Re: Update NAD fields via API

Mike.Cifelli — Fri, 28 Feb 2020 16:41:11 GMT

FYSA
Per TAC: There is no way to perform an update of a network device and not include a name field in your syntax.
I have asked to file an enhancement request to make the name field not required, and rely on the ID of the NAD.

Re: Update NAD fields via API

Mike.Cifelli — Mon, 02 Mar 2020 14:54:17 GMT

FYSA
Enhancement request: CSCvt24887