topic ISE MNT APIs and Python in Network Access Control

ISE MNT APIs and Python

Mike.Cifelli — Mon, 06 Jan 2020 18:44:37 GMT

Posting an update from an earlier post where I mentioned an automation idea utilizing ISE Monitoring APIs in an attempt to gather assistance or suggestions, and help others:

The idea is for an IA member to move a computer object in AD to another security group (quarantine for ex.) upon desire/need to quarantine, run the py script, answer two questions, either shut port or re-auth an endpoint via ISE coa and move them into quarantine based on different authz results in ISE. The questions are:
1- Do you wish to terminate session or force re-auth?
2- Enter the endpoint MAC
Depending on user input the scipt runs different functions (Term_Sess or CoA_Reauth). It then parses the returned xml output to provide feedback to the IA user.

Where I am still working is the Sess_Update part. The goal here would be to provide the IA user with some sort of update that the endpoint session status was successful with actual verification of a vlan or ip move. Two tags I am working on targeting are:
<vlan>
<framed_ip_address>
This way the IA user can identify that a host has now moved to quarantine. The Sess_Update function needs work and is currently not working. However, when issuing a session update get request using curl I see returned xml output. The curl command used to identify the above tags I would like to reference is:
curl -k --include --user <USER/PASS> --request GET https://<ISE NODE>/admin/API/mnt/Session/MACAddress/XX:XX:XX:XX:XX:XX

See attached for script.
Thoughts? Any other ideas for endpoint update for IA user? Thanks!

Re: ISE MNT APIs and Python

Mike.Cifelli — Mon, 06 Jan 2020 18:49:18 GMT

*Note: updated script to exit upon failed or unknown mac CoA result so that Sess_Update is not called. Thanks

Re: ISE MNT APIs and Python

Mike.Cifelli — Tue, 07 Jan 2020 18:43:35 GMT

Seeking assistance on the easiest way in python to ensure that user raw input is a valid IP and in int/proper format.

UPDATE:: I have the CoA_Reauth function and Sess_Update functions working now in tandem (ignore spacing from copy/paste):
def CoA_Reauth():
HW_ADDR, HOST_IP = Endpoint_Input()
API_DEVICE = "https://ISE MNT NODE/admin/API/mnt/CoA/Reauth/MNT NODE/" + HW_ADDR + "/0/"
API_ERS_USER = "<user>","<pass>"

r = requests.get(url=API_DEVICE, auth=API_ERS_USER, verify=True)

#print r.content #prints xml output from ISE; Aided in identifying unique tags to reference
tree = ET.fromstring(r.content)
if tree.findtext('results') == 'false':
print "**************************************************************************"
print "ISE CoA Result: Failed"
print "**************************************************************************"

elif tree.findtext('results') == 'true':
print "**************************************************************************"
print "ISE Change of Authorization Result: Successful"
print "**************************************************************************"
else:
print "**************************************************************************"
print "ISE CoA Error: Ensure you have the right MAC"
print "**************************************************************************"
Sess_Update(HW_ADDR, HOST_IP)

def Sess_Update(HW_ADDR, HOST_IP):
print "**************************************************************************"
print "**************************************************************************"
print "Pinging Endpoint old IP Address" #validates change of session
response = os.system("ping -c 4 " + HOST_IP)
print "**************************************************************************"
print "**************************************************************************"

API_DEVICE = "https://ISE MNT NODE/admin/API/mnt/Session/MACAddress/" + HW_ADDR
API_ERS_USER = "<user>","<pass>"

r = requests.get(url=API_DEVICE, auth=API_ERS_USER, verify=True)
print r
print "**************************************************************************"

tree = ET.fromstring(r.content)
print "Endpoint is connected to SDA Switch:", tree.findtext('nas_ip_address')
#print "Endpoint Session Update Vlan:", tree.findtext('vlan') ###for some reason I dont get this xml tag in output
print "Endpoint new IP address is:", tree.findtext('framed_ip_address')

IA user will provide mac, current IP, and desire for re-auth after moving AD object to quarantine sec group. CoA_Reauth func will trigger reauth, the Sess_Update will get session update to verify change in status and ping the old ip showing user good results. TIA!

Re: ISE MNT APIs and Python

hslai — Tue, 14 Jan 2020 04:07:42 GMT

I hope you already found the answer yourself.

The net says, validate IP addresses and python - How do I validate the format of a MAC address? - Stack Overflow

I am not using Python enough to be proficient on it.

Re: ISE MNT APIs and Python

Mike.Cifelli — Tue, 14 Jan 2020 13:35:35 GMT

@hslai

Yes. Thank you for your response. I have the script working the way I expect it to work, but I am working with TAC for a CoA issue at the moment. For the IP check::

import re

....Skipping lines....

regex = '''^(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(
25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(
25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.(
25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)'''

IP_ADDR = raw_input("Enter IP Address: ")

if (re.search(regex, IP_ADDR)):
print IP_ADDR
else:
print ("Invalid IP")

Re: ISE MNT APIs and Python

hslai — Wed, 15 Jan 2020 03:43:40 GMT

Great to learn you are able to resolve it yourself. As CoA itself is separate and you are working with TAC, I will close this thread.