topic Re: Unable to add a MAC to an identity group, if the MAC (endpoint) is already in the system in Network Access Control

Unable to add a MAC to an identity group, if the MAC (endpoint) is already in the system

SamuelFullman6827 — Tue, 06 Aug 2019 23:33:15 GMT

Here is a rough approximation of what I'm doing:

            var envelope = new XmlDocument();

            var ns = new XmlNamespaceManager(envelope.NameTable);
            ns.AddNamespace("ns3", "identity.ers.ise.cisco.com");

            var requestNode = envelope.CreateElement("ns3", "endpointBulkRequest", "identity.ers.ise.cisco.com");

            var mtAttr = envelope.CreateAttribute("resourceMediaType");
            mtAttr.InnerText = "vnd.com.cisco.ise.ers.identity.endpoint.1.0+xml";
            requestNode.Attributes.Append(mtAttr);

            var otAttr = envelope.CreateAttribute("operationType");
            otAttr.InnerText = "create";
            requestNode.Attributes.Append(otAttr);

            var resourceList = envelope.CreateElement("ns3","resourcesList", "identity.ers.ise.cisco.com");

            var i = 0;
            foreach (var mac in macs)
            {
                var description = descriptions[i];
                i++;
                var resource = envelope.CreateElement("ns3", "endpoint", "identity.ers.ise.cisco.com");

                // Add attributes to the endpoint element
                var descAttr = envelope.CreateAttribute("description");
                descAttr.InnerText = description;
                resource.Attributes.Append(descAttr);

                var nameAttr = envelope.CreateAttribute("name");
                nameAttr.InnerText = $"Device MAC: {mac}";
                resource.Attributes.Append(nameAttr);

                // Add child elements to the endpoint element
                var groupId = envelope.CreateElement("groupId");
                groupId.InnerText = _config.IseGroupId;
                resource.AppendChild(groupId);

                var identityStore = envelope.CreateElement("identityStore");
                resource.AppendChild(identityStore);

                var identityStoreId = envelope.CreateElement("identityStoreId");
                resource.AppendChild(identityStoreId);

                var macElem = envelope.CreateElement("mac");
                macElem.InnerText = mac;
                resource.AppendChild(macElem);

                var staticGroupAssignment = envelope.CreateElement("staticGroupAssignment");
                staticGroupAssignment.InnerText = "true";
                resource.AppendChild(staticGroupAssignment);

                var staticProfileAssignment = envelope.CreateElement("staticProfileAssignment");
                staticProfileAssignment.InnerText = "false";
                resource.AppendChild(staticProfileAssignment);

                resourceList.AppendChild(resource);
            }

            requestNode.AppendChild(resourceList);
            envelope.AppendChild(requestNode);

And that is being sent to `https://{my-instance}:9060/ers/config/endpoint/bulk`

And it works fine, except when a MAC address (endpoint) is already in the system (perhaps in another identity group, perhaps just unattached, I haven't checked), in which case it will not be added to the current identity group. How can I overcome this?

Re: Unable to add a MAC to an identity group, if the MAC (endpoint) is already in the system

Francesco Molino — Wed, 07 Aug 2019 03:13:56 GMT

Hi

You can check if the endpoint exists and update it and if not (else) you create it like your doing.
You can insert that condition if else in your loop where you check mac in macs.

Re: Unable to add a MAC to an identity group, if the MAC (endpoint) is already in the system

Mike.Cifelli — Wed, 07 Aug 2019 12:05:02 GMT

Your script is working as expected since you are only utilizing create. Focus on other CRUD options like retrieve and update for the already existing hosts. I have been able to accomplish this using python and requests.put/requests.get. A few things you could focus on in your are:
xx/ers/config/endpoint?filter=mac.EQ."+ {MAC} -- for your retrieve/get
xx/ers/config/endpoint/"+ {variable that stores endpoint ID} -- for your update/put

Good luck & HTH!

Re: Unable to add a MAC to an identity group, if the MAC (endpoint) is already in the system

SamuelFullman6827 — Thu, 08 Aug 2019 13:43:03 GMT

Can you paste in the XML document you use for the update? And I'm wondering:

1. does that move the endpoint out of any other identity group(s) - which is not objectionable in my case but good-to-know, and

2. can an update be done in bulk?

Thanks!

Re: Unable to add a MAC to an identity group, if the MAC (endpoint) is already in the system

Mike.Cifelli — Thu, 08 Aug 2019 18:50:46 GMT

1: The requests.put will move the endpoint from one group to another group. Just specify staticGroupAssignment to true, and specify your groupId in your json.
2: I have not attempted bulk. I developed a script for single endpoints. However, I do not see why you couldnt loop through a csv file for your MACs, use requests.get, and store the results to later reference in your "updating of the group assignment" requests.put.

Re: Unable to add a MAC to an identity group, if the MAC (endpoint) is already in the system

Francesco Molino — Fri, 09 Aug 2019 02:43:15 GMT

You can do an update on multiple devices by looping on your csv or other db.
I did it for a customer looping on an sql db.