topic Re: ISE cannot find a network device if it is created by the ERS API in Network Access Control

ISE cannot find a network device if it is created by the ERS API

ArminGradascevic1123 — Mon, 22 Jul 2019 14:54:07 GMT

Hello everyone, I am running into an issue with ISE and authentication. If I run my script to create a network device it does so and it shows up in ISE, however when I try to have the device authenticate with ISE, in the radius logs, I can see that ISE gives me the following error:

ISE Code: 2.4.0.357

Event	5405 RADIUS Request dropped
Failure Reason	11007 Could not locate Network Device or AAA Client
Resolution	Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause	Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
NAS IPv4 Address	10.11.38.253

The weird part is if I go into the device itself and click, "Save" (Without making any changes, just simply clicking on the IP address then clicking on the white space then save), it will then work.

Has anyone faced any issues like this? In the past two weeks, this is the second bug behavior I have ran into, the other one was with the X-CSRF-TOKEN in post messages to ERS.

Here is my code if anyone is wondering (IP address and UN/PWD omitted):

import requests
import requests.auth
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

Username = ("x")
Password = ("x")

headers = {'Content-Type': 'application/json', 'Accept': 'application/json'}

devicename = input("Enter Device Name:")
deviceid= devicename + "-" + "PyGenerated"
deviceip = input("Enter Device IP Address:")
deviceipmask = input("Enter Device IP Mask [0-32]:")
devicedescription = input("Enter Device Description:")
devicesecret = input("Enter Device Secret:")
#devicelocation = input("Enter Device Location:")
#devicetype = input("Enter Device Type:")

GETDEVICENAME = requests.get("https://x.x.x.x:9060/ers/config/networkdevice", verify=False, auth=(Username, Password), headers=headers)

ParseName = json.loads(GETDEVICENAME.text)

for STORENAME in ParseName['SearchResult']['resources']:
CheckNAME = STORENAME["name"]
if devicename == CheckNAME:
print("ERROR: A duplicate Device Name has been detected, please re-run the script and use a unique Device Name!")
exit()

ISEjson= {
"NetworkDevice" : {
"id" : deviceid,
"name" : devicename,
"description" : devicedescription,
"authenticationSettings" : {
"radiusSharedSecret" : devicesecret,
"enableKeyWrap" : False,
"dtlsRequired" : False,
"keyEncryptionKey" : "",
"messageAuthenticatorCodeKey" : "",
"keyInputFormat" : "ASCII"
},
"profileName" : "Cisco",
"coaPort" : 1700,
"dtlsDnsName" : False,
"NetworkDeviceIPList" : [ {
"ipaddress" : deviceip,
"mask" : deviceipmask
} ],
"NetworkDeviceGroupList" : [ "Location#All Locations", "Device Type#All Device Types" ]
}
}

ISE = requests.post("https://x.x.x.x:9060/ers/config/networkdevice", verify=False, auth=(Username, Password), headers=headers, json=ISEjson)

if ISE.status_code < 400:
print("SUCCESS: The device has been created and implemented into ISE! Status Code:", ISE.status_code)

if ISE.status_code > 399:
print("FAILURE: The code has not been pushed to ISE to create the device! Status Code:", ISE.status_code, "\nHere is the error recieved from the API", ISE.text)

Re: ISE cannot find a network device if it is created by the ERS API

hslai — Mon, 22 Jul 2019 22:34:11 GMT

CSCvq59887

is recently logged by our TAC on this issue reported by another customer. This defect is not visible externally yet. The workaround section says,

This can be rectified by two methods:
1. Reload the node and try to re-authenticate. Result = Authentication Successful
2. If we remove "id", "Profile", and "COAPort" from the POST, the newly created NetworkDevice becomes usable instantly.

Re: ISE cannot find a network device if it is created by the ERS API

ArminGradascevic1123 — Tue, 23 Jul 2019 17:34:00 GMT

Hslai,

I tried both of those and the issue is still present. I tried to view the bug, but I could not. Is there any type of update from Cisco on what is causing this bug to occur?

Re: ISE cannot find a network device if it is created by the ERS API

hslai — Wed, 24 Jul 2019 01:15:41 GMT

Please try it with a simpler body. Below worked for me. I will try yours later when I have more time.

{
  "NetworkDevice" : {
    "name" : "dag",
    "authenticationSettings" : {
      "networkProtocol" : "RADIUS",
      "radiusSharedSecret" : "myRadSecret"
    },
    "NetworkDeviceIPList" : [
 {
      "ipaddress" : "10.1.100.43",
      "mask" : 32
    } ],
    "NetworkDeviceGroupList" : [ "Location#All Locations", "IPSEC#Is IPSEC Device#No" ]
  }
}

Re: ISE cannot find a network device if it is created by the ERS API

ArminGradascevic1123 — Wed, 24 Jul 2019 20:19:19 GMT

Thank you! What worked is adding this in the json code:

"authenticationSettings" : {
"networkProtocol" : "RADIUS",
"radiusSharedSecret" : devicesecret,

I was wondering if you guys have any clue as to what causes this bug to occur? We are on 2.4.0.357, thanks for your help mate 🙂