<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Automate removal of Authentication on an ISE Node using REST and SSH in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3780091#M486722</link>
    <description>&lt;P&gt;The Temp bypass portal using the MyDevices portal is not allowing direct access to the ISE GUI.&amp;nbsp; This is a separate GUI whose only job is to put MAC addresses into a particular endpoint identity group (whitelist).&amp;nbsp; Basically if you spend time coding a REST API method to do this and created a front end GUI around your API you would be simply recreating something ISE already offers.&lt;/P&gt;</description>
    <pubDate>Tue, 15 Jan 2019 13:16:26 GMT</pubDate>
    <dc:creator>paul</dc:creator>
    <dc:date>2019-01-15T13:16:26Z</dc:date>
    <item>
      <title>Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3769670#M486706</link>
      <description>&lt;P&gt;Hello!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I'm fairly new to these forums and looking for some guidance in providing an elegant solution to our problem.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;My organization leverages ISE with all access layer endpoints. Essentially all workstations, laptops etc, with the exception of some statically configured devices like printers.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Currently the Network team is being flooded with tickets from Service Desk when troubleshooting connectivity issues. It has become process-like behavior to first request ISE to be removed from a user's port (essentially removed from their access switch). This process was manual in the sense that a wall jack would be labeled with the network switch used and a letter; however, the letter can represent up to 4 network ports on that jack (not granular enough or consistent). So someone has to manually go to the switch and see which port is active, and then remove authentication on that port and follow up.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I looked at the REST services available and am able to see the active sessions by hitting the PSN with the following call:&lt;/P&gt;
&lt;PRE&gt;&lt;SPAN&gt;https://$psn/ise/mnt/api/Session/ActiveList&lt;/SPAN&gt;&lt;/PRE&gt;
&lt;P&gt;and drilling through the attributes in the returned ['activeSession'], these include ['calling_station_id'] and ['nas_ip_address'], which are essentially the endpoint's MAC address and the network switch used.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;THIS IS PERFECT - if it worked.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;I scripted a process to snag the MAC address, SSH to the switch, send an ARP table through CLI, regex for the interface used by the MAC, then send CLI commands to remove authentication. However, it doesn't work.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It seems if authentication is challenged or if ISE is actually keeping the endpoint off the network, then it in fact is not on the "activeSession" list returned by the PSN api. Are the ones currently challenged returned elsewhere? Is what we're trying to do possible via this method?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 27 Dec 2018 21:44:58 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3769670#M486706</guid>
      <dc:creator>eespin</dc:creator>
      <dc:date>2018-12-27T21:44:58Z</dc:date>
    </item>
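    <![CDATA[
The lookup described in the post above, as an added example that is not the poster's script: it parses a Session/ActiveList response, matches the MAC whether it is written in ISE (colon) or IOS (dotted) notation, prefers nas_port_id when the session carries it (an assumption about the response; the post names only calling_station_id and nas_ip_address), and otherwise falls back to parsing the switch's MAC address table. The XML and the IOS output are constructed samples, and the SSH step is replaced by an injected function so the code runs offline. It returns None when the MAC has no active session, which is the case the post hit, instead of going on to SSH to a guessed switch.

```python
"""Correlate an ISE MnT ActiveList session with the access-switch port.

Added example, not the poster's script. Both samples below are constructed:
the activeList XML is modelled on the Session/ActiveList fields the post
names (plus nas_port_id, assumed present when the switch sent NAS-Port-Id),
and the MAC-table text imitates IOS 'show mac address-table' output.
"""
import re
import xml.etree.ElementTree as ET
from typing import Callable, Optional

SAMPLE_ACTIVE_LIST = """<activeList noOfActiveSession="2">
  <activeSession>
    <user_name>jdoe</user_name>
    <calling_station_id>00:11:22:33:44:55</calling_station_id>
    <nas_ip_address>10.10.1.5</nas_ip_address>
    <nas_port_id>GigabitEthernet1/0/7</nas_port_id>
  </activeSession>
  <activeSession>
    <user_name>printer-03</user_name>
    <calling_station_id>AA:BB:CC:DD:EE:FF</calling_station_id>
    <nas_ip_address>10.10.1.6</nas_ip_address>
  </activeSession>
</activeList>
"""

SAMPLE_MAC_TABLE = """          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi1/0/7
 200    aabb.ccdd.eeff    DYNAMIC     Gi1/0/23
Total Mac Addresses for this criterion: 2
"""

_NON_HEX = re.compile(r"[^0-9A-Fa-f]")
_MAC_TABLE_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<port>\S+)",
    re.IGNORECASE | re.MULTILINE)


def normalize_mac(mac: str) -> str:
    """AA:BB:CC:DD:EE:FF, the form ISE uses, from any common separator style."""
    digits = _NON_HEX.sub("", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ios_mac(mac: str) -> str:
    """aabb.ccdd.eeff, the form IOS CLI prints and accepts."""
    digits = normalize_mac(mac).replace(":", "").lower()
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def find_session(active_list_xml: str, mac: str) -> Optional[dict]:
    """Return the activeSession fields for `mac`, or None when ISE has no live
    session for it. An endpoint still being challenged or rejected is not in
    the ActiveList, so callers must treat None as 'unknown', not 'no switch'."""
    want = normalize_mac(mac)
    for sess in ET.fromstring(active_list_xml).iter("activeSession"):
        fields = {child.tag: (child.text or "").strip() for child in sess}
        csid = fields.get("calling_station_id", "")
        if csid and normalize_mac(csid) == want:
            return fields
    return None


def port_for_mac(mac_table_output: str, mac: str) -> Optional[str]:
    """Port that learned `mac`, parsed from 'show mac address-table' text."""
    want = ios_mac(mac)
    for row in _MAC_TABLE_ROW.finditer(mac_table_output):
        if row.group("mac").lower() == want:
            return row.group("port")
    return None


def locate_endpoint(active_list_xml: str, mac: str,
                    fetch_mac_table: Callable[[str, str], str]) -> Optional[dict]:
    """Session -> switch IP -> port. Prefers nas_port_id from ISE; otherwise
    calls fetch_mac_table(nas_ip, ios_mac), which in production would run
    'show mac address-table address <mac>' over SSH and return the output."""
    sess = find_session(active_list_xml, mac)
    if sess is None:
        return None
    nas_ip = sess["nas_ip_address"]
    port = sess.get("nas_port_id") or port_for_mac(fetch_mac_table(nas_ip, ios_mac(mac)), mac)
    if port is None:
        return None
    return {"nas_ip": nas_ip, "port": port, "user": sess.get("user_name", "")}


if __name__ == "__main__":
    offline = lambda nas_ip, mac: SAMPLE_MAC_TABLE   # stands in for the SSH step
    print(locate_endpoint(SAMPLE_ACTIVE_LIST, "0011.2233.4455", offline))
    print(locate_endpoint(SAMPLE_ACTIVE_LIST, "aa-bb-cc-dd-ee-ff", offline))
    print(locate_endpoint(SAMPLE_ACTIVE_LIST, "de:ad:be:ef:00:01", offline))
```

Note that the example reads the MAC address table rather than the ARP table: ARP maps IP to MAC, while the port a MAC was learned on comes from `show mac address-table`. The nas_port_id shortcut only holds when the switch sends NAS-Port-Id in its RADIUS requests, so the fallback is kept.
    ]]>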
    <item>
      <title>Re: Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3770814#M486711</link>
      <description>&lt;P&gt;Perhaps you need to actually delete the endpoint? This is what I do in my lab when I need to refresh things to test new policy. To do this I get the endpoint ID from the MAC, and then delete the Endpoint ID.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;GET https://$psn:9060/ers/config/endpoint/name/$mac
DELETE https://$psn:9060/ers/config/endpoint/$endpointid&lt;/PRE&gt;
      <pubDate>Mon, 31 Dec 2018 13:27:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3770814#M486711</guid>
      <dc:creator>dodgerfan78</dc:creator>
      <dc:date>2018-12-31T13:27:11Z</dc:date>
    </item>
    <item>
      <title>Re: Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3771600#M486716</link>
      <description>&lt;P&gt;You really shouldn't be removing ISE from ports.&amp;nbsp; You should be putting a method in place for the Service Desk to put MAC addresses into a temporary bypass condition so troubleshooting can occur.&amp;nbsp; You can use a MyDevices portal for this or allow the Service Desk to use the context visibility screen in ISE to put MAC addresses into a specific endpoint identity group.&lt;/P&gt;</description>
      <pubDate>Wed, 02 Jan 2019 18:50:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3771600#M486716</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-01-02T18:50:45Z</dc:date>
    </item>
    <item>
      <title>Re: Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3779595#M486719</link>
<description>Unfortunately, the way our organization is, they don't and won't be allowed access to ISE directly, so we'd like to abstract that by front-ending some of the functionality through the API. Can a MAC address be placed in a bypass condition using ERS?</description>
      <pubDate>Mon, 14 Jan 2019 22:14:12 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3779595#M486719</guid>
      <dc:creator>eespin</dc:creator>
      <dc:date>2019-01-14T22:14:12Z</dc:date>
    </item>
    <item>
      <title>Re: Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3779613#M486720</link>
      <description>&lt;P&gt;I believe you would just change the endpoint profile to your whitelist, and then send a CoA. These can be done via the API.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Jan 2019 22:42:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3779613#M486720</guid>
      <dc:creator>dodgerfan78</dc:creator>
      <dc:date>2019-01-14T22:42:44Z</dc:date>
    </item>
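    <![CDATA[
The whitelist-group move plus CoA described above, together with the ERS GET and DELETE calls from the earlier reply, as one added example that is not code from the thread. Assumptions: ERS is enabled on the node and the service account is in the ERS Admin group (ERS Operator is read-only and cannot PUT or DELETE); the ERSEndPoint and EndPointGroup JSON shapes and the MnT CoA Reauth URL and XML reply are written from the ERS SDK page (https://<ise>:9060/ers/sdk) and the ISE API reference as I recall them, so confirm them there before relying on them; the `transport` seam and the FakeIse class are constructed so the example runs offline; the hostnames and the group name TempBypass are placeholders.

```python
"""Temporary bypass of an endpoint through the ISE ERS API plus a CoA.

Added example, not code from the thread. Assumptions: ERS is enabled; the
service account is in the ERS Admin group (ERS Operator is read-only); the
JSON/XML shapes below are from the ERS SDK and ISE API reference as recalled,
and should be checked there; FakeIse is a constructed stand-in for a node.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

# transport(method, url, headers, body) -> (status, body_bytes)
Transport = Callable[[str, str, dict, Optional[bytes]], Tuple[int, bytes]]


def https_transport(cafile: str) -> Transport:
    """Live transport. Pin the ISE admin certificate (or its CA) via cafile;
    never turn verification off for the system that hands out network access."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


class IseClient:
    def __init__(self, host: str, user: str, password: str, transport: Transport):
        self.ers = f"https://{host}:9060/ers/config"
        self.mnt = f"https://{host}/admin/API/mnt"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.send = transport

    def _call(self, method: str, url: str, payload: Optional[dict] = None) -> bytes:
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.send(method, url, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} -> HTTP {status}: {raw[:200]!r}")
        return raw

    def endpoint_by_mac(self, mac: str) -> dict:
        """GET /endpoint/name/{mac}; ERS names endpoints by upper-case colon MAC."""
        return json.loads(self._call("GET", f"{self.ers}/endpoint/name/{mac}"))["ERSEndPoint"]

    def group_id(self, group_name: str) -> str:
        raw = self._call("GET", f"{self.ers}/endpointgroup/name/{group_name}")
        return json.loads(raw)["EndPointGroup"]["id"]

    def move_to_group(self, mac: str, group_name: str) -> str:
        """Static-assign the endpoint to the whitelist group; returns endpoint id."""
        ep = self.endpoint_by_mac(mac)
        body = {"ERSEndPoint": {"id": ep["id"], "mac": ep["mac"],
                                "groupId": self.group_id(group_name),
                                "staticGroupAssignment": True}}
        self._call("PUT", f"{self.ers}/endpoint/{ep['id']}", body)
        return ep["id"]

    def delete_endpoint(self, mac: str) -> str:
        """The DELETE from the earlier reply: drops the endpoint so it is re-profiled."""
        ep = self.endpoint_by_mac(mac)
        self._call("DELETE", f"{self.ers}/endpoint/{ep['id']}")
        return ep["id"]

    def coa_reauth(self, psn_hostname: str, mac: str, reauth_type: int = 0) -> bool:
        """MnT CoA Reauth (type 0 = DEFAULT) so the new group takes effect now.
        Reply is XML: <remoteCoA requestType="reauth"><results>true</results></remoteCoA>"""
        raw = self._call("GET", f"{self.mnt}/CoA/Reauth/{psn_hostname}/{mac}/{reauth_type}")
        return ET.fromstring(raw).findtext("results", "").strip().lower() == "true"


def temp_bypass(client: IseClient, psn: str, mac: str, group: str = "TempBypass") -> dict:
    """What a Service Desk front end would call: whitelist, then CoA."""
    ep_id = client.move_to_group(mac, group)
    return {"endpoint_id": ep_id, "coa_ok": client.coa_reauth(psn, mac)}


class FakeIse:
    """Constructed offline stand-in for an ISE node; records every call."""
    def __init__(self):
        self.calls = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, body))
        if url.endswith("/endpoint/name/00:11:22:33:44:55"):
            return 200, b'{"ERSEndPoint":{"id":"ep-1","mac":"00:11:22:33:44:55","groupId":"g-unknown"}}'
        if url.endswith("/endpointgroup/name/TempBypass"):
            return 200, b'{"EndPointGroup":{"id":"g-bypass"}}'
        if "/CoA/Reauth/" in url:
            return 200, b'<remoteCoA requestType="reauth"><results>true</results></remoteCoA>'
        if method in ("PUT", "DELETE"):
            return 204, b""
        return 404, b'{"ERSResponse":{"message":"not found"}}'


if __name__ == "__main__":
    ise = IseClient("ise-pan.example.net", "svc-ers", "secret", FakeIse())
    print(temp_bypass(ise, "ise-psn1", "00:11:22:33:44:55"))
```

A front end that exposes temp_bypass() to the Service Desk should record who asked and for which MAC, and schedule the reverse step (delete_endpoint() followed by coa_reauth(), or a move back to the original groupId) so a bypass cannot silently become permanent: staticGroupAssignment set to true survives re-profiling. Give the service account only the ERS Admin group it needs for the PUT and DELETE, not a super-admin role.
    ]]>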
    <item>
      <title>Re: Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3780091#M486722</link>
      <description>&lt;P&gt;The Temp bypass portal using the MyDevices portal is not allowing direct access to the ISE GUI.&amp;nbsp; This is a separate GUI whose only job is to put MAC addresses into a particular endpoint identity group (whitelist).&amp;nbsp; Basically if you spend time coding a REST API method to do this and created a front end GUI around your API you would be simply recreating something ISE already offers.&lt;/P&gt;</description>
      <pubDate>Tue, 15 Jan 2019 13:16:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3780091#M486722</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-01-15T13:16:26Z</dc:date>
    </item>
    <item>
      <title>Re: Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3780096#M486724</link>
      <description>&lt;P&gt;If you block someone from doing something but still want them to do that thing, then yes, I believe it is accurate to say, you will need to copy that original thing into a space where they are allowed to do it. Automation can often involve particular tasks from other GUIs or systems that already exist, because you are putting them into the context of a particular workflow that has some other benefit or value.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 15 Jan 2019 13:25:14 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3780096#M486724</guid>
      <dc:creator>dodgerfan78</dc:creator>
      <dc:date>2019-01-15T13:25:14Z</dc:date>
    </item>
    <item>
      <title>Re: Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3780272#M486726</link>
<description>You can also look at automation using Adaptive Network Control policies&lt;BR /&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01101.html" target="_blank"&gt;https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01101.html&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;Recommend segmenting using SGTs as well instead of switch ACL or VLANs</description>
      <pubDate>Tue, 15 Jan 2019 16:28:04 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3780272#M486726</guid>
      <dc:creator>Jason Kunst</dc:creator>
      <dc:date>2019-01-15T16:28:04Z</dc:date>
    </item>
    <item>
      <title>Re: Automate removal of Authentication on an ISE Node using REST and SSH</title>
      <link>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3799609#M486728</link>
<description>&lt;P&gt;We are just cautious of the level of access we grant. Do you know what permissions are required?&lt;/P&gt;</description>
      <pubDate>Mon, 11 Feb 2019 21:55:02 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/automate-removal-of-authentication-on-an-ise-node-using-rest-and/m-p/3799609#M486728</guid>
      <dc:creator>eespin</dc:creator>
      <dc:date>2019-02-11T21:55:02Z</dc:date>
    </item>
  </channel>
</rss>

