topic ISE API add MAC address to specified Identity Group in Network Access Control

ISE API add MAC address to specified Identity Group

SamuelFullman6827 — Fri, 14 Dec 2018 17:20:29 GMT

We have an ISE instance set up for testing, I'm a developer but have never used ISE before.

What I'm wanting to do should be simple but I've not found docs on it so far after searching. I want to add a MAC address to a specified Identity Group. More specifically I want to set it up using the API. My tool of choice here is CURL.

In this API call, the Identity Group will already be defined, however the MAC address will be new to ISE (a brand new device). How would I do this?

I have seen some great docs here like this: ISE ERS API Examples - but it just doesn't cover this specific case. Please remember I'm new to ISE and actually a coder. Thanks!

Re: ISE API add MAC address to specified Identity Group

dodgerfan78 — Fri, 14 Dec 2018 18:57:24 GMT

I believe the online documentation shows this (https://<ise-ip>:9060/ers/sdk). Go to API Documentation > Endpoint > Create. Is that what you are looking for?

Re: ISE API add MAC address to specified Identity Group

SamuelFullman6827 — Fri, 14 Dec 2018 19:11:01 GMT

No, I do not want to create an endpoint. In fact nothing to do with Endpoints. I want to add a new *MAC address* to an existing *Identity Group*

It's irrelevant to this post, but that Identity group does contain endpoints. So my device with the new MAC will get on those endpoints because of how the Identity Group is set up. But again, I don't want to add an endpoint.

Re: ISE API add MAC address to specified Identity Group

Damien Miller — Fri, 14 Dec 2018 20:27:05 GMT

I think there might be some confusion on the terminology here because an endpoint in ISE is referenced by a unique mac address. Each mac address corresponds to an endpoint.

For purposes of this, mac address = endpoint/device.

A device such as a laptop with both a wired and wireless adapter is currently treated as two endpoints in ISE, two unique mac addresses.

Re: ISE API add MAC address to specified Identity Group

dodgerfan78 — Fri, 14 Dec 2018 20:33:53 GMT

I believe he might be trying to add a MAC to a profile condition so that the device automatically gets put in the right Identity Group based on MAC address during profiling. Certainly doable, but I don't see those capabilities in the API.

Re: ISE API add MAC address to specified Identity Group

howon — Fri, 14 Dec 2018 21:16:25 GMT

As Damien noted, endpoint is mac address. With the create endpoint operation you can also put it into the group as well during creation. This essentially maps the MAC address to the endpoint group, which you can use to influence policy for the MAC.

Re: ISE API add MAC address to specified Identity Group

SamuelFullman6827 — Fri, 14 Dec 2018 21:39:05 GMT

@dodgerfan78 say I may be "trying to add a MAC to a profile condition" - possibly but here's a screenshot now that I'm getting more familiar. What you see when I click the green "Add" button, I'm wanting to do via API - ie, add MAC address FF:FF:FF:FF:FF:FF to the `RegisteredUsers` Group shown.

Re: ISE API add MAC address to specified Identity Group

dodgerfan78 — Fri, 14 Dec 2018 22:28:02 GMT

Ok, those are Endpoints. This is how I did it. First get the group ID:

tools$ curl --tlsv1.1 -k -H 'ACCEPT: application/json' -H 'ERS-Media-Type: identity.endpointgroup.1.1' "https://admin:1111111@1.1.1.1:9060/ers/config/endpointgroup/name/RegisteredDevices" 

    "id" : "aa13bb40-8bff-11e6-996c-525400b48521",

Create a file with mac address and the group id of the desired group (above). I am not a coder so I may have extra stuff in here I don't need:

mac.xml:

<?xml version="1.0" encoding="UTF-8"?>
<ns0:endpoint xmlns:ns0="identity.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="name">
<groupId>aa13bb40-8bff-11e6-996c-525400b48521</groupId>
<mac>00:01:02:03:04:05</mac>
<staticGroupAssignment>true</staticGroupAssignment>
<staticProfileAssignment>false</staticProfileAssignment>
</ns0:endpoint>

The do this:

curl -v -X POST --tlsv1.1 -v -k -H 'ACCEPT: application/xml' -H 'ERS-Media-Type: identity.endpoint.1.2' --header 'Content-Type:application/xml' https://admin:11111@1.1.1.1:9060/ers/config/endpoint -d @mac.xml

Re: ISE API add MAC address to specified Identity Group

SamuelFullman6827 — Wed, 06 Feb 2019 15:39:00 GMT

Hi There, I have accepted your answer and it did work, however, I thought I'd add something I learned.

This is not to attach an existing endpoint to an identity group, it looks like it can only attach a NEW endpoint to an existing identity group. Otherwise, you'll get something like this:

<?xml version="1.0" encoding="utf-8" standalone="yes"?><ns3:ersResponse operation="POST-create-endpoint" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com"><link rel="related" href="https://1.1.1.1:9060/ers/config/endpoint" type="application/xml"/><messages><message type="ERROR" code="CRUD operation exception"><title> Failed to update endpoint 55:01:00:00:00:01 to aa13bb40-8bff-11e6-996c-525400b48521 null</title></message></messages></ns3:ersResponse>

which is not very helpful 🙂