topic Re: API Queries in Network Access Control

API Queries

abinjola — Thu, 13 Dec 2018 17:24:50 GMT

What API can be used to whitelist MAC address with a time limit. By calling EndPoint API we can Add an end point, but it seems end point API does not have any start time and expiry time field ?
Can a MAC address be added within time bound for whitelisting does the MAC from whitelisted endpoint gets purged or removed upon reaching time expiration ?

3. Which API to be called for bulk uploading MAC address for exception list using template?

Appreciate any feedback on questions below

Re: API Queries

Jason Kunst — Thu, 13 Dec 2018 19:27:07 GMT

There is no API with a time limit. You would have to build a system to monitor that and call the API when you wanted it removed.

Which API to be called for bulk uploading MAC address for exception list using template?
https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623#toc-hId-1183657558
https://developer.cisco.com/docs/identity-services-engine/#!bulk-operations/monitoring-bulk-execution-status

Re: API Queries

abinjola — Fri, 14 Dec 2018 00:50:07 GMT

>> There is no API with a time limit. You would have to build a system to monitor that and call the API when you wanted it removed.
So time and date is available as a policy condition on ISE UI but those attributes not exposed to API’s ? is there a API I can use to track when this session ends and maybe use that session-ID to invoke API to kill/remove that endpoint ? Just trying to figure out how to automate this simple task of
mac whitelisted--->user connects---->time expires--->endpoint removed/purged

Re: API Queries

Jason Kunst — Fri, 14 Dec 2018 01:41:07 GMT

Authorization rules are not tied to endpoint groups for removal. They simply authorize based on criteria. Endpoint purging removes endpoints with respect to days

There are no variables assigned to an endpoint to remove from a list. No such mechanism.

What exactly are you trying to accomplish? Please explain your use case . There might be a better way to accomplish this

Re: API Queries

abinjola — Fri, 14 Dec 2018 02:00:07 GMT

Whitelisting MAC for certain time period only. These whitelisted MACs only need access for certain time. Once the time expires, ISE should remove/delete/undo this MACs from whitelist.

Re: API Queries

paul — Fri, 14 Dec 2018 14:00:27 GMT

As Jason said I think the easiest approach would be to put the MAC address into an endpoint identity group that is purged on a set schedule. I use this for my ISE Temp Bypass concept. The help desk, desktop team, etc can add MAC addresses into a ISE so they can troubleshoot a device, but the devices in the list are purged out every night at 3:00 a.m. when the purge job runs.

Re: API Queries

Jason Kunst — Fri, 14 Dec 2018 14:38:16 GMT

Please provide more details exactly the flow and why they need this. Might be another way to do this. Also what happens after they expire. What type of users are they? Will they be back? Is there any authentication taking place? What happens when the come back next day, etc

The only way to do what you’re saying with the info you provided is to create your own tracking mechanism on Linux machine that calls api to put into one group and then another group when they want to change access

Checking http://cs.co/ise-guest

What about guest access 1 hour in a day hotspot?