topic Re: Check PAN status programatically in Network Access Control

Check PAN status programatically

Amir Asfandyarov — Mon, 08 May 2017 15:18:37 GMT

Hello Team,

Does anybody know if it is possible to somehow get PAN role (Active/Standby) programmatically (via API) or manually via CLI (SSH session)?

Use case is: I have an API script running every night to do certain stuff on ISE (clean up Guests in my particular case). However my script is always connecting to a particular IP/hostname I specify in a cron job or manually via script options. If failover happens, I have no way to connect to a newly active (primary) PAN to do a nightly job.

I could use either API or SSH (via Expect/Pexpect) but I could find neither API nor CLI way of doing that - that is, of getting a definite answer on whether this particular box is Primary or Secondary PAN.

There is a line in "show tech" but triggering show tech every time I need to get a role is a bit too heavy, I think:

Node Config Details

NAME PERSONA ROLE ACTIVE REPLICATION

------------------- --------------- ---------- ---------- ---------------

test-ISE PAN,MNT,PSN STANDALONE ACTIVE Not Applicable

Thank you!

Amir

Re: Check PAN status programatically

hslai — Tue, 09 May 2017 00:06:09 GMT

I responded to your original thread with archived discussions in using the fact that we would be getting HTTP 401 if performing non-read-only CRUD operations against non-Primary node. You could also parse the application deployment.log but again it's too heavy.

Re: Check PAN status programatically

Arne Bier — Tue, 09 May 2017 00:10:52 GMT

Hi Amir

There doesn't seem to be a CLI show command, nor does the SNMP MIB offer any hints. But there is another way.

You can enable the ERS in your Policy Nodes and then run a curl command to query via REST API.

In the examples below, 192.168.21.100 is my PAN (it should always have a good view of the system status) - you would have to make this flexible to ensure you hit the currently active PAN.

To demonstrate the return values, I use the Get-By-Name method to query status of "ise02" (which is a PSN), and "ise01" (which is my one and only PAN). I think this reflects the Admin node personas and their status.

abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise02' | grep PapNode

"isPapNode" : false,

"isPrimaryPapNode" : false,

[abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise01' | grep PapNode

"isPapNode" : true,

"isPrimaryPapNode" : true,

Re: Check PAN status programatically

hslai — Tue, 09 May 2017 00:28:13 GMT

This is added in ISE 2.2 but, of course, everyone should be using 2.2. 😉

Re: Check PAN status programatically

Amir Asfandyarov — Tue, 09 May 2017 08:53:00 GMT

Hello Arne!

Many-many thanks for your answer - yes, that is exactly what I needed but this is 2.2-specific, that is why I haven't noticed that in my 2.1 SDK portal

That is very useful info still, many thanks!

Regards, Amir

Re: Check PAN status programatically

Amir Asfandyarov — Tue, 09 May 2017 14:46:10 GMT

Arne's method is the suggested one, I think.

Meanwhile, for those of us who are not yet on 2.2 , the following will work: try to create user via API.

While primary will respond with HTTP 201, Secondary will tell you:

<!DOCTYPE html>

<html>

<head>

<title>

- Error report

</title>

H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}

</style>

</head>

<body>

<h1>

HTTP Status 401 - The requested operation is allowd on PAP Node only.

</h1>

---snip---

You can parse response (I did that with Beautifulsoup on a python - so picking h1 header) and correctly identify secondary/primary PAN. Not an ideal solution, but works well.