topic Re: ISE and CoA in Network Access Control

ISE and CoA

cvailler — Wed, 18 Aug 2021 12:38:20 GMT

Hello,

When I modify an endpoint custom attribute in ISE (thru the API) (MAB authenticated), the "authorization profile" change, but not the "endpoint profile".
I need to do a clear session for the endpoint on the switch on which the endpoint is connected to have ISE "endpoint profile" the endpoint correctly.
Can I do it directly from ISE and how ?
Rgds,

Cyril

Re: ISE and CoA

Greg Gibbs — Wed, 18 Aug 2021 22:18:47 GMT

Session management functions, including CoA, are supported by the Monitoring API on the MnT. See the Reauth API call in the Reference Guide.

Re: ISE and CoA

cvailler — Fri, 20 Aug 2021 13:12:39 GMT

Hello,

I have a "quick" question regarding python and ISE API:

When using my browser, with this URL : https://10.1.23.14/admin/API/mnt/CoA/Reauth/ise24/"Mac@"/2, it does "RERUN" reauth as expected for the specified Mac@ in ISE.

When I perform the same request in a python script, nothing happen, even if I receive a 200 status code

resp1 = requests.get(base_url_coa + endpoint_details['mac'] + '/2', headers=headers, auth=auth, verify=False)

resp1 ==> <Response [200]>

resp1.headers :

{'Cache-Control': 'private', 'Expires': 'Thu, 01 Jan 1970 00:00:00 GMT', 'Set-Cookie': 'JSESSIONIDSSO=DE4FD9CCD4A2F3C459D639E000220DAD; Path=/; Secure; HttpOnly, APPSESSIONID=21CBAC5A1C6A545BE4B2BFC3264BE15C; Path=/admin; Secure; HttpOnly', 'X-Frame-Options': 'SAMEORIGIN', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains', 'X-Content-Type-Options': 'nosniff', 'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;", 'X-XSS-Protection': '1; mode=block', 'Content-Type': 'text/html;charset=UTF-8', 'Content-Length': '0', 'Date': 'Fri, 20 Aug 2021 13:03:41 GMT', 'Server': ''}

Any idea ?

Re: ISE and CoA

hslai — Sun, 22 Aug 2021 03:10:17 GMT

On the MnT session API, you should see the response body with some text similar to:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><remoteCoA requestType="reauth"><results>true</results></remoteCoA>

ISE Profiling has this setting below under ISE admin web UI > Administration > System > Profiling:

[ ] Custom Attribute for Profiling Enforcement

This, by default, is disabled, and needs enabled manually if we are using any of the endpoint custom attributes.

Re: ISE and CoA

cvailler — Mon, 23 Aug 2021 08:51:06 GMT

Hello, I know and it is configured.
The point here is that when I use a browser and send

https://10.1.23.14/admin/API/mnt/CoA/Reauth/ise24/00:22:BD:F7:39:21/2
it works (it does what it is expected, it does the reauth)

but when I generate the same
get.requests in my python script, I receive the code 200, and nothing happen.
(requests.get(base_url_coa + endpoint_details['mac'] + '/2', headers=headers, auth=auth, verify=False))
The URL is OK (I print it to check), but it does nothing( no reauth)

I don't know where I can troubleshoot that in ISE

Rgds,
Cyril

Re: ISE and CoA

hslai — Tue, 24 Aug 2021 02:06:09 GMT

I would suggest printing out the full URL and the request parameters and then use cURL to verify. If still no go, please send me a copy of your script.

Re: ISE and CoA

cvailler — Tue, 24 Aug 2021 14:48:11 GMT

Hello,

It does work with the URL from a browser, and using cURL :

$ curl -v https://10.1.23.14/admin/API/mnt/CoA/Reauth/ise24/00:22:BD:F7:39:21/2 -u "admin:1SEC1sc0123&"

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 10.1.23.14...

* TCP_NODELAY set

* Connected to 10.1.23.14 (10.1.23.14) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* successfully set certificate verify locations:

* CAfile: /etc/ssl/cert.pem

CApath: none

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

} [205 bytes data]

* TLSv1.2 (IN), TLS handshake, Server hello (2):

{ [81 bytes data]

* TLSv1.2 (IN), TLS handshake, Certificate (11):

{ [1425 bytes data]

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

{ [333 bytes data]

* TLSv1.2 (IN), TLS handshake, Server finished (14):

{ [4 bytes data]

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

} [70 bytes data]

* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

} [1 bytes data]

* TLSv1.2 (OUT), TLS handshake, Finished (20):

} [16 bytes data]

* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):

{ [1 bytes data]

* TLSv1.2 (IN), TLS handshake, Finished (20):

{ [16 bytes data]

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

* subject: C=Fr; ST=IdF; L=Paris; O=Cisco; OU=IoT; CN=ise24.iot-fr.local

* start date: May 11 12:33:42 2020 GMT

* expire date: May 11 12:33:42 2022 GMT

* subjectAltName: host "10.1.23.14" matched cert's IP address!

* issuer: DC=local; DC=iot-fr; CN=iot-fr-WIN-AD-IND-CA

* SSL certificate verify ok.

* Server auth using Basic with user 'admin'

> GET /admin/API/mnt/CoA/Reauth/ise24/00:22:BD:F7:39:21/2 HTTP/1.1

> Host: 10.1.23.14

> Authorization: Basic YWRtaW46MVNFQzFzYzAxMjMm

> User-Agent: curl/7.64.1

> Accept: */*

< HTTP/1.1 200 OK

< Cache-Control: private

< Expires: Thu, 01 Jan 1970 00:00:00 GMT

< Set-Cookie: JSESSIONIDSSO=F750302ADB5975D8A065A0B71AFE6D55; Path=/; Secure; HttpOnly

< Set-Cookie: APPSESSIONID=F8BD31AEB87E9D979EA664C1690BE3C1; Path=/admin; Secure; HttpOnly

< X-Frame-Options: SAMEORIGIN

< Strict-Transport-Security: max-age=31536000; includeSubDomains

< X-Content-Type-Options: nosniff

< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;

< X-XSS-Protection: 1; mode=block

< Date: Tue, 24 Aug 2021 09:38:43 GMT

< Content-Type: application/xml;charset=UTF-8

< Content-Length: 122

< Server:

{ [122 bytes data]

100 122 100 122 0 0 622 0 --:--:-- --:--:-- --:--:-- 619

* Connection #0 to host 10.1.23.14 left intact

* Closing connection 0

From my script

....
base_url_coa = 'https://' + ISE_instance + '/admin/API/mnt/CoA/Reauth/ise24/'
headers = {
'Accept': 'application/json'
}
auth = (ISE_username, ISE_password)
s = requests.session()
resp1 = s.get(base_url_coa + endpoint_details['mac'] + '/2', headers=headers, auth=auth, verify=False)

Re: ISE and CoA

hslai — Tue, 24 Aug 2021 23:21:08 GMT

That is not a full script...

Anyhow... https://github.com/petermoorey/cisco-ise has ise-coa.py which is doing what you're trying here.
Also, take a look at (Cisco Community) ISE MNT APIs and Python

Re: ISE and CoA

cvailler — Wed, 25 Aug 2021 06:38:57 GMT

It works :

I removed headers from :

resp1 = s.get(base_url_coa + endpoint_details['mac'] + '/2', headers=headers, auth=auth, verify=False)

resp1 = s.get(base_url_coa + endpoint_details['mac'] + '/2', auth=auth, verify=False)

Re: ISE and CoA

cvailler — Thu, 26 Aug 2021 07:36:16 GMT

the headers was :

headers = {
'Accept': 'application/json'
}

While the request sends back :
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><remoteCoA requestType="reauth"><results>true</results></remoteCoA>

So it is XML content and not json