topic Re: Cisco ISE API's for CoA in Network Access Control

Cisco ISE API's for CoA

network_geek1979 — Wed, 28 Sep 2022 08:28:44 GMT

Folks, we are trying to search for the correct API's to trigger a CoA with Port Bounce.

Here is what we had:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/api_ref_guide/api_ref_book/ise_api_ref_ch4.html

However, we are having some trouble identifying the API call which corresponds to the CoA port bounce feature available via the web UI.

We use ISE 3.0

Any suggestions?

Regards,

Re: Cisco ISE API's for CoA

Charlie Moreton — Wed, 28 Sep 2022 12:50:54 GMT

You can see it at the https://cs.co/ise-api Devnet site, specifically HERE. Search for Session Disconnect. Also detailed HERE. Looks like PORT_BOUNCE was not supported in 2.7.

Coincidentally, Thomas Howard is giving a webinar on ISE APIs on October 4th, and he covers a great deal of information. Register at https://cs.co/ise-webinars

Re: Cisco ISE API's for CoA

davidgfriedman — Thu, 29 Sep 2022 10:05:41 GMT

While I made a postman runner for this, including custom javascript, work won't let me share it. However, I can give you the two generic calls to help your research:

1. Get session info with:
GET https://{{ISE_SERVER}}/admin/API/mnt/Session/MACAddress/{{MACAddress}}
Replaced ISE_SERVER with https://1.2.3.4:9060
Replace MACAddress with MAC Address in a colon separated format, upper case.

2. Send disconnect with port bounce:
GET https://{{ISE_SERVER}}/admin/API/mnt/CoA/Disconnect/:MntNode/:MACAddress/1/:Switch/:PSN
replace ISE_SERVER with https://1.2.3.4:9060
replace :Switch with device_ip_address field from step 1
replace :PSN with destination_ip_address field from step 1
replace :MntNode with acs_server field from step 1

Enjoy!

Re: Cisco ISE API's for CoA

network_geek1979 — Thu, 29 Sep 2022 05:43:21 GMT

Hi David, Thanks a ton.
Again from an API novice standpoint, this Send Disconnect will be a POST call.
Right?

Regards!!

Re: Cisco ISE API's for CoA

davidgfriedman — Thu, 29 Sep 2022 10:10:12 GMT

I have edited my post to show they are both GET statements in my postman runner, which I've tested on video for our security team using a wired MAB endpoint, a wired 802.1x endpoint and a wireless 802.1x endpoint.

What I have not mentioned is the other calls and javascript code in my postman runner, which chain the commands together, and also get + set custom attributes. The security team can set the "quarantine" custom attribute to one of 2 keywords (then update the endpoint in the runner instantly) so when the port disconnect + re-auth occurs, the 3 types of endpoints tested could be pushed into a blocked state, a state where the security team can scan it from a limited subnet (cidr in DACL), or even re-run without the quarantine custom attribute being set, to go back to normal (ex: cleared if suspected of having a virus or successfully cleaned if it had a virus [or more]).

-David

Re: Cisco ISE API's for CoA

network_geek1979 — Tue, 04 Oct 2022 06:54:08 GMT

Hi David,
Our team was going through the below document:
https://developer.cisco.com/docs/identity-services-engine/latest/#!using-change-of-authorization-rest-apis/session-disconnect-api-call

Do you also need GU access to send the COA call?

We are confused as the document says GUI access in the "Invoking the Reauth API Call".
I guess this is only to get the URL and nothing else.

So what this is saying that is the login page give you:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash

then replace the "/admin/" with "/admin/API/mnt/CoA/<specific-api-call>/<macaddress>/<reauthtype>:"

which will now make the API GET request as :
https://acme123/admin//API/mnt/CoA/<specific-api-call>/<macaddress>/<reauthtype>

or is it:
https://acme123/admin//API/mnt/CoA/<specific-api-call>/<macaddress>/<reauthtype>/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash?

Thanks for the help.

Regards,

Re: Cisco ISE API's for CoA

Charlie Moreton — Tue, 04 Oct 2022 11:56:59 GMT

{{baseUrl}}/admin/API/mnt/CoA/Reauth/{{psn_name}}/{{mac}}/{{reauth_type}} is simply the URL to send to ISE to get the response. You still need your headers:

The full request (using cURL) will look like this:

curl --include --insecure --location \
--header 'Accept: application/json' \
--user {{ise_username}}:{{ise_password}} \
--request GET https://{{baseUrl}}/admin/API/mnt/CoA/Reauth/{{psn_name}}/{{mac}}/{{reauth_type}}

--include = Include protocol response headers in the output

--insecure = Allow insecure connections when using SSL (you don't have to present a certificate to authenticate)

--location = Follow redirects

You can write this all on the same line as shown here:

curl --include --insecure --location --header 'Accept: application/json' --user {{ise_username}}:{{ise_password}} --request GET https://{{baseUrl}}/admin/API/mnt/CoA/Reauth/{{psn_name}}/{{mac}}/{{reauth_type}}

but the use of the \ when using cURL allows for a line break and makes your API request infinitely more readable.

Once you install cURL into your terminal application, issue the curl --help command to explore all the options.

Re: Cisco ISE API's for CoA

davidgfriedman — Tue, 04 Oct 2022 12:27:18 GMT

My calls used BASIC auth and did not need any initial login, nor, to my knowledge, did it store cookies for sessions. It just sends BASIC credentials for each request.

Re: Cisco ISE API's for CoA

network_geek1979 — Tue, 04 Oct 2022 13:20:57 GMT

Hi Charlie, this should also work on Postman.
Correct?

I am able to do successful GET calls to "/ers" but not to "/admin".
Any suggestions?

Regards,