Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
938
Views
2
Helpful
6
Replies

Ansible and ISE

Go to solution
HouNet
Level 1
Level 1

‎04-17-2023 09:56 AM

Hi is there a forum dedicated to using Ansible with ISE or is this the best place to ask questions if I am having trouble getting Ansible playbooks to work with ISE 3.1.0.518?

Thanks,

Eric

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to HouNet

‎04-17-2023 06:27 PM

All ERS and OpenAPI calls must be directed to the PAN, unless you have configured another node as the API Gateway. All of the current information on the ISE APIs can be found at the following link:

https://cs.co/ise-api

The ERS API call you are trying to execute has a lot of details in the output. It takes time to return this info via cURL (it took over a minute in my single-node deployment), so I doubt you will get this output from the browser.

The newer OpenAPI provides a number of options related to the Deployment, so it would be better to use those API calls. Depending on which API calls are used by the Ansible module and how long the module waits, this may need to be raised as an issue on the GitHut repository.

View solution in original post

6 Replies 6

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎04-17-2023 10:24 AM

You can refer this guide for more details.

0 Helpful

Go to solution
HouNet
Level 1
Level 1
In response to Nancy Saini

‎04-17-2023 11:06 AM

Thank you for the link. That example uses cisco.ise.network_device_info which works fine for me. For some reason I can't seem to get cisco.ise.deployment_info to work and I am trying to figure out why. 

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to HouNet

‎04-17-2023 04:01 PM - edited ‎04-17-2023 04:14 PM

You might have a look at the following Ansible code example for promoting the Primary PAN and joining the remaining nodes to the deployment. This was used for a previous ISE Webinar.

https://github.com/hosukw/Full_ISE_Terraform_Ansible_AWS/blob/main/ansible/demo_all.yml

 

 

Any issues with the ansible modules would need to be raised on the official GitHub repository for the Ansible collections (after confirming that the API calls work properly):

https://github.com/CiscoISE/ansible-ise/issues

 

0 Helpful

Go to solution
HouNet
Level 1
Level 1
In response to Greg Gibbs

‎04-17-2023 05:32 PM - edited ‎04-17-2023 05:34 PM

Thank you, I am hung up on confirming that the API calls work properly. When I run the playbook in debug mode I see this

 

Request
        URL: https://xxx.xxxxxx.xxx/ers/config/deploymentinfo/getAllInfo
        Method: GET

 

 
which makes me believe that I can simply put that URL in my browser, type my credentials and I should see the correct output (or use curl, of course). But I get an empty answer when I use the admin node and a login page when I use a PSN node. I can't seem to find anything that specified which node I should be using. All of the examples are just something like "ise_nodes". Before I try reporting this can anyone explain to me which nodes I should be using? Or should everything work through the main admin node?

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to HouNet

‎04-17-2023 06:27 PM

All ERS and OpenAPI calls must be directed to the PAN, unless you have configured another node as the API Gateway. All of the current information on the ISE APIs can be found at the following link:

https://cs.co/ise-api

The ERS API call you are trying to execute has a lot of details in the output. It takes time to return this info via cURL (it took over a minute in my single-node deployment), so I doubt you will get this output from the browser.

The newer OpenAPI provides a number of options related to the Deployment, so it would be better to use those API calls. Depending on which API calls are used by the Ansible module and how long the module waits, this may need to be raised as an issue on the GitHut repository.

Go to solution
HouNet
Level 1
Level 1
In response to Greg Gibbs

‎04-17-2023 08:00 PM

That was exactly what I needed. I thought a timeout of 300 was really long but after reading your reply I changed it to 900 and it worked. Thank you for your help.

Customers Also Viewed These Support Documents