API for CoA - disconnect with port bounce

Dave Lewis
Level 1

Hello,

I am trying to use the monitoring API for CoA as detailed in - https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/api_ref_guide/api_ref_book/ise_api_ref_ch4.html

I have successfully retrieved the endpoint details based on the MAC address and now I want to initiate a port-bounce disconnect, but ISE is not allowing me to do so and returns 'false' in the results field.

The documentation mentions the following fields but doesn't really explain them; could someone please assist if they've managed to get this working:

<Disconnect> = This isn't a variable I think? It's just "Disconnect"?

<serverhostname> = Is this the PSN that authenticated the last session or the monitoring node?

<macaddress> = MAC address of the endpoint I want to disconnect

<portoptiontype> = 0, 1 or 2 as per the documentation, so 1 for port-bounce

<nasipaddress> = IP of the switch/AP the device is connected to

<destinationipaddress> = IP address of the client? Sometimes this isn't available.

Here's an example call with details changed:

https://mymntnode.fqdn/admin/API/mnt/CoA/Disconnect/mypsnnode/00:CC:0C:01:05:04/1/10.5.5.1/10.5.28.176

The details are correct as per the 'admin/API/mnt/Session/MACAddress/00:CC:0C:01:05:04' call, but I always receive:

<remoteCoA requestType="disconnect">
<results>false</results>
</remoteCoA>

Any ideas appreciated. This is on ISE 2.2 patch 9.

Thanks,

Dave
4 Replies

nicklas
Level 1

Interested in a solution; I also want to do a port bounce via the REST API, based on MAC address.

Also wondering if there are alternatives. When changing an endpoint's group through ISE ERS, it seems that ISE is not performing a port-bounce for me. Can it be addressed with profiles?

I just tested the CoA port bounce via MNT API call in ISE 3.0 p4 as per the API Reference and it worked as expected. The switchport was bounced and I received a 200 OK response with the following payload.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<remoteCoA requestType="disconnect">
    <results>true</results>
</remoteCoA>

Yeah, I have read the documentation for this API, but am a little confused about how to use it from code...

Step 1 Enter the Cisco ISE URL in the address bar of your browser (for example, https://<ise hostname or ip address>/admin/ ).

Step 2 Enter the username and case-sensitive password, that was specified and configured during the initial Cisco ISE setup.

Step 3 Click Login or press Enter .

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

.../admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash

Step 4 Enter the Disconnect API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/admin/API/mnt/CoA/<Disconnect>/<serverhostname>/<macaddress>/<portoptiontype>/<nasipaddress>/<destinationipaddress>):

.../admin/API/mnt/CoA/Disconnect/server12/00:26:82:7B:D2:51/2/10.10.10.10/192.168.1.1

Note:  You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of “mnt” in the API call convention represents a Cisco Monitoring ISE node.

Step 5 Press Enter to issue the API call.

------------------------------------------------------------------------------------

For example, steps 1-3 are not something you do from code...

Can I use Basic authentication in the HTTP request, or a token, and directly do the disconnect request?

.../admin/API/mnt/CoA/Disconnect/server12/00:26:82:7B:D2:51/2/10.10.10.10/192.168.1.1

I read that you did not have to enter the IP addresses (which is good, because I cannot find out what these would be from the ISE ERS API), but I do have the MAC address and it should be enough, I hope.

... and where can I get the serverhostname? (What serverhostname? The CoA server? The "server"/"client" I want a port-bounce for?)

w. Regards

/N

The ISE API supports only Basic authentication, so you would need an Authorization header with the base64-encoded username and password for a user with at least MnT Admin role permissions.

The documentation for the API call includes the current endpoint IP address (destinationipaddress). The API will throw a 404 error if this is excluded, so I'm not aware of a way around including this value. If an active endpoint session does not have an associated IP address, that might require some investigation first.

The 'serverhostname' value is the hostname of the PSN node that owns the endpoint session. These attributes can be quite dynamic in a large environment, so you would typically need to get the detailed session information by either MAC address or IP address and use the values from that response in your Disconnect API call.

Example from session detail response:

<sessionParameters>
..snip..
    <calling_station_id><macaddress></calling_station_id>
    <device_ip_address><nasipaddress></device_ip_address>
    <acs_server><serverhostname></acs_server>
    <framed_ip_address><destinationipaddress></framed_ip_address>
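As an added example (not code from this thread, and not Cisco's), the Python script below chains the two MnT calls the replies describe: it fetches the session detail by MAC address, pulls acs_server, calling_station_id, device_ip_address and framed_ip_address out of the response, builds the case-sensitive Disconnect URL with port option 1, and sends it with a Basic Authorization header. The hostnames, credentials and the two sample XML responses are constructed placeholders (the sample responses only follow the element names quoted in the reply above), and the helper names are my own. It also handles the failure mode the reply mentions: a session with no learned IP address is refused before the Disconnect call is attempted, instead of letting ISE answer with a 404.

```python
"""Drive the ISE MnT CoA Disconnect API from code (hypothetical example, not Cisco code):
look up the live session by MAC, take the four dynamic values from the session-detail XML,
then issue the Disconnect call with Basic authentication."""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Port option value given in the thread: 1 = port bounce. The meaning of 0 and 2 is
# left to the API reference guide linked in the original post.
PORT_OPTION_BOUNCE = 1

# Session-detail element names quoted in the final reply, mapped to the Disconnect URL.
REQUIRED_FIELDS = ("calling_station_id", "device_ip_address", "acs_server", "framed_ip_address")

# Constructed sample (not captured from a real node), using the poster's example values.
SAMPLE_SESSION_XML = """<sessionParameters>
    <calling_station_id>00:CC:0C:01:05:04</calling_station_id>
    <device_ip_address>10.5.5.1</device_ip_address>
    <acs_server>mypsnnode</acs_server>
    <framed_ip_address>10.5.28.176</framed_ip_address>
</sessionParameters>"""

# Constructed sample of the failure case: no IP learned for the endpoint yet.
SAMPLE_NO_IP_XML = """<sessionParameters>
    <calling_station_id>00:CC:0C:01:05:04</calling_station_id>
    <device_ip_address>10.5.5.1</device_ip_address>
    <acs_server>mypsnnode</acs_server>
    <framed_ip_address></framed_ip_address>
</sessionParameters>"""


def missing_fields(xml_text):
    """Return the names of required session attributes that are absent or empty."""
    root = ET.fromstring(xml_text)
    missing = []
    for name in REQUIRED_FIELDS:
        value = root.findtext(".//" + name)
        if value is None or not value.strip():
            missing.append(name)
    return missing


def parse_session(xml_text):
    """Extract the values the Disconnect call needs; refuse to continue if any is missing."""
    missing = missing_fields(xml_text)
    if missing:
        raise ValueError("session detail lacks %s; Disconnect would fail" % ", ".join(missing))
    root = ET.fromstring(xml_text)
    return {name: root.findtext(".//" + name).strip() for name in REQUIRED_FIELDS}


def build_disconnect_url(mnt_host, session, port_option=PORT_OPTION_BOUNCE):
    """Assemble the case-sensitive MnT Disconnect path from the session values."""
    return "https://%s/admin/API/mnt/CoA/Disconnect/%s/%s/%d/%s/%s" % (
        mnt_host, session["acs_server"], session["calling_station_id"],
        port_option, session["device_ip_address"], session["framed_ip_address"])


def basic_auth_header(username, password):
    """Authorization header value: 'Basic ' + base64(username:password)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_coa_result(xml_text):
    """True when <remoteCoA><results> says 'true', False otherwise."""
    root = ET.fromstring(xml_text)
    return (root.findtext(".//results") or "").strip().lower() == "true"


def _get(url, auth_header, cafile=None):
    """HTTPS GET with Basic auth; the MnT node's certificate is verified (cafile for a private CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers={"Authorization": auth_header, "Accept": "application/xml"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8")


def port_bounce(mnt_host, username, password, mac, cafile=None):
    """Look up the endpoint's live session by MAC, then issue the port-bounce Disconnect."""
    auth = basic_auth_header(username, password)
    session_xml = _get("https://%s/admin/API/mnt/Session/MACAddress/%s" % (mnt_host, mac), auth, cafile)
    session = parse_session(session_xml)  # raises before any CoA if the IP is unknown
    result_xml = _get(build_disconnect_url(mnt_host, session, PORT_OPTION_BOUNCE), auth, cafile)
    return parse_coa_result(result_xml)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; against a real deployment you would
    # call port_bounce("mymntnode.fqdn", "mnt-admin-user", "password", "00:CC:0C:01:05:04").
    sess = parse_session(SAMPLE_SESSION_XML)
    print(build_disconnect_url("mymntnode.fqdn", sess))
    print("missing in second sample:", missing_fields(SAMPLE_NO_IP_XML))
```

The account used needs the MnT Admin role the reply mentions, and the request goes over TLS with certificate verification left on; if the MnT node uses an internal CA, pass its certificate as cafile rather than disabling verification.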