Solved: Re: API Queries

abinjola · ‎12-13-2018

What API can be used to whitelist MAC address with a time limit. By calling EndPoint API we can Add an end point, but it seems end point API does not have any start time and expiry time field ?
Can a MAC address be added within time bound for whitelisting does the MAC from whitelisted endpoint gets purged or removed upon reaching time expiration ?

3. Which API to be called for bulk uploading MAC address for exception list using template?

Appreciate any feedback on questions below

Jason Kunst · ‎12-14-2018

Please provide more details exactly the flow and why they need this. Might be another way to do this. Also what happens after they expire. What type of users are they? Will they be back? Is there any authentication taking place? What happens when the come back next day, etc

The only way to do what you’re saying with the info you provided is to create your own tracking mechanism on Linux machine that calls api to put into one group and then another group when they want to change access

Checking http://cs.co/ise-guest

What about guest access 1 hour in a day hotspot?

View solution in original post

Jason Kunst · ‎12-13-2018

There is no API with a time limit. You would have to build a system to monitor that and call the API when you wanted it removed.

Which API to be called for bulk uploading MAC address for exception list using template?
https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623#toc-hId-1183657558
https://developer.cisco.com/docs/identity-services-engine/#!bulk-operations/monitoring-bulk-execution-status

abinjola · ‎12-13-2018

>> There is no API with a time limit. You would have to build a system to monitor that and call the API when you wanted it removed.
So time and date is available as a policy condition on ISE UI but those attributes not exposed to API’s ? is there a API I can use to track when this session ends and maybe use that session-ID to invoke API to kill/remove that endpoint ? Just trying to figure out how to automate this simple task of
mac whitelisted--->user connects---->time expires--->endpoint removed/purged

Jason Kunst · ‎12-13-2018

Authorization rules are not tied to endpoint groups for removal. They simply authorize based on criteria. Endpoint purging removes endpoints with respect to days

There are no variables assigned to an endpoint to remove from a list. No such mechanism.

What exactly are you trying to accomplish? Please explain your use case . There might be a better way to accomplish this

abinjola · ‎12-13-2018

Whitelisting MAC for certain time period only. These whitelisted MACs only need access for certain time. Once the time expires, ISE should remove/delete/undo this MACs from whitelist.

paul · ‎12-14-2018

As Jason said I think the easiest approach would be to put the MAC address into an endpoint identity group that is purged on a set schedule. I use this for my ISE Temp Bypass concept. The help desk, desktop team, etc can add MAC addresses into a ISE so they can troubleshoot a device, but the devices in the list are purged out every night at 3:00 a.m. when the purge job runs.

Jason Kunst · ‎12-14-2018

Please provide more details exactly the flow and why they need this. Might be another way to do this. Also what happens after they expire. What type of users are they? Will they be back? Is there any authentication taking place? What happens when the come back next day, etc

The only way to do what you’re saying with the info you provided is to create your own tracking mechanism on Linux machine that calls api to put into one group and then another group when they want to change access

Checking http://cs.co/ise-guest

What about guest access 1 hour in a day hotspot?