cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
885
Views
0
Helpful
6
Replies

API Queries

abinjola
Cisco Employee
Cisco Employee
  1. What API can be used to whitelist MAC address with a time limit. By calling EndPoint API we can Add an end point, but it seems end point API does not have any start time and expiry time field ?
  2. Can a MAC address be added within time bound for  whitelisting does the MAC from whitelisted endpoint gets purged or removed  upon reaching time expiration ?

 3. Which API to be called for bulk uploading MAC address for exception list using template?

 

Appreciate any feedback on questions below

1 Accepted Solution

Accepted Solutions

Please provide more details exactly the flow and why they need this. Might be another way to do this. Also what happens after they expire. What type of users are they? Will they be back? Is there any authentication taking place? What happens when the come back next day, etc

The only way to do what you’re saying with the info you provided is to create your own tracking mechanism on Linux machine that calls api to put into one group and then another group when they want to change access

Checking http://cs.co/ise-guest

What about guest access 1 hour in a day hotspot?

View solution in original post

6 Replies 6

Jason Kunst
Cisco Employee
Cisco Employee
There is no API with a time limit. You would have to build a system to monitor that and call the API when you wanted it removed.

Which API to be called for bulk uploading MAC address for exception list using template?
https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623#toc-hId-1183657558
https://developer.cisco.com/docs/identity-services-engine/#!bulk-operations/monitoring-bulk-execution-status


>> There is no API with a time limit. You would have to build a system to monitor that and call the API when you wanted it removed.
So time and date is available as a policy condition on ISE UI but those attributes not exposed to API’s ? is there a API I can use to track when this session ends and maybe use that session-ID to invoke API to kill/remove that endpoint ? Just trying to figure out how to automate this simple task of
mac whitelisted--->user connects---->time expires--->endpoint removed/purged

Authorization rules are not tied to endpoint groups for removal. They simply authorize based on criteria. Endpoint purging removes endpoints with respect to days

There are no variables assigned to an endpoint to remove from a list. No such mechanism.

What exactly are you trying to accomplish? Please explain your use case . There might be a better way to accomplish this

Whitelisting MAC for certain time period only. These whitelisted MACs only need access for certain time. Once the time expires, ISE should remove/delete/undo this MACs from whitelist.

As Jason said I think the easiest approach would be to put the MAC address into an endpoint identity group that is purged on a set schedule.  I use this for my ISE Temp Bypass concept.  The help desk, desktop team, etc can add MAC addresses into a ISE so they can troubleshoot a device, but the devices in the list are purged out every night at 3:00 a.m. when the purge job runs.

 

 

Please provide more details exactly the flow and why they need this. Might be another way to do this. Also what happens after they expire. What type of users are they? Will they be back? Is there any authentication taking place? What happens when the come back next day, etc

The only way to do what you’re saying with the info you provided is to create your own tracking mechanism on Linux machine that calls api to put into one group and then another group when they want to change access

Checking http://cs.co/ise-guest

What about guest access 1 hour in a day hotspot?