Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5805
Views
30
Helpful
11
Replies

Automate ISE endpoint export

Go to solution
mike.ng.kl
Level 1
Level 1

‎11-23-2018 02:26 PM

Hi ISE experts

 

Is there a way to schedule endpoint export to a csv file regularly on ISE? I can see the export button but would like to automate it. Cannot find anything about the related automation in ISE documentation. 

 

Thank you in advance. 

 

Cheers

Mike Ng

2 people had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
pan
Cisco Employee
Cisco Employee
In response to mike.ng.kl

‎11-25-2018 09:11 AM

You can export the endpoint from CLI as well. What you can do is write some script which can login to ISE and run command "application configure ise".

 

ise-01/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[0]Exit

Option 16 is what you have to select. File will be present in /localdisk and then you can export them using copy command.

 

View solution in original post

11 Replies 11

Go to solution
Nadav
Level 7
Level 7

‎11-24-2018 04:55 AM - edited ‎11-24-2018 05:09 AM

One option is an ERS script. Check out:

https://hostname:9060/ers/sdk#Get-All

 

Just make sure ERS is enabled on your PAN and the user is in the ERS Admins group.

Go to solution
mike.ng.kl
Level 1
Level 1
In response to Nadav

‎11-25-2018 08:46 AM

Thank you for your reply but ERS API does not scale. It took 18 hours to dump 200K mac addresses with endpoint group information. The export button on GUI only took 15 mins. Is there a way to replicate the GUI export action? 

0 Helpful

Go to solution
pan
Cisco Employee
Cisco Employee
In response to mike.ng.kl

‎11-25-2018 09:11 AM

You can export the endpoint from CLI as well. What you can do is write some script which can login to ISE and run command "application configure ise".

 

ise-01/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[0]Exit

Option 16 is what you have to select. File will be present in /localdisk and then you can export them using copy command.

 

Go to solution
mike.ng.kl
Level 1
Level 1
In response to pan

‎11-25-2018 03:33 PM

Thank you will test it out. 

0 Helpful

Go to solution
Nadav
Level 7
Level 7
In response to mike.ng.kl

‎11-25-2018 10:32 AM

If ERS is really that much slower than using a local application call,
maybe it's worth opening a TAC case whether you go the REST route or not.
0 Helpful

Go to solution
mike.ng.kl
Level 1
Level 1
In response to Nadav

‎11-25-2018 03:38 PM

It is apparently a design issue of ERS API. The get-all ERS call only dump the endpoint ID and MAC but not any details. To dump endpoint group and profile of each endpoint, it needs one get endpoint call per endpoint. So for 200K endpoints, the script needs to call the ERS API for 200K times - a definitely high number. If ERS can support get endpoint bulk call, it should resolve the issue - but unfortunately not. 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to mike.ng.kl

‎12-19-2018 07:25 PM

thanks i would recommend opening a tac case and getting a defect filed. I will also bring up with our PM for API. Please let us know the defect id

Go to solution
paul
Level 10
Level 10
In response to Jason Kunst

‎12-20-2018 07:38 AM

I believe the other issue is the endpoints are only shown in increments of a 100.  So you have to constantly make further calls to parse through the Get-All process.  On my large install with 600k+ endpoints that is a non-starter.

Go to solution
Parag Mahajan
Cisco Employee
Cisco Employee
In response to paul

‎12-20-2018 09:09 PM

I have faced similar challenge for one of my customer. We have filed below defect.

 

CSCve05681 ERS Get-All takes very long time for response
CSCvg64354 ENH ISE ERS calls should be processed much faster
 
 
 
0 Helpful

Go to solution
Michael Burk
Level 1
Level 1

‎10-08-2020 09:28 AM

Man this is a really great thread and saved alot of research. Would anyone be willing to share what their SSH script looked like? Thanks!

0 Helpful

Go to solution
elahtrebor
Level 1
Level 1
In response to Michael Burk

‎02-04-2022 01:25 PM - edited ‎02-04-2022 01:59 PM

I know this is a late answer but here is short script enumerating the ERS api using PERL and CURL to export all devices. (Attached)

Note must have CURL and set your ERS user, PW, and ISE host in the script. Dumps the JSON but can easily be parsed.

The script just calls a loop against the ERS api and looks for "nextPage" in the output.

 

 

exportDevices.pl.zip
Customers Also Viewed These Support Documents