Automate removal of Authentication on an ISE Node using REST and SSH

eespin
Level 1

Hello!

 

I'm fairly new to these forums and looking for some guidance in providing an elegant solution to our problem.

 

My organization leverages ISE with all access layer endpoints. Essentially all workstations, laptops, etc., with the exception of some statically configured devices like printers.

 

Currently the Network team is being flooded with tickets from Service Desk when troubleshooting connectivity issues. It has become process-like behavior to first request ISE to be removed from a user's port (essentially removed from their access switch). This process was manual in the sense that a wall jack would be labeled with the network switch used, and a letter; however, the letter can represent up to 4 network ports on that jack (not granular enough or consistent). So someone has to manually go to the switch and see which port is active, and then remove authentication on that port and follow up.

 

I looked at the REST services available and am able to see the active sessions by hitting the PSN with the following call:

https://$psn/ise/mnt/api/Session/ActiveList

and drilling through the attributes in the returned ['activeSession'], these include ['calling_station_id'] and ['nas_ip_address'], which are essentially the endpoint's MAC address and the network switch used.

 

THIS IS PERFECT - if it worked.

I scripted a process to snag the MAC address, SSH to the switch, send an ARP table through CLI, regex for the interface used by the MAC, then send CLI commands to remove authentication. However, it doesn't work.

 

It seems if authentication is challenged or if ISE is actually keeping the endpoint off the network, then it in fact is not on the "activeSession" list returned by the PSN api. Are the ones currently challenged returned elsewhere? Is what we're trying to do possible via this method?

 


8 Replies

dodgerfan78
Level 1

Perhaps you need to actually delete the endpoint? This is what I do in my lab when I need to refresh things to test new policy. To do this I get the endpoint ID from the MAC, and then delete the Endpoint ID.

 

GET https://$psn:9060/ers/config/endpoint/name/$mac

DELETE https://$psn:9060/ers/config/endpoint/$endpointid

paul
Level 10

You really shouldn't be removing ISE from ports.  You should be putting a method in place for the Service Desk to put MAC addresses into a temporary bypass condition so troubleshooting can occur.  You can use a MyDevices portal for this or allow the Service Desk to use the context visibility screen in ISE to put MAC addresses into a specific endpoint identity group.

Unfortunately the way our organization is, they don't and won't be allowed access to ISE directly so we'd like to abstract that by front ending some of the functionality through the API. Can a MAC address be placed in bypass condition using ERS?

I believe you would just change the endpoint profile to your whitelist, and then send a CoA. These can be done via the API. 
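As an added example (not code from anyone in this thread): it parses the MnT ActiveList response the original poster describes, handling the case where a challenged or rejected endpoint is simply absent, and then builds the ERS endpoint-group change plus CoA that the replies above recommend instead of removing authentication from the switch port. The ActiveList XML and ERS JSON are constructed samples, and the ERS PUT semantics and MnT CoA path are assumptions to verify against your ISE release.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of a GET https://$psn/ise/mnt/api/Session/ActiveList response.
ACTIVE_LIST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<activeList noOfActiveSession="1">
  <activeSession>
    <user_name>jdoe</user_name>
    <calling_station_id>00:11:22:AA:BB:CC</calling_station_id>
    <nas_ip_address>10.20.30.40</nas_ip_address>
    <acs_server>psn01</acs_server>
  </activeSession>
</activeList>"""

# Constructed sample of a GET https://$psn:9060/ers/config/endpoint/name/$mac response.
ENDPOINT_JSON = json.dumps({"ERSEndPoint": {
    "id": "11111111-2222-3333-4444-555555555555",       # constructed endpoint id
    "name": "00:11:22:AA:BB:CC",
    "mac": "00:11:22:AA:BB:CC",
    "groupId": "aaaaaaaa-0000-0000-0000-000000000000",  # constructed: current group
    "staticGroupAssignment": False,
}})

def find_session(active_list_xml, mac):
    """Return the NAS (switch) IP and owning PSN for a MAC, or None.
    An endpoint ISE is still challenging, or has rejected, has no entry
    in ActiveList, which is exactly the gap the original poster hit."""
    root = ET.fromstring(active_list_xml)
    for sess in root.iter("activeSession"):
        if (sess.findtext("calling_station_id") or "").upper() == mac.upper():
            return {"nas_ip_address": sess.findtext("nas_ip_address"),
                    "acs_server": sess.findtext("acs_server")}
    return None

def bypass_put(endpoint_json, bypass_group_id):
    """Build the ERS PUT path and body that move the endpoint into the
    temporary-bypass identity group and pin it there, so profiling cannot
    silently move it back (assumed ERS PUT semantics: send the whole object)."""
    ep = json.loads(endpoint_json)["ERSEndPoint"]
    ep["groupId"] = bypass_group_id
    ep["staticGroupAssignment"] = True
    return f"/ers/config/endpoint/{ep['id']}", {"ERSEndPoint": ep}

def coa_reauth_path(psn, mac):
    """MnT CoA re-authentication path (reauth type 0 = DEFAULT), assumed from
    the ISE API reference. Needed after the group change so the switch
    re-runs authentication and the new policy takes effect."""
    return f"/admin/API/mnt/CoA/Reauth/{psn}/{mac}/0"
```

The bypass group's id comes from your own ISE (for example via GET /ers/config/endpointgroup), and the account used for ERS should be limited to the endpoint-management role rather than a full admin.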

The Temp bypass portal using the MyDevices portal is not allowing direct access to the ISE GUI.  This is a separate GUI whose only job is to put MAC addresses into a particular endpoint identity group (whitelist).  Basically, if you spend time coding a REST API method to do this and create a front-end GUI around your API, you would simply be recreating something ISE already offers.

If you block someone from doing something but still want them to do that thing, then yes, I believe it is accurate to say, you will need to copy that original thing into a space where they are allowed to do it. Automation can often involve particular tasks from other GUIs or systems that already exist, because you are putting them into the context of a particular workflow that has some other benefit or value. 

You can also look at automation using Adaptive Network Control policies
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01101.html

Recommend segmenting using SGTs as well instead of switch ACL or VLANs


We are just cautious of the level of access we grant. Do you know what permissions are required?
