05-08-2017 08:18 AM
Hello Team,
Does anybody know if it is possible to somehow get PAN role (Active/Standby) programmatically (via API) or manually via CLI (SSH session)?
Use case is: I have an API script running every night to do certain stuff on ISE (clean up Guests in my particular case). However my script is always connecting to a particular IP/hostname I specify in a cron job or manually via script options. If failover happens, I have no way to connect to a newly active (primary) PAN to do a nightly job.
I could use either API or SSH (via Expect/Pexpect) but I could find neither API nor CLI way of doing that - that is, of getting a definite answer on whether this particular box is Primary or Secondary PAN.
There is a line in "show tech" but triggering show tech every time I need to get a role is a bit too heavy, I think:
Node Config Details
NAME PERSONA ROLE ACTIVE REPLICATION
------------------- --------------- ---------- ---------- ---------------
test-ISE PAN,MNT,PSN STANDALONE ACTIVE Not Applicable
Thank you!
Amir
Solved! Go to Solution.
05-08-2017 05:10 PM
Hi Amir
There doesn't seem to be a CLI show command, nor does the SNMP MIB offer any hints. But there is another way.
You can enable the ERS in your Policy Nodes and then run a curl command to query via REST API.
In the examples below, 192.168.21.100 is my PAN (it should always have a good view of the system status) - you would have to make this flexible to ensure you hit the currently active PAN.
To demonstrate the return values, I use the Get-By-Name method to query status of "ise02" (which is a PSN), and "ise01" (which is my one and only PAN). I think this reflects the Admin node personas and their status.
abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise02' | grep PapNode
"isPapNode" : false,
"isPrimaryPapNode" : false,
[abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise01' | grep PapNode
"isPapNode" : true,
"isPrimaryPapNode" : true,
05-08-2017 05:06 PM
I responded to your original thread with archived discussions in using the fact that we would be getting HTTP 401 if performing non-read-only CRUD operations against non-Primary node. You could also parse the application deployment.log but again it's too heavy.
05-08-2017 05:10 PM
Hi Amir
There doesn't seem to be a CLI show command, nor does the SNMP MIB offer any hints. But there is another way.
You can enable the ERS in your Policy Nodes and then run a curl command to query via REST API.
In the examples below, 192.168.21.100 is my PAN (it should always have a good view of the system status) - you would have to make this flexible to ensure you hit the currently active PAN.
To demonstrate the return values, I use the Get-By-Name method to query status of "ise02" (which is a PSN), and "ise01" (which is my one and only PAN). I think this reflects the Admin node personas and their status.
abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise02' | grep PapNode
"isPapNode" : false,
"isPrimaryPapNode" : false,
[abier@centos ~]$ curl --tlsv1.1 -s -k -X GET -H 'ACCEPT: application/json' 'https://ers:password@192.168.21.100:9060/ers/config/node/name/ise01' | grep PapNode
"isPapNode" : true,
"isPrimaryPapNode" : true,
05-08-2017 05:28 PM
This is added in ISE 2.2 but, of course, everyone should be using 2.2. ;-)
05-09-2017 01:53 AM
Hello Arne!
Many-many thanks for your answer - yes, that is exactly what I needed but this is 2.2-specific, that is why I haven't noticed that in my 2.1 SDK portal
That is very useful info still, many thanks!
Regards, Amir
05-09-2017 07:46 AM
Arne's method is the suggested one, I think.
Meanwhile, for those of us who are not yet on 2.2 , the following will work: try to create user via API.
While primary will respond with HTTP 201, Secondary will tell you:
<!DOCTYPE html>
<html>
<head>
<title>
- Error report
</title>
<style type="text/css">
H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}
</style>
</head>
<body>
<h1>
HTTP Status 401 - The requested operation is allowd on PAP Node only.
</h1>
---snip---
You can parse response (I did that with Beautifulsoup on a python - so picking h1 header) and correctly identify secondary/primary PAN. Not an ideal solution, but works well.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide