04-25-2022 07:57 AM
Hi Everyone,
We are building a portal to assist users in SD-Access migration. As soon as an L2 switch is brought under the SD-Access domain, certain endpoints authenticate through dot1x; the rest of the endpoints do not get access. We have a requirement to list all potential MAB endpoints connected to a NAS so that a site admin (not an ISE admin) can log in to the portal, click on the particular NAS IP and then proceed to assign a static group assignment (which can be automated through an ERS call).
Can you suggest which approach would be ideal to list all MAC addresses corresponding to a NAS that are yet to be assigned a valid profile, for automation? Is there an ERS call that lists the MAC-to-NAS mapping, or can it be done through pxGrid?
Any help is much appreciated.
04-25-2022 09:20 AM
Sharing as this may help: ISE ERS API Examples - Cisco Community
I think there are a few options that may work for this type of request. Some easier than others, but I am sharing my thoughts on a couple in hopes one of the following options would work:
-You mentioned this: Can you suggest which approach would be ideal to list down all MAC address corresponding to a NAS that are yet to be assigned a valid profile for automation; My first thought is could you query the Unknown endpoint identity group to get a list of MACs that ISE classifies with Unknown endpoint profile. Yes, this would not present the NAD--MAC mapping, but it would be a starting point for obtaining a list. You could then take this list and potentially run queries where you would consume MNT APIs on each client session. Kicker here is parsing the returned data to extract what you want (AKA what NAD it is connected to).
-IMO an easier option: Rely on something like ansible/python to connect to NADs, run a 'show access-session | i mab'; then dump this info into a csv or something so you have this info you are looking for;
Curl commands that may help:
-----
Get Unique Group ID string:
----
curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user user:pass --request GET https://xx.xx.xx.xx:9060/ers/config/endpointgroup?filter=name.EQ.Unknown
Get list of MACs with groupId string filter:
----
curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user user:pass --request GET 'https://xx.xx.xx.xx:9060/ers/config/endpoint?filter=groupId.EQ.6cd78cb0-xx-xx-a867-1e4ebebfb039&size=100'
Get session details for given MAC:
----
curl -k --include --user user:pass --request GET https://xx.xx.xx.xx/admin/API/mnt/Session/MACAddress/3C:xx:xx:92:xx:xx
Good luck & HTH!
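The first option above chains three calls: look up the Unknown group id, page through the endpoints in that group, then hit the MNT session API per MAC and pull the NAS out of the response. The following is an added example (not code from this thread or from Cisco) that does exactly that in Python with the HTTP layer injected, so the constructed sample responses below run offline. Assumptions are the hostname, the group id and MACs, and that the MNT Session/MACAddress reply is XML carrying a nas_ip_address element under its root (empty root when the MAC has no live session).

```python
"""Group ISE endpoints still profiled as 'Unknown' by the NAS they sit behind.

Added example (not code from the thread). It chains the three ERS/MNT calls
from the curl commands above: endpointgroup lookup, endpoint list filtered by
groupId (walking ERS pagination), then the MNT Session/MACAddress query per
MAC to read nas_ip_address. The HTTP layer is injected so it runs offline.
"""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Callable, Dict, List

ERS_HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}
PAGE_SIZE = 100  # ERS caps 'size' at 100, so larger groups must be paged

# fetch(url, headers) -> response body. In production wrap requests.get with
# auth=(user, pw) and verify= pointing at the ISE admin certificate chain.
Fetcher = Callable[[str, Dict[str, str]], str]


def unknown_group_id(fetch: Fetcher, host: str) -> str:
    """Resolve the id of the built-in 'Unknown' endpoint identity group."""
    url = f"https://{host}:9060/ers/config/endpointgroup?filter=name.EQ.Unknown"
    resources = json.loads(fetch(url, ERS_HEADERS))["SearchResult"]["resources"]
    if len(resources) != 1:
        raise LookupError(f"expected exactly one 'Unknown' group, got {len(resources)}")
    return resources[0]["id"]


def endpoints_in_group(fetch: Fetcher, host: str, group_id: str) -> List[str]:
    """Return every endpoint MAC in the group, following ERS nextPage links."""
    macs: List[str] = []
    url = f"https://{host}:9060/ers/config/endpoint?filter=groupId.EQ.{group_id}&size={PAGE_SIZE}"
    while url:
        result = json.loads(fetch(url, ERS_HEADERS))["SearchResult"]
        macs.extend(r["name"] for r in result["resources"])  # endpoint name is the MAC
        url = result.get("nextPage", {}).get("href")  # key is absent on the last page
    return macs


def session_nas(fetch: Fetcher, host: str, mac: str) -> str:
    """NAS IP of the MAC's live session, or '' if it has none.

    Assumption: MNT answers with XML that has a nas_ip_address element under
    the root; an empty root means no active session for that MAC.
    """
    root = ET.fromstring(fetch(f"https://{host}/admin/API/mnt/Session/MACAddress/{mac}", {}))
    node = root.find(".//nas_ip_address")
    return node.text.strip() if node is not None and node.text else ""


def unprofiled_by_nas(fetch: Fetcher, host: str) -> Dict[str, List[str]]:
    """{nas_ip: [mac, ...]} for Unknown-profiled endpoints that currently have a session."""
    by_nas: Dict[str, List[str]] = defaultdict(list)
    for mac in endpoints_in_group(fetch, host, unknown_group_id(fetch, host)):
        nas = session_nas(fetch, host, mac)
        if nas:  # endpoint-DB leftovers with no session are not on any NAS right now
            by_nas[nas].append(mac)
    return dict(by_nas)


# --- constructed sample responses (shaped like ISE output, not captured from a real node) ---
HOST = "ise.example.net"
GID = "6cd78cb0-0000-0000-a867-1e4ebebfb039"  # hypothetical group id
_EP = f"https://{HOST}:9060/ers/config/endpoint"
_MNT = f"https://{HOST}/admin/API/mnt/Session/MACAddress/"


def _ep_page(macs, next_href=None):
    page = {"total": 4, "resources": [{"id": f"id-{m[-2:]}", "name": m} for m in macs]}
    if next_href:
        page["nextPage"] = {"rel": "next", "href": next_href, "type": "application/json"}
    return json.dumps({"SearchResult": page})


def _mnt(nas_ip):
    return f"<sessionParameters><nas_ip_address>{nas_ip}</nas_ip_address></sessionParameters>"


SAMPLE = {
    f"https://{HOST}:9060/ers/config/endpointgroup?filter=name.EQ.Unknown":
        json.dumps({"SearchResult": {"total": 1, "resources": [{"id": GID, "name": "Unknown"}]}}),
    f"{_EP}?filter=groupId.EQ.{GID}&size={PAGE_SIZE}":
        _ep_page(["3C:AA:BB:92:CC:01", "3C:AA:BB:92:CC:02"],
                 f"{_EP}?filter=groupId.EQ.{GID}&size={PAGE_SIZE}&page=2"),
    f"{_EP}?filter=groupId.EQ.{GID}&size={PAGE_SIZE}&page=2":
        _ep_page(["3C:AA:BB:92:CC:03", "3C:AA:BB:92:CC:04"]),
    _MNT + "3C:AA:BB:92:CC:01": _mnt("10.10.20.1"),
    _MNT + "3C:AA:BB:92:CC:02": _mnt("10.10.30.1"),
    _MNT + "3C:AA:BB:92:CC:03": _mnt("10.10.20.1"),
    _MNT + "3C:AA:BB:92:CC:04": "<sessionParameters/>",  # stale endpoint, no session
}


def sample_fetch(url: str, headers: Dict[str, str]) -> str:
    return SAMPLE[url]


if __name__ == "__main__":
    for nas, macs in unprofiled_by_nas(sample_fetch, HOST).items():
        print(nas, macs)
```

Two practical notes: the Unknown group only tells you which endpoints profiling could not classify, so a MAC that ISE already has in another group but is still failing MAB will not show up here, and the per-MAC MNT call scales linearly, so for a large site cache the results rather than querying on every page load.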
05-07-2022 05:12 PM
Hey Mike, thanks very much for the answer! We pretty much settled on the following stack to achieve our aim. The backend app (Django in our case) starts the workflow by pulling a list of NAS devices from ISE. When a site admin logs in he should be able to see the list of NAS devices of his site only, so we are filtering the NAS devices based on location and displaying key info like the serial number and IP address of the NAS. From there they will be able to go to the individual EN (edge node) workflow where the list of auth sessions will be displayed. To achieve this we went with a much simpler approach of talking to the switch itself and getting the output of "sh auth sessions". For all unauthenticated endpoints the user will be able to further complete the workflow by adding a MAB entry which will be pushed through ISE. All NAS devices and endpoints have been modeled as Django models to give a faster user experience to the users.
Thanks very much for your answer, it helped us start in the right direction. Much appreciated.
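The approach the thread settled on, as an added example rather than the poster's Django code: parse the summary table from "show authentication sessions" on the edge node, keep the sessions the switch reports as Unauth, and build the ERS endpoint payload that pins each MAC to an endpoint identity group with staticGroupAssignment. The switch output below is constructed to follow the IOS-XE summary column layout; the group id and NAS IP are assumptions.

```python
"""Turn 'show authentication sessions' output into ERS static-group assignments.

Added example, not the poster's Django code. It parses the summary table the
switch prints (constructed sample embedded below), keeps sessions that are not
yet authorized, and builds the ERS endpoint payload that pins each MAC to an
endpoint identity group. Assumption: the Status column reads Auth or Unauth.
"""
import json
import re
from typing import Dict, List

SESSION_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>Auth|Unauth)\b",
    re.IGNORECASE,
)

# Constructed sample in the shape of 'show authentication sessions' on a Cat9k edge node.
SAMPLE_OUTPUT = """\
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi1/0/1                  0050.56bf.1a2b dot1x   DATA    Auth       0A0A1401000000120001F5A3
Gi1/0/2                  0011.2233.4455 mab     DATA    Unauth     0A0A1401000000130001F6B4
Gi1/0/3                  3c5a.b4aa.bbcc N/A     UNKNOWN Unauth     0A0A14010000001400020123
Gi1/0/4                  0011.2233.4466 mab     DATA    Auth       0A0A1401000000150002A1B2

Session count = 4
"""


def mac_to_ise(cisco_mac: str) -> str:
    """'0011.2233.4455' -> '00:11:22:33:44:55', the form ERS stores and filters on."""
    digits = cisco_mac.replace(".", "").upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a dotted-hex MAC: {cisco_mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """One dict per session row; header, separator and summary lines do not match."""
    rows = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = mac_to_ise(row["mac"])
            row["method"] = row["method"].lower()
            row["status"] = row["status"].capitalize()
            rows.append(row)
    return rows


def unauthorized(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Sessions ISE has not authorized yet: the candidates for a static MAB entry."""
    return [r for r in rows if r["status"] == "Unauth"]


def static_group_body(mac: str, group_id: str, description: str = "") -> Dict:
    """ERS endpoint payload that pins the MAC to group_id regardless of profiling.

    POST it to /ers/config/endpoint for a MAC ISE does not know yet. For a MAC
    ISE already holds (for example in Unknown), look up its id and PUT to
    /ers/config/endpoint/{id}; a POST on an existing MAC is rejected as a duplicate.
    """
    return {"ERSEndPoint": {
        "name": mac,
        "mac": mac,
        "description": description,
        "groupId": group_id,
        "staticGroupAssignment": True,   # stay in the group even if profiling disagrees
        "staticProfileAssignment": False,
    }}


def plan_assignments(text: str, group_id: str, nas_ip: str) -> List[Dict]:
    """Payloads for every unauthorized session in the output of one NAS."""
    return [static_group_body(r["mac"], group_id, f"{nas_ip} {r['intf']} via portal")
            for r in unauthorized(parse_sessions(text))]


if __name__ == "__main__":
    # Hypothetical group id and NAS address for the demo run.
    for body in plan_assignments(SAMPLE_OUTPUT, "group-id-placeholder", "10.10.20.1"):
        print(json.dumps(body))
```

Because the portal lets a site admin write to ISE, keep the ERS credentials on the backend only and have the portal validate that the NAS whose output is being parsed belongs to that admin's site before any payload is pushed; a MAC pasted from another site's switch must never be assignable from this screen.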