Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2292
Views
15
Helpful
3
Replies

GET request for all SGT-IP mapping

Go to solution
racygin_max
Level 1
Level 1

‎08-10-2020 04:26 AM - edited ‎08-10-2020 07:17 AM

Hi all,

 

i am trying to fetch all SGT-IP bindings from my Cisco ISE in lab environment.

i use this uri https://ISENODE:9060/ers/config/sgmapping with GET request and next headers:

Accept:                application/json

Content-Type:      application/json

ERS-Media-Type  trustsec.sgmapping.1.0

 

and that's what i got as response:

{
  "SearchResult": {
    "total"1,
    "resources": []
  }
}

 

on ISE i have one static mapping (it fetches successfully by another request) and other learned from SXP device.

i expect to see all ip-sgt mapping (local, session, sxp)

 

Preview file
129 KB
Preview file
102 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎08-10-2020 03:57 PM

There is no single API call that will provide IP-SGT bindings for all methods (dynamic endpoint classifications, SXP, static IP-SGT mappings). These are configured in different parts of the UI and the values would be in different parts of the database with no direct linkage.

The API call you reference in your post would only give you the values listed in the Work Centers > TrustSec > Components > IP SGT Static Mapping section of the GUI.

For SXP, you would use the SXP Local Bindings API calls.

ISE does not technically keep a mapping of the IP address to SGT for endpoints. The SGT is assigned to the session and ISE tracks the endpoint by MAC Address. If ISE is getting the IP address from Device Sensor or the DHCP profiling probe, it should have the current IP address for the endpoint, but it does not link the two. To determine the SGT assigned to a particular active endpoint session, you would need to use the Monitoring Session API calls.

View solution in original post

3 Replies 3

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎08-10-2020 03:57 PM

There is no single API call that will provide IP-SGT bindings for all methods (dynamic endpoint classifications, SXP, static IP-SGT mappings). These are configured in different parts of the UI and the values would be in different parts of the database with no direct linkage.

The API call you reference in your post would only give you the values listed in the Work Centers > TrustSec > Components > IP SGT Static Mapping section of the GUI.

For SXP, you would use the SXP Local Bindings API calls.

ISE does not technically keep a mapping of the IP address to SGT for endpoints. The SGT is assigned to the session and ISE tracks the endpoint by MAC Address. If ISE is getting the IP address from Device Sensor or the DHCP profiling probe, it should have the current IP address for the endpoint, but it does not link the two. To determine the SGT assigned to a particular active endpoint session, you would need to use the Monitoring Session API calls.

Go to solution
thomas
Cisco Employee
Cisco Employee

‎08-11-2020 03:57 PM - edited ‎08-11-2020 03:58 PM

I just tried this on an ISE 2.4 deployment that has 2 static mappings and received a similar result as you, @racygin_max . It counted the total correctly but failed to show the actual resources[]  list with both XML and JSON.  I'm suspecting a big with this resource API.

 

image.png

https://ise:9060/ers/config/sgmapping :

JSON:

{
  "SearchResult": {
    "total": 2,
    "resources": []
  }
}

 

XML:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:searchResult total="2" xmlns:ns5="ers.ise.cisco.com" xmlns:ers-v2="ers-v2" xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns:ns3="v2.ers.ise.cisco.com">
    <ns3:resources/>
</ns3:searchResult>

 

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to thomas

‎08-11-2020 05:34 PM

As a comparison, I ran the same API call against my ISE 2.7 p2 instance and I see the individual resources. If you're using the latest patch for 2.4 (p12 at this time), it may be a bug in that version.

 

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:searchResult total="2" xmlns:ns5="ers.ise.cisco.com" xmlns:ers-v2="ers-v2" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="v2.ers.ise.cisco.com">
    <ns3:resources>
        <ns5:resource id="6af2b2d1-02fb-4130-9cdf-c9cee9774962" name="192.168.100.116/32">
            <link rel="self" href="https://ise27-sa:9060/ers/config/sgmapping/6af2b2d1-02fb-4130-9cdf-c9cee9774962" type="application/xml"/>
        </ns5:resource>
        <ns5:resource id="eb784712-3be5-4d3e-ae4a-fb481d668a87" name="192.168.100.25/32">
            <link rel="self" href="https://ise27-sa:9060/ers/config/sgmapping/eb784712-3be5-4d3e-ae4a-fb481d668a87" type="application/xml"/>
        </ns5:resource>
    </ns3:resources>
</ns3:searchResult>
0 Helpful
Customers Also Viewed These Support Documents