
ISE 2.0 ERS failed to register End Point via Python script

michelbijnsdorp
Level 1

Hi,

 

With the ERS API documentation (PAN:9060/ers) in hand, I am trying to import a MAC address into the ISE internal DB.

 

ISE version: 2.0.0.306 patch 4

 

Part of the Python script:

import requests

# networkdevicename and macadr are defined elsewhere in the script (not shown)
putheaders = {'Content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml; charset=utf-8',
              'Accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'}

# XML body for the endpoint, built by string concatenation
xmldata = "<?xml version='1.0' encoding='UTF-8' standalone='yes'?> \
<ns4:endpoint description='"+networkdevicename+"' id='id' name='"+macadr+"' \
xmlns:ers='ers.ise.cisco.com' xmlns:xs='http://www.w3.org/2001/XMLSchema' \
xmlns:ns4='identity.ers.ise.cisco.com'> \
 <groupId>testmac</groupId> \
 <mac>"+macadr+"</mac> \
 <staticGroupAssignment>true</staticGroupAssignment> \
 <staticProfileAssignment>false</staticProfileAssignment> \
    </ns4:endpoint>"

puturl = "https://x.x.x.x:9060/ers/config/endpoint/register"

putresp = requests.put(puturl, data=xmldata, headers=putheaders, auth=('xxxx', 'xxxxx'))

 

Script output:

{'Content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml; charset=utf-8', 'Accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'}

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

 <ns4:endpoint description='xxxxx' id='' name='b0:7d:47:d0:d9:f8' xmlns:ers='ers.ise.cisco.com' xmlns:xs='http://www.w3.org/2001/XMLSchema' xmlns:ns4='identity.ers.ise.cisco.com'>

 <groupId>testmac</groupId>

 <mac>b0:7d:47:d0:d9:f8</mac>

<staticGroupAssignment>true</staticGroupAssignment>

<staticProfileAssignment>false</staticProfileAssignment>

</ns4:endpoint>

<Response [204]>

 

With the use of the ISE REST SDK I managed to build a Python script which is working for the 'PUT.endpoint register' function; however, the MAC address is learned but not assigned to the correct group (testmac). Furthermore, the DeviceRegistrationStatus stays 'pending' and therefore cannot be used in the ISE policy. I used the requests.put register function, which gets me an HTTP result "204", which is correct according to the SDK register output.

 

When I use the requests.post.create function and also change the HTTP statement to "https://x.x.x.x:9060/ers/config/endpoint", I get a hard HTTP result "500" error code. I believe that the headers and XML content used, according to the online API documentation on the ISE PAN server, are the same for both methods. Also, as a start I used the minimum required attributes stated in the documentation.

 

 

Question 1: What is the correct method to use in order to insert a new MAC address (API function PUT:endpoint register or POST:endpoint create)?

 

Question 2: Why is the attribute 'id' required by the documentation, as a new MAC address cannot have an 'id' because it is not yet known by the ISE system?

(I tried to find an endpoint insert example on this forum but could not find one.)

 

Question 3: When a MAC address is inserted into the ISE database via the PUT:endpoint register function, why is an "Exceed allowed License usage (PLUS license)" warning generated?

 -------------------------------------------------------------------------------

 

 

In order to slay the 405 dragon, I built a very simple ERS create endpoint Python script without any further functions, based on the following ref guide:

 

Cisco Identity Services Engine API Reference Guide, Release 1.2

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/api_ref_guide/api_ref_book/ise_api_ref_ers2.html and on the PAN server ref guide URL: https://<ISE-ADMIN-NODE>:9060/ers/sdk.

 

-------------------------------------------------------------

TEST.PY script:

-------------------------------------------------------------

#!/usr/bin/env python

from socket import *
import os,re,requests,ssl
from base64 import b64encode

# Read the XML payload from file
xml = open('imt.xml', 'r')
payload = xml.read()
print "\n-INPUT XML DATA FILE:\n"+payload

# Build the HTTP Basic authorization value
userpas = b64encode(b"ers-admin:secret")
userpass = 'Basic '+userpas
print "\n-INPUT HTTPS PASSWORD STRING:\n"+userpass

putheaders = {
                'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml',
                'authorization': userpass,
                'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'
                }
print "\n-INPUT HTTPS HEADERS:"
print putheaders

puturi = "https://1.1.1.1:9060/ers/config/endpoint"

# Send the request, then show what was sent and what came back
putresp = requests.request("PUT", puturi, data=payload, headers=putheaders)
print "\n-OUTPUT Python REQUEST:\n"
print putresp

print "\n-OUTPUT HEADERS:"
print putresp.request.headers
print "\n-OUTPUT DATA:"
print putresp.request.data
print "\n-OUTPUT RESPONSE:"
print putresp

 --------------------------------------------------------

 Python output:

---------------------------------------------------------

server# ./test.py

 

-INPUT XML DATA FILE:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="testmac" id="" description="test endpoint" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<groupId>testmac</groupId>

<mac>00:01:02:03:04:05</mac>

<staticGroupAssignment>true</staticGroupAssignment>

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

 

-INPUT HTTPS PASSWORD STRING:

Basic ZXJzLKLkbWluOkMxc2NvMUIc

 

-INPUT HTTPS HEADERS:

{'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLKLkbWluOkMxc2NvMUIc'}

 

-OUTPUT HEADERS:

{'User-Agent': 'python-requests/0.8.2', 'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLKLkbWluOkMxc2NvMUIc', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'Accept-Encoding': 'identity, deflate, compress, gzip'}

 

-OUTPUT DATA:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="testmac" id="" description="test endpoint" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<groupId>testmac</groupId>

<mac>00:01:02:03:04:05</mac>

<staticGroupAssignment>true</staticGroupAssignment>

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

 

-OUTPUT RESPONSE:

<Response [405]>

 

 

So the big question remains: why do I get these 405 errors?

(405 Method Not Allowed - The HTTP verb specified in the request (DELETE, GET, HEAD, POST, PUT) is not supported for this request URI.)

As it clearly states in the ref guide that a POST method must be used?


 

BTW: tried a million things in changing headers and Python put/post structures, but so far no luck.

 

Any assistance is highly appreciated

 

With Kind regards,

 

Michel

 


michelbijnsdorp
Level 1

In order to slay the 405 dragon, I built a very simple ERS create endpoint Python script without any further functions, based on the following two ref guides with the same name, but with different URLs?

Cisco Identity Services Engine API Reference Guide, Release 1.2

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/api_ref_guide/api_ref_book/ise_api_ref_ers2.html#34313

Cisco Identity Services Engine API Reference Guide, Release 1.2

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/api_ref_guide/api_ref_book/ise_api_ref_ers1.html

-------------------------------------------------------------

TEST.PY script:

-------------------------------------------------------------

#!/usr/bin/env python

from socket import *
import os,re,requests,ssl
from base64 import b64encode

# Read the XML payload from file
xml = open('imt.xml', 'r')
payload = xml.read()
print "\n-INPUT XML DATA FILE:\n"+payload

# Build the HTTP Basic authorization value
userpas = b64encode(b"ers-admin:secret")
userpass = 'Basic '+userpas
print "\n-INPUT HTTPS PASSWORD STRING:\n"+userpass

putheaders = {
                'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml',
                'authorization': userpass,
                'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'
                }
print "\n-INPUT HTTPS HEADERS:"
print putheaders

puturi = "https://1.1.1.1:9060/ers/config/endpoint"

# Send the request, then show what was sent and what came back
postresp = requests.request("PUT", puturi, data=payload, headers=putheaders)
print "\n-OUTPUT Python REQUEST:\n"
print postresp

print "\n-OUTPUT HEADERS:"
print postresp.request.headers
print "\n-OUTPUT DATA:"
print postresp.request.data
print "\n-OUTPUT RESPONSE:"
print postresp

 --------------------------------------------------------

 Python output:

---------------------------------------------------------

server# ./test.py

 

-INPUT XML DATA FILE:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="testmac" id="" description="test endpoint" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<groupId>testmac</groupId>

<mac>00:01:02:03:04:05</mac>

<staticGroupAssignment>true</staticGroupAssignment>

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

 

-INPUT HTTPS PASSWORD STRING:

Basic ZXJzLKLkbWluOkMxc2NvMUIc

 

-INPUT HTTPS HEADERS:

{'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLKLkbWluOkMxc2NvMUIc'}

 

-OUTPUT HEADERS:

{'User-Agent': 'python-requests/0.8.2', 'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLKLkbWluOkMxc2NvMUIc', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'Accept-Encoding': 'identity, deflate, compress, gzip'}

 

-OUTPUT DATA:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="testmac" id="" description="test endpoint" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<groupId>testmac</groupId>

<mac>00:01:02:03:04:05</mac>

<staticGroupAssignment>true</staticGroupAssignment>

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

 

-OUTPUT RESPONSE:

<Response [405]>

 

 

So the big question remains: why do I get these 405 errors?

405 Method Not Allowed

(The HTTP verb specified in the request (DELETE, GET, HEAD, POST, PUT) is not supported for this request URI.)

As it clearly states in the ref guide that a POST method must be used?

 


 

BTW: tried a million things in changing headers and Python put/post structures, but so far no luck.

 

Any assistance is highly appreciated

 

With Kind regards,

 

Michel

jan.nielsen
Level 7
It's a POST you should use. Endpoint Group is not identified in the XML by name, but by id, which you can obtain by getting the list of groups (send a GET to https://ise:9060/ers/config/endpointgroup). Just put something in id and name, doesn't matter, won't be used.

<groupId>xxx-xxx-xxx-xxx-xxx</groupId>
<mac>11:22:33:44:55:66</mac>
<staticGroupAssignment>true</staticGroupAssignment>
<staticProfileAssignment>false</staticProfileAssignment>

Hi Jan,

 

I followed your approach that the groupId is pointing to an ID instead of a name. As you can see, the groupId format is different than your suggested format: xxx-xxx-xxx-xxx-xxx. Do you have any further idea what is wrong?

 

Server:  curl -k -X GET 'https://admin-user:pass@1.1.1.1:9060/ers/config/endpointgroup' -H 'Accept:application/vnd.com.cisco.ise.identity.endpointgroup.1.0+xml' | grep 'TEMP'

 

<?xml version="1.0" encoding="utf-8" standalone="yes"?><ns3:searchResult total="11" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">

<resources>

 

<resource description="temporary data group" id="40a0ec80-c84b-11e7-8e06-0050568e8e02" name="TEMP_Data"     ><link rel="self" href="https://1.1.1.1:9060/ers/config/endpointgroup/40a0ec80-c84b-11e7-8e06-0050568e8e02" type="application/xml"/>

 

</resource>

 -----------------------------------------

Sever:~$ ./test.py

 

-INPUT XML DATA FILE:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="test" id="" description="test" xmlns:ns2="ers.ise.cisco.com"  xmlns:ns3="identity.ers.ise.cisco.com">

    <groupId>40a0ec80-c84b-11e7-8e06-0050568e8e02</groupId>

    <mac>11:22:33:44:55:66</mac>

    <staticGroupAssignment>true</staticGroupAssignment>

    <staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

 

-INPUT HTTPS PASSWORD STRING:

Basic ZXJzLWFkbWluOkMxc2NvMTIz

 

-INPUT HTTPS HEADERS:

{'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLWFkbWluOkMxc2NvMTIz'}

 

-OUTPUT HEADERS:

{'User-Agent': 'python-requests/0.8.2', 'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLWFkbWluOkMxc2NvMTIz', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'Accept-Encoding': 'identity, deflate, compress, gzip'}

 

-OUTPUT DATA:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="test" id="" description="test" xmlns:ns2="ers.ise.cisco.com"  xmlns:ns3="identity.ers.ise.cisco.com">

    <groupId>40a0ec80-c84b-11e7-8e06-0050568e8e02</groupId>

    <mac>11:22:33:44:55:66</mac>

    <staticGroupAssignment>true</staticGroupAssignment>

    <staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

 

-OUTPUT RESPONSE:

<Response [405]>

 

With kind regards,

 

Michel

The xxx-xxx I put in there was just to indicate that you can't use the name.

The 405 Error should also give you some message, try using curl -v to get all the headers back.

We are a little bit further; it now becomes an error 400 instead of 405.

 

curl -v -k -X POST "https://user:pass@1.1.1.1:9060/ers/config/endpoint" -H "Content-Type:application/vnd.com.cisco.ise.identity.endpoint.1.1+xml" -d xmldata

 

 

< HTTP/1.1 400 Bad Request

< Content-Type: application/vnd.com.cisco.ise.ers.ersresponse.1.1+xml;charset=utf-8

< Content-Length: 484

< Connection: close

< Server:

* Closing connection #0

* SSLv3, TLS alert, Client hello (1):

<?xml version="1.0" encoding="utf-8" standalone="yes"?><ns3:ersResponse operation="POST-create-endpoint" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com"><link rel="related" href="https://1.1.1.1:9060/ers/config/endpoint" type="application/xml"/><messages><message type="ERROR" code="Schema validation exception"><title>XML Schema Validation Failed :: at line 1, column 1 : Content is not allowed in prolog.</title></message></messages></ns3:ersResponse>

 

more xmldata

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="name" id="id" description="description" xmlns:ns2="ers.ise.cisco.com"  xmlns:ns3="identity.ers.ise.cisco.com">

    <groupId>40a0ec80-c84b-11e7-8e06-0050568e8e02</groupId>

    <mac>00:01:02:03:04:05</mac>

    <staticGroupAssignment>true</staticGroupAssignment>

    <staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>


Even with an additional header accept:application/vnd.com.cisco.ise.identity.endpoint.1.1+xml, or changing the version number from 1.0+xml to 1.1+xml, I get the same HTTP cause code 400.

 

Kind regards Michel

Does anyone have any ideas about this error code "Content is not allowed in prolog", because I tested the different Python whitespace removal options?

 

Kind Regards,

 

Michel

The XML prolog is this line:

 

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
Which looks fine, but if the option in curl -d xmldata is supposed to reference a file, you need an @ in front of the filename. If you are not using a file for your XML data, then maybe try that?
 

Jan, thanks for your support. It pointed me in the correct direction, so both the CURL and the Python script options are now working.

 

BTW: I noticed that an endpoint by default is not assigned to an endpoint profileId, but by using the CURL command it was no problem to obtain the endpointgroup id and apply that information in the create profileId value. So I am able to create an endpoint, put it in the correct group with the groupId and profile it to the correct profile name.

 

Many thanks,

 

With kind regards Michel

Glad I could help, good luck with your ISE API project :-)
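
The sequence this thread converges on (resolve the endpoint group name to its id, build the endpoint XML with that id, then POST it to /ers/config/endpoint), as an added example that is not code from any post above. It builds the body with ElementTree so that values are escaped rather than concatenated into the XML, and it parses the body before building the request, which catches a non-XML body such as the literal string sent by `-d xmldata`. Assumptions: the function names and the sample response are constructed here, and the serialiser's auto-generated namespace prefix (instead of ns3) is assumed to be acceptable to the server.

```python
# Added example (Python 3, standard library only); nothing is sent on the network.
import base64
import urllib.request
import xml.etree.ElementTree as ET

IDENTITY_NS = "identity.ers.ise.cisco.com"
ENDPOINT_MEDIA = "application/vnd.com.cisco.ise.identity.endpoint.1.0+xml"
PROLOG = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'

# Constructed sample, modelled on the endpointgroup GET response quoted in the thread.
SAMPLE_GROUPS = (
    b'<?xml version="1.0" encoding="utf-8" standalone="yes"?>'
    b'<ns3:searchResult total="1" xmlns:ns3="ers.ise.cisco.com"><resources>'
    b'<resource description="temporary data group" '
    b'id="40a0ec80-c84b-11e7-8e06-0050568e8e02" name="TEMP_Data"/>'
    b'</resources></ns3:searchResult>'
)

def group_id_by_name(search_result_xml, group_name):
    """Return the id of the endpoint group with this name, or None."""
    for res in ET.fromstring(search_result_xml).iter("resource"):
        if res.get("name") == group_name:
            return res.get("id")
    return None

def build_endpoint_body(mac, group_id, name="name", description="description"):
    """Serialise the endpoint element; ElementTree escapes every value."""
    ep = ET.Element("{%s}endpoint" % IDENTITY_NS,
                    {"name": name, "id": "id", "description": description})
    for tag, text in (("groupId", group_id), ("mac", mac),
                      ("staticGroupAssignment", "true"),
                      ("staticProfileAssignment", "false")):
        ET.SubElement(ep, tag).text = text
    return PROLOG + ET.tostring(ep, encoding="utf-8")

def build_create_request(base_url, user, password, body):
    """Build (not send) the create call: POST to /ers/config/endpoint."""
    ET.fromstring(body)  # pre-flight: ParseError if the body is not XML
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return urllib.request.Request(
        base_url + "/ers/config/endpoint", data=body, method="POST",
        headers={"Content-Type": ENDPOINT_MEDIA, "Accept": ENDPOINT_MEDIA,
                 "Authorization": "Basic " + token})
```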