Cisco Identity Services Engine API Reference Guide, Release 1.2

michelbijnsdorp · ‎11-09-2017

Hi,

With the ERS API documentation (PAN:9060/ers) in the hand I try to import a MAC adres into ISE internal dB .

ISE version: 2.0.0.306 patch 4

part of the pyhton Script:

putheaders={'Content-Type':'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml; charset=utf- 8','Accept':'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'

xmldata ="<?xml version='1.0' encoding='UTF-8' standalone='yes'?> \

<ns4:endpoint description='"+networkdevicename+"' id='id' name='"+macadr+"' \ xmlns:ers='ers.ise.cisco.com' xmlns:xs='http://www.w3.org/2001/XMLSchema' \ xmlns:ns4='identity.ers.ise.cisco.com'> \

<groupId>testmac</groupId> \

<mac>"+macadr+"</mac> \

<staticGroupAssignment>true</staticGroupAssignment> \

<staticProfileAssignment>false</staticProfileAssignment> \

</ns4:endpoint>"

puturl = "x.x.x.x:9060/ers/config/endpoint/register"

putresp = requests.put(puturl, data=xmldata, headers=putheaders, auth=('xxxx’, 'xxxxx'))

script output:

{'Content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml; charset=utf-8', 'Accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'}

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>

<ns4:endpoint description='xxxxx' id='' name='b0:7d:47:d0:d9:f8' xmlns:ers='ers.ise.cisco.com' xmlns:xs='http://www.w3.org/2001/XMLSchema' xmlns:ns4='identity.ers.ise.cisco.com'>

<groupId>testmac</groupId>

<staticProfileAssignment>false</staticProfileAssignment>

</ns4:endpoint>

With the use of the ISE REST SDK I manged to build a python script which is working for the ‘PUT.endpoint register’function, however the MAC adr is learned but not assigned on the correct group (testmac). Furthermore the DeviceRegistrationStatus stays ‘pendig” and therefore can not be used in the ISE policy. I used the requests.put register function which gets me a http.result “204” which is correct according to the SDK register output.

When I use the requests.post.create function and I change also the http statement to “https://x.x.x.x:9060/ers/config/endpoint I get a hard http.result “500” error code. Which I believe that the used headers and XML content according to the API online ISE PAN server documentation is the same for both methods. Also I used as start the minimum required attributes which is stated in the documentation.

Question1: What is correct method to be used in order to insert a new MAC address ( API function PUT:endpoint register or POST:endpoint create )?

Question2: Why is the attribute ‘id’ required by the documentation as a new MAC address can not have a ‘id’ because it is not known yet by the ISE system?

(I try to find on this forum an eindpoint insert example but I could not find it)

Question3: When a MAC adres is inserted into the ISE database via de PUT:endpoint register function, why is an “Exeed allowed License usage (PLUS license) warning generated?

-------------------------------------------------------------------------------

In order to slay the 405 dragon, I build a very simple ERS create endpoint python script without any further functions based on following ref guide;

Cisco Identity Services Engine API Reference Guide, Release 1.2

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/api_ref_guide/api_ref_book/ise_api_ref_ers2.html and on the PAN server ref guide URL: https://<ISE-ADMIN-NODE>:9060/ers/sdk.

-------------------------------------------------------------

TEST.PY scipt :

-------------------------------------------------------------

#!/usr/bin/env python

from socket import *

import os,re,requests,ssl

from base64 import b64encode

xml = open('imt.xml', 'r')

payload = xml.read()

print "\n-INPUT XML DATA FILE:\n"+payload

userpas = b64encode(b"ers-admin:secret")

userpass = 'Basic '+userpas

print "\n-INPUT HTTPS PASSWORD STRING:\n"+userpass

putheaders = {

'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml',

'authorization': userpass,

'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'

}

print "\n-INPUT HTTPS HEADERS:"

print putheaders2

puturi = "https://1.1.1.1:9060/ers/config/endpoint"

putresp = requests.request("PUT", putri, data=payload, headers=putheaders)

print "\n-OUTPUT Python REQUEST:\n"

print putresp

print "\n-OUTPUT HEADERS:"

print putresp.request.headers

print "\n-OUTPUT DATA:"

print putresp.request.data

print "\n-OUTPUT RESPONSE:"

print putresp

--------------------------------------------------------

Python output:

---------------------------------------------------------

server# ./test.py

-INPUT XML DATA FILE:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="testmac" id="" description="test endpoint" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<groupId>testmac</groupId>

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

-INPUT HTTPS PASSWORD STRING:

Basic ZXJzLKLkbWluOkMxc2NvMUIc

-INPUT HTTPS HEADERS:

{'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLKLkbWluOkMxc2NvMUIc'}

-OUTPUT HEADERS:

{'User-Agent': 'python-requests/0.8.2', 'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLKLkbWluOkMxc2NvMUIc', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'Accept-Encoding': 'identity, deflate, compress, gzip'}

-OUTPUT DATA:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="testmac" id="" description="test endpoint" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<groupId>testmac</groupId>

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

-OUTPUT RESPONSE:

So the big question stays why I get these 405 errors ?

405 Method Not Allowed - The HTTP verb specified in the request (DELETE, GET, HEAD, POST, PUT) is not supported for this request URI.)

As it clearly state in the ref guide that a POST method ,ust be used ?

btw: tried a million things in changing headers en python put/post structures but so far no luck.

Any assistance is highly appreciated

With Kind regards,

Michel

jan.nielsen · ‎11-13-2017

XML Prolog is this line :

<?xml version="1.0" encoding="utf-8" standalone="yes"?>

Which looks fine, but if the option in curl -d xmldata is supposed to reference a file, you need a @ in front of the filename. If you are not using a file for your xml data, then maybe try that?

View solution in original post

michelbijnsdorp · ‎11-11-2017

In order to slay the 405 dragon, I build a very simple ERS create endpoint python script without any further functions based on following two ref guides with the same name, but with different URLs????

Cisco Identity Services Engine API Reference Guide, Release 1.2

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/api_ref_guide/api_ref_book/ise_api_ref_ers2.html#34313

Cisco Identity Services Engine API Reference Guide, Release 1.2

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/api_ref_guide/api_ref_book/ise_api_ref_ers1.html

-------------------------------------------------------------

TEST.PY scipt :

-------------------------------------------------------------

#!/usr/bin/env python

from socket import *

import os,re,requests,ssl

from base64 import b64encode

xml = open('imt.xml', 'r')

payload = xml.read()

print "\n-INPUT XML DATA FILE:\n"+payload

userpas = b64encode(b"ers-admin:secret")

userpass = 'Basic '+userpas

print "\n-INPUT HTTPS PASSWORD STRING:\n"+userpass

putheaders = {

'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml',

'authorization': userpass,

'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'

}

print "\n-INPUT HTTPS HEADERS:"

print putheaders2

puturi = "https://1.1.1.1:9060/ers/config/endpoint"

postresp = requests.request("PUT", putri, data=payload, headers=putheaders)

print "\n-OUTPUT Python REQUEST:\n"

print postresp

print "\n-OUTPUT HEADERS:"

print postresp.request.headers

print "\n-OUTPUT DATA:"

print postresp.request.data

print "\n-OUTPUT RESPONSE:"

print postresp

--------------------------------------------------------

Python output:

---------------------------------------------------------

server# ./test.py

-INPUT XML DATA FILE:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="testmac" id="" description="test endpoint" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<groupId>testmac</groupId>

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

-INPUT HTTPS PASSWORD STRING:

Basic ZXJzLKLkbWluOkMxc2NvMUIc

-INPUT HTTPS HEADERS:

{'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLKLkbWluOkMxc2NvMUIc'}

-OUTPUT HEADERS:

{'User-Agent': 'python-requests/0.8.2', 'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLKLkbWluOkMxc2NvMUIc', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'Accept-Encoding': 'identity, deflate, compress, gzip'}

-OUTPUT DATA:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="testmac" id="" description="test endpoint" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<groupId>testmac</groupId>

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

-OUTPUT RESPONSE:

<Response [405]>

So the big question stays why I get these 405 errors ?

405 Method Not Allowed

The HTTP verb specified in the request (DELETE, GET, HEAD, POST, PUT) is not supported for this request URI.)

As it clearly state in the ref guide that a POST method ,ust be used ?

btw: tried a million things in changing headers en python put/post structures but so far no luck.

Any assistance is highly appreciated

With Kind regards,

Michel

jan.nielsen · ‎11-12-2017

It's a POST you should use, Endpoint Group is not identified in the xml by name, but by id, which you can obtain by getting the list of groups (send a GET to https://ise:9060/ers/config/endpointgroup) Just put something in id and name, doesn't matter, won't be used. xxx-xxx-xxx-xxx-xxx 11:22:33:44:55:66 true false

michelbijnsdorp · ‎11-13-2017

Hi Jan,

I followed your approach that the groupId is pointing to a ID instead of a name. As you can see the groupID format is different then your suggested format:xxx-xxx-xxx-xxx-xxx. do you have any further idea what is wrong ?

Server: curl -k -X GET 'https://admin-user:pass@1.1.1.1:9060/ers/config/endpointgroup' -H 'Accept:application/vnd.com.cisco.ise.identity.endpointgroup.1.0+xml' | grep 'TEMP'

<?xml version="1.0" encoding="utf-8" standalone="yes"?><ns3:searchResult total="11" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">

</resource>

-----------------------------------------

Sever:~$ ./test.py

-INPUT XML DATA FILE:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="test" id="" description="test" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

-INPUT HTTPS PASSWORD STRING:

Basic ZXJzLWFkbWluOkMxc2NvMTIz

-INPUT HTTPS HEADERS:

{'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLWFkbWluOkMxc2NvMTIz'}

-OUTPUT HEADERS:

{'User-Agent': 'python-requests/0.8.2', 'content-Type': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'authorization': 'Basic ZXJzLWFkbWluOkMxc2NvMTIz', 'accept': 'application/vnd.com.cisco.ise.identity.endpoint.1.0+xml', 'Accept-Encoding': 'identity, deflate, compress, gzip'}

-OUTPUT DATA:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="test" id="" description="test" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

-OUTPUT RESPONSE:

WIth Kind regards,

Michel

jan.nielsen · ‎11-13-2017

the xxx-xxx i put in there was just to indicate that you cant use the name.

The 405 Error should also give you some message, try using curl -v to get all the headers back.

michelbijnsdorp · ‎11-13-2017

We are a littlebit further it becomes now an error: 400 instead of 405

curl -v -k -X POST "https://user:pass@1.1.1.1:9060/ers/config/endpoint" -H "Content-Type:application/vnd.com.cisco.ise.identity.endpoint.1.1+xml" -d xmldata

< HTTP/1.1 400 Bad Request

< Content-Type: application/vnd.com.cisco.ise.ers.ersresponse.1.1+xml;charset=utf-8

< Content-Length: 484

< Connection: close

< Server:

<

* Closing connection #0

* SSLv3, TLS alert, Client hello (1):

<?xml version="1.0" encoding="utf-8" standalone="yes"?><ns3:ersResponse operation="POST-create-endpoint" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com"><link rel="related" href="https://1.1.1.1:9060/ers/config/endpoint" type="application/xml"/><messages><message type="ERROR" code="Schema validation exception"><title>XML Schema Validation Failed :: at line 1, column 1 : Content is not allowed in prolog.</title></message></messages></ns3:ersResponse>

more xmldata

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<ns3:endpoint name="name" id="id" description="description" xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">

<staticProfileAssignment>false</staticProfileAssignment>

</ns3:endpoint>

Even with an additional header accept:application/vnd.com.cisco.ise.identity.endpoint.1.1+xml or changing the version number from 1.0+xml to 1.1+xml I get the same HTTP cause code.400

Kind regards Michel

michelbijnsdorp · ‎11-13-2017

Who has any idea's of this error code "Content is not allowed in prolog" because I tested the different Pyhton whitespace removal options ?

Kind Regards,

Michel

jan.nielsen · ‎11-13-2017

XML Prolog is this line :

<?xml version="1.0" encoding="utf-8" standalone="yes"?>

Which looks fine, but if the option in curl -d xmldata is supposed to reference a file, you need a @ in front of the filename. If you are not using a file for your xml data, then maybe try that?

michelbijnsdorp · ‎11-14-2017

Jan, thanks for your support It pointed me into the correct direction, so both the CURL and the python script option is now working.

Btw> I noticed that the a endpoint by default is not assigned to an endpoint profileId, but by using the CURL command it was no problem to obtain the endpointgroup id and apply that information in the create profileID value. So I be able to create an endpoint, put it in the correct group with the GroupId and profiled it to the correct profilename.

Many thanks,

With kind regards Michel

jan.nielsen · ‎11-14-2017

Glad i could help, good luck with your ISE API project :-)

ISE 2.0 ERS failed to register End Point via Python script

Cisco Identity Services Engine API Reference Guide, Release 1.2

Cisco Identity Services Engine API Reference Guide, Release 1.2