12-14-2018 09:20 AM
We have an ISE instance set up for testing, I'm a developer but have never used ISE before.
What I'm wanting to do should be simple but I've not found docs on it so far after searching. I want to add a MAC address to a specified Identity Group. More specifically I want to set it up using the API. My tool of choice here is CURL.
In this API call, the Identity Group will already be defined, however the MAC address will be new to ISE (a brand new device). How would I do this?
I have seen some great docs here like this: ISE ERS API Examples - but it just doesn't cover this specific case. Please remember I'm new to ISE and actually a coder. Thanks!
12-14-2018 10:57 AM
I believe the online documentation shows this (https://<ise-ip>:9060/ers/sdk). Go to API Documentation > Endpoint > Create. Is that what you are looking for?
12-14-2018 11:11 AM
No, I do not want to create an endpoint. In fact nothing to do with Endpoints. I want to add a new *MAC address* to an existing *Identity Group*
It's irrelevant to this post, but that Identity group does contain endpoints. So my device with the new MAC will get on those endpoints because of how the Identity Group is set up. But again, I don't want to add an endpoint.
12-14-2018 12:27 PM
I think there might be some confusion on the terminology here because an endpoint in ISE is referenced by a unique mac address. Each mac address corresponds to an endpoint.
For purposes of this, mac address = endpoint/device.
A device such as a laptop with both a wired and wireless adapter is currently treated as two endpoints in ISE, two unique mac addresses.
12-14-2018 12:32 PM - edited 12-14-2018 12:33 PM
I believe he might be trying to add a MAC to a profile condition so that the device automatically gets put in the right Identity Group based on MAC address during profiling. Certainly doable, but I don't see those capabilities in the API.
12-14-2018 01:16 PM
As Damien noted, endpoint is mac address. With the create endpoint operation you can also put it into the group as well during creation. This essentially maps the MAC address to the endpoint group, which you can use to influence policy for the MAC.
12-14-2018 01:39 PM
@dodgerfan78 says I may be "trying to add a MAC to a profile condition" - possibly, but here's a screenshot now that I'm getting more familiar. What you see when I click the green "Add" button, I'm wanting to do via API - i.e., add MAC address FF:FF:FF:FF:FF:FF to the `RegisteredUsers` Group shown.
12-14-2018 02:26 PM - edited 12-14-2018 02:28 PM
Ok, those are Endpoints. This is how I did it. First get the group ID:
```
tools$ curl --tlsv1.1 -k \
    -H 'ACCEPT: application/json' \
    -H 'ERS-Media-Type: identity.endpointgroup.1.1' \
    "https://admin:1111111@1.1.1.1:9060/ers/config/endpointgroup/name/RegisteredDevices"
"id" : "aa13bb40-8bff-11e6-996c-525400b48521",
```
Create a file with mac address and the group id of the desired group (above). I am not a coder so I may have extra stuff in here I don't need:
mac.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<ns0:endpoint xmlns:ns0="identity.ers.ise.cisco.com"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:ns1="ers.ise.cisco.com"
    xmlns:ers="ers.ise.cisco.com"
    description="description" id="id" name="name">
  <groupId>aa13bb40-8bff-11e6-996c-525400b48521</groupId>
  <mac>00:01:02:03:04:05</mac>
  <staticGroupAssignment>true</staticGroupAssignment>
  <staticProfileAssignment>false</staticProfileAssignment>
</ns0:endpoint>
```
Then do this:
```
curl -v -X POST --tlsv1.1 -k \
    -H 'ACCEPT: application/xml' \
    -H 'ERS-Media-Type: identity.endpoint.1.2' \
    --header 'Content-Type:application/xml' \
    https://admin:11111@1.1.1.1:9060/ers/config/endpoint \
    -d @mac.xml
```
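An added example (not part of any post in this thread): the payload and POST from the answer above, with the MAC and group id validated before they are placed in the XML, the ISE certificate checked against a CA file instead of `-k`, and the ERS credentials read from a netrc file rather than the URL. `ISE_HOST`, `ISE_CA`, `ISE_NETRC` and the function names are assumptions, as is the UUID shape of the group id.

```sh
#!/bin/sh
# Added example, not from the thread. ISE_HOST, ISE_CA and ISE_NETRC are
# assumed environment variables; the function names are hypothetical.

# Upper-case the MAC, accept ':' or '-' separators, reject everything else
# (including embedded newlines or markup) before it can reach the XML body.
normalize_mac() {
  nm_mac=$(printf '%s' "$1" | tr 'a-f-' 'A-F:')
  case $nm_mac in ''|*[!0-9A-F:]*) return 1 ;; esac
  printf '%s\n' "$nm_mac" | grep -Eqx '([0-9A-F]{2}:){5}[0-9A-F]{2}' || return 1
  printf '%s\n' "$nm_mac"
}

# Assumption: group ids are UUID-shaped, like the one returned in the thread.
is_group_id() {
  case $1 in ''|*[!0-9a-fA-F-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
}

# Same document as the thread's mac.xml, filled only with validated values.
build_endpoint_xml() {
  be_mac=$(normalize_mac "$1") || return 1
  is_group_id "$2" || return 1
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<ns0:endpoint xmlns:ns0="identity.ers.ise.cisco.com"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com"
    xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="name">
  <groupId>$2</groupId>
  <mac>$be_mac</mac>
  <staticGroupAssignment>true</staticGroupAssignment>
  <staticProfileAssignment>false</staticProfileAssignment>
</ns0:endpoint>
EOF
}

# POST the body. --cacert verifies the ISE certificate (replacing -k) and
# --netrc-file keeps the ERS password out of the URL, argv and shell history.
ers_create_endpoint() {
  ce_body=$(build_endpoint_xml "$1" "$2") || { echo 'bad MAC or group id' >&2; return 2; }
  printf '%s\n' "$ce_body" | curl --silent --show-error \
    --cacert "$ISE_CA" --netrc-file "$ISE_NETRC" \
    -H 'Accept: application/xml' -H 'Content-Type: application/xml' \
    -H 'ERS-Media-Type: identity.endpoint.1.2' \
    --data-binary @- "https://$ISE_HOST:9060/ers/config/endpoint"
}
```

Call it as `ers_create_endpoint 00:01:02:03:04:05 aa13bb40-8bff-11e6-996c-525400b48521` after exporting the three variables; the netrc file needs a `machine` entry for the ISE host and should be readable only by its owner.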
02-01-2019 02:10 PM - edited 02-06-2019 07:39 AM
Hi There, I have accepted your answer and it did work, however, I thought I'd add something I learned.
This is not to attach an existing endpoint to an identity group, it looks like it can only attach a NEW endpoint to an existing identity group. Otherwise, you'll get something like this:
```xml
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:ersResponse operation="POST-create-endpoint" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">
  <link rel="related" href="https://1.1.1.1:9060/ers/config/endpoint" type="application/xml"/>
  <messages>
    <message type="ERROR" code="CRUD operation exception">
      <title> Failed to update endpoint 55:01:00:00:00:01 to aa13bb40-8bff-11e6-996c-525400b48521 null</title>
    </message>
  </messages>
</ns3:ersResponse>
```
which is not very helpful :)