
ISE cannot find a network device if it is created by the ERS API

Hello everyone, I am running into an issue with ISE and authentication. If I run my script to create a network device it does so and it shows up in ISE, however when I try to have the device authenticate with ISE, in the radius logs, I can see that ISE gives me the following error:

 

ISE Code: 2.4.0.357

Event: 5405 RADIUS Request dropped
Failure Reason: 11007 Could not locate Network Device or AAA Client
Resolution: Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause: Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
NAS IPv4 Address: 10.11.38.253

 

 

The weird part is if I go into the device itself and click, "Save" (Without making any changes, just simply clicking on the IP address then clicking on the white space then save),  it will then work. 

 

Has anyone faced any issues like this? In the past two weeks, this is the second bug behavior I have run into, the other one was with the X-CSRF-TOKEN in post messages to ERS.

 

 

Here is my code if anyone is wondering (IP address and UN/PWD omitted): 

import requests
import requests.auth
import json
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Silences the warning that verify=False triggers below; the ISE
# certificate is not validated by this script.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# ERS admin credentials (omitted)
Username = ("x")
Password = ("x")

headers = {'Content-Type': 'application/json', 'Accept': 'application/json'}

devicename = input("Enter Device Name:")
deviceid = devicename + "-" + "PyGenerated"
deviceip = input("Enter Device IP Address:")
deviceipmask = input("Enter Device IP Mask [0-32]:")
devicedescription = input("Enter Device Description:")
devicesecret = input("Enter Device Secret:")
#devicelocation = input("Enter Device Location:")
#devicetype = input("Enter Device Type:")

# Fetch the existing network devices so a duplicate name can be rejected
GETDEVICENAME = requests.get("https://x.x.x.x:9060/ers/config/networkdevice", verify=False, auth=(Username, Password), headers=headers)

ParseName = json.loads(GETDEVICENAME.text)

for STORENAME in ParseName['SearchResult']['resources']:
    CheckNAME = STORENAME["name"]
    if devicename == CheckNAME:
        print("ERROR: A duplicate Device Name has been detected, please re-run the script and use a unique Device Name!")
        exit()

# Body of the POST that creates the device
ISEjson = {
    "NetworkDevice" : {
        "id" : deviceid,
        "name" : devicename,
        "description" : devicedescription,
        "authenticationSettings" : {
            "radiusSharedSecret" : devicesecret,
            "enableKeyWrap" : False,
            "dtlsRequired" : False,
            "keyEncryptionKey" : "",
            "messageAuthenticatorCodeKey" : "",
            "keyInputFormat" : "ASCII"
        },
        "profileName" : "Cisco",
        "coaPort" : 1700,
        "dtlsDnsName" : False,
        "NetworkDeviceIPList" : [ {
            "ipaddress" : deviceip,
            "mask" : deviceipmask
        } ],
        "NetworkDeviceGroupList" : [ "Location#All Locations", "Device Type#All Device Types" ]
    }
}

ISE = requests.post("https://x.x.x.x:9060/ers/config/networkdevice", verify=False, auth=(Username, Password), headers=headers, json=ISEjson)

if ISE.status_code < 400:
    print("SUCCESS: The device has been created and implemented into ISE! Status Code:", ISE.status_code)

if ISE.status_code > 399:
    print("FAILURE: The code has not been pushed to ISE to create the device! Status Code:", ISE.status_code, "\nHere is the error received from the API", ISE.text)

hslai
Cisco Employee

CSCvq59887 was recently logged by our TAC on this issue reported by another customer. This defect is not visible externally yet. The workaround section says,

This can be rectified by two methods:
1. Reload the node and try to re-authenticate. Result = Authentication Successful
2. If we remove "id", "Profile", and "COAPort" from the POST, the newly created NetworkDevice becomes usable instantly.

 

Hslai,

 

I tried both of those and the issue is still present. I tried to view the bug, but I could not. Is there any type of update from Cisco on what is causing this bug to occur? 

Please try it with a simpler body. Below worked for me. I will try yours later when I have more time.

{
  "NetworkDevice" : {
    "name" : "dag",
    "authenticationSettings" : {
      "networkProtocol" : "RADIUS",
      "radiusSharedSecret" : "myRadSecret"
    },
    "NetworkDeviceIPList" : [ {
      "ipaddress" : "10.1.100.43",
      "mask" : 32
    } ],
    "NetworkDeviceGroupList" : [ "Location#All Locations", "IPSEC#Is IPSEC Device#No" ]
  }
}

 

Thank you! What worked is adding this in the json code: 

 

        "authenticationSettings" : {
            "networkProtocol" : "RADIUS",
            "radiusSharedSecret" : devicesecret,

 

I was wondering if you guys have any clue as to what causes this bug to occur? We are on 2.4.0.357, thanks for your help mate :) 
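An added example, not code from any poster in this thread: a pre-flight check that flags the body patterns discussed above (the keys the quoted workaround says to drop, and the missing `networkProtocol`), plus a builder for the minimal body and a POST that keeps certificate verification on. The function names, the `cafile` parameter and the mapping of the workaround's "Profile"/"COAPort" to the script's `profileName`/`coaPort` keys are assumptions.

```python
import base64
import ipaddress
import json
import ssl
import urllib.request

# Keys the quoted workaround says to drop (mapping to these names is assumed).
OMIT = ("id", "profileName", "coaPort")


def lint_payload(payload):
    """List the changes the thread suggests for an ERS NetworkDevice body."""
    dev = payload.get("NetworkDevice", {})
    issues = [f"remove '{k}'" for k in OMIT if k in dev]
    if "networkProtocol" not in dev.get("authenticationSettings", {}):
        issues.append("add authenticationSettings.networkProtocol")
    return issues


def build_network_device(name, ip, mask, secret):
    """Build the minimal body in the shape that worked in the thread."""
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    mask = int(mask)
    if not 0 <= mask <= 32 or not name or not secret:
        raise ValueError("need a name, a secret and a mask in 0-32")
    return {"NetworkDevice": {
        "name": name,
        "authenticationSettings": {
            "networkProtocol": "RADIUS", "radiusSharedSecret": secret},
        "NetworkDeviceIPList": [{"ipaddress": ip, "mask": mask}],
        "NetworkDeviceGroupList": [
            "Location#All Locations", "Device Type#All Device Types"],
    }}


def post_device(base_url, username, password, payload, cafile=None):
    """POST to ERS; refuses a flagged body and validates the ISE certificate."""
    issues = lint_payload(payload)
    if issues:
        raise ValueError("; ".join(issues))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/ers/config/networkdevice",
        data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)  # certificate checks stay on
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status
```

Pass the path of the CA bundle that signed the ISE admin certificate as `cafile` when it is not in the system trust store, instead of turning verification off.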
