ISE MNT CoA API Tool

Mike.Cifelli
VIP Alumni

I was recently working on an ISE automation tool that would allow other admins the ability to leverage MnT APIs to issue a change of authorization (reauth/terminate session) and get an updated session status.  Essentially the idea was to allow the IA/server team to move computer objects to other security groups in AD that are referenced in ISE, to quarantine and restrict access for clients authenticating via 802.1X upon the issued CoA.  Unfortunately, after working with the BU/TAC for some time, we were unable to get the script to function properly in a distributed deployment with individual PSNs and separate MnT nodes.  However, the script will work for those running the MnT and PSN personas on an individual node, so I thought I would share.  See below:


#!/usr/bin/env python3
# ISE MnT CoA tool: force a reauth or a disconnect for an endpoint (by MAC)
# through the MnT REST API, then look the session up again to confirm the
# endpoint moved. Ported to Python 3 from the Python 2 original and fixed:
# the IP regex contained literal newlines (so it never matched), the MAC
# check only tested string length, one prompt was tab-indented into the wrong
# block, Term_Sess() unpacked the wrong tuple and Sess_Update() was called
# with a missing argument.
import getpass
import os
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

import requests

# Placeholders: the ISE node answering MnT API calls and the node named in the
# CoA URL path. Replace both with the real hostnames of your deployment.
ISE_HOST = "ise_node"
COA_NODE = "<ise node>"
# Keep certificate verification on. If the ISE admin cert is signed by an
# internal CA, point this at that CA bundle instead of using verify=False.
VERIFY_TLS = True

# Strict formats, since both values end up in a URL path or a command line.
MAC_RE = re.compile(r"[0-9A-F]{2}(:[0-9A-F]{2}){5}")
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4_RE = re.compile(OCTET + r"(\." + OCTET + r"){3}")

BANNER = "*" * 74


def api_auth():
    # Credentials come from the environment or an interactive prompt, never
    # from the source file.
    user = os.environ.get("ISE_API_USER") or input("ISE API user: ")
    password = os.environ.get("ISE_API_PASS") or getpass.getpass("ISE API password: ")
    return (user, password)


def Endpoint_Input():
    # Prompt for the MAC (upper-cased, AA:BB:CC:DD:EE:FF) and the endpoint's
    # current IP; both are validated before they are used anywhere.
    HW_ADDR = input("Enter MAC: ").strip().upper()
    if not MAC_RE.fullmatch(HW_ADDR):
        print(BANNER)
        print("Error! Must be 17 characters & in the following format: AA:BB:CC:DD:EE:FF")
        print(BANNER)
        sys.exit(1)
    HOST_IP = input("Enter Current Endpoint IP: ").strip()
    if not IPV4_RE.fullmatch(HOST_IP):
        print(BANNER)
        print("Error! Must be at most 15 characters & in IP format: ex: 1.1.1.1")
        print(BANNER)
        sys.exit(1)
    return HW_ADDR, HOST_IP


def mnt_get(path, auth):
    # Every MnT call goes over verified TLS with HTTP basic auth.
    r = requests.get("https://%s/admin/API/mnt/%s" % (ISE_HOST, path),
                     auth=auth, verify=VERIFY_TLS)
    print("HTTP status:", r.status_code)
    try:
        return ET.fromstring(r.content)
    except ET.ParseError:
        print("Unparseable response from ISE:", r.text[:200])
        sys.exit(1)


def Sess_Update(HW_ADDR, HOST_IP, auth):
    # Ping the old IP to show whether the endpoint moved, then pull the active
    # session for the MAC from MnT.
    print(BANNER)
    print("Pinging Endpoint old IP Address")
    # Argument list, not a shell string, so the IP cannot carry shell text.
    subprocess.call(["ping", "-c", "4", HOST_IP])
    print(BANNER)

    tree = mnt_get("Session/MACAddress/" + HW_ADDR, auth)
    print("Endpoint is connected to SDA Switch:", tree.findtext("nas_ip_address"))
    # print("Endpoint Session Update Vlan:", tree.findtext("vlan"))
    print("Endpoint new ip address is:", tree.findtext("framed_ip_address"))


def report_coa(tree):
    # <results> is "true"/"false" in a CoA reply; anything else means the MAC
    # had no session or the request was rejected. <status> carries the
    # error text when ISE supplies one.
    result = tree.findtext("results")
    print(BANNER)
    if result == "false":
        print("ISE CoA Result: Failed")
    elif result == "true":
        print("ISE Change of Authorization Result: Successful")
    else:
        print("ISE CoA Error: Ensure you have the right MAC")
    status = tree.findtext("status")
    if status:
        print("ISE CoA Status:", status)
    print(BANNER)


def CoA_Reauth():
    HW_ADDR, HOST_IP = Endpoint_Input()
    auth = api_auth()
    # Reauth type 1, as in the original script
    tree = mnt_get("CoA/Reauth/%s/%s/1/" % (COA_NODE, HW_ADDR), auth)
    report_coa(tree)
    Sess_Update(HW_ADDR, HOST_IP, auth)


def Term_Sess():
    HW_ADDR, HOST_IP = Endpoint_Input()
    auth = api_auth()
    # Disconnect type 2, as in the original script
    tree = mnt_get("CoA/Disconnect/%s/%s/2/" % (COA_NODE, HW_ADDR), auth)
    report_coa(tree)
    Sess_Update(HW_ADDR, HOST_IP, auth)


def main():
    # Prompt for the MnT session management choice (reauth or terminate)
    MNT_TYPE = input("Do you wish to force Reauth (1) or Terminate Session (2)? Enter type, 1 or 2: ").strip()
    if MNT_TYPE not in ("1", "2"):
        print("************************************")
        print("Error! You must enter 1 (Reauth) or 2 (Terminate Session)")
        print("************************************")
        sys.exit(1)
    if MNT_TYPE == "1":
        CoA_Reauth()
    else:
        Term_Sess()


if __name__ == "__main__":
    main()

Note that my environment is running 2.4p9.  The identified bug, as issued to the public, is here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt65853
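
As an added example (not part of the original post or of ISE itself), here are the two pieces of the script that can be exercised offline: the input validation and the parsing of the MnT replies. It assumes a CoA reply carries a `<results>` element with an optional `<status>` element, and a session reply the `<sessionParameters>` children the script prints; the sample XML and its values are constructed for the example, not captured from ISE. The MAC check is stricter than a length test on purpose: the MAC is spliced into the URL path, and a 17-character string such as `../../ERS/config/` would pass a length check and reach the API as extra path segments.

```python
import re
import xml.etree.ElementTree as ET

HEX12 = re.compile(r"[0-9A-F]{12}")
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4_RE = re.compile(OCTET + r"(?:\." + OCTET + r"){3}")


def normalize_mac(text):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if the input is not a MAC.

    Accepts colon, dash and dot separated notations; anything containing other
    characters (slashes, spaces, ...) is rejected rather than trimmed.
    """
    raw = text.strip().upper()
    if not re.fullmatch(r"[0-9A-F:.\-]+", raw):
        return None
    digits = re.sub(r"[:.\-]", "", raw)
    if not HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_ipv4(text):
    """Dotted-quad check used before the value is handed to ping."""
    return IPV4_RE.fullmatch(text.strip()) is not None


def session_url(ise_host, mac):
    """Build the MnT session lookup URL from a validated, normalized MAC only."""
    norm = normalize_mac(mac)
    if norm is None:
        raise ValueError("not a MAC address: %r" % mac)
    return "https://%s/admin/API/mnt/Session/MACAddress/%s" % (ise_host, norm)


def parse_coa_response(body):
    """Return (succeeded, status_text) from a CoA Reauth/Disconnect reply.

    Raises ValueError when the reply has no true/false <results> element,
    which is the branch the script reports as 'Ensure you have the right MAC'.
    """
    root = ET.fromstring(body)
    results = root.findtext("results")
    if results not in ("true", "false"):
        raise ValueError("no CoA result in response")
    return results == "true", root.findtext("status")


def parse_session(body):
    """Pick the session fields the script prints out of a session reply."""
    root = ET.fromstring(body)
    fields = ("calling_station_id", "nas_ip_address", "framed_ip_address", "vlan")
    return {f: root.findtext(f) for f in fields}


# Constructed sample replies, modelled on the tags the script reads (assumption:
# a real reply uses the same bare tag names; the values here are made up).
COA_OK = b"<remoteCoA><results>true</results></remoteCoA>"
COA_FAIL = b"<remoteCoA><results>false</results><status>CoA not sent</status></remoteCoA>"
COA_NO_SESSION = b"<remoteCoA><status>No active session</status></remoteCoA>"
SESSION = b"""<sessionParameters>
  <calling_station_id>00:11:22:33:44:55</calling_station_id>
  <nas_ip_address>10.10.1.2</nas_ip_address>
  <framed_ip_address>10.20.5.17</framed_ip_address>
  <vlan>20</vlan>
</sessionParameters>"""


if __name__ == "__main__":
    print(session_url("ise_node", "aabb.ccdd.eeff"))
    print(normalize_mac("../../ERS/config/"))
    print(parse_coa_response(COA_OK), parse_coa_response(COA_FAIL))
    print(parse_session(SESSION))
```

`session_url` only ever sees the normalized form, so callers cannot bypass the check by building the path themselves; the same pattern applies to the CoA URLs.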


2 Replies

Mike.Cifelli
VIP Alumni
FYSA
I have been advised the fix for this issue is being released in ISE 2.7 patch 3 which is expected to release late September/early October.

Mike.Cifelli
VIP Alumni

FYSA

The bug is still present in ISE 2.7p3.

TAC's latest response:

We’ve been working with our development team, you’re facing a similar behavior of the bug that you mentioned at the beginning https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt65853. However, on that bug they tested only on a 2 node deployment with the following settings:


1) 2 node deployment (PAN + MnT, PSN).

2) 2 node deployment (PAN + MnT + PSN, PSN).

3) 2 node deployment (PAN + MnT, PSN).


We have confirmed that ISE 2.7 patch 3 is still affected by this behavior when having the MnT persona isolated on one node on a 3+ nodes deployment.


This defect is already assigned to the development team. You can enable notifications on that bug to get an alert when the defect is solved. Let me know if you need something else or if we’re good to archive this case.


HTH!