05-14-2018 09:12 AM
Hi all,
is there a way to sync authentication/authorization policies between two distinct deployments automatically via REST-API?
Thanks in advance.
Roland
05-14-2018 01:52 PM
The short answer is "partial support". The current ERS API does support the export/import of many different objects, but there are a number of items, such as Auth Policy, which cannot be imported (Admin UI export only). Profiler objects can be exported and imported from the Admin UI, but not via the API. To see the range of object/policy items that can be synced via API, check the online SDK at https://<primary-pan>:9060/ers/sdk (assumes ERS is enabled under global deployment settings and an ERS admin user has been created for admin access to the ERS API).
05-14-2018 01:16 PM
I don't see any reason why this can't be done, of course with a robust custom application/script.
Can you please explain the use case - Why is it being sought? Will both deployments be changed or only one will be the (sync) source & the other (sync) destination? Will the two deployments be across a WAN?
- Krish
05-15-2018 04:19 AM
Hi Krish,
thanks a lot for the response. The use case for having separate deployments is that this customer has multiple tenants with overlapping address spaces, which would mean we have duplicate NAD addresses. So the customer might have to use at least two separate deployments, but with the same policies. The policies (Authz policies especially) would be managed on deployment1, and then they would like to replicate the policy to deployment2.
Roland
Roland Mueller
05-15-2018 05:09 AM
Please send your request to the ISE product management team as a feature request.
05-15-2018 06:20 AM
Roland,
This is an interesting one. I am trying to think of the scenarios here where you could do this in a single deployment. I think in most cases the only things the customer's network should need to access are the PSNs, assuming the management company is doing all the ISE management.
I am assuming the customers are separated by a VRF. If you had a management VRF that was allowed to leak through to the customer VRFs, you could put your Admin and M&T nodes there and then the PSNs would sit in the customer VRFs.
So Customer A PSNs sit in the Customer A VRF, Customer B PSNs sit in the Customer B VRF. All PSNs are talking to the M&T and Admin nodes sitting in the management VRF via leaked routes. As long as the subnets of the PSNs and the Admin/M&T nodes aren't overlapping, it could work.
Again, just trying to think if it is possible to do this in a single deployment.
I am sure Craig will tell me "No way!", but an interesting setup to think about.