Solved: Cisco ISE 2.3 export guest account

Augustgood · ‎04-10-2018

Hi all

how i can export guest account list to an external ftp repository, i found this solution not very practical :

- rest api

- resend and print account list from sponsor portal (but it does not seem to work)

How can help me ? thx

Arne Bier · ‎04-10-2018

I am working on a very similar requirement and I am happy to share my ERS code below. Out of the box ISE does not provide the information that you are asking for, hence, ERS is the only solution we have.

I wrote the Python code below based on the skeleton code that Cisco provides in their ISE Online SDK.

All you need to do is to change the host, user and password details of your ISE PAN, and the ERS username and password (remember that this is not the ERS admin, but an internal user that is in the ERS Admin group - the SDK has a section explaining this)

I will caveat this by saying that my script is NOT complete yet (I only started yesterday) and my next challenge is to get the API to return more than 20 items. The default behaviour of ERS is to return 20 results (which can be changed) but I am unsure how to manage the case where there might be hundreds or thousands of results. It's a page by page type of concept.

import http.client
import base64
import ssl
import sys
import json

# host and authentication credentials
#host = "10.220.113.42"
host = "10.220.69.42"
user = "ersguest"
password = "Encryption123"


conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))

headers = {
    'accept': "application/json",
    'authorization': " ".join(("Basic",encodedAuth)),
    'cache-control': "no-cache",
    }

conn.request("GET", "/ers/config/guestuser/", headers=headers)

res = conn.getresponse()
data = res.read()

Rawjsondata = json.loads(data.decode("utf-8"))
blob = Rawjsondata["SearchResult"]["resources"]

for item in blob:
    print (item["name"],",",end='') # print the guest username
    conn.request("GET", item["link"]["href"], headers=headers) #Fetch the guest details data
    res = conn.getresponse() 
    data = res.read()
    Rawjsondata = json.loads(data.decode("utf-8"))
    subblob = Rawjsondata["GuestUser"] # This is the Guest detail containing stuff we want
    print(subblob["guestType"],",",end='') # Guest Type
    print(subblob["status"],",",end='') # Guest account status
    print(subblob["guestInfo"]["lastName"],",",end='') # Last name
    print(subblob["guestInfo"]["firstName"],",",end='') # First name
    print(subblob["guestInfo"]["emailAddress"]) # Login username - this is the final item

when you run the above, you can expect output like this (these are the data points I am interested in)

>>> 
 RESTART: C:\Users\arne\AppData\Local\Programs\Python\Python36\Scripts\PAN-GetAllGuestUsers.py 
jsmith ,Visitor_30 ,ACTIVE ,Smith ,Johnny ,johnny@mail.com
ledmonds ,Visitor_30 ,AWAITING_INITIAL_LOGIN ,Edmonds ,Lisa ,lisa@mail.com

View solution in original post

Arne Bier · ‎04-10-2018

I am working on a very similar requirement and I am happy to share my ERS code below. Out of the box ISE does not provide the information that you are asking for, hence, ERS is the only solution we have.

I wrote the Python code below based on the skeleton code that Cisco provides in their ISE Online SDK.

All you need to do is to change the host, user and password details of your ISE PAN, and the ERS username and password (remember that this is not the ERS admin, but an internal user that is in the ERS Admin group - the SDK has a section explaining this)

I will caveat this by saying that my script is NOT complete yet (I only started yesterday) and my next challenge is to get the API to return more than 20 items. The default behaviour of ERS is to return 20 results (which can be changed) but I am unsure how to manage the case where there might be hundreds or thousands of results. It's a page by page type of concept.

import http.client
import base64
import ssl
import sys
import json

# host and authentication credentials
#host = "10.220.113.42"
host = "10.220.69.42"
user = "ersguest"
password = "Encryption123"


conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))

headers = {
    'accept': "application/json",
    'authorization': " ".join(("Basic",encodedAuth)),
    'cache-control': "no-cache",
    }

conn.request("GET", "/ers/config/guestuser/", headers=headers)

res = conn.getresponse()
data = res.read()

Rawjsondata = json.loads(data.decode("utf-8"))
blob = Rawjsondata["SearchResult"]["resources"]

for item in blob:
    print (item["name"],",",end='') # print the guest username
    conn.request("GET", item["link"]["href"], headers=headers) #Fetch the guest details data
    res = conn.getresponse() 
    data = res.read()
    Rawjsondata = json.loads(data.decode("utf-8"))
    subblob = Rawjsondata["GuestUser"] # This is the Guest detail containing stuff we want
    print(subblob["guestType"],",",end='') # Guest Type
    print(subblob["status"],",",end='') # Guest account status
    print(subblob["guestInfo"]["lastName"],",",end='') # Last name
    print(subblob["guestInfo"]["firstName"],",",end='') # First name
    print(subblob["guestInfo"]["emailAddress"]) # Login username - this is the final item

when you run the above, you can expect output like this (these are the data points I am interested in)

>>> 
 RESTART: C:\Users\arne\AppData\Local\Programs\Python\Python36\Scripts\PAN-GetAllGuestUsers.py 
jsmith ,Visitor_30 ,ACTIVE ,Smith ,Johnny ,johnny@mail.com
ledmonds ,Visitor_30 ,AWAITING_INITIAL_LOGIN ,Edmonds ,Lisa ,lisa@mail.com

ajc · ‎03-25-2019

Hi Arne,

Did you get more than 20 entries?. Would you mind sharing your code?

thanks

Arne Bier · ‎03-25-2019

Hi @ajc

I have not touched this stuff in ages. I am battling to get my REST API talking to my ISE 2.4 patch 6 node - the REST call is working in general, but not working when I try to access the guest user stuff.

Maybe you can remind me of the quirks involved to get this working?

As you can see below I am using a local Admin ERS user called restapi and the password is Encryption123

I can query the current node details via REST API

(ise) [admin-biera@iptel-centos-01 ise]$ curl -k -X GET https://restapi:Encryption123@192.168.0.221:9060/ers/config/node/ -H 'ACCEPT: application/json'
{
  "SearchResult" : {
    "total" : 1,
    "resources" : [ {
      "id" : "aee5cb10-42d6-11e8-9914-0050568a2395",
      "name" : "ise01",
      "link" : {
        "rel" : "self",
        "href" : "https://192.168.0.221:9060/ers/config/node/aee5cb10-42d6-11e8-9914-0050568a2395",
        "type" : "application/xml"
      }
    } ]
  }
}
(ise) [admin-biera@iptel-centos-01 ise]$

But when I try the same thing to the guestusers I get 401 error

(ise) [admin-biera@iptel-centos-01 ise]$ curl -k -X GET https://restapi:Encryption123@192.168.0.221:9060/ers/config/guestusers/ -H 'ACCEPT: application/json'


<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 – Unauthorized</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The request has not been applied because it lacks valid authentication credentials for the target resource.</p><hr class="line" /><h3></h3></body></html>

(ise) [admin-biera@iptel-centos-01 ise]$

I remembered that one has to enable REST support udner Sponsor Group explicitly - I only have one Active Sponsor Group as shown below - but still doesn't work for me. I don't know where I have gone wrong.

The restapi user is a member of the default ERS Admin Group.

Arne Bier · ‎03-26-2019

Hi @ajc

I saw a related posting from someone else on this forum and they shared their python code when dealing with multiple pages of data

def get_device_list(s):
    """
    Return list of the Network Devices
    Maximum is 100 devices per page ?size=100
    Go through the pages &page = 1
    """
    url = "https://" + ISE_SERVER + ":9060/ers/config/networkdevice?size=100&page="
    url = url + "1"
     resp= requests.request("GET", url, data=payload, headers=headers, params=querystring)
    
    device_list = []

    if resp.status_code == 200:
        result  = resp.json()['SearchResult']
        total = result['total']
        pages = total / 100 + 1
        for page in range (1, int(pages + 1)):
            resp= requests.request("GET", url + str(page), data=payload, headers=headers, params=querystring)
            if resp.ok:
                result = resp.json()['SearchResult']['resources']
                for item in result:
                    device = {}
                    device['id'] = item['id']
                    device['name'] = item['name']
                    """ Not all devices has description field """
                    # device['description'] = item['description']
                    device['link'] = item['link']['href']
                    device_list.append(device)

    return device_list