cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
149
Views
5
Helpful
1
Replies
Highlighted
Beginner

Using Ansible/Nornir to remove authentication open for ISE enforcement

Hi

 

I am working on putting ISE into enforcement mode on production switches for 802.1x wired auth.

 

Currently the access interfaces all have authentication open which needs to be removed.

 

I have Ansible installed and ready to configure switches. I could also use python with Nornir.

 

Is there anyway I could configure a playbook to find any interfaces that have 'authentication open' and remove it? It would help if this same playbook could be used to revert if enforcement doesn't work.

 

This type of config would also help switch to c3pl down the road.

 

Thanks!

Waqas

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Mentor

Hi

If you use your python script with nornir or other librairy, you'll need to get the content of each interface and parse it to see which one has authentication open vs which one doesn't. 

You can parse it using regex or textfsm or ciscoconfparse.

Then, based on that you'll need to apply the new setting and I recommend you save the information of switch and interface modified into a database or json file (the one you prefer). So, if you need to revert, you'll need connect only on switches present in this database and modify only the modified interfaces (you avoid parsing again all config).

 

With ansible, there is a collection cisco.ios and especially the module ios_interface.py (https://github.com/ansible-collections/cisco.ios/blob/main/plugins/modules/ios_interface.py).

This module allows to modify basic interface configuration but you can personalize it for your specific dot1x config by using a parameter dot1x with value open or close. So, when you build your playbook, you'll have a parameter with the value close to change the authentication to close mode and put open when you want to revert.

 

Hope this is clear and helpful.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

1 REPLY 1
Highlighted
VIP Mentor

Hi

If you use your python script with nornir or other librairy, you'll need to get the content of each interface and parse it to see which one has authentication open vs which one doesn't. 

You can parse it using regex or textfsm or ciscoconfparse.

Then, based on that you'll need to apply the new setting and I recommend you save the information of switch and interface modified into a database or json file (the one you prefer). So, if you need to revert, you'll need connect only on switches present in this database and modify only the modified interfaces (you avoid parsing again all config).

 

With ansible, there is a collection cisco.ios and especially the module ios_interface.py (https://github.com/ansible-collections/cisco.ios/blob/main/plugins/modules/ios_interface.py).

This module allows to modify basic interface configuration but you can personalize it for your specific dot1x config by using a parameter dot1x with value open or close. So, when you build your playbook, you'll have a parameter with the value close to change the authentication to close mode and put open when you want to revert.

 

Hope this is clear and helpful.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post