Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1175
Views
5
Helpful
1
Replies

Using Ansible/Nornir to remove authentication open for ISE enforcement

Go to solution
waqas gondal
Level 1
Level 1

‎09-14-2020 01:16 PM

Hi

 

I am working on putting ISE into enforcement mode on production switches for 802.1x wired auth.

 

Currently the access interfaces all have authentication open which needs to be removed.

 

I have Ansible installed and ready to configure switches. I could also use python with Nornir.

 

Is there anyway I could configure a playbook to find any interfaces that have 'authentication open' and remove it? It would help if this same playbook could be used to revert if enforcement doesn't work.

 

This type of config would also help switch to c3pl down the road.

 

Thanks!

Waqas

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎09-16-2020 08:08 PM

Hi

If you use your python script with nornir or other librairy, you'll need to get the content of each interface and parse it to see which one has authentication open vs which one doesn't. 

You can parse it using regex or textfsm or ciscoconfparse.

Then, based on that you'll need to apply the new setting and I recommend you save the information of switch and interface modified into a database or json file (the one you prefer). So, if you need to revert, you'll need connect only on switches present in this database and modify only the modified interfaces (you avoid parsing again all config).

 

With ansible, there is a collection cisco.ios and especially the module ios_interface.py (https://github.com/ansible-collections/cisco.ios/blob/main/plugins/modules/ios_interface.py).

This module allows to modify basic interface configuration but you can personalize it for your specific dot1x config by using a parameter dot1x with value open or close. So, when you build your playbook, you'll have a parameter with the value close to change the authentication to close mode and put open when you want to revert.

 

Hope this is clear and helpful.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

1 Reply 1

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎09-16-2020 08:08 PM

Hi

If you use your python script with nornir or other librairy, you'll need to get the content of each interface and parse it to see which one has authentication open vs which one doesn't. 

You can parse it using regex or textfsm or ciscoconfparse.

Then, based on that you'll need to apply the new setting and I recommend you save the information of switch and interface modified into a database or json file (the one you prefer). So, if you need to revert, you'll need connect only on switches present in this database and modify only the modified interfaces (you avoid parsing again all config).

 

With ansible, there is a collection cisco.ios and especially the module ios_interface.py (https://github.com/ansible-collections/cisco.ios/blob/main/plugins/modules/ios_interface.py).

This module allows to modify basic interface configuration but you can personalize it for your specific dot1x config by using a parameter dot1x with value open or close. So, when you build your playbook, you'll have a parameter with the value close to change the authentication to close mode and put open when you want to revert.

 

Hope this is clear and helpful.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Customers Also Viewed These Support Documents