Python wrapper for Cisco ISE ERS API
Project description
ISE
Python module to manage Cisco ISE via the REST API.
History
All initial work is done by https://github.com/bobthebutcher and https://github.com/mpenning.
I forked from them and updated so it worked with ISE 2.2.x and changed all functions to json calls.
- Merged back from the work that https://github.com/karrots has done efter I paused the updates.
- Converted to pipenv packages instead of requirements.txt
- Updated to ISE 2.4.x
- Merged back from the work that https://github.com/msom has done with some good device fixes.
- One big thing is that module is now renamed from ise.cream to just ise.
- First publish to PyPi with the help of https://github.com/JonasKs.
- Add support for ISE CSRF and some TrustSec objects (SGT, SGACL, Egress Policy Matrix) https://github.com/joshand.
Status
Tested and used in our environment at work. But as usual it's up to you to test this out in a test environment so everything works as intended.
Is you have any suggestions or find a bug, create a issue and I'll try to fix it :)
Testing
Testing has been completed on the following ISE versions:
- v2.4.0.357 and with python 3.7.3
- v2.4.0.357 (Patch 11), Python 3.7.7 (joshand)
- v2.7.0.356 (Patch 1), Python 3.7.7 (joshand)
Until a mock of ERS-API is done, a simple test is in test/test_ers.py
To run tests:
- make a copy of config-DEFAULT.py to config.py
- edit uri with settings to your test ise
- run python test-ers.py
Enable REST API
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ers1.html#pgfId-1079790 Need to add an ISE Administrator with the "ERS-Admin" or "ERS-Operator" group assignment is required to use the API.
Installation
From PyPi
pip install ISE
From Repository
mkdir path/to/ise
cd path/to/ise
git clone https://github.com/falkowich/ise.git
Add to path
import sys
sys.path.append('/path/to/ise/')
Usage
from ise import ERS
ise = ERS(ise_node='192.168.0.10', ers_user='ers', ers_pass='supersecret', verify=False, disable_warnings=True)
If ISE is configured to require CSRF for ERS requests for Enhanced Security, you can add the "use_csrf" tag:
from ise import ERS
ise = ERS(ise_node='192.168.0.10', ers_user='ers', ers_pass='supersecret', verify=False, disable_warnings=True, use_csrf=True)
Methods return a result dictionary
{
'success': True/False,
'response': 'Response from request',
'error': 'Error if any',
}
Get a list of identity groups
ise.get_identity_groups()['response']
[('NetworkAdmin',
'5f0b74f0-14e9-11e5-a7a6-00505683258b',
'Group for Network Admins with CLI access to network equipment'),
('OWN_ACCOUNTS (default)',
'cecdab40-8d30-11e5-82ce-005056834dc2',
'Default OWN_ACCOUNTS (default) User Group'),
('GuestType_Contractor (default)',
'c9b6b890-8d30-11e5-82ce-005056834dc2',
'Identity group mirroring the guest type '),
...]
Get details about an identity group
ise.get_identity_group(group='Employee')['response']
{'description': 'Default Employee User Group',
'id': 'f80e5ce0-f42e-11e2-bd54-005056bf2f0a',
'link': {'href': 'https://10.8.2.61:9060/ers/config/identitygroup/f80e5ce0-f42e-11e2-bd54-005056bf2f0a',
'rel': 'self',
'type': 'application/xml'},
'name': 'Employee',
'parent': 'NAC Group:NAC:IdentityGroups:User Identity Groups'}
Get details about an endpoint
ise.get_endpoint_group(group='Resurs')['response']
{'description': '',
'id': 'bf6bdcf0-14ed-11e5-a7a6-00505683258b',
'link': {'href': 'https://10.8.2.61:9060/ers/config/endpointgroup/bf6bdcf0-14ed-11e5-a7a6-00505683258b',
'rel': 'self',
'type': 'application/xml'},
'name': 'Resurs',
'systemDefined': False}
Get endpoint identity groups
ise.get_endpoint_groups()['response']
[('Cisco-IP-Phone',
'265079a0-6d8e-11e5-978e-005056bf2f0a',
'Identity Group for Profile: Cisco-IP-Phone'),
('Resurs', '32c8eb40-6d8e-11e5-978e-005056bf2f0a', ''),
...]
Add endpoint
ise.add_endpoint(name='test02', mac='AA:BB:CC:00:11:24', group_id='bf6bdcf0-14ed-11e5-a7a6-00505683258b', description='test02')
{'response': 'test02 Added Successfully', 'success': True, 'error': ''}
Delete endpoint
ise.delete_endpoint(mac='AA:BB:CC:00:11:27')
{'error': '', 'response': 'AA:BB:CC:00:11:27 Deleted Successfully', 'success': True}
Get a list of internal users
ise.get_users()['response']
[('test01', '85fd1eb0-c6fa-11e5-b6b6-000c297b78b4'),
('test02', '54fd1eb0-c5fb-54e5-b6b6-00204597b28b1'),
...]
Get details about an internal user
ise.get_user(user_id='test02')['response']
{'changePassword': False,
'customAttributes': {},
'enablePassword': '*******',
'enabled': True,
'expiryDateEnabled': False,
'id': '54fd1eb0-c5fb-54e5-b6b6-00204597b28b1',
'identityGroups': '5f0b74f0-14e9-11e5-a7a6-00505683258b',
'link': {'href': 'https://10.8.2.61:9060/ers/config/internaluser/a837bd55-f2b7-41e3-b0ff-c5ddf9af398c',
'rel': 'self',
'type': 'application/xml'},
'name': 'test02',
'password': '*******',
'passwordIDStore': 'Internal Users'}
Add an internal user
ise.add_user(user_id='test11', password='TeStInG11', user_group_oid='5f0b74f0-14e9-11e5-a7a6-00505683258b')
{'error': '', 'response': 'test11 Added Successfully', 'success': True}
Delete an internal user
ise.delete_user(user_id='test11')
{'error': '', 'response': 'test11 Deleted Successfully', 'success': True}
Get a list of devices
ise.get_devices()['response']
[('TestDevice01', '6680f410-5277-11e5-9a52-05505683258b'),
('TestDevice02', '64d9b32-5c56-11e5-9a52-00502683258b'),
...]
Get details about a device
ise.get_device(device='TestDevice02')['response']
{'NetworkDeviceGroupList': ['Stage#Stage',
'Device Type#All Device Types#Linux',
'Location#All Locations'],
'NetworkDeviceIPList': [{'ipaddress': '10.8.1.55', 'mask': 32}],
'authenticationSettings': {'enableKeyWrap': False,
'keyInputFormat': 'ASCII',
'networkProtocol': 'RADIUS',
'radiusSharedSecret': '******'},
'coaPort': 0,
'id': '74d9b830-5c76-11e5-9a52-00505683258b',
'link': {'href': 'https://10.8.2.61:9060/ers/config/networkdevice/74d9b830-5c76-11e5-9a52-00505683258b',
'rel': 'self',
'type': 'application/xml'},
'modelName': 'Linux',
'name': 'TestDevice02',
'profileName': 'Cisco'}
Get a list of device groups
ise.get_device_groups()['response']
[('Device Type#All Device Types', '526240e0-f42e-11e2-bd54-005056bf2f0a'),
('Device Type#All Device Types#Switch', 'e25bd190-14e6-11e5-a7a6-00505683258b'),
('Device Type#All Device Types#Wism', 'e6b085b0-14e6-11e5-a7a6-00505683258b'),
('IPSEC#Is IPSEC Device', '0d3f19b0-30c1-11e7-88b5-005056834dc2'),
('IPSEC#Is IPSEC Device#No', '0dac0c50-30c1-11e7-88b5-005056834dc2'),
('IPSEC#Is IPSEC Device#Yes', '0d74f6c0-30c1-11e7-88b5-005056834dc2'),
('Location#All Locations', '522b7970-f42e-11e2-bd54-005056bf2f0a'),
...]
Add a device
ise.add_device(name='testdevice03',
ip_address='192.168.10.10',
radius_key='foo',
snmp_ro='bar',
dev_group='Stage#Stage#Closed',
dev_location='Location#All Locations#Site21',
dev_type='Device Type#All Device Types#Switch')
{'error': '', 'response': 'testdevice03 Added Successfully', 'success': True}
Delete a device
ise.delete_device(device='testdevice03')
{'error': '', 'response': 'testdevice03 Deleted Successfully', 'success': True}
Get all Security Groups (SGTs)
ise.get_sgts()
{'success': True, 'response': [('Contractors', '4f9c8050-8f9f-11ea-b8e4-ca18718347e2'), ('Employees', 'a34ae530-59a2-11ea-a6b9-26b516ce162b'), ('Guest', '440dd8b0-7da7-11ea-bb75-261e6ff61f42'), ('IoT_Devices', '55bd68f0-8f9f-11ea-b8e4-ca18718347e2'), ('IoT_Servers', '36369eb0-8fa0-11ea-b8e4-ca18718347e2'), ('Servers', '385cbd90-8fa1-11ea-b8e4-ca18718347e2'), ('TrustSec_Devices', '947832a0-8c01-11e6-996c-525400b48521'), ('Unknown', '92adf9f0-8c01-11e6-996c-525400b48521')], 'error': '', 'total': 8}
Get Specific SGT
ise.get_sgt("Unknown")
ise.get_sgt(0)
ise.get_sgt("92adf9f0-8c01-11e6-996c-525400b48521")
{'success': True, 'response': {'id': '92adf9f0-8c01-11e6-996c-525400b48521', 'name': 'Unknown', 'description': 'Unknown Security Group', 'value': 0, 'generationId': '1', 'propogateToApic': False, 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgt/92adf9f0-8c01-11e6-996c-525400b48521', 'type': 'application/json'}}, 'error': ''}
Add a SGT
ise.add_sgt("Python_Users", "Group used for all Python Users", 56789, return_object=True)
{'success': True, 'response': {'id': 'd4696690-97ba-11ea-9614-caf56bcd6712', 'name': 'Python_Users', 'description': 'Group used for all Python Users', 'value': 56789, 'generationId': '0', 'propogateToApic': False, 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgt/d4696690-97ba-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}
Update a SGT
ise.update_sgt("d4696690-97ba-11ea-9614-caf56bcd6712", "Python_Tests", "Testing for Python Users", 45678, return_object=True)
{'success': True, 'response': {'id': 'd4696690-97ba-11ea-9614-caf56bcd6712', 'name': 'Python_Tests', 'description': 'Testing for Python Users', 'value': 45678, 'generationId': '0', 'propogateToApic': False, 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgt/d4696690-97ba-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}
Delete a SGT
ise.delete_sgt("d4696690-97ba-11ea-9614-caf56bcd6712")
{'success': True, 'response': 'd4696690-97ba-11ea-9614-caf56bcd6712 Deleted Successfully', 'error': ''}
Get all Security Groups ACLs (SGACLs)
ise.get_sgacls()
{'success': True, 'response': [('Block_All', '7c9b4a80-8fa1-11ea-b8e4-ca18718347e2'), ('Deny IP', '92919850-8c01-11e6-996c-525400b48521'), ('Deny_ICMP', 'c21dfa60-59a2-11ea-a6b9-26b516ce162b'), ('Deny_IP_Log', '0e6d3830-0684-11ea-ace5-42a6b55c5ca6'), ('Permit IP', '92951ac0-8c01-11e6-996c-525400b48521'), ('Permit_FTP', '761b9e50-7e01-11ea-bb75-261e6ff61f42'), ('Permit_IP_Log', '0e6aee40-0684-11ea-ace5-42a6b55c5ca6'), ('Permit_MQTT', '1470fa00-5a85-11ea-a6b9-26b516ce162b')], 'error': '', 'total': 8}
Get Specific SGACL
ise.get_sgacl("Permit IP")
ise.get_sgacl("92951ac0-8c01-11e6-996c-525400b48521")
{'success': True, 'response': {'id': '92951ac0-8c01-11e6-996c-525400b48521', 'name': 'Permit IP', 'description': 'Permit IP SGACL', 'generationId': '0', 'aclcontent': 'permit ip', 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgacl/92951ac0-8c01-11e6-996c-525400b48521', 'type': 'application/json'}}, 'error': ''}
Add a SGACL
ise.add_sgacl("Python_ACL", "Access List for Python Access", "IP_AGNOSTIC", ["permit tcp dst eq 80"], return_object=True)
{'success': True, 'response': {'id': '7a820000-97bb-11ea-9614-caf56bcd6712', 'name': 'Python_ACL', 'description': 'Access List for Python Access', 'generationId': '0', 'aclcontent': 'permit tcp dst eq 80', 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgacl/7a820000-97bb-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}
Update a SGACL
ise.update_sgacl("7a820000-97bb-11ea-9614-caf56bcd6712", "Python_Access_List", "Python Access List", "IPV4", ["permit tcp src eq 80"], return_object=True)
{'success': True, 'response': {'id': '7a820000-97bb-11ea-9614-caf56bcd6712', 'name': 'Python_Access_List', 'description': 'Python Access List', 'generationId': '1', 'ipVersion': 'IPV4', 'aclcontent': 'permit tcp src eq 80', 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgacl/7a820000-97bb-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}
Delete a SGT
ise.delete_sgacl("7a820000-97bb-11ea-9614-caf56bcd6712")
{'success': True, 'response': '7a820000-97bb-11ea-9614-caf56bcd6712 Deleted Successfully', 'error': ''}
Get all TrustSec Egress Matrix Cells (Policies)
ise.get_egressmatrixcells()
{'success': True, 'response': [('ANY-ANY', '92c1a900-8c01-11e6-996c-525400b48521'), ('Contractors-Servers', '5251ca60-8fa1-11ea-b8e4-ca18718347e2'), ('Contractors-IoT_Devices', 'de7859b0-8fa0-11ea-b8e4-ca18718347e2'), ('Employees-Servers', '5fb81e71-8fa1-11ea-b8e4-ca18718347e2'), ('Employees-Employees', 'd2d88280-59a2-11ea-a6b9-26b516ce162b'), ('Employees-IoT_Devices', 'e18ac9d1-8fa0-11ea-b8e4-ca18718347e2'), ('Employees-TrustSec_Devices', 'ee035030-59a2-11ea-a6b9-26b516ce162b'), ('Guest-IoT_Devices', 'e4d49da1-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-IoT_Devices', 'b0eccdf0-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-IoT_Servers', 'b7e6d880-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-Contractors', 'c82308e0-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-Employees', 'cb276f40-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-Guest', 'ce1e4110-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-TrustSec_Devices', 'd1e33851-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-Unknown', 'd68d3860-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Servers-IoT_Devices', 'bc784780-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Servers-IoT_Servers', 'c069f410-8fa0-11ea-b8e4-ca18718347e2'), ('TrustSec_Devices-IoT_Devices', 'e94bcde1-8fa0-11ea-b8e4-ca18718347e2'), ('Unknown-IoT_Devices', 'f3e9da31-8fa0-11ea-b8e4-ca18718347e2')], 'error': '', 'total': 19}
Get Specific Egress Matrix Cell
ise.get_egressmatrixcell("Default egress rule")
ise.get_egressmatrixcell(None, src_sgt="92bb1950-8c01-11e6-996c-525400b48521", dst_sgt="92bb1950-8c01-11e6-996c-525400b48521")
{'success': True, 'response': {'id': '92c1a900-8c01-11e6-996c-525400b48521', 'name': 'ANY-ANY', 'description': 'Default egress rule', 'sourceSgtId': '92bb1950-8c01-11e6-996c-525400b48521', 'destinationSgtId': '92bb1950-8c01-11e6-996c-525400b48521', 'matrixCellStatus': 'ENABLED', 'defaultRule': 'PERMIT_IP', 'sgacls': ['92951ac0-8c01-11e6-996c-525400b48521'], 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/egressmatrixcell/92c1a900-8c01-11e6-996c-525400b48521', 'type': 'application/json'}}, 'error': ''}
Add a Egress Matrix Cell
ise.add_egressmatrixcell(source_sgt="Unknown", destination_sgt="TrustSec_Devices", default_rule="PERMIT_IP", return_object=True)
{'success': True, 'response': {'id': '6f76b621-97bf-11ea-9614-caf56bcd6712', 'name': 'Unknown-TrustSec_Devices', 'sourceSgtId': '92adf9f0-8c01-11e6-996c-525400b48521', 'destinationSgtId': '947832a0-8c01-11e6-996c-525400b48521', 'matrixCellStatus': 'ENABLED', 'defaultRule': 'PERMIT_IP', 'sgacls': ['92951ac0-8c01-11e6-996c-525400b48521'], 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/egressmatrixcell/6f76b621-97bf-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}
Update a Egress Matrix Cell
ise.update_egressmatrixcell("6f76b621-97bf-11ea-9614-caf56bcd6712", source_sgt="Unknown", destination_sgt="TrustSec_Devices", default_rule="NONE", acls=["Deny IP"], description="Description", return_object=True)
{'success': True, 'response': {'id': '6f76b621-97bf-11ea-9614-caf56bcd6712', 'name': 'Unknown-TrustSec_Devices', 'description': 'Description', 'sourceSgtId': '92adf9f0-8c01-11e6-996c-525400b48521', 'destinationSgtId': '947832a0-8c01-11e6-996c-525400b48521', 'matrixCellStatus': 'ENABLED', 'defaultRule': 'DENY_IP', 'sgacls': ['92919850-8c01-11e6-996c-525400b48521'], 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/egressmatrixcell/6f76b621-97bf-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}
Delete a Egress Matrix Cell
ise.delete_egressmatrixcell("6f76b621-97bf-11ea-9614-caf56bcd6712")
{'success': True, 'response': '6f76b621-97bf-11ea-9614-caf56bcd6712 Deleted Successfully', 'error': ''}
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file ISE-0.1.2.tar.gz
.
File metadata
- Download URL: ISE-0.1.2.tar.gz
- Upload date:
- Size: 15.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.4.0 requests-toolbelt/0.9.1 tqdm/4.46.0 CPython/3.7.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7a36d43b379a96e992199ee74151e11b8eff52aa4941b4e9d38e0d4bd5c4de0f |
|
MD5 | 101be36f5ad51ad5587075102630d0f6 |
|
BLAKE2b-256 | ee570bdf6ccfedc58ec9c3ad792b5eae9d87a16943eabc9b2766b3b7a4e4a056 |
File details
Details for the file ISE-0.1.2-py3-none-any.whl
.
File metadata
- Download URL: ISE-0.1.2-py3-none-any.whl
- Upload date:
- Size: 19.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.4.0 requests-toolbelt/0.9.1 tqdm/4.46.0 CPython/3.7.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | cafd3cc83f6178838764de79e59995ad1bebe67e6fba47ae4926f8f2c31a8e74 |
|
MD5 | 2cecbd5390ca56380b89b853bdaff1d9 |
|
BLAKE2b-256 | 68d1e258bf166edb907f5bedb19a825ee4ad7d4e3f70166c7338af90c657d010 |