Skip to main content

Python wrapper for Cisco ISE ERS API

Project description

Known Vulnerabilities Maintainability Publish PyPI and TestPyPI

ISE

Python module to manage Cisco ISE via the REST API.

History

All initial work is done by https://github.com/bobthebutcher and https://github.com/mpenning.
I forked from them and updated so it worked with ISE 2.2.x and changed all functions to json calls.

  • Merged back from the work that https://github.com/karrots has done efter I paused the updates.
  • Converted to pipenv packages instead of requirements.txt
  • Updated to ISE 2.4.x
  • Merged back from the work that https://github.com/msom has done with some good device fixes.
    • One big thing is that module is now renamed from ise.cream to just ise.
  • First publish to PyPi with the help of https://github.com/JonasKs.
  • Add support for ISE CSRF and some TrustSec objects (SGT, SGACL, Egress Policy Matrix) https://github.com/joshand.

Status

Tested and used in our environment at work. But as usual it's up to you to test this out in a test environment so everything works as intended.

Is you have any suggestions or find a bug, create a issue and I'll try to fix it :)

Testing

Testing has been completed on the following ISE versions:

  • v2.4.0.357 and with python 3.7.3
  • v2.4.0.357 (Patch 11), Python 3.7.7 (joshand)
  • v2.7.0.356 (Patch 1), Python 3.7.7 (joshand)

Until a mock of ERS-API is done, a simple test is in test/test_ers.py
To run tests:

  • make a copy of config-DEFAULT.py to config.py
  • edit uri with settings to your test ise
  • run python test-ers.py

Enable REST API

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/api_ref_guide/api_ref_book/ise_api_ref_ers1.html#pgfId-1079790 Need to add an ISE Administrator with the "ERS-Admin" or "ERS-Operator" group assignment is required to use the API.

Installation

From PyPi

pip install ISE

From Repository

mkdir path/to/ise
cd path/to/ise
git clone https://github.com/falkowich/ise.git
Add to path
import sys
sys.path.append('/path/to/ise/')

Usage

from ise import ERS
ise = ERS(ise_node='192.168.0.10', ers_user='ers', ers_pass='supersecret', verify=False, disable_warnings=True)

If ISE is configured to require CSRF for ERS requests for Enhanced Security, you can add the "use_csrf" tag:

from ise import ERS
ise = ERS(ise_node='192.168.0.10', ers_user='ers', ers_pass='supersecret', verify=False, disable_warnings=True, use_csrf=True)

Methods return a result dictionary

{
    'success': True/False,
    'response': 'Response from request',
    'error': 'Error if any',
}

Get a list of identity groups

ise.get_identity_groups()['response']

[('NetworkAdmin',
  '5f0b74f0-14e9-11e5-a7a6-00505683258b',
  'Group for Network Admins with CLI access to network equipment'),
 ('OWN_ACCOUNTS (default)',
  'cecdab40-8d30-11e5-82ce-005056834dc2',
  'Default OWN_ACCOUNTS (default) User Group'),
 ('GuestType_Contractor (default)',
  'c9b6b890-8d30-11e5-82ce-005056834dc2',
  'Identity group mirroring the guest type '),
 ...]

Get details about an identity group

ise.get_identity_group(group='Employee')['response']

{'description': 'Default Employee User Group',
 'id': 'f80e5ce0-f42e-11e2-bd54-005056bf2f0a',
 'link': {'href': 'https://10.8.2.61:9060/ers/config/identitygroup/f80e5ce0-f42e-11e2-bd54-005056bf2f0a',
          'rel': 'self',
          'type': 'application/xml'},
 'name': 'Employee',
 'parent': 'NAC Group:NAC:IdentityGroups:User Identity Groups'}

Get details about an endpoint

ise.get_endpoint_group(group='Resurs')['response']

 {'description': '',
 'id': 'bf6bdcf0-14ed-11e5-a7a6-00505683258b',
 'link': {'href': 'https://10.8.2.61:9060/ers/config/endpointgroup/bf6bdcf0-14ed-11e5-a7a6-00505683258b',
          'rel': 'self',
          'type': 'application/xml'},
 'name': 'Resurs',
 'systemDefined': False}

Get endpoint identity groups

ise.get_endpoint_groups()['response']

  [('Cisco-IP-Phone',
    '265079a0-6d8e-11e5-978e-005056bf2f0a',
    'Identity Group for Profile: Cisco-IP-Phone'),
   ('Resurs', '32c8eb40-6d8e-11e5-978e-005056bf2f0a', ''),
   ...]

Add endpoint

ise.add_endpoint(name='test02', mac='AA:BB:CC:00:11:24', group_id='bf6bdcf0-14ed-11e5-a7a6-00505683258b', description='test02')
{'response': 'test02 Added Successfully', 'success': True, 'error': ''}

Delete endpoint

ise.delete_endpoint(mac='AA:BB:CC:00:11:27')
{'error': '', 'response': 'AA:BB:CC:00:11:27 Deleted Successfully', 'success': True}

Get a list of internal users

ise.get_users()['response']

[('test01', '85fd1eb0-c6fa-11e5-b6b6-000c297b78b4'),
 ('test02', '54fd1eb0-c5fb-54e5-b6b6-00204597b28b1'),
 ...]

Get details about an internal user

ise.get_user(user_id='test02')['response']

{'changePassword': False,
 'customAttributes': {},
 'enablePassword': '*******',
 'enabled': True,
 'expiryDateEnabled': False,
 'id': '54fd1eb0-c5fb-54e5-b6b6-00204597b28b1',
 'identityGroups': '5f0b74f0-14e9-11e5-a7a6-00505683258b',
 'link': {'href': 'https://10.8.2.61:9060/ers/config/internaluser/a837bd55-f2b7-41e3-b0ff-c5ddf9af398c',
          'rel': 'self',
          'type': 'application/xml'},
 'name': 'test02',
 'password': '*******',
 'passwordIDStore': 'Internal Users'}

Add an internal user

ise.add_user(user_id='test11', password='TeStInG11', user_group_oid='5f0b74f0-14e9-11e5-a7a6-00505683258b')

{'error': '', 'response': 'test11 Added Successfully', 'success': True}

Delete an internal user

ise.delete_user(user_id='test11')

{'error': '', 'response': 'test11 Deleted Successfully', 'success': True}

Get a list of devices

ise.get_devices()['response']

[('TestDevice01', '6680f410-5277-11e5-9a52-05505683258b'),
 ('TestDevice02', '64d9b32-5c56-11e5-9a52-00502683258b'),
 ...]

Get details about a device

ise.get_device(device='TestDevice02')['response']

{'NetworkDeviceGroupList': ['Stage#Stage',
                            'Device Type#All Device Types#Linux',
                            'Location#All Locations'],
 'NetworkDeviceIPList': [{'ipaddress': '10.8.1.55', 'mask': 32}],
 'authenticationSettings': {'enableKeyWrap': False,
                            'keyInputFormat': 'ASCII',
                            'networkProtocol': 'RADIUS',
                            'radiusSharedSecret': '******'},
 'coaPort': 0,
 'id': '74d9b830-5c76-11e5-9a52-00505683258b',
 'link': {'href': 'https://10.8.2.61:9060/ers/config/networkdevice/74d9b830-5c76-11e5-9a52-00505683258b',
          'rel': 'self',
          'type': 'application/xml'},
 'modelName': 'Linux',
 'name': 'TestDevice02',
 'profileName': 'Cisco'}

Get a list of device groups

ise.get_device_groups()['response']

[('Device Type#All Device Types', '526240e0-f42e-11e2-bd54-005056bf2f0a'),
 ('Device Type#All Device Types#Switch', 'e25bd190-14e6-11e5-a7a6-00505683258b'),
 ('Device Type#All Device Types#Wism', 'e6b085b0-14e6-11e5-a7a6-00505683258b'),
 ('IPSEC#Is IPSEC Device', '0d3f19b0-30c1-11e7-88b5-005056834dc2'),
 ('IPSEC#Is IPSEC Device#No', '0dac0c50-30c1-11e7-88b5-005056834dc2'),
 ('IPSEC#Is IPSEC Device#Yes', '0d74f6c0-30c1-11e7-88b5-005056834dc2'),
 ('Location#All Locations', '522b7970-f42e-11e2-bd54-005056bf2f0a'),
 ...]

Add a device

ise.add_device(name='testdevice03',
               ip_address='192.168.10.10',
               radius_key='foo',
               snmp_ro='bar',
               dev_group='Stage#Stage#Closed',
               dev_location='Location#All Locations#Site21',
               dev_type='Device Type#All Device Types#Switch')

{'error': '', 'response': 'testdevice03 Added Successfully', 'success': True}

Delete a device

ise.delete_device(device='testdevice03')

{'error': '', 'response': 'testdevice03 Deleted Successfully', 'success': True}

Get all Security Groups (SGTs)

ise.get_sgts()

{'success': True, 'response': [('Contractors', '4f9c8050-8f9f-11ea-b8e4-ca18718347e2'), ('Employees', 'a34ae530-59a2-11ea-a6b9-26b516ce162b'), ('Guest', '440dd8b0-7da7-11ea-bb75-261e6ff61f42'), ('IoT_Devices', '55bd68f0-8f9f-11ea-b8e4-ca18718347e2'), ('IoT_Servers', '36369eb0-8fa0-11ea-b8e4-ca18718347e2'), ('Servers', '385cbd90-8fa1-11ea-b8e4-ca18718347e2'), ('TrustSec_Devices', '947832a0-8c01-11e6-996c-525400b48521'), ('Unknown', '92adf9f0-8c01-11e6-996c-525400b48521')], 'error': '', 'total': 8}

Get Specific SGT

ise.get_sgt("Unknown")
ise.get_sgt(0)
ise.get_sgt("92adf9f0-8c01-11e6-996c-525400b48521")

{'success': True, 'response': {'id': '92adf9f0-8c01-11e6-996c-525400b48521', 'name': 'Unknown', 'description': 'Unknown Security Group', 'value': 0, 'generationId': '1', 'propogateToApic': False, 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgt/92adf9f0-8c01-11e6-996c-525400b48521', 'type': 'application/json'}}, 'error': ''}

Add a SGT

ise.add_sgt("Python_Users", "Group used for all Python Users", 56789, return_object=True)

{'success': True, 'response': {'id': 'd4696690-97ba-11ea-9614-caf56bcd6712', 'name': 'Python_Users', 'description': 'Group used for all Python Users', 'value': 56789, 'generationId': '0', 'propogateToApic': False, 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgt/d4696690-97ba-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}

Update a SGT

ise.update_sgt("d4696690-97ba-11ea-9614-caf56bcd6712", "Python_Tests", "Testing for Python Users", 45678, return_object=True)

{'success': True, 'response': {'id': 'd4696690-97ba-11ea-9614-caf56bcd6712', 'name': 'Python_Tests', 'description': 'Testing for Python Users', 'value': 45678, 'generationId': '0', 'propogateToApic': False, 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgt/d4696690-97ba-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}

Delete a SGT

ise.delete_sgt("d4696690-97ba-11ea-9614-caf56bcd6712")

{'success': True, 'response': 'd4696690-97ba-11ea-9614-caf56bcd6712 Deleted Successfully', 'error': ''}

Get all Security Groups ACLs (SGACLs)

ise.get_sgacls()

{'success': True, 'response': [('Block_All', '7c9b4a80-8fa1-11ea-b8e4-ca18718347e2'), ('Deny IP', '92919850-8c01-11e6-996c-525400b48521'), ('Deny_ICMP', 'c21dfa60-59a2-11ea-a6b9-26b516ce162b'), ('Deny_IP_Log', '0e6d3830-0684-11ea-ace5-42a6b55c5ca6'), ('Permit IP', '92951ac0-8c01-11e6-996c-525400b48521'), ('Permit_FTP', '761b9e50-7e01-11ea-bb75-261e6ff61f42'), ('Permit_IP_Log', '0e6aee40-0684-11ea-ace5-42a6b55c5ca6'), ('Permit_MQTT', '1470fa00-5a85-11ea-a6b9-26b516ce162b')], 'error': '', 'total': 8}

Get Specific SGACL

ise.get_sgacl("Permit IP")
ise.get_sgacl("92951ac0-8c01-11e6-996c-525400b48521")

{'success': True, 'response': {'id': '92951ac0-8c01-11e6-996c-525400b48521', 'name': 'Permit IP', 'description': 'Permit IP SGACL', 'generationId': '0', 'aclcontent': 'permit ip', 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgacl/92951ac0-8c01-11e6-996c-525400b48521', 'type': 'application/json'}}, 'error': ''}

Add a SGACL

ise.add_sgacl("Python_ACL", "Access List for Python Access", "IP_AGNOSTIC", ["permit tcp dst eq 80"], return_object=True)

{'success': True, 'response': {'id': '7a820000-97bb-11ea-9614-caf56bcd6712', 'name': 'Python_ACL', 'description': 'Access List for Python Access', 'generationId': '0', 'aclcontent': 'permit tcp dst eq 80', 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgacl/7a820000-97bb-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}

Update a SGACL

ise.update_sgacl("7a820000-97bb-11ea-9614-caf56bcd6712", "Python_Access_List", "Python Access List", "IPV4", ["permit tcp src eq 80"], return_object=True)

{'success': True, 'response': {'id': '7a820000-97bb-11ea-9614-caf56bcd6712', 'name': 'Python_Access_List', 'description': 'Python Access List', 'generationId': '1', 'ipVersion': 'IPV4', 'aclcontent': 'permit tcp src eq 80', 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/sgacl/7a820000-97bb-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}

Delete a SGT

ise.delete_sgacl("7a820000-97bb-11ea-9614-caf56bcd6712")

{'success': True, 'response': '7a820000-97bb-11ea-9614-caf56bcd6712 Deleted Successfully', 'error': ''}

Get all TrustSec Egress Matrix Cells (Policies)

ise.get_egressmatrixcells()

{'success': True, 'response': [('ANY-ANY', '92c1a900-8c01-11e6-996c-525400b48521'), ('Contractors-Servers', '5251ca60-8fa1-11ea-b8e4-ca18718347e2'), ('Contractors-IoT_Devices', 'de7859b0-8fa0-11ea-b8e4-ca18718347e2'), ('Employees-Servers', '5fb81e71-8fa1-11ea-b8e4-ca18718347e2'), ('Employees-Employees', 'd2d88280-59a2-11ea-a6b9-26b516ce162b'), ('Employees-IoT_Devices', 'e18ac9d1-8fa0-11ea-b8e4-ca18718347e2'), ('Employees-TrustSec_Devices', 'ee035030-59a2-11ea-a6b9-26b516ce162b'), ('Guest-IoT_Devices', 'e4d49da1-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-IoT_Devices', 'b0eccdf0-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-IoT_Servers', 'b7e6d880-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-Contractors', 'c82308e0-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-Employees', 'cb276f40-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-Guest', 'ce1e4110-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-TrustSec_Devices', 'd1e33851-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Devices-Unknown', 'd68d3860-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Servers-IoT_Devices', 'bc784780-8fa0-11ea-b8e4-ca18718347e2'), ('IoT_Servers-IoT_Servers', 'c069f410-8fa0-11ea-b8e4-ca18718347e2'), ('TrustSec_Devices-IoT_Devices', 'e94bcde1-8fa0-11ea-b8e4-ca18718347e2'), ('Unknown-IoT_Devices', 'f3e9da31-8fa0-11ea-b8e4-ca18718347e2')], 'error': '', 'total': 19}

Get Specific Egress Matrix Cell

ise.get_egressmatrixcell("Default egress rule")
ise.get_egressmatrixcell(None, src_sgt="92bb1950-8c01-11e6-996c-525400b48521", dst_sgt="92bb1950-8c01-11e6-996c-525400b48521")

{'success': True, 'response': {'id': '92c1a900-8c01-11e6-996c-525400b48521', 'name': 'ANY-ANY', 'description': 'Default egress rule', 'sourceSgtId': '92bb1950-8c01-11e6-996c-525400b48521', 'destinationSgtId': '92bb1950-8c01-11e6-996c-525400b48521', 'matrixCellStatus': 'ENABLED', 'defaultRule': 'PERMIT_IP', 'sgacls': ['92951ac0-8c01-11e6-996c-525400b48521'], 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/egressmatrixcell/92c1a900-8c01-11e6-996c-525400b48521', 'type': 'application/json'}}, 'error': ''}

Add a Egress Matrix Cell

ise.add_egressmatrixcell(source_sgt="Unknown", destination_sgt="TrustSec_Devices", default_rule="PERMIT_IP", return_object=True)

{'success': True, 'response': {'id': '6f76b621-97bf-11ea-9614-caf56bcd6712', 'name': 'Unknown-TrustSec_Devices', 'sourceSgtId': '92adf9f0-8c01-11e6-996c-525400b48521', 'destinationSgtId': '947832a0-8c01-11e6-996c-525400b48521', 'matrixCellStatus': 'ENABLED', 'defaultRule': 'PERMIT_IP', 'sgacls': ['92951ac0-8c01-11e6-996c-525400b48521'], 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/egressmatrixcell/6f76b621-97bf-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}

Update a Egress Matrix Cell

ise.update_egressmatrixcell("6f76b621-97bf-11ea-9614-caf56bcd6712", source_sgt="Unknown", destination_sgt="TrustSec_Devices", default_rule="NONE", acls=["Deny IP"], description="Description", return_object=True)

{'success': True, 'response': {'id': '6f76b621-97bf-11ea-9614-caf56bcd6712', 'name': 'Unknown-TrustSec_Devices', 'description': 'Description', 'sourceSgtId': '92adf9f0-8c01-11e6-996c-525400b48521', 'destinationSgtId': '947832a0-8c01-11e6-996c-525400b48521', 'matrixCellStatus': 'ENABLED', 'defaultRule': 'DENY_IP', 'sgacls': ['92919850-8c01-11e6-996c-525400b48521'], 'link': {'rel': 'self', 'href': 'https://10.102.172.125:9060/ers/config/egressmatrixcell/6f76b621-97bf-11ea-9614-caf56bcd6712', 'type': 'application/json'}}, 'error': ''}

Delete a Egress Matrix Cell

ise.delete_egressmatrixcell("6f76b621-97bf-11ea-9614-caf56bcd6712")

{'success': True, 'response': '6f76b621-97bf-11ea-9614-caf56bcd6712 Deleted Successfully', 'error': ''}

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ISE-0.1.2.tar.gz (15.1 kB view details)

Uploaded Source

Built Distribution

ISE-0.1.2-py3-none-any.whl (19.6 kB view details)

Uploaded Python 3

File details

Details for the file ISE-0.1.2.tar.gz.

File metadata

  • Download URL: ISE-0.1.2.tar.gz
  • Upload date:
  • Size: 15.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.4.0 requests-toolbelt/0.9.1 tqdm/4.46.0 CPython/3.7.7

File hashes

Hashes for ISE-0.1.2.tar.gz
Algorithm Hash digest
SHA256 7a36d43b379a96e992199ee74151e11b8eff52aa4941b4e9d38e0d4bd5c4de0f
MD5 101be36f5ad51ad5587075102630d0f6
BLAKE2b-256 ee570bdf6ccfedc58ec9c3ad792b5eae9d87a16943eabc9b2766b3b7a4e4a056

See more details on using hashes here.

File details

Details for the file ISE-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: ISE-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 19.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.4.0 requests-toolbelt/0.9.1 tqdm/4.46.0 CPython/3.7.7

File hashes

Hashes for ISE-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 cafd3cc83f6178838764de79e59995ad1bebe67e6fba47ae4926f8f2c31a8e74
MD5 2cecbd5390ca56380b89b853bdaff1d9
BLAKE2b-256 68d1e258bf166edb907f5bedb19a825ee4ad7d4e3f70166c7338af90c657d010

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page