Python and Cisco ISE – Collect Endpoints

I have liked the Cisco ISE GUI since 2.4: it is fairly easy to use, perhaps with too many tabs and menus, but once you get the idea you are good to go.

I had an ISE migration task, from one deployment to another. We set up two ISE deployments in parallel: the idea was to keep everything working on ISE#1 while deploying and testing the new ISE#2.

802.1X devices will simply be authenticated and authorized on the ISE#2 cluster, no problems there. But what about MAB?

What if there are a lot of MAB devices in different groups? What if it is a very active deployment, with engineers adding and removing devices all the time? You export all MAC addresses and import them into ISE#2, but a day or two later the list has already changed.

I created a script that runs against the ISE#1 and ISE#2 deployments and compares their Endpoint Identity Groups.

Note: the group names in both deployments should match. I am pretty sure it could be rewritten to compare differently named groups, but that was not my task.

Idea

  • Query the ISE#1 ERS API, look up the groups, collect the endpoints of those groups and save them to a file: ise_groups_old.json
  • Query the ISE#2 ERS API, look up the groups, collect the endpoints of those groups and save them to a file: ise_groups_new.json
  • Compare ise_groups_old.json and ise_groups_new.json

Implementation

Enable the ISE ERS API (Administration > System > Settings > ERS Settings; it listens on TCP 9060) and create an ERS account. Since this script only reads groups and endpoints, a read-only ERS Operator account is sufficient; an ERS Admin account is only needed if you later extend the script to create or modify endpoints.

Groups in ISE#1:

Groups in ISE#2:

I removed some MAC addresses from GROUP_A, GROUP_B and GROUP_C on ISE#2 and added DD:DD:DD… to GROUP_A; that address does not exist in ISE#1.

The result looks like:

The process of how it works:

GitHub repo is here

A little breakdown:

config_collector.py – the main script:

  • ise_groups – list of all groups to check on ISE#1 and ISE#2 (the group names must be identical on both)
  • ise_servers – dictionary with the ISE server info:
    • ise_url – list of the ISE#1 and ISE#2 ERS base URLs
    • header – dictionary with the HTTP headers (JSON Accept/Content-Type and the Basic authorization) for each server
    • destination – filenames in which to save the results

get_group_id(ise_groups, ise_url, header) – looks up the group IDs for the given group names on ISE#1 and ISE#2. Returns a dictionary {group_name: group_id}.

get_mac_addresses(ise_groups_url, ise_url, header) – collects the MAC addresses of each group, by group ID, on ISE#1 and ISE#2. Returns a dictionary {group_name: list[MAC addresses]}.

compare_groups() – compares the two files and prints the differences.
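The whole workflow from the Idea section and the function breakdown above, as an added, self-contained Python example (this is not the config_collector.py from the repo): it resolves the group names to IDs through the ERS endpointgroup resource, pulls the endpoints of each group through the endpoint resource while following the SearchResult.nextPage links, and diffs the two snapshots. The hostnames ise1.example.net / ise2.example.net, the group names, the MAC addresses and the fake_fetch stand-in for the HTTPS call are constructed sample data so that it runs offline; against real deployments you call run_comparison with the default fetch_json, a CA file for the ISE certificate and an ERS Operator account.

```python
"""Collect endpoints per Endpoint Identity Group from two ISE deployments over ERS and diff them."""
import base64
import json
import ssl
import urllib.request
from urllib.parse import parse_qs, quote, urlencode, urlsplit

ERS_PAGE_SIZE = 100  # ERS returns at most 100 resources per page


def ers_headers(username, password):
    """Headers for ERS: JSON in/out plus HTTP Basic auth (a read-only ERS Operator account is enough)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Accept": "application/json", "Content-Type": "application/json",
            "Authorization": f"Basic {token}"}


def fetch_json(url, headers, ca_file=None):
    """GET a JSON document; the ISE certificate is verified (against ca_file if given), never skipped."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def ers_search(base_url, resource, flt, headers, fetch):
    """Yield every resource of /ers/config/<resource>?filter=<flt>, following SearchResult.nextPage."""
    url = f"{base_url}/ers/config/{resource}?size={ERS_PAGE_SIZE}&page=1&filter={quote(flt, safe='')}"
    while url:
        result = fetch(url, headers)["SearchResult"]
        yield from result.get("resources", [])
        url = result.get("nextPage", {}).get("href")


def get_group_ids(group_names, base_url, headers, fetch=fetch_json):
    """Map group name -> endpoint group id; a name absent on this deployment maps to None."""
    ids = {}
    for name in group_names:
        hits = list(ers_search(base_url, "endpointgroup", f"name.EQ.{name}", headers, fetch))
        ids[name] = hits[0]["id"] if hits else None
    return ids


def get_mac_addresses(group_ids, base_url, headers, fetch=fetch_json):
    """Map group name -> sorted, upper-cased MACs (ERS exposes the MAC as the endpoint 'name')."""
    macs = {}
    for name, gid in group_ids.items():
        found = ers_search(base_url, "endpoint", f"groupId.EQ.{gid}", headers, fetch) if gid else []
        macs[name] = sorted({e["name"].upper() for e in found})
    return macs


def compare_groups(old, new):
    """Per group: MACs on ISE#1 but not ISE#2 ('missing') and on ISE#2 but not ISE#1 ('extra')."""
    diff = {}
    for group in sorted(set(old) | set(new)):
        o, n = set(old.get(group, [])), set(new.get(group, []))
        if o != n:
            diff[group] = {"missing": sorted(o - n), "extra": sorted(n - o)}
    return diff


def run_comparison(group_names, old_url, new_url, headers, fetch=fetch_json):
    """Snapshot both deployments and return (old_snapshot, new_snapshot, diff)."""
    old = get_mac_addresses(get_group_ids(group_names, old_url, headers, fetch), old_url, headers, fetch)
    new = get_mac_addresses(get_group_ids(group_names, new_url, headers, fetch), new_url, headers, fetch)
    return old, new, compare_groups(old, new)


# --- constructed sample data: two in-memory "deployments" so the script runs offline ---
FAKE_ISE = {
    "https://ise1.example.net:9060": {"GROUP_A": ["AA:AA:AA:00:00:01", "AA:AA:AA:00:00:02"],
                                      "GROUP_B": ["BB:BB:BB:00:00:01"]},
    "https://ise2.example.net:9060": {"GROUP_A": ["AA:AA:AA:00:00:01", "DD:DD:DD:00:00:01"],
                                      "GROUP_B": []},
}


def fake_fetch(url, headers):
    """Stand-in for fetch_json: answers ERS searches from FAKE_ISE, one resource per page."""
    parts = urlsplit(url)
    deployment = FAKE_ISE[f"{parts.scheme}://{parts.netloc}"]
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    value = q["filter"].partition(".EQ.")[2]
    if parts.path.endswith("/endpointgroup"):  # name.EQ.<group name>
        items = [{"id": f"gid-{g}", "name": g} for g in deployment if g == value]
    else:                                      # groupId.EQ.<group id>
        items = [{"id": m, "name": m} for g in deployment if f"gid-{g}" == value for m in deployment[g]]
    page = int(q["page"])
    result = {"total": len(items), "resources": items[page - 1:page]}
    if page < len(items):  # tiny pages force the caller to walk the nextPage links
        href = parts._replace(query=urlencode(dict(q, page=page + 1))).geturl()
        result["nextPage"] = {"rel": "next", "href": href, "type": "application/json"}
    return {"SearchResult": result}


if __name__ == "__main__":
    hdrs = ers_headers("ersoperator", "not-a-real-password")  # read credentials from a vault in practice
    old, new, diff = run_comparison(["GROUP_A", "GROUP_B"], "https://ise1.example.net:9060",
                                    "https://ise2.example.net:9060", hdrs, fetch=fake_fetch)
    print(json.dumps({"ise_groups_old": old, "ise_groups_new": new, "diff": diff}, indent=2))
```

Three choices worth keeping when you adapt this: a group that does not exist on one deployment yields an empty list instead of a crash, so the diff still shows every MAC as missing; MACs are upper-cased before comparison, so formatting differences between the two deployments do not produce false diffs; and certificate verification stays on, because an ERS call with verification disabled hands the account's Basic credentials to anyone on the path.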

With the Cisco ISE ERS API a lot of routine tasks can be simplified. The script could also be extended with other features, such as checking whether a given MAC address is in a group, or simply keeping the groups and their MAC address lists for other purposes.

Good documentation with examples of the Cisco ISE API.
