WebApp: Cisco ISE-Python-Flask

My previous post “Python and ISE Monitor Mode” was about how to collect access-session information from the switch and use it for endpoint verification, specifically to add MAB-only devices to the proper Endpoint Group in Cisco ISE.

The result of the script was a file with “failed” devices:

{'001f.9e25.1f8c': {'interface': ' GigabitEthernet0/29',
                    'ip_address': '10.10.10.10',
                    'mac_address': '001f.9e25.1f8c',
                    'method': 'mab',
                    'status': 'Authz Success',
                    'user_name': '00-1F-9E-25-1F-8C',
                    'vendor': 'Cisco Systems, Inc'},
 'b000.b4ba.24a0': {'interface': ' GigabitEthernet0/27',
                    'ip_address': '10.10.10.11',
                    'mac_address': 'b000.b4ba.24a0',
                    'method': 'mab',
                    'status': 'Authz Success',
                    'user_name': 'B0-00-B4-BA-24-A0',
                    'vendor': 'Cisco Systems, Inc'}}

With this info, we had to log in to the ISE and add these MAC addresses – not very efficient.

WebApp – finally!:)

I’ve created a web application using Flask that gathers information from the switch and puts a MAC address into an ISE endpoint group.

Brief summary

The application uses the script from my previous post to gather information from the switch. In addition, I added the ability to change the Endpoint Group in ISE using the API.

How it works

GitHub: here

There are 2 options: collect session information from the switch, or work with a single MAC address.

To collect access-sessions information from the switch – just enter the IP address of the switch on the main page. As a result – a table with sessions:

And the link to the content of JSON file:

For each MAC address, we can change the group with the Add to ISE link. It shows the current group for this MAC address and the list of all ISE groups in the drop-down menu:

If updated:

Also, we can work with just a MAC address, without running the script against the switch. Enter the MAC address that needs to be updated in ISE:

Breakdown

local.py – credentials to get into the switch and ISE API information

switch_credentials = {
    'username': 'admin',
    'password': 'admin',
    'secret': 'admin'
}

ise_credentials = {
    'username': 'admin',
    'password': 'admin',
    'base_url': 'https://10.10.10.10:9060/ers/config/'
}

check_access_sessions.py – script to gather access-session information

ise_api.py – main file for Cisco ISE API functions:

  • get_group_id() – Collect all group IDs from Cisco ISE, so user can select it from the drop-down menu
  • get_endpoint_group_id(mac: str) -> str: – Get endpoint ID from MAC address. It will be used to update group for this MAC address
  • update_endpoint_group(mac: str, ise_group_id: str) – Update endpoint group in ISE for MAC address
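The MAC address reaches these functions either from the switch output (`001f.9e25.1f8c`) or from the web form, so it should be validated and normalized before it is placed into an ERS URL. The sketch below is an added example, not the code from the GitHub repository: the function names are hypothetical, and the `endpoint?filter=mac.EQ.` lookup and the `ERSEndPoint` body with `groupId` and `staticGroupAssignment` are assumptions about the ERS API that should be checked against the ISE API documentation.

```python
import json
import re

BASE_URL = "https://10.10.10.10:9060/ers/config/"  # base_url from local.py above
HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}
_HEX12 = re.compile(r"[0-9A-F]{12}")
_ID = re.compile(r"[0-9A-Za-z-]{1,64}")  # assumed shape of ISE object IDs


def normalize_mac(raw: str) -> str:
    """Turn 001f.9e25.1f8c or 00-1F-9E-25-1F-8C into 00:1F:9E:25:1F:8C."""
    digits = re.sub(r"[.:-]", "", raw.strip()).upper()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def lookup_request(raw_mac: str) -> dict:
    """Request that finds the endpoint ID for a MAC (ERS filter syntax)."""
    mac = normalize_mac(raw_mac)  # validated, so it cannot alter the query
    return {"method": "GET", "headers": HEADERS,
            "url": f"{BASE_URL}endpoint?filter=mac.EQ.{mac}"}


def update_request(endpoint_id: str, group_id: str) -> dict:
    """Request that statically assigns an endpoint to an Endpoint Group."""
    for value in (endpoint_id, group_id):
        if not _ID.fullmatch(value):
            raise ValueError(f"unexpected ID: {value!r}")
    body = {"ERSEndPoint": {"groupId": group_id, "staticGroupAssignment": True}}
    return {"method": "PUT", "headers": HEADERS,
            "url": f"{BASE_URL}endpoint/{endpoint_id}",
            "data": json.dumps(body)}


if __name__ == "__main__":
    # Constructed inputs: one MAC from the sample output, made-up IDs.
    print(lookup_request("001f.9e25.1f8c")["url"])
    print(update_request("endpoint-id-placeholder", "group-id-placeholder"))
    # To send: requests.request(**req, auth=(user, password), verify=ca_bundle)
```

Each returned dict maps directly onto the keyword arguments of `requests.request`, so the credentials and the CA bundle for the ISE certificate are supplied only at send time.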

application.py – Flask application file to handle HTML and all requests.

result.json – stores the results. I also added a link to this file in the HTML so it can be reviewed or copied.

Cisco ISE API documentation
