04/22/2021 | News release | Distributed by Public on 04/22/2021 22:12
Welcome to part 2 of the journey to Vanilla ISE, a simplified ISE GUI for endpoint technicians. In part 1 we covered the background and requirements for the UI. In part 2, we will explore the documentation to find the API calls we will use.
Documentation Exploration
Once I had an idea for the functionality I needed to incorporate into the program, I started breaking it down into individual functions and individual API calls.
We'll be using several different calls to two different ISE APIs in order to obtain relevant information:
ISE's REST API is called External RESTful Services (ERS), and the documentation is available on ISE itself (https://
ISE's ERS API is not enabled by default; you should enable it prior to running the code. Here's a link to the required steps.
ISE's ERS API will allow us to modify ISE's configuration, associate an endpoint to an endpoint group, remove an endpoint from an endpoint group, retrieve a list of Network Access Devices (NADs), etc.
ERS API endpoints used in Vanilla ISE:
However, the ISE ERS API does not provide monitoring data, which I'll be using when checking the status of an endpoint. ISE has a separate set of monitoring APIs that can be used for troubleshooting, with proper documentation on DevNet as well.
Unlike the ERS API, ISE's monitoring APIs return data in XML format and not JSON. Nothing to worry about; it simply requires different parsing methods.
Monitoring API endpoints used in Vanilla ISE:
Exploring the APIs using Postman
Postman is my tool of choice to make initial calls to APIs and examine their results. As I explored the API queries required for information gathering, I used Postman to try these queries out and verify that the information I was looking for is there.
I started with fetching the list of NADs configured on ISE:
… and quickly noticed I am getting the NAD's hostname back, but not the IP address. In order to retrieve the IP address of the NAD, I needed to use another call for each NAD to get their details.
In a similar manner, fetching the list of endpoints required additional calls to get more detailed information about some of the endpoints (their endpoint group assignment for example).
It wasn't all about GETting information; I used Postman to try POST and PUT as well in order to check my syntax and functionality. Here's an example of changing the endpoint group association of an endpoint to a variable: {{ise_endpoint_group_id}}
One by one, I created a set of functions that will be used by the program:
1. To retrieve all NADs configured on ISE, and return a dictionary with each NAD's hostname (as configured on ISE) and IP address, use get_all_NADs
Example output:
{'CSR1Kv.ebc.iseslab.cisco.com': '10.7.250.222', 'Cat9K-1.lab.cisco.com': '10.255.7.15', 'Cat9K-2.lab.cisco.com': '10.255.7.14', 'Metro-3850': '10.7.250.200'}
2. To return the ISE group ID for a given group name, use get_ise_group_id
3. To assign an endpoint to a given ISE endpoint group (the voucher group; if the endpoint does not exist, it will create it), use update_ise_endpoint_group
4. To revert the assignment made in the previous function, use remove_ise_endpoint_group
5. To return the authentication status of a given endpoint, use check_ise_auth_status
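The NAD lookup described above (one list call, then one detail call per NAD to get its IP address) could be written as follows. This is an added example, not the Vanilla ISE code: the names make_ers_get and list_nads are hypothetical, and the JSON field names and the size/page parameters are assumptions to check against the ERS documentation on your own ISE node.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import quote

def make_ers_get(base_url, user, password, ca_file=None):
    """Return get(path) that fetches ERS JSON over certificate-verified TLS."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verification stays on
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": "application/json", "Authorization": "Basic " + token}

    def get(path):
        req = urllib.request.Request(base_url + path, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)
    return get

def list_nads(get, page_size=100):
    """Return {hostname: ip} for every NAD; `get` maps an ERS path to parsed JSON."""
    nads, page = {}, 1
    while True:
        path = f"/ers/config/networkdevice?size={page_size}&page={page}"
        result = get(path)["SearchResult"]
        for res in result.get("resources", []):
            # The list only carries id and name; the IP needs one detail call per NAD.
            detail = get("/ers/config/networkdevice/" + quote(res["id"], safe=""))
            ip_list = detail["NetworkDevice"].get("NetworkDeviceIPList", [])
            nads[res["name"]] = ip_list[0]["ipaddress"] if ip_list else None
        if "nextPage" not in result:  # results are paged; stop on the last page
            return nads
        page += 1

# Constructed sample responses shaped like ERS JSON (ids are made up, not from a real ISE).
SAMPLE = {
    "/ers/config/networkdevice?size=100&page=1": {"SearchResult": {"total": 2, "resources": [
        {"id": "id-1", "name": "Cat9K-1.lab.cisco.com"},
        {"id": "id-2", "name": "Metro-3850"}]}},
    "/ers/config/networkdevice/id-1": {"NetworkDevice": {
        "name": "Cat9K-1.lab.cisco.com",
        "NetworkDeviceIPList": [{"ipaddress": "10.255.7.15", "mask": 32}]}},
    "/ers/config/networkdevice/id-2": {"NetworkDevice": {
        "name": "Metro-3850",
        "NetworkDeviceIPList": [{"ipaddress": "10.7.250.200", "mask": 32}]}},
}
```

Against a live node, pass list_nads the function returned by make_ers_get, with the ERS account's credentials read from the environment or a secrets store rather than written into the script.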
Coming next in Part 3, we will continue with parsing device output with pyATS and the 'voucher' implementation. In the meantime, please register for the May 5th Share IT Solutions Huddle, where I will be presenting 'Vanilla ISE: A simplified Cisco ISE UI for your endpoint technicians.'