Python Scripts for Cisco Identity Services Engine (ISE)

Overview

Python Scripts for Cisco Identity Services Engine (ISE)

A set of Python scripts to configure a freshly installed Cisco Identity Services Engine (ISE) for simple operation; in my case, a basic Cisco Software-Defined Access environment.

Note: This repo is my second shot at automating ISE, and is mostly the same as my Ansible project in terms of functionality. I even used the same YAML settings files so you can use either method without any modification.

Features

These scripts will configure the following in ISE:

  • local user groups (01_add_groups.py)
  • local user identities (02_add_users.py)
  • a simple TACACS profile and command set for privilege 15 access (03_create_tacacs_profiles.py)
  • TACACS policies in the default policy set (05_create_tacacs_authz_policies.py)
  • Scalable Group Tags (SGT) to allow our authentication rules to work (06_create_sgts.py)
  • network access authorization rules to places users in the appropriate VLANs (wired and wireless) (08_create_authorization_profiles.py)
  • network access policies to authorize users and assign SGTs (09_create_authorization_policies.py)
  • a complete wired guest workflow with redirection, portal, and SGT(10_create_guest_authz_profiles.py & 11_create_guest_authz_policies.py)
  • Cisco access point profiling (using the wired guest flow) and authorization profiles (12_access_point_profiling.py)

The ISE resources that are configured with these scripts are enough to support a basic Cisco SD-Access network including:

  • TACACS authentication for network devices
  • dot1x authentication and authorization for multiple users
  • wired guest access
  • multiple Scalable Group Tags (SGTs)
  • Cisco access point profiling and authorization

Background

I administer a lab environment that is used to demonstrate Cisco Software-Defined Access for customers. When new versions of Cisco ISE or DNA Center are released, I do a fresh installation of both so that I can test the new versions with the lab workflow. This involves installing each piece of software and then configuring them both to the point where I can start going through the lab guide.

After watching a demo of the collections in this repo that use Terraform and Ansible to spin-up and configure ISE in AWS, I was inspired to setup something similar to assist in my configuration process when testing new versions.

I started with almost zero API experience beyond installing Postman on my workstation in the past and never using it. Prior to this project I had run exactly one Ansible playbook in my life, and that was six years ago. Needless to say, I was (and still am) completely green with this stuff, so it was a complete learning experience for me, especially not having a background in code or data structures.

Once I got the Ansible collection done, I decided to teach myself Python the hard way by converting everything into Python scripts. It was a challenge because I had zero Python experience, but I got it done in a couple of days with the help of Google.

As a bonus: You will notice some snark in the script comments as well, which stemmed from some frustrations that I ran into while learning. Some, but not all, of these comments were copied from the companion Ansible playbooks, because the frustrations were mostly the same.

Requirements

Server

Note: Some of these scripts may work with ISE 3.0, but 3.1 is required for the policy stuff.

Workstation

Quick Start

If you just want to see these in action, you can run them against a Cisco DevNet ISE 3.1 APIs, Ansible, and Automation sandbox instance without any customization:

Cisco ISE SDK:

sudo pip install ciscoisesdk

  • Reserve a sandbox in DevNet and connect to it per their instructions

  • In ISE, enable ERS and Open API settings in: Administration | Settings | API Settings | API Service Settings

ISE API Settings

  • Run the scripts one at a time like this:

$ python 01_add_groups.py

$ python 02_add_users.py

$ python 03_create_tacacs_profiles.py

  • You can verify the changes in the ISE GUI after each script if you're curious

Usage Notes

Although my use-case for these scripts involves a fresh deployment of ISE to support a Cisco SD-Access topology, they can absolutely be modified and used in a brownfield ISE environment without SDA.

I'm going to try to make the project self-documenting via comments as best I can, but here's a rough guide to get started:

credentials.yaml - Contains the ISE deployment information such as hostname, username, and password

groupsandusers.yaml - Contains the internal identity groups and users that will be configured by the scripts

policy.yaml - Contains the policy/profile information that will be configured by the scripts

Other ISE Settings

One day I will post a summary of some of the ISE settings that I change to make my life a little easier following an install. These settings will be pretty specific to a lab environment and not suggested for production.

TODO

  • better documentation
  • better optimization of the scripts
  • result feedback from the scripts
  • error checking and handling
  • clean up the scripts to match the Python style guide (Hi, Jose!)
  • add more optional fields to make this useful in the real world
  • redo this whole mess in Python before I retire (NOTE: I DID IT)

Acknowledgements

Google.

I also want to give a shoutout to the developers of the Cisco ISE SDK. It made things much much easier for me.

Questions?

Please open an issue if you have any questions or suggestions.

I developed these scripts for my own use, so I do want to keep them as clean as I can, but if you think they can be improved or optimized, feel free to submit a PR.

You might also like...
A light-weight open-source project CLI utility for showing services running on ports in a host

Portable Port Scanner (ppscanner) Portable Port Scanner (ppscanner) is a light-weight open-source CLI utility that leverages on nmap to make quick and

Anonymously Reverse shell over Tor Network using Hidden Services without portfortwarding
Anonymously Reverse shell over Tor Network using Hidden Services without portfortwarding

Anonymously Reverse shell over Tor Network using Hidden Services without portfortwarding Tor ağı ile Dark Web servislerini kullanarak anonim biçimde p

Easy-to-setup bot, ChatOps project for handling telegram chat logging over docker-compose services, being runned as one of them.

Easy-to-setup bot, ChatOps project for handling telegram chat logging over docker-compose services, being runned as one of them.

JF⚡can - Super fast port scanning & service discovery using Masscan and Nmap. Scan large networks with Masscan and use Nmap's scripting abilities to discover information about services. Generate report.
JF⚡can - Super fast port scanning & service discovery using Masscan and Nmap. Scan large networks with Masscan and use Nmap's scripting abilities to discover information about services. Generate report.

Description Killing features Perform a large-scale scans using Nmap! Allows you to use Masscan to scan targets and execute Nmap on detected ports with

A repository dedicated to IoT(internet of things ) and python scripts
A repository dedicated to IoT(internet of things ) and python scripts

📑 Introduction Week of Learning is a weekly program in which you will get all the necessary knowledge about Circuit-Building, Arduino and Micro-Contr

These scripts send notifications to a Webex space when a new IP is banned by Expressway, and allow to request more info or change the ban status
These scripts send notifications to a Webex space when a new IP is banned by Expressway, and allow to request more info or change the ban status

Spam Call and Toll Fraud Mitigation Cisco Expressway release X14 is able to mitigate spam calls and toll fraud attempts by jailing the spam IP address

Connection package to a raspberry or any other machine using ssh, it simplifies the deployment scripts and monitoring.
Connection package to a raspberry or any other machine using ssh, it simplifies the deployment scripts and monitoring.

Connection package to a raspberry or any other machine using ssh, it simplifies the deployment scripts and monitoring.

Repo used to maintain all notes and scripts developed during my DevNet Expert studies

DevNet Expert Studies Exam Date: TBD (Waiting for registration to open) This repository will be used to track my progress and maintain all notes/scrip

DataShare - Simple library for data sharing between scripts and public functions calling

DataShare - Simple library for data sharing between scripts and public functions calling. Installation. Install code, Delete LICENSE, README, readme.t

Owner
Roddie Hasan
Roddie Hasan
Netwalk is a Python library to discover, parse, analyze and change Cisco switched networks

Netwalk is a Python library born out of a large remadiation project aimed at making network device discovery and management as fast and painless as possible.

null 38 Nov 7, 2022
Implementing Cisco Support APIs into NetBox

NetBox Cisco Support API Plugin NetBox plugin using Cisco Support APIs to gather EoX and Contract coverage information for Cisco devices. Compatibilit

Timo Reimann 23 Dec 21, 2022
Converts from PC formatted MAC addresses (hardware addresses) to Cisco format or vice-versa

MAC-Converter Converts from PC formatted MAC addresses (hardware addresses) to Cisco format or vice-versa Stores the results to a file in the same dir

Stew Alexander 0 Dec 24, 2022
Converts Cisco formatted MAC Addresses to PC formatted MAC Addresses

Cisco-MAC-to-PC-MAC Converts a file with a list of Cisco formatted MAC Addresses to PC formatted MAC Addresses... Ex: abcd.efgh.ijkl to AB:CD:EF:GH:I

Stew Alexander 0 Jan 4, 2022
This program ingests a Cisco "sh ip arp" as a text file and produces the list of vendors seen in the file

IP-ARP-Vendor_lookup This program ingests a Cisco "sh ip arp" as a text file and produces the list of vendors seen in the file Why? Answers the questi

Stew Alexander 1 Dec 24, 2022
This is simple script that changes the config register of a cisco router over serial so that you can reset the password

Cisco-router-config-bypass-tool- This is simple script that changes the config register of a cisco router over serial so that you can bypass the confi

James 1 Jan 2, 2022
A python shell / chat bot for XMPP and cloud services

XMPP_Shell_Bot A python shell / chat bot for XMPP and cloud services, designed for penetration testers to bypass network filters. To better understand

Abdulkareem Aldeek 1 Jan 9, 2022
List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.

List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.

Anders Pitman 7.3k Jan 3, 2023
A simple hosts picker for Microsoft Services

A simple Python scrip for you to select the fastest IP for Microsoft services.

Konnyaku 394 Dec 17, 2022
A simple, configurable application and set of services to monitor multiple raspberry pi's on a network.

rpi-info-monitor A simple, configurable application and set of services to monitor multiple raspberry pi's on a network. It can be used in a terminal

Kevin Kirchhoff 11 May 22, 2022