Wednesday, December 20, 2017

Cisco ISE: REST API with Python - Get Internal Users

I am currently building python scripts to automate Cisco ISE configuration.

Going through the ISE documentation, I am exploring some errors in the Python examples which won't work for ISE 2.3. I will be posting the corrections as I explore them.

The first one was in "get-all-internal-users.py" example. 

ISE 2.3 doesn't support TLS 1.0 by default. Instead, it supports TLS 1.2.

The default script:

#!/usr/bin/env python

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API  by executing a Python script.                                      #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: get-all-internal-users.py    #
###########################################################################

import http.client
import base64
import ssl
import sys

# host and authentication credentials
host = sys.argv[1] # "10.20.30.40"
user = sys.argv[2] # "ersad"
password = sys.argv[3] # "Password1"


conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))
.........

This won't work because of the TLS version mismatch: the script's ssl.SSLContext offers only TLS 1.0, which ISE 2.3 no longer accepts.

The correct version is:

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API  by executing a Python script.                                      #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: get-all-internal-users.py    #
#                                                                         #
# The script should be modified to use SSL TLS v1.2 instead of TLS v1.0   #
# This is required for ISE 2.3                                            #
###########################################################################

import http.client
import base64
import ssl
import sys

# host and authentication credentials
host = sys.argv[1] # "10.20.30.40"
user = sys.argv[2] # "ersad"
password = sys.argv[3] # "Password1"


conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))
.......
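As an added example (not the script from Cisco's documentation and not the author's corrected copy above), here is a version of the internal-users fetch that keeps the TLS 1.2 change but also turns certificate verification on, which the original script's own header says is required for production. The ERS resource path /ers/config/internaluser and the JSON shape with a SearchResult object are my assumptions from Cisco's ERS documentation, not from this page; the sample response embedded in the block is constructed. ssl.TLSVersion needs Python 3.7 or later.

```python
#!/usr/bin/env python3
import base64
import http.client
import json
import ssl
import sys

ERS_PORT = 9060                                    # ERS port used by the original script
INTERNAL_USER_PATH = "/ers/config/internaluser"    # assumption: ERS internal user resource

# Constructed sample of what an ERS search response looks like (assumed shape)
SAMPLE_RESPONSE = (
    '{"SearchResult": {"total": 2, "resources": ['
    '{"id": "11111111-aaaa-4bbb-8ccc-000000000001", "name": "alice"}, '
    '{"id": "11111111-aaaa-4bbb-8ccc-000000000002", "name": "bob"}]}}'
)


def build_tls_context(cafile=None):
    """Return an SSLContext that verifies the server certificate and hostname
    and refuses anything older than TLS 1.2 (what ISE 2.3 expects).

    cafile: PEM bundle with the CA that signed the ISE ERS certificate;
    None falls back to the operating system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # replaces ssl.PROTOCOL_TLSv1_2
    # create_default_context already sets these; stated explicitly so the
    # difference from the original (unverified) script is visible.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def basic_auth_header(user, password):
    """Same base64 encoding as the original script, as a reusable function."""
    creds = "{}:{}".format(user, password).encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def parse_internal_users(body):
    """Pull the user names out of an ERS search response (assumed SearchResult shape)."""
    doc = json.loads(body)
    resources = doc.get("SearchResult", {}).get("resources", [])
    return [r["name"] for r in resources if "name" in r]


def fetch_internal_users(host, user, password, cafile=None, timeout=10):
    """GET the internal user list over a verified TLS 1.2+ connection."""
    conn = http.client.HTTPSConnection(host, ERS_PORT,
                                       context=build_tls_context(cafile),
                                       timeout=timeout)
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Accept": "application/json",
    }
    try:
        conn.request("GET", INTERNAL_USER_PATH, headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8")
        if resp.status != 200:
            raise RuntimeError("ERS returned HTTP {}: {}".format(resp.status, body[:200]))
        return parse_internal_users(body)
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: {} host user password [ca-bundle.pem]".format(sys.argv[0]))
    ca = sys.argv[4] if len(sys.argv) > 4 else None
    for name in fetch_internal_users(sys.argv[1], sys.argv[2], sys.argv[3], cafile=ca):
        print(name)
```

If the ISE node uses a self-signed or internal-CA certificate, pass that CA's PEM bundle as the fourth argument; if the handshake still fails, the first thing to check is the version ISE negotiates, since minimum_version rules out the TLS 1.0 case that broke the documentation script.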


Monday, December 18, 2017

Have you tried to use PyCrypto in Python 3.x?

I had a requirement to use PyCrypto and was running Python 3.6.2. In summary, it won't work. If you want to continue with Python 3.6.2, you need to use PyCryptodome.

Otherwise, downgrade to Python 3.5.2 with the following requirements:

1. Before installation of pycrypto (pip install pycrypto), make sure that you install Microsoft Visual C++ Build Tools (2015)

2. After installation of pycrypto, navigate to the Python installation folder (in my case it's C:\Program Files (x86)\Python35-32\)

3. Find and edit the script C:\Program Files (x86)\Python35-32\Lib\site-packages\Crypto\Random\OSRNG\nt.py

4. Replace the line (import winrandom) with (from . import winrandom)

Python Script to Read XML Files

A typical use of this is when you have M2M interaction and receive data in XML format, where the receiver should react accordingly.

Here is a sample XML file:
************************



Python Code
************************

import xml.etree.ElementTree as ET


def get_client_settings(element):

    # This function gets client details from one <client> element of the XML file

    ip_attrib = element.get('ip')
    username_attrib = element.get('username')
    password_attrib = element.get('password')
    email_attrib = element.get('mail')

    # Default to None so the return below works even if one alert type is missing
    mem_alert = None
    cpu_alert = None

    for alert in element.findall('alert'):
        if alert.get('type').lower() == 'memory':
            mem_alert = float(alert.get('limit').replace('%', ''))
        if alert.get('type').lower() == 'cpu':
            cpu_alert = float(alert.get('limit').replace('%', ''))

    return (ip_attrib, username_attrib, password_attrib, email_attrib, mem_alert, cpu_alert)


# Parse the XML file and start from its root element
# ('clients.xml' is a placeholder; use the path of your own XML file)
tree = ET.parse('clients.xml')
root_element = tree.getroot()

for element in root_element.findall('client'):

    print('\nGetting user details')
    ip, username, password, email, mem_limit, cpu_limit = get_client_settings(element)
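As an added example (not the author's script), here is a complete, runnable version with a constructed sample document in the shape the function expects (client elements carrying ip, username, password and mail attributes, with alert children carrying type and limit), since the post's sample XML did not survive. It also handles the cases the original leaves open: a client with only one alert type, a missing attribute, and a limit that is not a number. For XML that really arrives from other machines, the xml.etree documentation itself recommends the defusedxml package over the standard parser; the call below is the standard-library one.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the shape (client attributes, alert children) follows
# what get_client_settings reads. This is not the post's original file.
SAMPLE_XML = """<?xml version="1.0"?>
<clients>
  <client ip="10.0.0.5" username="monitor" password="example-only" mail="ops@example.com">
    <alert type="Memory" limit="85%"/>
    <alert type="CPU" limit="90%"/>
  </client>
  <client ip="10.0.0.6" username="monitor2" password="example-only" mail="ops2@example.com">
    <alert type="cpu" limit="70"/>
  </client>
</clients>
"""


def parse_limit(text):
    """'85%' or '85' -> 85.0; raise ValueError on anything else or out of 0..100."""
    value = float(text.strip().rstrip("%"))
    if not 0.0 <= value <= 100.0:
        raise ValueError("limit out of range: {!r}".format(text))
    return value


def get_client_settings(element):
    """Read one <client> element into a dict. Alert limits default to None
    when that alert type is absent instead of failing with an unbound name."""
    settings = {
        "ip": element.get("ip"),
        "username": element.get("username"),
        "password": element.get("password"),
        "email": element.get("mail"),
        "mem_limit": None,
        "cpu_limit": None,
    }
    for alert in element.findall("alert"):
        kind = (alert.get("type") or "").lower()   # tolerate a missing type attribute
        limit = alert.get("limit")
        if limit is None:
            continue
        if kind == "memory":
            settings["mem_limit"] = parse_limit(limit)
        elif kind == "cpu":
            settings["cpu_limit"] = parse_limit(limit)
    return settings


def parse_clients(xml_text):
    """Parse a whole document (str or bytes) and return one dict per <client>."""
    root_element = ET.fromstring(xml_text)
    return [get_client_settings(el) for el in root_element.findall("client")]


def load_clients(path):
    """Same, from a file on disk (the path is whatever your deployment uses)."""
    with open(path, "rb") as fh:
        return parse_clients(fh.read())


if __name__ == "__main__":
    for client in parse_clients(SAMPLE_XML):
        print("Getting user details for {ip} ({username}): "
              "memory {mem_limit}, cpu {cpu_limit}".format(**client))
```

Returning a dict rather than a positional tuple means a new attribute (say a disk alert) can be added without every caller's unpacking line changing, and the explicit None defaults make "no threshold configured" distinguishable from a parse failure, which parse_limit reports by raising.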

Wednesday, December 6, 2017

ISE Authorization Methods - Basic


  • ISE authorization rules processing order
    • Takes place only after successful authentication
    • Match a condition (identity store type, profiling, etc.)
    • Assign an authorization profile
    • By default rules are scanned sequentially, but this can be changed to Multiple Matched Rules applied
      • Typical use case: you create one rule per role (e.g. AD_DACL, NETWORK_DACL, SERVERS_DACL, etc.)
      • In this case, a network engineer can get both AD_DACL and NETWORK_DACL
      • Another option is to configure one DACL for network users, another DACL for server users, etc.
  • It's independent of the authentication type (MAB, Dot1x or CWA)
  • Authorization options
    • VLAN Assignment
      • You can assign Data VLAN and/or allow Voice VLAN access
      • Data VLAN
        • It will override the locally configured VLAN on the switch port
        • VLAN is provided to NAD using VSA Tunnel-Private-Group-ID
        • If no dVLAN is configured, static switchport vlan will be used
      • Voice VLAN
        • It will grant IP Phones access to connect to the network using the configured voice vlan (no new vlan assignment)
        • You need to enable 'Voice Domain Permission' under the authorization policy
          • ISE will include the VSA 'cisco-av-pair: device-traffic-class=voice' in ACCESS-ACCEPT to indicate that this is the voice vlan
    • ACL
      • dACL
        • This is Cisco proprietary because it uses Cisco-specific Radius attributes
        • ACL is configured in ISE and pushed to the switch
      • Filter-ID ACL
        • This is IETF standard
        • The ACL is configured on the switch
        • ISE will provide the switch with ACL name to be applied to the port
      • Per-User ACL
        • This is Cisco proprietary
        • ACL can be configured on ISE and pushed to the switch
        • ACL can be configured on the switch and ISE will provide the name to the switch
    • IP Address
      • ISE can provide an IP address to endpoints as part of the authorization process using the VSA Framed-IP
      • Similarly, ISE can provide session time to NAD using Session-Timeout
  • Navigate to Administration > System > Deployment > General Settings > Policy Service > Enable Session Services for ISE to handle access-requests and perform authentication/authorization
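The authorization results listed above all reach the NAD as RADIUS attributes inside the Access-Accept. As an added example (not from this post and not Cisco code), the decoder below walks a raw attribute list and extracts the ones the notes name: Tunnel-Private-Group-ID (RFC 2868 attribute 81) for the data VLAN, Filter-Id (attribute 11) for the Filter-ID ACL name, Framed-IP-Address (8), Session-Timeout (27), and the Cisco VSA cisco-av-pair (Vendor-Specific attribute 26, vendor ID 9, vendor type 1) carrying device-traffic-class=voice. The attribute numbers are the standard IANA/RFC values; the sample Access-Accept bytes are constructed with the small encoder in the block, and only the attribute list is decoded, not the 20-byte RADIUS header or the Message-Authenticator.

```python
import struct
from ipaddress import IPv4Address

# Standard RADIUS attribute type codes (RFC 2865 / RFC 2868)
FRAMED_IP_ADDRESS = 8
FILTER_ID = 11
VENDOR_SPECIFIC = 26
SESSION_TIMEOUT = 27
TUNNEL_PRIVATE_GROUP_ID = 81
# Cisco vendor ID and the cisco-av-pair vendor type
CISCO_VENDOR_ID = 9
CISCO_AV_PAIR = 1


def parse_attributes(data):
    """Split a raw RADIUS attribute list into (type, value) pairs.
    Every length byte is bounds-checked before use, so a truncated or
    malformed list raises instead of reading past the buffer."""
    attrs = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset {}".format(pos))
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length {} at offset {}".format(alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def decode_access_accept(data):
    """Pull the authorization results described in the notes out of an attribute list."""
    result = {"av_pairs": [], "filter_ids": []}
    for atype, value in parse_attributes(data):
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            result["framed_ip"] = str(IPv4Address(value))
        elif atype == SESSION_TIMEOUT and len(value) == 4:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == FILTER_ID:
            result["filter_ids"].append(value.decode("ascii", "replace"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte of 0x00..0x1F is a tunnel tag, not part of the VLAN name
            if value and value[0] <= 0x1F:
                value = value[1:]
            result["vlan"] = value.decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            if vendor_id == CISCO_VENDOR_ID:
                # The VSA body is itself a (vendor-type, vendor-length, value) list
                for vtype, vval in parse_attributes(value[4:]):
                    if vtype == CISCO_AV_PAIR:
                        result["av_pairs"].append(vval.decode("ascii", "replace"))
    return result


# Small encoder used only to build the constructed sample below
def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def cisco_av_pair(text):
    inner = attr(CISCO_AV_PAIR, text.encode("ascii"))
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


# Constructed Access-Accept attribute list (values are illustrative, not from a real NAD)
SAMPLE_ACCEPT = b"".join([
    attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"20"),          # tag 1, data VLAN "20"
    attr(FILTER_ID, b"NETWORK_ACL"),                         # Filter-ID ACL configured on the switch
    attr(FRAMED_IP_ADDRESS, bytes([10, 20, 30, 40])),        # IP handed to the endpoint
    attr(SESSION_TIMEOUT, struct.pack("!I", 3600)),          # session time in seconds
    cisco_av_pair("device-traffic-class=voice"),             # voice domain permission
])

if __name__ == "__main__":
    print(decode_access_accept(SAMPLE_ACCEPT))
```

The same decoder is useful on the defensive side: fed the attribute list from a captured Access-Accept, it shows exactly which VLAN, ACL name and av-pairs a NAD was told to apply, which is what you compare against the ISE authorization profile when a port ends up in the wrong VLAN.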

How Does ISE Profiling Work?


  • ISE Profiling is the service used to identify the type of endpoints connected to the network
  • ISE Profiling service should be enabled to probe for endpoint attributes
    • The attributes requested depend on the type of probes enabled (for example, the DHCP probe requests dhcp-class-identifier, the HTTP probe requests user-agent, etc.)
  • Attributes gathered from probes are matched against profiling policies
    • A profiling policy is made of a set of rules
    • Each rule matches a condition and assigns a certainty factor (CF)
      • The Certainty Factor (CF) is a weight that defines how relevant this condition is to deciding the final endpoint profile
  • The SUM of the matched CFs should be greater than or equal to the minimum CF configured in the Profiling Policy for the endpoint to be profiled
    • In case the endpoint matches more than one profiling policy, the highest CF_SUM decides the final endpoint profile
  • Once a Profiling Policy is matched, it can trigger an exception or execute an NMAP scan
    • This kicks in ONLY after matching the profiling policy
  • Profiling policies can be nested using a Parent/Child structure
    • A Child Profiling Policy won't be matched unless the Parent Policy is matched
    • Nested Policies are used for granular profiling
    • The endpoint will be profiled based on the deepest profile matched in the structure
    • It is common practice to trigger an NMAP scan on the Parent Policy to get more attributes for Child policy matching
  • Each Profiling Policy can be configured to create Endpoint Identity Group and assign matched endpoints to it.
  • You can group Profiles in Logical profiles
    • Logical Profiles are containers where you add different profiled devices to provide them one treatment (for example same authorization policies)
  • Authorization policies can call Logical Profiles or Endpoint Identity Groups to grant access
  • Profiling isn't supported for VPN endpoints due to lack of endpoint MAC address information from VPN Gateway
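A toy evaluator of the rules described above, added here as an example and not ISE's own code: each policy has rules that add a certainty factor when their condition matches, a minimum CF the sum must reach, and an optional parent that must itself match before the child is considered; among the matched policies the deepest one wins, with the highest CF sum breaking ties. The condition syntax (a case-insensitive substring match on one endpoint attribute), the policy tree and the endpoint attribute sets are constructed for the example; real ISE conditions are richer than this.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    attribute: str     # endpoint attribute name, e.g. "OUI" or "User-Agent"
    contains: str      # simplified condition: case-insensitive substring match
    cf: int            # certainty factor added when the rule matches


@dataclass
class Policy:
    name: str
    min_cf: int                    # minimum CF the matched rules must add up to
    rules: List[Rule]
    parent: Optional[str] = None   # parent policy name for nested (Parent/Child) policies


def rule_matches(rule: Rule, attrs: Dict[str, str]) -> bool:
    value = attrs.get(rule.attribute)
    return value is not None and rule.contains.lower() in value.lower()


def cf_sum(policy: Policy, attrs: Dict[str, str]) -> int:
    """SUM of the CFs of the rules whose condition matched."""
    return sum(r.cf for r in policy.rules if rule_matches(r, attrs))


def depth(policy: Policy, by_name: Dict[str, Policy]) -> int:
    """How many parents sit above this policy (0 for a top-level policy)."""
    d = 0
    while policy.parent is not None:
        policy = by_name[policy.parent]
        d += 1
    return d


def profile_endpoint(policies: List[Policy], attrs: Dict[str, str]) -> Optional[str]:
    """Return the name of the profile assigned to an endpoint, or None."""
    by_name = {p.name: p for p in policies}
    matched: Dict[str, bool] = {}

    def is_matched(p: Policy) -> bool:
        if p.name not in matched:
            # A child is only evaluated once its parent has matched
            parent_ok = p.parent is None or is_matched(by_name[p.parent])
            matched[p.name] = parent_ok and cf_sum(p, attrs) >= p.min_cf
        return matched[p.name]

    candidates = [p for p in policies if is_matched(p)]
    if not candidates:
        return None
    # Deepest profile wins; among equally deep ones, the highest CF sum
    best = max(candidates, key=lambda p: (depth(p, by_name), cf_sum(p, attrs)))
    return best.name


# Constructed policy tree (not ISE's built-in policies)
POLICIES = [
    Policy("Apple-Device", 10, [Rule("OUI", "Apple", 10)]),
    Policy("Apple-iPhone", 20, [Rule("User-Agent", "iPhone", 20)], parent="Apple-Device"),
    Policy("Apple-MacBook", 20, [Rule("dhcp-class-identifier", "MacBook", 20)], parent="Apple-Device"),
    Policy("Cisco-IP-Phone", 20, [Rule("OUI", "Cisco", 10),
                                  Rule("dhcp-class-identifier", "IP Phone", 10)]),
]

# Constructed endpoint attribute sets, as the DHCP/HTTP probes would collect them
IPHONE = {"OUI": "Apple, Inc.", "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X)"}
UNKNOWN_APPLE = {"OUI": "Apple, Inc."}
SPOOFED_UA = {"OUI": "Cisco Systems, Inc", "User-Agent": "iPhone"}   # child blocked: parent unmatched

if __name__ == "__main__":
    for label, attrs in (("iPhone", IPHONE), ("Apple, no UA", UNKNOWN_APPLE), ("Cisco OUI + iPhone UA", SPOOFED_UA)):
        print(label, "->", profile_endpoint(POLICIES, attrs))
```

The third endpoint shows why the parent gate matters: a user-agent string alone is trivially forged, so the iPhone child cannot be reached unless the OUI rule on the parent also matched, and with only one Cisco rule matching the Cisco-IP-Phone policy stays below its minimum CF and the endpoint remains unprofiled.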

Change of Authorization


  • The Radius Change of Authorization (CoA) Access-Request was introduced so that ISE can issue a new authorization policy to the endpoint based on CoA triggers
    • Endpoint authenticated
    • Initial Authorization Policy pushed to the switch (endpoint not yet profiled)
    • Profiling data received and endpoint profile selected
    • ISE triggers CoA for the endpoint to reauthenticate (this is subject to the configured CoA Type)
    • Final Authorization Policy pushed to the switch based on the endpoint profile (during the reauthentication process)
  • The following scenarios trigger CoA
    • Endpoint profiled for the 1st time
    • Endpoint statically assigned to a device identity group
    • Endpoint removed from the ISE database
    • Endpoint dynamically changes identity group membership
    • Manual CoA from Context Visibility > Endpoints > Change Authorization

Enable ISE SSH Access

If you missed enabling SSH access during the initial setup of ISE, you can enable it from the console by entering the command: service sshd enable

DNS Performance Troubleshooting

When you are troubleshooting internet performance, there are different parts of the connection that should be verified: · DNS Pe...