Wednesday, December 20, 2017

Cisco ISE: REST API with Python - Get Internal Users

I am currently building python scripts to automate Cisco ISE configuration.

Going through ISE documentation, I am exploring some errors in the python examples which won't work for ISE 2.3. I will be posting the corrections while I am exploring them. 

The first one was in "get-all-internal-users.py" example. 

ISE 2.3 doesn't support TLS 1.0 by default. Instead it supports TLS 1.2. 

The default script:

#!/usr/bin/env python

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API  by executing a Python script.                                      #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: get-all-internal-users.py    #
###########################################################################

import http.client
import base64
import ssl
import sys

# host and authentication credentials
host = sys.argv[1] # "10.20.30.40"
user = sys.argv[2] # "ersad"
password = sys.argv[3] # "Password1"


conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))
.........

This won't work due to SSL version mismatch

The correct version is:

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API  by executing a Python script.                                      #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: get-all-internal-users.py    #
#                                                                         #
# The script should be modified to use SSL TLS v1.2 instead of TLS v1.0   #
# This is required for ISE 2.3                                            #
###########################################################################

import http.client
import base64
import ssl
import sys

# host and authentication credentials
host = sys.argv[1] # "10.20.30.40"
user = sys.argv[2] # "ersad"
password = sys.argv[3] # "Password1"


conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))
.......


No comments:

Post a Comment

DNS Performance Troubleshooting

When you are troubleshooting internet performance, there are different parts of the connection should be verified:   ·         DNS Pe...