Wednesday, December 20, 2017

Cisco ISE: REST API with Python - Get Internal Users

I am currently building python scripts to automate Cisco ISE configuration.

Going through ISE documentation, I am exploring some errors in the python examples which won't work for ISE 2.3. I will be posting the corrections while I am exploring them. 

The first one was in "get-all-internal-users.py" example. 

ISE 2.3 doesn't support TLS 1.0 by default. Instead it supports TLS 1.2. 

The default script:

#!/usr/bin/env python

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API  by executing a Python script.                                      #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: get-all-internal-users.py    #
###########################################################################

import http.client
import base64
import ssl
import sys

# host and authentication credentials
host = sys.argv[1] # "10.20.30.40"
user = sys.argv[2] # "ersad"
password = sys.argv[3] # "Password1"


conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))
.........

This won't work due to SSL version mismatch

The correct version is:

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API  by executing a Python script.                                      #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: get-all-internal-users.py    #
#                                                                         #
# The script should be modified to use SSL TLS v1.2 instead of TLS v1.0   #
# This is required for ISE 2.3                                            #
###########################################################################

import http.client
import base64
import ssl
import sys

# host and authentication credentials
host = sys.argv[1] # "10.20.30.40"
user = sys.argv[2] # "ersad"
password = sys.argv[3] # "Password1"


conn = http.client.HTTPSConnection("{}:9060".format(host), context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))

creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))
.......


at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

DNS Performance Troubleshooting

When you are troubleshooting internet performance, there are different parts of the connection should be verified:   ·         DNS Pe...

  • PxGrid Part # 3 - Troubleshooting FMC-ISE Identity Sync
    From FMC CLI, verify ISE integration status using the command   root@vFPMC:/etc/rc.d# cat /var/sf/run/adi-health $status = {      'ADI&#...
  • SIP Call Transfer
    In SIP IOS call transfer is achieved using REFER method. Similar to H450.2, a REFER message will be sent from transferor to transferee t...
  • CUCM SIP Early Offer
    By default CUCM uses SIP Delayed Offer. In order to enable Early Offer, use one of the following methods: MTP is required ...