ISE REST API - Part 2

This is a continuation of my previous post. In this post, we're going to create some basic objects with the REST API and push them out through POSTMAN.

The first thing I'm going to do is start creating some of my objects with the REST API, beginning with the network device groups. I'm going to use the following template:

<ns4:networkdevicegroup description="Description of the Group" id="A-Unique-Numeric-Identifier" name="Device Type#All Device Types#Name-Of-The-Group" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device-Type</type>
</ns4:networkdevicegroup>

To create the Device Type group named Switches, I'm going to use the following:

Method: POST
URI: https://10.1.100.76:9060/ers/config/networkdevicegroup
Content-Type: application/vnd.com.cisco.ise.network.networkdevicegroup.1.0+xml; charset=utf-8


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Campus Switches" id="000000011" name="Device Type#All Device Types#Switches" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>

It should look like this in POSTMAN:

And you should see the Device Group created under Administration > Network Resources > Network Device Groups.

So let's go ahead and create some more:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Branch Routers" id="000000012" name="Device Type#All Device Types#Routers" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Prime Infrastructure" id="000000013" name="Device Type#All Device Types#Prime" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Web Security Appliance" id="000000014" name="Device Type#All Device Types#WSA" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Corporate Firewalls" id="000000015" name="Device Type#All Device Types#Firewalls" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Wireless Controllers" id="000000016" name="Device Type#All Device Types#Wireless Controllers" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>

Now I have all my Device Types created. If I want to create my location groups, I just use the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Security Demo Lab" id="000000017" name="Location#All Locations#Security Lab" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Location</type>
</ns4:networkdevicegroup>
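As an added example (my code, not from the original post or from Cisco), here is a small Python helper that fills the networkdevicegroup template above and POSTs it with the same URI and Content-Type. The ISE address, the ERS account name, the Accept header and the "<type>#All <type>s#<name>" naming rule (taken from the examples in this post) are assumptions; the attribute quoting is there so a description or name containing &, < or quotes cannot break the XML.

```python
# Added example: build and POST a networkdevicegroup from the template above.
import base64
import ssl
import urllib.request
from xml.sax.saxutils import escape, quoteattr

# Same element, attributes and namespace declarations as the post's template.
GROUP_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<ns4:networkdevicegroup description={desc} id={gid} name={name} '
    'xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" '
    'xmlns:ns4="network.ers.ise.cisco.com">\n'
    '    <type>{gtype}</type>\n'
    '</ns4:networkdevicegroup>\n'
)
GROUP_MEDIA = "application/vnd.com.cisco.ise.network.networkdevicegroup.1.0+xml"


def device_group_name(group_type: str, leaf: str) -> str:
    """Full hierarchical name following the post's examples, e.g.
    ("Device Type", "Switches") -> "Device Type#All Device Types#Switches"."""
    if "#" in leaf:
        # '#' separates hierarchy levels, so a leaf containing it would
        # silently create a deeper (or rejected) path rather than this group.
        raise ValueError("group name must not contain '#'")
    return f"{group_type}#All {group_type}s#{leaf}"  # assumed naming rule


def build_device_group(group_type: str, leaf: str, description: str, group_id: str) -> str:
    """Return the XML body; quoteattr/escape keep '&', '<' and quotes in
    user-supplied values from breaking (or altering) the document."""
    return GROUP_TEMPLATE.format(
        desc=quoteattr(description),
        gid=quoteattr(group_id),
        name=quoteattr(device_group_name(group_type, leaf)),
        gtype=escape(group_type),
    )


def post_device_group(base_url: str, user: str, password: str, body: str,
                      verify_tls: bool = True):
    """POST the body to /ers/config/networkdevicegroup with HTTP basic auth
    (an ERS admin account is assumed). Returns (HTTP status, Location header)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/ers/config/networkdevicegroup", data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": GROUP_MEDIA + "; charset=utf-8",
                 "Accept": GROUP_MEDIA,
                 "Authorization": "Basic " + token})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for a lab ISE that still has a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.headers.get("Location")


if __name__ == "__main__":  # "ersadmin" / "CHANGE-ME" are placeholders
    body = build_device_group("Device Type", "Switches", "Campus Switches", "000000011")
    print(post_device_group("https://10.1.100.76:9060", "ersadmin", "CHANGE-ME", body))
```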


The next thing we are going to do is import the network access devices. The first way is to create them one at a time:

Method: POST
URI: https://10.1.100.76:9060/ers/config/networkdevice
Content-Type: application/vnd.com.cisco.ise.network.networkdevice.1.1+xml; charset=utf-8

If you want to configure your devices with RADIUS, TACACS, SNMP Settings, and Advanced TrustSec:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevice description="Description of the Device" id="Unique-Alpha-Numeric-Identifier" name="Device-Name" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <authenticationSettings>
        <enableKeyWrap>{false|true}</enableKeyWrap>
        <keyEncryptionKey>shared-key</keyEncryptionKey> <- Only applicable if Key wrap is True
        <keyInputFormat>ASCII</keyInputFormat> <- Only applicable if Key wrap is True
        <messageAuthenticatorCodeKey>Code-Key</messageAuthenticatorCodeKey> <- Only applicable if Key wrap is True
        <networkProtocol>RADIUS</networkProtocol>
        <radiusSharedSecret>RADIUS-Shared-Secret</radiusSharedSecret>
    </authenticationSettings>
    <coaPort>1700</coaPort>
    <NetworkDeviceIPList>
        <NetworkDeviceIP>
            <ipaddress>IP-Address-of-Device</ipaddress>
            <mask>Numeric-Mask</mask>
        </NetworkDeviceIP>
    </NetworkDeviceIPList>
    <NetworkDeviceGroupList>
        <NetworkDeviceGroup>Location#All Locations#Location</NetworkDeviceGroup>
        <NetworkDeviceGroup>Device Type#All Device Types#Device-Type-Name</NetworkDeviceGroup>
    </NetworkDeviceGroupList>
    <profileName>Cisco</profileName> <- You can also put AlcatelWired, ArubaWireless, BrocadeWired, HPWired, HPWired_SNMP_CoA, HPWireless, MotorolaWireless, or RuckusWireless

----------------------------------------------------------------------------------------------------------
End here if you just want RADIUS and close it with </ns4:networkdevice>

    <snmpsettings>
        <linkTrapQuery>{true | false}</linkTrapQuery>
        <macTrapQuery>{true | false}</macTrapQuery>
        <originatingPolicyServicesNode>Auto</originatingPolicyServicesNode> <- Auto is default but you can specify the ISE node
        <pollingInterval>3600</pollingInterval> <- Time. Default is 28,000
        <roCommunity>SNMP-String</roCommunity>
        <version>TWO_C</version> <- Can also be ONE or THREE. This is the SNMP version
    </snmpsettings>

-----------------------------------------------------------------------------------------------------------
End here if you want SNMP Settings and close it with </ns4:networkdevice>

    <tacacsSettings>
        <connectModeOptions>ON_LEGACY</connectModeOptions>
        <sharedSecret>Shared-Secret-for-TACACS</sharedSecret>
    </tacacsSettings>

-------------------------------------------------------------------------------------------------------------
End here if you want TACACS Settings and close it with </ns4:networkdevice>

    <trustsecsettings>
        <deviceAuthenticationSettings>
            <sgaDeviceId>Device-ID-Typically-The-Name</sgaDeviceId>
            <sgaDevicePassword>Device-ID-Password</sgaDevicePassword>
        </deviceAuthenticationSettings>
        <deviceConfigurationDeployment>
            <enableModePassword>Enable-Password-For-Device</enableModePassword> <- Only required if includeWhenDeployingSGTUpdates is true
            <execModePassword>EXEC-Mode-Password</execModePassword> <- Only required if includeWhenDeployingSGTUpdates is true
            <execModeUsername>EXEC-Mode-Username</execModeUsername> <- Only required if includeWhenDeployingSGTUpdates is true
            <includeWhenDeployingSGTUpdates>{true | false}</includeWhenDeployingSGTUpdates>
        </deviceConfigurationDeployment>
        <sgaNotificationAndUpdates>
            <downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
            <downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
            <downloadSGACLListsEveryXSeconds>86400</downloadSGACLListsEveryXSeconds>
            <otherSGADevicesToTrustThisDevice>{true | false}</otherSGADevicesToTrustThisDevice>
            <reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
            <sendConfigurationToDevice>{true | false}</sendConfigurationToDevice>
            <sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
        </sgaNotificationAndUpdates>
    </trustsecsettings>
</ns4:networkdevice>

------------------------------------------------------------------------------------------------------------------
The above section is the TrustSec settings. (Note that the downlaod... element names are spelled that way in the ISE schema itself, so they must be sent exactly as shown.)


So if I wanted to deploy a single network device, it would look something like this:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:networkdevice id="00000000022" name="Sw1"
    xmlns:ers="ers.ise.cisco.com" 
    xmlns:xs="http://www.w3.org/2001/XMLSchema" 
    xmlns:ns4="network.ers.ise.cisco.com">
    <link rel="self" href="https://10.1.100.21:9060/ers/config/networkdevice/00000000022" type="application/xml"/>
    <authenticationSettings>
        <enableKeyWrap>false</enableKeyWrap>
        <keyInputFormat>ASCII</keyInputFormat>
        <networkProtocol>RADIUS</networkProtocol>
        <radiusSharedSecret>networknode</radiusSharedSecret>
    </authenticationSettings>
    <coaPort>1700</coaPort>
    <NetworkDeviceIPList>
        <NetworkDeviceIP>
            <ipaddress>10.1.100.15</ipaddress>
            <mask>32</mask>
        </NetworkDeviceIP>
    </NetworkDeviceIPList>
    <NetworkDeviceGroupList>
        <NetworkDeviceGroup>Device Type#All Device Types#Switches</NetworkDeviceGroup>
        <NetworkDeviceGroup>Location#All Locations#Security Lab</NetworkDeviceGroup>
    </NetworkDeviceGroupList>
    <profileName>Cisco</profileName>
    <snmpsettings>
        <linkTrapQuery>true</linkTrapQuery>
        <macTrapQuery>true</macTrapQuery>
        <originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
        <pollingInterval>10000</pollingInterval>
        <roCommunity>networknode</roCommunity>
        <version>TWO_C</version>
    </snmpsettings>
    <tacacsSettings>
        <connectModeOptions>OFF</connectModeOptions>
        <previousSharedSecret>networknode</previousSharedSecret>
        <previousSharedSecretExpiry>0</previousSharedSecretExpiry>
        <sharedSecret>networknode</sharedSecret>
    </tacacsSettings>
    <trustsecsettings>
        <deviceAuthenticationSettings>
            <sgaDeviceId>Sw1</sgaDeviceId>
            <sgaDevicePassword>networknode</sgaDevicePassword>
        </deviceAuthenticationSettings>
        <deviceConfigurationDeployment>
            <includeWhenDeployingSGTUpdates>false</includeWhenDeployingSGTUpdates>
        </deviceConfigurationDeployment>
        <sgaNotificationAndUpdates>
            <downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
            <downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
            <downloadSGACLListsEveryXSeconds>86400</downloadSGACLListsEveryXSeconds>
            <otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
            <reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
            <sendConfigurationToDevice>false</sendConfigurationToDevice>
            <sendConfigurationToDeviceUsing>DISABLE_ALL</sendConfigurationToDeviceUsing>
        </sgaNotificationAndUpdates>
    </trustsecsettings>
</ns4:networkdevice>

It would look like this in POSTMAN:

And create my device over in ISE:


While the above might be good for one-off configurations, there is also an option to bulk-create network access devices with the following:

Method: PUT
URI: https://10.1.100.76:9060/ers/config/networkdevice/bulk/submit
Accept: application/vnd.com.cisco.ise.network.networkdevicebulkrequest.1.1+xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns8:networkDeviceBulkRequest operationType="create" resourceMediaType="vnd.com.cisco.ise.network.networkdevice.1.1+xml" xmlns:ns6="sxp.ers.ise.cisco.com" xmlns:ns5="trustsec.ers.ise.cisco.com" xmlns:ns8="network.ers.ise.cisco.com" xmlns:ns7="anc.ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
    <ns8:resourcesList>
        <ns8:networkdevice description="Network Device 1" id="id_1" name="networkDevice1">
            <authenticationSettings>
                <enableKeyWrap>true</enableKeyWrap>
                <keyEncryptionKey>1234567890123456</keyEncryptionKey>
                <keyInputFormat>ASCII</keyInputFormat>
                <messageAuthenticatorCodeKey>12345678901234567890</messageAuthenticatorCodeKey>
                <networkProtocol>RADIUS</networkProtocol>
                <radiusSharedSecret>aaa</radiusSharedSecret>
            </authenticationSettings>
            <coaPort>1700</coaPort>
            <NetworkDeviceIPList>
                <NetworkDeviceIP>
                    <ipaddress>1.1.1.1</ipaddress>
                    <mask>32</mask>
                </NetworkDeviceIP>
            </NetworkDeviceIPList>
            <NetworkDeviceGroupList>
                <NetworkDeviceGroup>Location#All Locations</NetworkDeviceGroup>
                <NetworkDeviceGroup>Device Type#All Device Types</NetworkDeviceGroup>
            </NetworkDeviceGroupList>
            <profileName>Cisco</profileName>
            <snmpsettings>
                <linkTrapQuery>true</linkTrapQuery>
                <macTrapQuery>true</macTrapQuery>
                <originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
                <pollingInterval>3600</pollingInterval>
                <roCommunity>aaa</roCommunity>
                <version>ONE</version>
            </snmpsettings>
            <tacacsSettings>
                <connectModeOptions>ON_LEGACY</connectModeOptions>
                <sharedSecret>aaa</sharedSecret>
            </tacacsSettings>
            <trustsecsettings>
                <deviceAuthenticationSettings>
                    <sgaDeviceId>networkDevice1</sgaDeviceId>
                    <sgaDevicePassword>aaa</sgaDevicePassword>
                </deviceAuthenticationSettings>
                <deviceConfigurationDeployment>
                    <enableModePassword>aaa</enableModePassword>
                    <execModePassword>aaa</execModePassword>
                    <execModeUsername>aaa</execModeUsername>
                    <includeWhenDeployingSGTUpdates>true</includeWhenDeployingSGTUpdates>
                </deviceConfigurationDeployment>
                <sgaNotificationAndUpdates>
                    <downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
                    <downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
                    <downloadSGACLListsEveryXSeconds>86400</downloadSGACLListsEveryXSeconds>
                    <otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
                    <reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
                    <sendConfigurationToDevice>false</sendConfigurationToDevice>
                    <sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
                </sgaNotificationAndUpdates>
            </trustsecsettings>
        </ns8:networkdevice>
        <ns8:networkdevice description="Network Device 2" id="id_2" name="networkDevice2">
            <authenticationSettings>
                <enableKeyWrap>true</enableKeyWrap>
                <keyEncryptionKey>1234567890123456</keyEncryptionKey>
                <keyInputFormat>ASCII</keyInputFormat>
                <messageAuthenticatorCodeKey>12345678901234567890</messageAuthenticatorCodeKey>
                <networkProtocol>RADIUS</networkProtocol>
                <radiusSharedSecret>aaa</radiusSharedSecret>
            </authenticationSettings>
            <coaPort>1700</coaPort>
            <NetworkDeviceIPList>
                <NetworkDeviceIP>
                    <ipaddress>1.1.1.1</ipaddress>
                    <mask>32</mask>
                </NetworkDeviceIP>
            </NetworkDeviceIPList>
            <NetworkDeviceGroupList>
                <NetworkDeviceGroup>Location#All Locations</NetworkDeviceGroup>
                <NetworkDeviceGroup>Device Type#All Device Types</NetworkDeviceGroup>
            </NetworkDeviceGroupList>
            <profileName>Cisco</profileName>
            <snmpsettings>
                <linkTrapQuery>true</linkTrapQuery>
                <macTrapQuery>true</macTrapQuery>
                <originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
                <pollingInterval>3600</pollingInterval>
                <roCommunity>aaa</roCommunity>
                <version>ONE</version>
            </snmpsettings>
            <tacacsSettings>
                <connectModeOptions>ON_LEGACY</connectModeOptions>
                <sharedSecret>aaa</sharedSecret>
            </tacacsSettings>
            <trustsecsettings>
                <deviceAuthenticationSettings>
                    <sgaDeviceId>networkDevice2</sgaDeviceId>
                    <sgaDevicePassword>aaa</sgaDevicePassword>
                </deviceAuthenticationSettings>
                <deviceConfigurationDeployment>
                    <enableModePassword>aaa</enableModePassword>
                    <execModePassword>aaa</execModePassword>
                    <execModeUsername>aaa</execModeUsername>
                    <includeWhenDeployingSGTUpdates>true</includeWhenDeployingSGTUpdates>
                </deviceConfigurationDeployment>
                <sgaNotificationAndUpdates>
                    <downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
                    <downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
                    <downloadSGACLListsEveryXSeconds>86400</downloadSGACLListsEveryXSeconds>
                    <otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
                    <reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
                    <sendConfigurationToDevice>false</sendConfigurationToDevice>
                    <sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
                </sgaNotificationAndUpdates>
            </trustsecsettings>
        </ns8:networkdevice>
    </ns8:resourcesList>
</ns8:networkDeviceBulkRequest>
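As an added example (my code, not from the original post or from Cisco), the following builds the RADIUS-only subset of the single-device template above and wraps any number of devices in the bulk request shown here, so it serves both the one-at-a-time and the bulk procedure. The check that every referenced group already exists (the ordering mistake of pushing devices before their groups) and the address validation are my additions; ElementTree is given the prefix "net" instead of ns8 because it reserves nsN prefixes, and only the namespace URI is significant, not the prefix.

```python
# Added example: RADIUS-only networkdevice elements wrapped in a
# networkDeviceBulkRequest, with pre-flight checks on groups and addresses.
import ipaddress
import xml.etree.ElementTree as ET

NS_NET = "network.ers.ise.cisco.com"
# ElementTree refuses "nsN" prefixes; the prefix is arbitrary, the URI is what counts.
ET.register_namespace("net", NS_NET)
RESOURCE_MEDIA = "vnd.com.cisco.ise.network.networkdevice.1.1+xml"
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'


def device_element(dev: dict, known_groups: set) -> ET.Element:
    """One <networkdevice>: the RADIUS + IP + group subset of the template
    ("end here if you just want RADIUS"). dev keys: id, name, radius_secret,
    ips (list of "a.b.c.d" or "a.b.c.d/len"), groups, optional description/profile."""
    missing = [g for g in dev["groups"] if g not in known_groups]
    if missing:  # a device cannot be placed in a group that has not been created yet
        raise ValueError(f"{dev['name']}: unknown device groups {missing}")
    nd = ET.Element(f"{{{NS_NET}}}networkdevice", {
        "description": dev.get("description", ""), "id": dev["id"], "name": dev["name"]})
    auth = ET.SubElement(nd, "authenticationSettings")
    ET.SubElement(auth, "enableKeyWrap").text = "false"
    ET.SubElement(auth, "keyInputFormat").text = "ASCII"
    ET.SubElement(auth, "networkProtocol").text = "RADIUS"
    ET.SubElement(auth, "radiusSharedSecret").text = dev["radius_secret"]  # ET escapes & < >
    ET.SubElement(nd, "coaPort").text = "1700"
    ip_list = ET.SubElement(nd, "NetworkDeviceIPList")
    for cidr in dev["ips"]:
        # strict=True rejects "10.1.100.15/24" (host bits set) and malformed addresses
        net = ipaddress.ip_network(cidr, strict=True)
        entry = ET.SubElement(ip_list, "NetworkDeviceIP")
        ET.SubElement(entry, "ipaddress").text = str(net.network_address)
        ET.SubElement(entry, "mask").text = str(net.prefixlen)
    groups = ET.SubElement(nd, "NetworkDeviceGroupList")
    for g in dev["groups"]:
        ET.SubElement(groups, "NetworkDeviceGroup").text = g
    ET.SubElement(nd, "profileName").text = dev.get("profile", "Cisco")
    return nd


def build_bulk_request(devices: list, known_groups: set) -> str:
    """Body for PUT /ers/config/networkdevice/bulk/submit with operationType create."""
    root = ET.Element(f"{{{NS_NET}}}networkDeviceBulkRequest",
                      {"operationType": "create", "resourceMediaType": RESOURCE_MEDIA})
    res_list = ET.SubElement(root, f"{{{NS_NET}}}resourcesList")
    for dev in devices:
        res_list.append(device_element(dev, known_groups))
    ET.indent(root, space="    ")
    return XML_DECL + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: two lab switches placed in the groups created earlier.
    known = {"Device Type#All Device Types#Switches", "Location#All Locations#Security Lab"}
    devices = [{"id": f"000000002{n}", "name": f"Sw{n}", "radius_secret": "CHANGE-ME",
                "ips": [ip], "groups": sorted(known)}
               for n, ip in ((2, "10.1.100.15"), (3, "10.1.100.16"))]
    print(build_bulk_request(devices, known))
```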


Some of the other things you can do with the REST API:

  • Create, Delete, Search, and Modify Security Groups
  • Create, Delete, Search, and Modify SGACLs
  • Map IP to SGT 
  • Create, Delete, Search, and Modify Egress Matrix Cells
  • Create, Delete, Search, and Modify SXP VPNs
  • Create, Delete, Search, and Modify SXP Local Bindings
  • Create, Delete, Search, and Modify SXP Connections
  • Create, Delete, Search, and Modify Network Devices and Network Device Groups
  • Create, Delete, Search, and Modify Profiler Profile
  • Create, Delete, Search, and Modify Internal Users
  • Create, Delete, Search, and Modify Identity Groups
  • Create, Delete, Search, and Modify Guest Users
  • Create, Delete, Search, and Modify Endpoints and Endpoint Identity Groups
  • Create, Delete, Search, and Modify ANC Policy
  • Quarantine and Unquarantine Endpoints

To view some of the configurations and see instructions on how to use the API, navigate to https://<IP-of-ISE>:9060/ers/sdk in your browser.