Solved: ISE - ERS - Get EndPoint By MAC Address

DustinBAE · ‎08-15-2017

The specific problem at hand: I'm trying to use ISE's ERS system with PostMan to pull the details of a specific end-point.

The overall goal: Use ERS to pull a list of successful RADIUS authentications where a specific policy is applied. Then, pull the end point data including the called-station-id, and do a lookup of endpoint and called-station-id data on other local tables to help identify the location and other data that ISE has not been able to discover.

The issue with what I'm trying to do:

I send a REST query to the ERS server and I include a filter on the request, but the filter is ignored and I get a list of all end points.

Query: https://<ise-url>:9060/ers/config/endpoint

Header:

Authorization: BASIC <basic auth stuff>

ACCEPT: application/vnd.com.cisco.ise.identity.endpoint.1.2

filter: mac.EQ.XX:XX:XX:XX:XX:XX

I replace the XX:XX:XX:XX:XX:XX with the MAC data I'm trying to lookup.

The response I get is an XML listing of every endpoint in the system, not a search/lookup of the MAC specified in the filter. If I put the /<endpoint-id> on the end of the query I get results specific to the endpoint I want; but to programmatically know the endpoint-id I need to find it by MAC first.

Any help or pointers? I've been reading through the API included on the ISE server itself (https://<ise-url>:9060/ers/sdk/) and it says:

Get-All

Request:

Method:	GET
URI:	https://<ise-url>:9060/ers/config/endpoint
HTTP 'Content-Type' Header:	application/xml \| application/json
HTTP 'Accept' Header:	application/xml \| application/json
HTTP 'ERS-Media-Type' Header (Not Mandatory)	identity.endpoint.1.2

Request Content:

N/A

Supported Filter and Sorting Fileds:

Filter: [portalUser, staticProfileAssignment, profileId, profile, groupId, staticGroupAssignment, mac]

Sorting: [name, description]

I've also tried with these headers with the same results:

ACCEPT: application/xml

Content-Type: application/xml

ERS-Media-Type: identity.endpoint.1.2

filter: mac.EQ.XX:XX:XX:XX:XX:XX

But I cannot get the filter nor the sort to work. Any help is appreciated!

Thank you,

Dustin

Mark DeLong · ‎12-30-2018

Dustin,

I know this is an old post but it seems to me that your mistake (with the ERS API) is trying to add your filter in the headers instead of in the URI. Here's an example of doing this filter in curl:

curl -k -H 'Accept: application/vnd.com.cisco.ise.identity.endpointgroup.1.0+xml' --user admin:C1sco12345  'https://ers-username:ers-password@ise-pan.domain.com:9060/ers/config/endpoint?filter=mac.EQ.11:22:33:44:55:66'

So the end of your URL should be something similar to this in the request and your headers shouldn't have any additions to them from the normal ones:

/ers/config/endpoint?filter=mac.EQ.11:22:33:44:55:66'

Here's where I found this curl example: https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623#toc-hId--721274487

I used this filter format in my python script with no problem so it appears this filter method works fine.

All that said, I wish the SDK was more clear about where these filters were added too. At first I thought to put it into the headers until I found this curl example. Maybe a more savvy coder would find this obvious but I'm a network guy by training rather than a coder. Hope that helps!

Thanks,

Mark

View solution in original post

rob.drye · ‎08-22-2017

You have to quote the MAC address. If it's part of a string, don't forget to escape the quote characters.

filter: mac.EQ."xx:xx:xx:xx:xx:xx"

"mac.EQ.\"xx:xx:xx:xx:xx:xx\""

DustinBAE · ‎08-22-2017

I tried again with your suggestion, however the quotes don't seem to help. I'm still getting the entire list of endpoints.

I know I used a good mac because I copy/pasted from the list of endpoints in the ISE GUI.

Attached is what I'm trying and the result.

rob.drye · ‎08-23-2017

Our script (developed by Chris Wood) uses a different call:

result = requests.get(pi_url + "data/ClientDetails?.full=true&macAddress=\"%s\"" % mac_address, headers={'Connection':'close'}, verify=False)

In practice this ends up as https://ise.domain.com:9060/data/ClientDetails?.full=true&macAddress="xx:xx:xx:xx:xx:xx

Escaping the quotes is a necessary part of the script, but not of the URL.

rob.drye · ‎08-23-2017

There should be a quote after the MAC address. Stripped by the post.

DustinBAE · ‎08-23-2017

What is interesting is, when I query against data/ClientDetails I get a 404 error. I tried a couple different variations of spelling (plural vs. singular) and I still get the 404. Also I cannot find that API structure in the documentation.

rob.drye · ‎08-23-2017

What version are your running?

DustinBAE · ‎08-23-2017

2.2.0.470 with patches 1,2

rob.drye · ‎08-23-2017

Here's a working call. The user has to be authenticated as a valid member of the MnT Admin group.

https://(ise URL)/admin/API/mnt/AuthStatus/MACAddress/1c:df:0f:1f:fc:17/0/100/All

Forget the quotes. Those are required by Prime Infrastructure. Here's the returned XML:

<authStatusOutputList><authStatusList key="1C:DF:0F:1F:FC:17"><authStatusElements><passed xsi:type="xs:boolean">true</passed><failed xsi:type="xs:boolean">false</failed><user_name>1C:DF:0F:1F:FC:17</user_name><nas_ip_address>130.189.124.12</nas_ip_address><nas_port_type>Wireless - IEEE 802.11</nas_port_type><calling_station_id>1C:DF:0F:1F:FC:17</calling_station_id><identity_group>Cisco-IP-Phone</identity_group><network_device_name>WI1E21</network_device_name><acs_server>DHISE1P1</acs_server><authentication_method>mab</authentication_method><authentication_protocol>Lookup</authentication_protocol><acs_timestamp>2017-08-23T15:31:36.510Z</acs_timestamp><execution_steps>11001,11017,11117,11027,15049,15008,15048,15048,15048,15048,15048,15004,15041,15006,15013,24209,24211,22037,15036,15004,15016,11022,11002</execution_steps><response>{UserName=1C:DF:0F:1F:FC:17; User-Name=1C-DF-0F-1F-FC-17; State=ReauthSession:82bd783eudMSDFiBYUSGiYcm3xaGPITeWX_fZx1epiGAa8MuPgg; Class=CACS:82bd783eudMSDFiBYUSGiYcm3xaGPITeWX_fZx1epiGAa8MuPgg:DHISE1P1/290393927/9600839; cisco-av-pair=device-traffic-class=voice; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-51ef7db1; cisco-av-pair=profile-name=Cisco-IP-Phone; LicenseTypes=515; }</response><selected_azn_profiles>Cisco_IP_Phones</selected_azn_profiles><service_type>Call Check</service_type><message_code>5200</message_code><id>1502191547816506</id><acsview_timestamp>2017-08-23T15:31:36.511Z</acsview_timestamp><identity_store>Internal Endpoints</identity_store><response_time>10</response_time><location>All Locations#Lebanon</location><device_type>All Device Types#Wireless Controllers</device_type><other_attributes>:!:ConfigVersionId=116:!:DestinationPort=1812:!:Protocol=Radius:!:NAS-Port=4:!:Framed-MTU=1300:!:Acct-Session-Id=599d9fd8/1c:df:0f:1f:fc:17/9895286:!:Tunnel-Type=(tag=0) VLAN:!:Tunnel-Medium-Type=(tag=0) 802:!:Tunnel-Private-Group-ID=(tag=0) 995:!:Airespace-Wlan-Id=3:!:OriginalUserName=1cdf0f1ffc17:!:NetworkDeviceProfileName=Cisco:!:NetworkDeviceProfileId=51e38846-fa8b-4a75-bb3f-b10bd88c5475:!:IsThirdPartyDeviceFlow=false:!:RadiusFlowType=WirelessMAB:!:SSID=7c-95-f3-c0-01-30:DHMC Phones:!:AcsSessionID=DHISE1P1/290393927/9600839:!:UseCase=Host Lookup:!:SelectedAuthenticationIdentityStores=Internal Endpoints:!:AuthenticationStatus=AuthenticationPassed:!:IdentityPolicyMatchedRule=Defaultdf68297f-3e08-48cf-a38f-774c8d4fe5c5:!:AuthorizationPolicyMatchedRule=Profiled Cisco IP Phones:!:CPMSessionID=82bd783eudMSDFiBYUSGiYcm3xaGPITeWX_fZx1epiGAa8MuPgg:!:EndPointMACAddress=1C-DF-0F-1F-FC-17:!:ISEPolicySetName=Default:!:AllowedProtocolMatchedRule=MAB:!:IdentitySelectionMatchedRule=Default:!:DTLSSupport=Unknown:!:HostIdentityGroup=Endpoint Identity Groups:Profiled:Cisco-IP-Phone:!:Network Device Profile=Cisco:!:Location=Location#All Locations#Lebanon:!:Device Type=Device Type#All Device Types#Wireless Controllers:!:StepData="6= Normalised Radius.RadiusFlowType","7= Radius.User-Name","8= Network Access.NetworkDeviceName","9= DEVICE.Device Type","10= Radius.Called-Station-ID","11=MAB","14=Internal Endpoints","19=Profiled Cisco IP Phones"=StepData:!:RADIUS Username=1C:DF:0F:1F:FC:17:!:NAS-Identifier=WI1E21:!:Device IP Address=130.189.124.12:!:Called-Station-ID=7c-95-f3-c0-01-30:DHMC Phones:!:CiscoAVPair=</other_attributes></authStatusElements></authStatusList></authStatusOutputList>

DustinBAE · ‎08-23-2017

Thank you for the information. I'm going to read through the documentation again and find the different betweent :9060/ers/ and /admin/api branches, as my authentication to one works, but to /admin/api does not.

Mark DeLong · ‎12-30-2018