Scripts and CSV templates for converting Cisco Identity Services Engine (ISE) TrustSec components and matrix to Cisco Meraki Adaptive Policy. The scripts are written in Python and use the Cisco ISE and Meraki REST APIs.
## Quick Start

1. Clone this repository:

   ```sh
   git clone https://github.com/1homas/Cisco_ISE_Meraki_TrustSec_Scripts.git
   cd Cisco_ISE_Meraki_TrustSec_Scripts
   ```

2. Create your Python environment:

   ```sh
   python -m ensurepip --upgrade
   pip3 install --upgrade pipenv        # use pipenv for a virtual development environment
   pipenv install --python 3.11         # use Python 3.9 or later
   pipenv install -r requirements.txt   # install required Python packages (`pip freeze > requirements.txt`)
   pipenv shell
   ```

3. Export your ISE and Meraki credentials into your terminal environment:

   ```sh
   export ISE_HOSTNAME=ise.securitydemo.net   # ISE PAN for configuration
   export ISE_USERNAME=admin
   export ISE_PASSWORD=ISEisC00L
   export ISE_VERIFY=False
   export ISE_DEBUG=False
   export MERAKI_KEY='abcdef1234567890abcdef1234567890abcdef12'
   export MERAKI_ORG_NAME=example_org
   export MERAKI_NET_NAME=example_net
   ```

   💡 Add one or more spaces before the `export` commands to prevent these commands, which contain your secrets, from being saved to your shell history (this relies on `HISTCONTROL=ignorespace` or `ignoreboth` in bash, or `setopt HIST_IGNORE_SPACE` in zsh). You may also edit and source these variables from a file in your `~/.secrets` directory:

   ```sh
   source ~/.secrets/ise.sh
   source ~/.secrets/meraki.sh
   ```

4. Verify ISE and Meraki API connectivity:

   ```sh
   ise_api_enabled.py
   meraki_api_enabled.py
   ```

5. Run a script:

   ```sh
   ise_version.py
   ise_trustsec_export.py
   meraki_trustsec_export.py
   ```
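A configuration loader for the variables above, added here as an example and not part of the repository's scripts. It uses the README's variable names; the `Settings` class, the boolean parsing, the 40-hex-character Meraki key check and the log redaction are this example's own assumptions. It refuses to start when a variable is missing and flags `ISE_VERIFY=False`, since that setting turns off TLS certificate verification of the ISE PAN.

```python
"""Load and validate the ISE/Meraki settings the scripts read from the
environment before any API call is made. Added example, not repository code:
variable names follow the README; validation rules are this example's own."""
import os
import re
from dataclasses import dataclass, field
from typing import List, Mapping, Optional

REQUIRED = ("ISE_HOSTNAME", "ISE_USERNAME", "ISE_PASSWORD",
            "MERAKI_KEY", "MERAKI_ORG_NAME", "MERAKI_NET_NAME")
TRUE_WORDS = {"1", "true", "yes", "on"}
FALSE_WORDS = {"0", "false", "no", "off", ""}
# Assumption: a Meraki API key is 40 hex characters, like the README sample.
MERAKI_KEY_RE = re.compile(r"^[0-9a-fA-F]{40}$")
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def parse_bool(name: str, raw: Optional[str], default: bool) -> bool:
    """Accept the spellings people actually export (False, false, 0, no, ...)."""
    if raw is None:
        return default
    value = raw.strip().lower()
    if value in TRUE_WORDS:
        return True
    if value in FALSE_WORDS:
        return False
    raise ValueError(f"{name}: expected a boolean, got {raw!r}")


@dataclass
class Settings:
    ise_hostname: str
    ise_username: str
    ise_password: str
    ise_verify: bool
    ise_debug: bool
    meraki_key: str
    meraki_org_name: str
    meraki_net_name: str
    warnings: List[str] = field(default_factory=list)

    def redacted(self) -> dict:
        """View that is safe to print when ISE_DEBUG is on: secrets are masked."""
        public = {k: v for k, v in self.__dict__.items()
                  if k not in ("ise_password", "meraki_key", "warnings")}
        public["ise_password"] = "***"
        public["meraki_key"] = self.meraki_key[:4] + "..." + self.meraki_key[-4:]
        return public


def load_settings(env: Optional[Mapping[str, str]] = None) -> Settings:
    """Read settings from `env` (defaults to os.environ) and fail early on gaps."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise KeyError("missing environment variables: " + ", ".join(missing))

    settings = Settings(
        ise_hostname=env["ISE_HOSTNAME"].strip(),
        ise_username=env["ISE_USERNAME"],
        ise_password=env["ISE_PASSWORD"],
        ise_verify=parse_bool("ISE_VERIFY", env.get("ISE_VERIFY"), default=True),
        ise_debug=parse_bool("ISE_DEBUG", env.get("ISE_DEBUG"), default=False),
        meraki_key=env["MERAKI_KEY"].strip(),
        meraki_org_name=env["MERAKI_ORG_NAME"],
        meraki_net_name=env["MERAKI_NET_NAME"],
    )
    if not HOSTNAME_RE.match(settings.ise_hostname):
        raise ValueError(f"ISE_HOSTNAME is not a plain hostname: {settings.ise_hostname!r}")
    if not settings.ise_verify:
        settings.warnings.append(
            "ISE_VERIFY=False: TLS certificate verification is disabled; "
            "use only in a lab, or trust the ISE admin certificate chain instead")
    if not MERAKI_KEY_RE.match(settings.meraki_key):
        settings.warnings.append("MERAKI_KEY does not look like a 40-character hex API key")
    return settings


if __name__ == "__main__":
    cfg = load_settings()
    print(cfg.redacted())
    for warning in cfg.warnings:
        print("WARNING:", warning)
```

Pass a dictionary to `load_settings()` in tests; with no argument it reads the real environment, so the sample `export` block above produces exactly one warning (for `ISE_VERIFY=False`) and a redacted view that never contains the password or full API key.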
## ise_api_enabled.py

Enables the ISE ERS and Open APIs:

```
> ise_api_enabled.py
ISE Open APIs Enabled
ISE ERS APIs Enabled
```
## ise_version.py

Returns the ISE version. Example output:

```
> ise_version.py
build: '383'
maintenance: '0'
major: '3'
minor: '3'
patch: '0'
version: 3.3.0.383
```
## ise_trustsec_export.py

Exports the ISE TrustSec configuration using the ISE REST APIs to your terminal as tables and to local files whose names are prefixed with `ise_trustsec` by default:

- `ise_trustsec_matrix.xlsx`: a Microsoft Excel workbook with tabs for the matrix, SGACLs, and SGTs.
- `ise_trustsec_matrix.csv`: a CSV export of the TrustSec matrix, compatible with the ISE CSV import/export.
- `ise_trustsec_sgacls.csv`: a CSV export of the SGACLs. ISE does not support CSV import/export of SGACLs, but a text dump of them is very nice to have!
- `ise_trustsec_sgts.csv`: a CSV export of the TrustSec SGTs, compatible with the ISE CSV import/export.

You may change the default `ise_trustsec` prefix using the `-f/--filename {prefix}` option.
```
> ise_trustsec_export.py
SGTs:
| name             | description                     | value | generationId | propogateToApic |
|------------------|---------------------------------|-------|--------------|-----------------|
| TrustSec_Devices | TrustSec Devices Security Group | 2     | 82           | False           |
| Unknown          | Unknown Security Group          | 0     | 82           | False           |
| ANY              | ANY                             | 65535 | 0            | False           |

SGACLs:
| name          | description            | generationId | aclcontent    |
|---------------|------------------------|--------------|---------------|
| Deny IP       | Deny IP SGACL          | 0            | deny ip       |
| Deny_IP_Log   | Deny IP with logging   | 0            | deny ip log   |
| Permit IP     | Permit IP SGACL        | 0            | permit ip     |
| Permit_IP_Log | Permit IP with logging | 0            | permit ip log |

Policies:
| Name    | Description         | Status  | SrcSGT | DstSGT | SGACLs  | DefaultRule |
|---------|---------------------|---------|--------|--------|---------|-------------|
| ANY-ANY | Default egress rule | ENABLED | ANY    | ANY    | Deny IP | DENY_IP     |

Matrix:
| SGT              | Value | Description                     | TrustSec_Devices | Unknown |
|------------------|-------|---------------------------------|------------------|---------|
| TrustSec_Devices | 2     | TrustSec Devices Security Group |                  |         |
| Unknown          | 0     | Unknown Security Group          |                  |         |
```
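The SGT, SGACL and policy tables above describe an egress matrix: a cell for a (source SGT, destination SGT) pair lists SGACLs, and the cell's default rule applies when no ACE matches. The following model is an added example, not code from the repository: the built-in objects are transcribed from the export above, while the `Permit_Web` SGACL, the Employees/PCI_Servers and Guests/PCI_Servers cells, the ACE parser and the lookup logic are this example's own. It goes slightly beyond the page's four SGACLs by parsing single-port `src eq`/`dst eq` matches.

```python
"""Model an ISE TrustSec egress matrix and answer "what happens to src -> dst
traffic?" the way the matrix would. Added example, not repository code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Transcribed from the export above (SGT name -> value).
SGTS = {"TrustSec_Devices": 2, "Unknown": 0, "ANY": 65535}

# Transcribed SGACLs plus one constructed SGACL (Permit_Web).
SGACLS = {
    "Deny IP": "deny ip",
    "Deny_IP_Log": "deny ip log",
    "Permit IP": "permit ip",
    "Permit_IP_Log": "permit ip log",
    "Permit_Web": "permit tcp dst eq 443",  # constructed for the example
}

# (Name, Status, SrcSGT, DstSGT, SGACLs, DefaultRule). The first row is the
# README's ANY-ANY cell; the other two are constructed for the example.
POLICIES = [
    ("ANY-ANY", "ENABLED", "ANY", "ANY", ["Deny IP"], "DENY_IP"),
    ("Employees-PCI", "ENABLED", "Employees", "PCI_Servers", ["Permit_Web"], "DENY_IP"),
    ("Guests-PCI", "DISABLED", "Guests", "PCI_Servers", ["Permit IP"], "PERMIT_IP"),
]


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    protocol: str            # "ip", "tcp", "udp" or "icmp"
    src_port: Optional[int]  # None = any
    dst_port: Optional[int]  # None = any
    log: bool

    def matches(self, protocol: str, src_port: Optional[int], dst_port: Optional[int]) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        if self.src_port is not None and self.src_port != src_port:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def parse_sgacl(content: str) -> List[Ace]:
    """Parse ACEs of the form '<permit|deny> <proto> [src eq N] [dst eq N] [log]',
    one per line: the README's four SGACLs plus single-port matches."""
    aces = []
    for line in content.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny") \
                or tokens[1] not in ("ip", "tcp", "udp", "icmp"):
            raise ValueError(f"unsupported ACE: {line!r}")
        src = dst = None
        log = False
        rest, i = tokens[2:], 0
        while i < len(rest):
            if rest[i] in ("src", "dst") and i + 2 < len(rest) and rest[i + 1] == "eq":
                port = int(rest[i + 2])
                if rest[i] == "src":
                    src = port
                else:
                    dst = port
                i += 3
            elif rest[i] == "log" and i == len(rest) - 1:
                log = True
                i += 1
            else:
                raise ValueError(f"unsupported ACE: {line!r}")
        aces.append(Ace(tokens[0], tokens[1], src, dst, log))
    return aces


class EgressMatrix:
    DEFAULT_ACTION = {"DENY_IP": "deny", "PERMIT_IP": "permit"}

    def __init__(self, sgts, sgacls, policies):
        self.sgts = sgts
        self.sgacls = {name: parse_sgacl(text) for name, text in sgacls.items()}
        # (src, dst) -> (SGACL names, default rule); disabled cells are skipped.
        self.cells: Dict[Tuple[str, str], Tuple[List[str], str]] = {}
        for _name, status, src, dst, acl_names, default in policies:
            if status == "ENABLED":
                self.cells[(src, dst)] = (acl_names, default)

    def cell(self, src: str, dst: str):
        """The specific cell if one exists, otherwise the ANY-ANY default cell."""
        return self.cells.get((src, dst)) or self.cells.get(("ANY", "ANY"))

    def decide(self, src, dst, protocol="ip", src_port=None, dst_port=None) -> Tuple[str, str]:
        """Return (action, reason): first matching ACE wins, then the cell's default rule."""
        found = self.cell(src, dst)
        if found is None:
            raise LookupError(f"no cell for {src}->{dst} and no ANY-ANY default")
        acl_names, default = found
        for name in acl_names:
            for ace in self.sgacls[name]:
                if ace.matches(protocol, src_port, dst_port):
                    logged = " (logged)" if ace.log else ""
                    return ace.action, f"{name}: {ace.action} {ace.protocol}{logged}"
        return self.DEFAULT_ACTION[default], f"default rule {default}"


if __name__ == "__main__":
    matrix = EgressMatrix(SGTS, SGACLS, POLICIES)
    for flow in (("Employees", "PCI_Servers", "tcp", None, 443),
                 ("Employees", "PCI_Servers", "tcp", None, 22),
                 ("Guests", "PCI_Servers", "ip", None, None)):
        print(flow, "->", matrix.decide(*flow))
```

Feeding `parse_sgacl` the `aclcontent` column of `ise_trustsec_sgacls.csv` and the policies of `ise_trustsec_matrix.csv` turns an export into something you can query before pushing it to a new platform: the disabled Guests cell is ignored, so Guests traffic falls through to the ANY-ANY `Deny IP` cell, and Employees traffic that is not HTTPS hits the cell's `DENY_IP` default rule.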
## ise_trustsec_clear.py

Deletes all SGTs, SGACLs, and Egress Matrix Cells from the ISE deployment. You will see errors when it tries to delete the reserved SGTs (`Unknown`, `TrustSec_Devices`) and SGACLs (`Deny IP`, `Deny_IP_Log`, `Permit IP`, `Permit_IP_Log`).

```
> ise_trustsec_clear.py
204 da9ad00d-0b9f-42b9-bbac-80979a04edf8
204 7b311821-b0f6-4c61-93af-94a47b6f688d
204 aba5dbe0-eee2-4aa4-b539-b02684721b04
204 4fa15703-0c02-428c-8a2d-8f5d0020be6e
204 98323647-073f-4e3f-bb89-2f8d0fdf1c20
204 3ea6d69c-c023-45bd-9fe7-3d2034b7663f
204 c9f61c26-7313-407d-ae16-539a7c44854d
204 f6448013-2682-4e7b-b42e-0598d5ff6d06
204 6bcef4ef-589c-4fa0-9f36-494aa0d996f7
204 8bbeebbc-6a12-40af-b49a-77aa8b93c434
204 2e2183c7-a1ed-4395-8016-84757347044f
204 35b586a2-bf38-4af4-bc3b-d753e789e5b3
204 45fcd70a-3139-4775-8e93-4f4abd7af958
204 a5fe8a07-2c7e-478e-a69a-eb36b14c6ff9
500 Security group TrustSec_Devices is currently in use. References to this security group must be removed before it can be deleted.
400 Deletion of security group Unknown is forbidden and has been blocked!
500 Deletion of security group ACL Deny IP is forbidden and has been blocked (read only object).
500 Deletion of security group ACL Deny_IP_Log is forbidden and has been blocked (read only object).
500 Deletion of security group ACL Permit IP is forbidden and has been blocked (read only object).
500 Deletion of security group ACL Permit_IP_Log is forbidden and has been blocked (read only object).
400 can not delete default egress policy matrix rule .
```
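A clear run mixes successful deletes, the expected refusals for ISE's built-in objects, and failures that actually need a human (a custom SGT still referenced by a policy). The triage below is an added example, not code from the repository: the sample lines are transcribed from the output above except the final `Employees` line, which is constructed, and the classification rules are this example's own.

```python
"""Sort the per-object result lines of a clear run into deleted / reserved /
needs_attention. Added example, not repository code."""
import re
from typing import Dict, List, Optional, Tuple

# Built-in objects ISE refuses to delete, as listed in the README.
RESERVED = ("Unknown", "TrustSec_Devices", "Deny IP", "Deny_IP_Log",
            "Permit IP", "Permit_IP_Log", "default egress policy matrix rule")

# Transcribed from the README output; the last line is constructed.
SAMPLE_OUTPUT = """\
204 da9ad00d-0b9f-42b9-bbac-80979a04edf8
204 7b311821-b0f6-4c61-93af-94a47b6f688d
500 Security group TrustSec_Devices is currently in use. References to this security group must be removed before it can be deleted.
400 Deletion of security group Unknown is forbidden and has been blocked!
500 Deletion of security group ACL Deny IP is forbidden and has been blocked (read only object).
400 can not delete default egress policy matrix rule .
500 Security group Employees is currently in use. References to this security group must be removed before it can be deleted.
"""

LINE_RE = re.compile(r"^\s*(?P<code>\d{3})\s+(?P<detail>.+?)\s*$")


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (bucket, detail), or None for lines that are not result lines."""
    match = LINE_RE.match(line)
    if not match:
        return None
    code, detail = int(match["code"]), match["detail"]
    if 200 <= code < 300:
        return "deleted", detail
    if any(name in detail for name in RESERVED):
        return "reserved", detail          # expected: ISE protects these objects
    return "needs_attention", detail       # e.g. a custom SGT still referenced


def triage(output: str) -> Dict[str, List[str]]:
    """Bucket every result line of a run."""
    buckets: Dict[str, List[str]] = {"deleted": [], "reserved": [], "needs_attention": []}
    for line in output.splitlines():
        result = classify(line)
        if result:
            buckets[result[0]].append(result[1])
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_OUTPUT).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

The reserved check is a plain substring match on the object name, so a custom SGT whose name contains a reserved name (for example `Unknown_Devices`) would be filed as reserved; tighten the match to your own naming scheme before relying on it.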
## excel_trustsec_matrix_to_ise.py

Loads a TrustSec matrix from an Excel workbook into ISE using the REST APIs. The default Excel workbook name is `ise_trustsec_matrix.xlsx`, which is the default output of `ise_trustsec_export.py`. The default ISE TrustSec matrix is provided in `ise_trustsec_matrix_default.xlsx`.

Load the default ISE TrustSec matrix from `ise_trustsec_matrix_default.xlsx`. The output first shows the existing objects being removed (with the same errors for the reserved objects as `ise_trustsec_clear.py`), then the SGTs created (201) from the workbook, then the resulting tables:

```
> excel_trustsec_matrix_to_ise.py ise_trustsec_matrix_default.xlsx
204 0eb228da-7a4b-414c-a738-9d5df68ecb66
204 e12aa794-f212-42b6-a1b6-dea31dd299aa
204 3b765a1b-32ec-457a-8a10-89e8c36fb738
204 65a78800-6172-4113-8474-7e89a7785f2f
204 422c32e3-a576-4a42-b82c-eabfb638f1b0
204 53935ce8-55c7-4632-927b-bcd046e0e23c
204 7abdd089-60bc-42c6-a434-742c7233e7f2
204 2a2e2b43-814e-499b-b5d1-9d2266cb8eb3
204 a8007749-2d95-4f77-9a4e-62e09628f413
204 a5b0aa3a-3da4-4288-82b2-5ee6c1913afb
204 a044f345-73bd-4f66-aab3-e3b5d9f151fd
204 3d97773f-d1f7-42cc-aa0d-cc82ae34fb77
204 f89b0543-16d0-405c-9c0e-0d043b148e4c
204 337811b5-554b-485b-a87a-3c2770e9d7ab
500 Security group TrustSec_Devices is currently in use. References to this security group must be removed before it can be deleted.
400 Deletion of security group Unknown is forbidden and has been blocked!
500 Deletion of security group ACL Deny IP is forbidden and has been blocked (read only object).
500 Deletion of security group ACL Deny_IP_Log is forbidden and has been blocked (read only object).
500 Deletion of security group ACL Permit IP is forbidden and has been blocked (read only object).
500 Deletion of security group ACL Permit_IP_Log is forbidden and has been blocked (read only object).
400 can not delete default egress policy matrix rule .
201 Auditors
201 BYOD
201 Contractors
201 Developers
201 Development_Servers
201 Employees
201 Guests
201 Network_Services
201 PCI_Servers
201 Point_of_Sale_Systems
201 Production_Servers
201 Production_Users
201 Quarantined_Systems
201 Test_Servers
SGTs:
| name                  | value | description                        | generationId | propogateToApic |
|-----------------------|-------|------------------------------------|--------------|-----------------|
| Auditors              | 9     | Auditor Security Group             | 0            | False           |
| BYOD                  | 15    | BYOD Security Group                | 0            | False           |
| Contractors           | 5     | Contractor Security Group          | 0            | False           |
| Developers            | 8     | Developer Security Group           | 0            | False           |
| Development_Servers   | 12    | Development Servers Security Group | 0            | False           |
| Employees             | 4     | Employee Security Group            | 0            | False           |
| Guests                | 6     | Guest Security Group               | 0            | False           |
| Network_Services      | 3     | Network Services Security Group    | 0            | False           |
| PCI_Servers           | 14    | PCI Servers Security Group         | 0            | False           |
| Point_of_Sale_Systems | 10    | Point of Sale Security Group       | 0            | False           |
| Production_Servers    | 11    | Production Servers Security Group  | 0            | False           |
| Production_Users      | 7     | Production User Security Group     | 0            | False           |
| Quarantined_Systems   | 255   | Quarantine Security Group          | 0            | False           |
| Test_Servers          | 13    | Test Servers Security Group        | 0            | False           |
| TrustSec_Devices      | 2     | TrustSec Devices Security Group    | 82           | False           |
| Unknown               | 0     | Unknown Security Group             | 82           | False           |

SGACLs:
| name          | description            | generationId | aclcontent    |
|---------------|------------------------|--------------|---------------|
| Deny IP       | Deny IP SGACL          | 0            | deny ip       |
| Deny_IP_Log   | Deny IP with logging   | 0            | deny ip log   |
| Permit IP     | Permit IP SGACL        | 0            | permit ip     |
| Permit_IP_Log | Permit IP with logging | 0            | permit ip log |
```
## meraki_api_enabled.py

Verifies Meraki Dashboard API access and lists the organizations, networks, and devices visible to the API key:

```
> meraki_api_enabled.py
Organizations (1)
| name   | api               | management      |
|--------|-------------------|-----------------|
| 1homas | {'enabled': True} | {'details': []} |

Networks (3)
| name          | tags | isBoundToConfigTemplate |
|---------------|------|-------------------------|
| Lab-MX68      | []   | False                   |
| hobo-employee | []   | False                   |
| hobo-thomas   | []   | False                   |

Devices (2)
| name        | model      | firmware        |
|-------------|------------|-----------------|
| lab-mr46-1  | MR46       | wireless-29-5-1 |
| lab-ms390-1 | MS390-48UX | cs-15-21-1      |
```
This repository is licensed under the MIT License.