A set of Python scripts to configure a freshly installed Cisco Identity Services Engine (ISE) for simple operation; in my case, a basic Cisco Software-Defined Access environment.
Note: This repo is my second shot at automating ISE, and is mostly the same as my Ansible project in terms of functionality. I even used the same YAML settings files so you can use either method without any modification.
These scripts will configure the following in ISE:
- local user groups (
01_add_groups.py) - local user identities (
02_add_users.py) - a simple TACACS profile and command set for privilege 15 access (
03_create_tacacs_profiles.py) - TACACS policies in the default policy set (
05_create_tacacs_authz_policies.py) - Scalable Group Tags (SGT) to allow our authentication rules to work (
06_create_sgts.py) - network access authorization rules to places users in the appropriate VLANs (wired and wireless) (
08_create_authorization_profiles.py) - network access policies to authorize users and assign SGTs (
09_create_authorization_policies.py) - a complete wired guest workflow with redirection, portal, and SGT(
10_create_guest_authz_profiles.py&11_create_guest_authz_policies.py) - Cisco access point profiling (using the wired guest flow) and authorization profiles (
12_access_point_profiling.py)
The ISE resources that are configured with these scripts are enough to support a basic Cisco SD-Access network including:
- TACACS authentication for network devices
- dot1x authentication and authorization for multiple users
- wired guest access
- multiple Scalable Group Tags (SGTs)
- Cisco access point profiling and authorization
I administer a lab environment that is used to demonstrate Cisco Software-Defined Access for customers. When new versions of Cisco ISE or DNA Center are released, I do a fresh installation of both so that I can test the new versions with the lab workflow. This involves installing each piece of software and then configuring them both to the point where I can start going through the lab guide.
After watching a demo of the collections in this repo that use Terraform and Ansible to spin-up and configure ISE in AWS, I was inspired to setup something similar to assist in my configuration process when testing new versions.
I started with almost zero API experience beyond installing Postman on my workstation in the past and never using it. Prior to this project I had run exactly one Ansible playbook in my life, and that was six years ago. Needless to say, I was (and still am) completely green with this stuff, so it was a complete learning experience for me, especially not having a background in code or data structures.
Once I got the Ansible collection done, I decided to teach myself Python the hard way by converting everything into Python scripts. It was a challenge because I had zero Python experience, but I got it done in a couple of days with the help of Google.
As a bonus: You will notice some snark in the script comments as well, which stemmed from some frustrations that I ran into while learning. Some, but not all, of these comments were copied from the companion Ansible playbooks, because the frustrations were mostly the same.
- Cisco Identity Services Engine (ISE) 3.1 or higher
Note: Some of these scripts may work with ISE 3.0, but 3.1 is required for the policy stuff.
- Python 3.6+
- Cisco ISE SDK v1.0.0+
If you just want to see these in action, you can run them against a Cisco DevNet ISE 3.1 APIs, Ansible, and Automation sandbox instance without any customization:
- On your local workstation install requirements above:
Cisco ISE SDK:
sudo pip install ciscoisesdk
-
Reserve a sandbox in DevNet and connect to it per their instructions
-
In ISE, enable ERS and Open API settings in: Administration | Settings | API Settings | API Service Settings
- Run the scripts one at a time like this:
$ python 01_add_groups.py
$ python 02_add_users.py
$ python 03_create_tacacs_profiles.py
- You can verify the changes in the ISE GUI after each script if you're curious
Although my use-case for these scripts involves a fresh deployment of ISE to support a Cisco SD-Access topology, they can absolutely be modified and used in a brownfield ISE environment without SDA.
I'm going to try to make the project self-documenting via comments as best I can, but here's a rough guide to get started:
credentials.yaml - Contains the ISE deployment information such as hostname, username, and password
groupsandusers.yaml - Contains the internal identity groups and users that will be configured by the scripts
policy.yaml - Contains the policy/profile information that will be configured by the scripts
- I developed these scripts using Cisco DevNet's ISE 3.1 APIs, Ansible, and Automation sandbox, so they should be useable there without any modification (See Quick Start section)
One day I will post a summary of some of the ISE settings that I change to make my life a little easier following an install. These settings will be pretty specific to a lab environment and not suggested for production.
- better documentation
- better optimization of the scripts
- result feedback from the scripts
- error checking and handling
- clean up the scripts to match the Python style guide (Hi, Jose!)
- add more optional fields to make this useful in the real world
- redo this whole mess in Python before I retire (NOTE: I DID IT)
Google.
I also want to give a shoutout to the developers of the Cisco ISE SDK. It made things much much easier for me.
Please open an issue if you have any questions or suggestions.
I developed these scripts for my own use, so I do want to keep them as clean as I can, but if you think they can be improved or optimized, feel free to submit a PR.