Cisco ISE (Identity Services Engine) is THE policy engine for your network. It provides many different services, all of which are needed to meet today's user expectations while protecting the organization from threats:
- TACACS+/RADIUS for centralized AAA (device administration) of networking equipment.
- Network Access Control (NAC), identifying and authorizing endpoints as they connect to the network (both wired and wireless).
- Group-based Policy using Cisco TrustSec.
- VPN policy with Cisco ASA/FTD.
- Guest lifecycle management.
- Device profiling.
- And more...
While Cisco ISE's richness of features and capabilities is highly appreciated by networking and security experts, endpoint technicians and helpdesk representatives prefer a simpler, limited GUI for their day-to-day tasks.
One capability specifically requested by endpoint teams is the concept of a "voucher": a time-limited access token, issued to a specific endpoint in order to grant immediate network access (bypassing the posture/security checks) to a distressed user, so that the technicians can remediate the gaps in the endpoint's posture later. Because a voucher is by design a policy exception, it should always carry an expiry and be traceable to the technician who issued it.
Using Cisco ISE's open APIs, primarily ERS (External RESTful Services), we have created "Vanilla ISE": a simple UI for endpoint technicians and helpdesk representatives.
- List the network access devices configured on ISE.
More information about pyATS is available at: https://developer.cisco.com/pyats/
There are several options for running Vanilla ISE:
- Running the code on a computer/server with Python.
- Running the code in a Docker container. Requires Docker to be installed.
- Running the code on a Cisco device using Guestshell (Cisco Guestshell is a virtualized Linux-based environment, designed to run custom Linux applications, including Python, for automated control and management of Cisco devices). See details below.
The ISE REST APIs (AKA External RESTful Services or ERS) are disabled by default for security. You must enable them:
- Log in to your ISE PAN as admin or another Super Admin user.
- Navigate to Administration > System > Settings and select ERS Settings from the left panel.
- Enable the ERS APIs by selecting Enable ERS for Read/Write.
- Do not enable the CSRF check unless your API client knows how to fetch and replay the ERS CSRF tokens.
- Select Save to save your changes.
Note: leaving the CSRF check disabled is what makes simple basic-auth API clients (such as this one) able to authenticate successfully; with the check enabled, every request that does not carry a valid token is rejected. The check defends against cross-site requests from a browser session, so for a dedicated API account the usual compensating controls are a least-privilege account and restricted network access to the ERS port rather than the CSRF token.
Reference to official documentation
Create an environment file (passed to Docker with --env-file below) containing the following variables:
ISE_IP= <ISE hostname/IP>
ISE_USER= <ISE username>
ISE_PASSWORD= <ISE password>
SWITCH_USER= <username for network devices>
SWITCH_PASS= <password for network devices>
SWITCH_ENABLE= <enable password for network devices>
This file holds an ISE API password and the switch login/enable passwords in clear text: restrict it to the user running the tool (e.g. chmod 600), keep it out of version control, and use a dedicated ISE account in the ERS Admin (or, if read-only suffices, ERS Operator) admin group rather than a Super Admin account.
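As an added example (not Vanilla ISE's own code), the following minimal Python ERS client shows what the settings above amount to in practice: HTTP basic auth against the ERS port using the ISE_IP / ISE_USER / ISE_PASSWORD variables from the environment file, TLS verification instead of the usual "verify=False", the token fetch-and-replay that is only needed when the CSRF check is enabled, and the "list network access devices" call mentioned earlier. The ERS port 9060, the networkdevice resource and the SearchResult layout are standard ISE ERS; the X-CSRF-TOKEN header handling and the ISE_CA_BUNDLE variable name are assumptions to verify against your ISE version, and the sample SearchResult is constructed for the offline parser test.

```python
"""Minimal ISE ERS client (added example, not Vanilla ISE code).

Assumptions not taken from the README: ERS port 9060 and the
/ers/config/networkdevice resource are standard ISE ERS values; the
X-CSRF-TOKEN fetch/replay header names follow the ERS CSRF mechanism and
should be checked against your ISE version; ISE_CA_BUNDLE is a name chosen
here for the CA file used to verify the ISE certificate.
"""
import base64
import json
import os
import ssl
import urllib.request
from typing import Dict, List, Optional

ERS_PORT = 9060


def ers_headers(user: str, password: str, csrf_token: Optional[str] = None) -> Dict[str, str]:
    """Headers every ERS call needs: HTTP basic auth plus JSON content negotiation.

    With the ERS CSRF check enabled, a token must be replayed on each request;
    with it disabled (the setting the README asks for) the header is omitted."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {cred}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    if csrf_token:
        headers["X-CSRF-TOKEN"] = csrf_token
    return headers


def ers_url(host: str, resource: str) -> str:
    """ERS listens on its own port, separate from the admin GUI on 443."""
    return f"https://{host}:{ERS_PORT}/ers/config/{resource}"


def parse_network_devices(body: str) -> List[Dict[str, str]]:
    """Reduce an ERS SearchResult to (id, name) pairs.

    ERS list calls return {"SearchResult": {"total": N, "resources": [...]}},
    each resource carrying id, name, description and a self link."""
    result = json.loads(body)["SearchResult"]
    return [{"id": r["id"], "name": r["name"]} for r in result["resources"]]


def tls_context() -> ssl.SSLContext:
    """Verify the ISE certificate. Point ISE_CA_BUNDLE (assumed name) at the PEM
    of the CA that signed the ISE certificate instead of disabling verification,
    which would hand the admin password to anyone on the path."""
    ctx = ssl.create_default_context()
    bundle = os.environ.get("ISE_CA_BUNDLE")
    if bundle:
        ctx.load_verify_locations(cafile=bundle)
    return ctx


def fetch_csrf_token(host: str, user: str, password: str) -> str:
    """Only needed when CSRF is enabled in ERS Settings: ask for a token with
    'X-CSRF-TOKEN: fetch' and read it back from the response header."""
    headers = ers_headers(user, password)
    headers["X-CSRF-TOKEN"] = "fetch"
    req = urllib.request.Request(ers_url(host, "networkdevice"), headers=headers)
    with urllib.request.urlopen(req, context=tls_context()) as resp:
        return resp.headers["X-CSRF-Token"]


def list_network_devices(host: str, user: str, password: str,
                         csrf_token: Optional[str] = None) -> List[Dict[str, str]]:
    """GET /ers/config/networkdevice and return the configured NADs."""
    req = urllib.request.Request(ers_url(host, "networkdevice"),
                                 headers=ers_headers(user, password, csrf_token))
    with urllib.request.urlopen(req, context=tls_context()) as resp:
        return parse_network_devices(resp.read().decode())


# Constructed sample of an ERS SearchResult, used to exercise the parser offline.
SAMPLE_SEARCH_RESULT = json.dumps({
    "SearchResult": {
        "total": 2,
        "resources": [
            {"id": "1e2f3a40-0000-0000-0000-000000000001", "name": "core-sw01",
             "description": "", "link": {"rel": "self", "href": "...", "type": "application/json"}},
            {"id": "1e2f3a40-0000-0000-0000-000000000002", "name": "access-sw07",
             "description": "", "link": {"rel": "self", "href": "...", "type": "application/json"}},
        ],
    }
})

if __name__ == "__main__":
    # Reads the same variables the README's environment file defines.
    host, user, pw = (os.environ[k] for k in ("ISE_IP", "ISE_USER", "ISE_PASSWORD"))
    for nad in list_network_devices(host, user, pw):
        print(nad["name"], nad["id"])
```

If you do turn the CSRF check on, call fetch_csrf_token() once and pass the result as csrf_token to every later call; the rest of the client is unchanged.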
Build the image (the tag must match the image name used in the run commands):
docker build -t obrigg/vanilla-ise .
Run the container in the background:
docker run -d --env-file <path to env file> -v <path to data dir>:/Vanilla-ISE/data obrigg/vanilla-ise
Or run the container in interactive mode (attached terminal), for example to watch its output while troubleshooting:
docker run -ti --env-file <path to env file> -v <path to data dir>:/Vanilla-ISE/data obrigg/vanilla-ise
Copyright (c) 2020 Cisco and/or its affiliates.
This software is licensed to you under the terms of the Cisco Sample Code License, Version 1.1 (the "License"). You may obtain a copy of the License at
https://developer.cisco.com/docs/licenses
All use of the material herein must be in accordance with the terms of the License. All rights not expressly granted by the License are reserved. Unless required by applicable law or agreed to separately in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.