Cisco ISE (Identity Services Engine) is THE policy engine for your network. It provides many (many) different services that are all required to meet today's user expectations while protecting the organization from threats:
- TACACS+/RADIUS for central management of networking equipment.
- Network Admission Control (NAC) identifying endpoints as they connect to the network (both wired and wireless).
- Group-based Policy using Cisco TrustSec.
- VPN policy with Cisco ASA/FTD.
- Guest lifecycle management.
- Device profiling.
- And more...
In order to support scale of millions and millions of endpoints, Cisco ISE's profiling mechanism profiles and endpoint once and caches the endpoint's MAC address for the next time it authenticates. Some organizations would prefer endpoints will be proviled every single time they connect to the network.
Using Cisco ISE's open APIs, primarily ERS (External RESTful Services), we have created "Cisco ISE cleaning service". The cleaning service receives updates from Cisco ISE every time a profiled device is disconnected - and deletes the endpoint from ISE's DB, resulting in re-profiling end endpoint the next time it connects to the network.
There are several options for running vanilla ISE:
- Running the code on a computer/server with Python.
- Running the code on a Docker container. Requires to install Docker.
The ISE REST APIs (AKA External RESTful Services or ERS) are disabled by default for security. You must enable it:
- Login to your ISE PAN using the admin or other SuperAdmin user.
- Navigate to Administration > System > Settings and select ERS Settings from the left panel.
- Enable the ERS APIs by selecting Enable ERS for Read/Write
- Do not enable CSRF unless you know how to use the tokens.
- Select Save to save your changes.
Note: its good practice to disable CSRF to make sure you are able to authenticate successfully.
Reference to official documentation
Not all endpoint groups should be cleaned (for example, Vanilla ISE's voucher group). In order to have granular support for the cleaning service - only endpoint groups that have "#cleanup" in their description will be cleaned.
- Login to your ISE PAN using the admin or other SuperAdmin user.
- Navigate to Administration > Identity Management > Endpoint Identity Groups.
- Select an endpoint group you would like to clean using the cleaning service.
- Add the "#cleanup" in the description field.
- Don't forget to save.
In order to receive notifications from Cisco ISE, the service needs to be configured as a Syslog destination on ISE.
- Login to your ISE PAN using the admin or other SuperAdmin user.
- Navigate to Administration > System > Logging and select Remote Logging Targets from the left panel.
- Add the cleaning service's IP address, and save.
- Navigate to Logging Categories in the left panel, and select RADIUS Accounting.
- Add the cleaning service from "available" to "Selected".
- Select Save to save your changes.
ISE_IP= <ISE hostname/IP>
ISE_USER= <ISE username>
ISE_PASSWORD= <ISE password>
docker run -d -p 514:514/udp --env-file <path to env file> obrigg/ise-cleaning-service
running the Docker in interactive mode:
docker run -ti -p 514:514/udp --env-file <path to env file> obrigg/ise-cleaning-service
Copyright (c) 2021 Cisco and/or its affiliates.
This software is licensed to you under the terms of the Cisco Sample Code License, Version 1.1 (the "License"). You may obtain a copy of the License at
https://developer.cisco.com/docs/licenses
All use of the material herein must be in accordance with the terms of the License. All rights not expressly granted by the License are reserved. Unless required by applicable law or agreed to separately in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.