This role manipulates Cisco Identity Services Engine configurations.
Endpoint and Networkdevice manipulation (add, delete, change) are supported so far.
Cisco ISE version 2.1 or 2.2 (tested also on 2.7)
External RESTful Service API must be enabled:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/api_ref_guide/api_ref_book/ise_api_ref_ers2.html#37305
The variables 'cisco_ise_ers_[variable]' must be set overridden to match your credentials.
The play 'cisco_ise_endpoint' adds/changes or deletes MAC Addresses per Cisco ISE identitygroup.
All given MAC Addresses for an identitygroup will be configured on ISE. All other MAC Addresses for this group will be deleted.
The module uses bulk API requests for adding and deleting endpoints for better performance.
It should be able to handle thousands of MAC addresses.
At the current version 'staticGroupAssignment' is always set to true, and staticProfileAssignment is always set to false.
If MAC is an empty array and 'cisco_ise_endpoint_force: true' all Endpoints will be deleted!
If MAC is an empty array and 'cisco_ise_endpoint_force: false' an error is raised.
The play 'cisco_ise_networkdevice' adds/changes or deletes Networkdevices.
Networkdevices are defined in the List: 'cisco_mgmt_devices'. The variables defaults are set in 'cisco_mgmt_device_defaults'. Each of this variables can be overriden in 'cisco_mgmt_devices' per device.
cisco_ise_ers_username: api
cisco_ise_ers_password: changeme
cisco_ise_ers_ssl: true
cisco_ise_ers_port: 9060
cisco_ise_ers_validate_certs: false
# if true and no mac address given to identity group
# all endpoints will be deleted
cisco_ise_endpoint_force: true
# how long do we wait for bulk jobs to be completed
cisco_ise_endpoint_timeout: 30
#
# identitygroups are defined as ARRAYS.
# each ARRAY holds a DICT with keys: 'name' and 'mac'
# if MAC is empty array and 'cisco_ise_endpoint_force: true'
# all Endpoints will be deleted!
#
cisco_ise_identitygroups: [ {
name: "Workstation",
mac: ["00:16:3e:2b:46:35","00:16:3e:5e:ab:2e","00:16:3e:7d:26:5a"] },{
name: "Blacklist",
mac: ["00:16:3e:2b:46:38"]
} ]
# if true all devices listed in the script will be just deleted
delete_devices: false
#
# networkdevice configuration
# splitted into default and device values
# snmp_v3_security_level: can be either AUTH, NO_AUTH, PRIV
# tacacs_connection_mode: one out of ["OFF", ON_DRAFT_COMPLIANT, ON_LEGACY]
#
cisco_mgmt_device_defaults: {
snmp_enabled: true,
snmp_version: 2c,
snmp_polling_interval: "28800",
snmp_ro_community: public,
snmp_rw_community: private,
snmp_v3_username: snmpv3user,
snmp_v3_auth_protocol: MD5,
snmp_v3_auth_password: changeme,
snmp_v3_privacy_protocol: DES,
snmp_v3_privacy_password: changeme,
# AUTH, NO_AUTH, PRIV
snmp_v3_security_level: AUTH,
tacacs_enabled: false,
tacacs_shared_secret: changeme,
# "OFF", ON_DRAFT_COMPLIANT, ON_LEGACY
tacacs_connection_mode: "OFF",
radius_enabled: false,
radius_shared_secret: changeme,
radius_enable_keywrap: false,
radius_coaport: "1700",
profile_name: Cisco,
network_device_groups: ["Location#All Locations","Device Type#All Device Types"]
}
#
# this is how networkdevices are added
# MUST contain 'name' and 'ipaddress'
# CAN override any parameter from 'cisco_mgmt_device_defaults'
#
cisco_mgmt_devices: [ {
name: testdevice1,
ipaddress: 192.168.0.1 },{
name: testdevice2,
ipaddress: 192.168.0.2 }
]
The playbook must contain 'gather_facts: False' and 'connection: local'
Example 1:
- name: ISE
hosts: ise
gather_facts: False
connection: local
roles:
- cisco_ise
tags:
- ise
Example 2:
- name: UPDATING ISE
hosts: ise
gather_facts: false
connection: local
roles:
- role: maxrainer.cisco_ise
cisco_ise_play_device: true
cisco_ise_ers_username: ansible
cisco_ise_ers_password: password$123
cisco_ise_delete_devices: false
cisco_mgmt_devices:
- name: xxxxxxxx11
ipaddress: 111.168.102.129
- name: xxxxxxxx12
ipaddress: 192.168.142.128
- name: xxxxxxxx23
ipaddress: 193.166.0.0
mask: 16
MIT
Markus Rainer ([email protected])
- for "cisco_ise_networkdevice.py" Przemyslaw Konitz Travis Hountondji