cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2062
Views
7
Helpful
1
Comments
colemair
Level 1
Level 1

Background

ISE has the capability to purge Endpoint Identity Groups.  Even with complex rules to ensure that only certain devices are purged and not the entire group.  But this capability has a limitation to only be able to run once per day at a specific time.  It cannot be configured to purge at various times throughout the day.

Why would anyone need to purge these groups more than once per day?  Well, imagine the customer that has a worldwide deployment with employees sitting in countries in just about every timezone.  If this customer needs to empty a particular group each day based on their corporate policies, then the built-in purge policy in ISE can do that; however, only at one specific time.  And this time could be in the middle of the workday in certain parts of the world.

One of my customers specifically was using the new SAML capability to provide a pseudo two-factor authentication mechanism (using PingID).  They wanted the employee's device to authenticate using machine authentication and 802.1x on the wired network at all times.  But only once per day (first login of the workday), they wanted to redirect the user to a portal page where they had to enter some additional credentials, receive a text message or other out-of-band code, and enter that code to gain access.  The rest of the day, the employee can unplug the machine and plug it back in and not have to do the additional authentication step.  This was handled with the SAML piece and then placement of the endpoint into a specific group.  Then purge that group in the evening so that the process starts over the next morning.

Solution

The first part of the solution was to use four different endpoint groups that each covered a handful of timezones.  Based on where the authentication request was coming from, the device would be placed into the appropriate group after successful SAML authentication.

The next piece involved using the REST API and a script to clear these individual groups at certain times of the day.  The script would be able to run as a cron job on Linux or as a scheduled task on a Windows system.  The script was written in Perl but the concept can be applied to other languages as well.

The actual script itself is attached to this post.

Using the Script

The script must be run on a system that has some Perl interpreter already installed on it and it must also have the following modules installed:

REST::Client

MIME::Base64

LWP::UserAgent

XML::Simple

IO::File

The script is broken down into a "Main" section and five separate subroutines or functions.  The subroutines/functions are as follows:

testConnection() - Tests to ensure that connectivity to the ISE API is working.

getEndpointGroup() - The other operations require the use of the Endpoint Group ID so this function grabs that value for later use.

getEndpoints() - Grabs the entire list of endpoints from the group for deletion later.

deleteEndpoints() - Sends the bulk delete operations to the ISE API for processing.

checkBulkStatus() - Since the bulk operations work in the background, we have to check the status of them to know when the deletion happened or if there was a problem.

In the "Main" section, towards the top of the script, there are three lines that must be edited to allow the script to work in your environment.  The lines are as follows:

my $username = 'XXXXX';

my $password = 'XXXXX';

my $hostname = 'https://pan.ise.com:9060';

Replace the "XXXXX" above with the current Username and Password configured to use the ISE API.  Leave the single quotes (').  Update the hostname with the correct FQDN and REST API port for your environment.

The script is written to support the checking of the server PKI certificate to ensure it is valid.  If the server certificate on ISE is self-signed or not trusted by the client machine that will run the script, then there are other changes that need to be made.  Each of the subroutines/functions has a line in it that is commented out.  Just remove the pound sign (#) from the beginning of each of the lines.  The lines are as follows:

# $ua->ssl_opts(verify_hostname => 0);

Once the script is ready to run, the syntax is as follows:

perl purge.pl groupname

"perl" is triggering the perl interpreter to run and to read in the following statements for processing.

"purge.pl" is the name of the script.  This can be anything you want.

"groupname" would be the name of the Endpoint Identity Group in ISE that you want to clear out.  It is case-sensitive.

When the script is run, it will create a logfile in the current directory named "purgelog".  This logfile will provide details on the operation such as start time, end time, how many endpoints were deleted, any errors encountered, etc.

Comments
Antonio Torres
Cisco Employee
Cisco Employee

Here is an example of how to install the necessary modules:

  perl -MCPAN -e shell

  cpan> install REST::Client

and so on....

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: