cisco-ise 0.1.0
- data/LICENSE.txt +20 -0
- data/README.rdoc +276 -0
- data/lib/cisco-ise.rb +165 -0
- data/lib/cisco-ise/acct-status-api.rb +35 -0
- data/lib/cisco-ise/acct-status-element.rb +17 -0
- data/lib/cisco-ise/active-count-api.rb +27 -0
- data/lib/cisco-ise/active-list-api.rb +35 -0
- data/lib/cisco-ise/active-session.rb +10 -0
- data/lib/cisco-ise/auth-list-api.rb +36 -0
- data/lib/cisco-ise/auth-status-api.rb +40 -0
- data/lib/cisco-ise/auth-status-element.rb +15 -0
- data/lib/cisco-ise/coa.rb +54 -0
- data/lib/cisco-ise/delete-api.rb +55 -0
- data/lib/cisco-ise/disconnect-api.rb +49 -0
- data/lib/cisco-ise/end-point-ip-address-api.rb +33 -0
- data/lib/cisco-ise/failure-reason.rb +8 -0
- data/lib/cisco-ise/failure-reasons-api.rb +46 -0
- data/lib/cisco-ise/http-session.rb +99 -0
- data/lib/cisco-ise/mac-address-api.rb +33 -0
- data/lib/cisco-ise/nas-ip-address-api.rb +33 -0
- data/lib/cisco-ise/posture-count-api.rb +25 -0
- data/lib/cisco-ise/product.rb +16 -0
- data/lib/cisco-ise/profiler-count-api.rb +25 -0
- data/lib/cisco-ise/reauth-api.rb +49 -0
- data/lib/cisco-ise/session-count.rb +9 -0
- data/lib/cisco-ise/session-parameters.rb +109 -0
- data/lib/cisco-ise/user-name-api.rb +33 -0
- data/lib/cisco-ise/version-api.rb +43 -0
- data/test/helper.rb +83 -0
- data/test/test_active-session.rb +22 -0
- data/test/test_auth-status-element.rb +22 -0
- data/test/test_cisco-ise.rb +4 -0
- data/test/test_product.rb +24 -0
- metadata +86 -0
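--- a/data/LICENSE.txt
+++ b/data/LICENSE.txt
@@ -0,0 +1,20 @@
+Copyright (c) 2012 Mark Sullivan
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.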
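--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -0,0 +1,276 @@
+= cisco-ise
+
+CiscoISE is a Ruby wrapper for the Cisco Identity Services Engine (ISE) API. This implementation wraps all APIs for ISE 1.1.
+
+== Installation
+
+Install the library using rubygems
+
+$ gem install cisco-ise
+
+You can then use it in your Ruby scripts with
+
+require 'cisco-ise'
+
+== HTTP Session
+
+For each MnT that you need to communicate with, you will need to create a CiscoISE::HttpSession:
+
+ise_session = CiscoISE::HttpSession.new("device-name","myusername","mypassword")
+
+To disable SSL support for the HTTP session:
+
+ise_session = CiscoISE::HttpSession.new("device-name","myusername","mypassword", CiscoISE::HttpSession::SSL_DISABLED)
+
+To enable certificate validation for the HTTP session:
+
+ise_session = CiscoISE::HttpSession.new("device-name","myusername","mypassword", CiscoISE::HttpSession::SSL_ENABLED, CiscoISE::HttpSession::CERT_VERIFY_ENABLED)
+
+== Session Management
+
+The following sections refer to the Session Management APIs. Refer to http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html
+
+=== Active Session Counter
+
+To return the current Active Session count:
+
+count = CiscoISE::ActiveCountApi.new(ise_session).count
+=> "10"
+
+=== Posture Session Counter
+
+To return the current Posture Session count:
+
+count = CiscoISE::PostureCountApi.new(ise_session).count
+=> "12"
+
+=== Profiler Session Counter
+
+To return the current Profiler Session count:
+
+count = CiscoISE::ProfilerCountApi.new(ise_session).count
+=> "8"
+
+=== Active Session List
+
+
+Firstly create an Active List query
+
+active = CiscoISE::ActiveListApi.new(ise_session)
+
+Next we can iterate through each active session. Each returned object is a CiscoISE::ActiveSession.
+
+active.each do |record|
+puts record.user_name
+end
+
+=== Authenticated Session List
+
+
+Firstly create an Authenticated Session List query. The default query lists all currently active authenticated sessions.
+
+active = CiscoISE::AuthListApi.new(ise_session)
+
+Next we can iterate through each authenticated session. Each returned object is a CiscoISE::ActiveSession.
+
+active.each do |record|
+puts record.user_name
+end
+
+To limit the authenticated session list to authentications starting BEFORE a specific time:
+
+active = CiscoISE::AuthListApi.new(ise_session, '2010-12-14 15:33:15')
+
+To limit the authenticated session list to authentications starting AFTER a specific time:
+
+active = CiscoISE::AuthListApi.new(ise_session, '', '2010-12-14 15:33:15')
+
+To limit the authenticated session list to authentications starting BETWEEN a specific time range:
+
+active = CiscoISE::AuthListApi.new(ise_session, '2010-12-13 15:33:15', '2010-12-14 15:33:15')
+
+=== MAC Address Search
+
+Firstly create a MAC Address query.
+
+session = CiscoISE::MacAddressApi.new(ise_session,'00:17:89:01:23:45')
+
+Next we can iterate through each session object. Each returned object is a CiscoISE::SessionParameters.
+
+session.each do |record|
+puts record.user_name + ":" + record.nas_ip_address
+end
+
+=== User Name Search
+
+Firstly create a User Name query.
+
+session = CiscoISE::UserNameApi.new(ise_session,'the-users-name')
+
+Next we can iterate through each session object. Each returned object is a CiscoISE::SessionParameters.
+
+session.each do |record|
+puts record.user_name + ":" + record.nas_ip_address
+end
+
+=== NAS IP Address Search
+
+Firstly create a NAS IP Address query.
+
+session = CiscoISE::NasIpAddressApi.new(ise_session,'1.1.1.1')
+
+Next we can iterate through each session object. Each returned object is a CiscoISE::SessionParameters.
+
+session.each do |record|
+puts record.user_name + ":" + record.nas_ip_address
+end
+
+=== Endpoint IP Address Search
+
+Firstly create an Endpoint IP Address query.
+
+session = CiscoISE::EndPointIpAddressApi.new(ise_session,'10.10.10.10')
+
+Next we can iterate through each session object. Each returned object is a CiscoISE::SessionParameters.
+
+session.each do |record|
+puts record.user_name + ":" + record.nas_ip_address
+end
+
+=== Removing stale sessions API call
+
+Please note that this feature is documented as "manually delete inactive sessions". Do not use this on live session. To disconnect/delete a live session please use the CoA api.
+
+Firstly create a new Delete session.
+
+delete = CiscoISE::DeleteApi.new(ise_session)
+
+There are three different methods that can be used to delete sessions. To delete all sessions:
+
+delete.all
+
+To delete a session based on a MAC Address:
+
+delete.mac_address('00:17:89:01:23:45')
+
+To delete a session based on a session ID:
+
+delete.session_id('1234567890987654321')
+
+== Troubleshooting API's
+
+The following sections refer to the Troubleshooting APIs. Refer to http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch3.html
+
+=== Node Version and Type (aka Version) API Call
+
+To return a product object that contains details on the MnT:
+
+product = CiscoISE::VersionApi.new(ise_session).product
+
+puts product.name
+puts product.type_of_node
+puts product.version
+puts product.type_of_node_as_code
+
+=== Failure Reasons API Call
+
+To return a list of Failure Reasons:
+
+failure = CiscoISE::FailureReasonsApi.new(ise_session)
+
+To retrieve a specific code:
+
+code = failure.find_code('86023')
+puts code.failure_id + ':' + code.cause
+
+To iterate through each failure code:
+
+failure.each do |code|
+puts code.id + code.cause
+end
+
+=== Authentication Status API Call
+
+To return a list of CiscoISE::AuthStatusElements for a given MAC Address. By default this query returns records that occurred
+in the last 10 days (864000 seconds) and limits the records to 200.
+
+auth = CiscoISE::AuthStatusApi.new(ise_session, '00:17:89:01:23:45')
+
+To limit the results to events in the last hour (60 seconds x 60 minutes = 3600 seconds) and limit the records to 100:
+
+auth = CiscoISE::AuthStatusApi.new(ise_session, '00:17:89:01:23:45',3600,100)
+
+To iterate through each element:
+
+auth.each do |element|
+puts "doing something with " + element.username
+end
+
+=== Account Status API Call
+
+To return a list of CiscoISE::AcctStatusElements for a given MAC Address
+
+acct = CiscoISE::AcctStatusApi.new(ise_session, '00:17:89:01:23:45', 20000)
+
+To limit search results to sessions that occurred within the last 60 minutes (60 seconds * 60 minutes = 3600 seconds):
+
+acct = CiscoISE::AcctStatusApi.new(ise_session, '00:17:89:01:23:45', 3600)
+
+To iterate through each element:
+acct.each do |element|
+puts element.calling_station_id + ':' + element.paks_in
+end
+
+== Change of Authorization (CoA) API's
+
+The following sections refer to the CoA APIs. Refer to http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch4.html
+
+=== Session Reauthentication (aka Reauth) API Call
+
+Before forcing a reauth, you need to locate an ActiveSession. Once you have the ActiveSession, you can then pass this object to the reauth API.
+
+auth = CiscoISE::AuthListApi.new(ise_session)
+
+active.each do |record|
+if record.user_name == 'someuser'
+success = CiscoISE::ReauthApi.new(ise_session).rerun(record).success?
+end
+
+There are three different reauth methods. Each can be accessed in the following way:
+
+CiscoISE::ReauthApi.new(ise_session).default(record)
+CiscoISE::ReauthApi.new(ise_session).last(record)
+CiscoISE::ReauthApi.new(ise_session).rerun(record)
+
+=== Session Discconnect API Call
+
+Before issuing a discconnect, you need to locate an ActiveSession. Once you have the ActiveSession, you can then pass this object to the diconnect API.
+
+auth = CiscoISE::AuthListApi.new(ise_session)
+
+active.each do |record|
+if record.user_name == 'someuser'
+success = CiscoISE::DisconnectApi.new(ise_session).bounce(record).success?
+end
+
+There are three different disconnect methods. Each can be accessed in the following way:
+
+CiscoISE::ReauthApi.new(ise_session).default(record)
+CiscoISE::ReauthApi.new(ise_session).bounce(record)
+CiscoISE::ReauthApi.new(ise_session).shutdown(record)
+
+== Contributing to cisco-ise
+
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet.
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it.
+* Fork the project.
+* Start a feature/bugfix branch.
+* Commit and push until you are happy with your contribution.
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+== Copyright
+
+Copyright (c) 2012 Mark Sullivan. See LICENSE.txt for
+further details.
+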
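--- a/data/lib/cisco-ise.rb
+++ b/data/lib/cisco-ise.rb
@@ -0,0 +1,165 @@
+#
+# =CiscoISE
+#
+# A Ruby wrapper around the Cisco ISE 1.1 API
+#
+# Package:: CiscoISE
+# Author:: Mark Sullivan (mark@sullivans.id.au)
+# License:: MIT
+#
+#--
+#
+#++
+
+module CiscoISE
+
+NAME = "CiscoISE"
+GEM = "cisco-ise"
+AUTHORS = ["Mark Sullivan <mark@sullivans.id.au>"]
+
+#
+# Common class inherited by all API classes that return a list of results.
+#
+class CommonList
+
+#
+# Response from HttpSession stored in XML
+#
+attr_reader :xml
+
+#
+# Initialize the object by calling the api and recording the response
+#
+def initialize(session, api)
+@xml = session.call_api(api)
+end
+
+#
+# Each method used to iterate through each XML list. Each list item is identified by xpath.
+# For each list item, the nominated class is called which in turn parses the XML children and yields the object.
+#
+def each(xpath, class_to_call)
+@xml.elements.each(xpath) do |element|
+yield class_to_call.new(element)
+end
+end
+
+#
+# locate a specific element and parse the XML children and return the nominated object
+#
+def find(xpath, class_to_call)
+class_to_call.new(@xml.elements[xpath])
+end
+
+end
+
+#
+# Common class inherited by all API classes that return a session-count based XML object
+#
+class CommonCount < CommonList
+
+#
+# Overrides the each iterator with the session count xpath. In reality this should not be required
+# as there should always be only one result.
+#
+def each
+super("/sessionCount",CiscoISE::SessionCount)
+end
+
+#
+# Convenience method to directly extract and return the count value
+#
+def count
+find("/sessionCount",CiscoISE::SessionCount).count
+end
+end
+
+#
+# Common class inherited by all API classes that return a session-parameters based XML object
+#
+class CommonSession < CommonList
+#
+# Overrides the each iterator with the session parameters xpath.
+#
+def each
+super('/sessionParameters',CiscoISE::SessionParameters)
+end
+end
+
+#
+# Common class inherited by all data storage classes used to parse the XML attributes and elements
+#
+class CommonElement
+
+#
+# Response from HttpSession stored in XML
+#
+attr_reader :xml
+
+#
+# Store the XML document and parse
+#
+def initialize(xml)
+@xml = xml
+return if xml.nil?
+parse_xml
+end
+
+private
+
+#
+# Parse both the attributes and child elements
+#
+def parse_xml
+parse_attributes
+parse_elements
+end # parse_xml
+
+#
+# Some of the ISE data is stored as an attribute in the root element. Extract the attribute name and value and
+# store as a instance variable, if an accessor was defined for the variable
+#
+def parse_attributes
+@xml.attributes.each do |key, value|
+self.send(key + '=', value) if self.respond_to? key
+end
+end
+
+#
+# Extract the element name and value and store as a instance variable, if an accessor was defined for the variable
+#
+def parse_elements
+@xml.each do |element|
+self.send(element.name + '=', element.text) if self.respond_to? element.name
+end
+end
+end
+
+class Version
+MAJOR = 0
+MINOR = 0
+PATCH = 1
+BUILD = 'rc1'
+
+STRING = [MAJOR, MINOR, PATCH].compact.join('.')
+end
+end
+
+require 'cisco-ise/failure-reasons-api'
+require 'cisco-ise/active-list-api'
+require 'cisco-ise/coa'
+require 'cisco-ise/disconnect-api'
+require 'cisco-ise/reauth-api'
+require 'cisco-ise/http-session'
+require 'cisco-ise/version-api'
+require 'cisco-ise/auth-status-api'
+require 'cisco-ise/active-count-api'
+require 'cisco-ise/posture-count-api'
+require 'cisco-ise/profiler-count-api'
+require 'cisco-ise/mac-address-api'
+require 'cisco-ise/user-name-api'
+require 'cisco-ise/nas-ip-address-api'
+require 'cisco-ise/end-point-ip-address-api'
+require 'cisco-ise/auth-list-api'
+require 'cisco-ise/acct-status-api'
+require 'cisco-ise/delete-api'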
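Review bot: `CommonElement#parse_attributes` (file line 124) and `#parse_elements` (file line 133) gate the writer call on the reader name, `respond_to? key`, and then dispatch with `send`, which also reaches private and protected methods; an attribute or child element whose name matches any existing method without a matching writer (for example `xml`, which only has `attr_reader`) raises NoMethodError and aborts the parse, and the guard does not restrict what `send` may invoke. The names come straight from the MnT's XML response, which the README shows can be fetched with SSL disabled or without certificate validation, so only public writers should be reachable: `public_send("#{key}=", value) if respond_to?("#{key}=")` in `parse_attributes`, and the same shape with `element.name` / `element.text` in `parse_elements`. It would also help to note on `CommonElement#initialize` that a nil document leaves every accessor unset, since `return if xml.nil?` silently skips parsing, and on `CommonList#each` that it yields nothing when the xpath matches no element. The `@xml.elements` / `attributes.each` API presumably comes from REXML loaded elsewhere (this file has no `require` for it), so the nil-document case deserves a check in the subclasses that call `find`.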