netbox-cisco-ise 0.1.0__py3-none-any.whl

netbox_cisco_ise/__init__.py

@@ -0,0 +1,57 @@
+"""
+NetBox Cisco ISE Plugin
+
+Display Cisco Identity Services Engine (ISE) endpoint and NAD information in Device detail pages.
+Shows endpoint identity, profiling data, active session status, and network access device details.
+"""
+
+from netbox.plugins import PluginConfig
+
+__version__ = "0.1.0"
+
+
+class CiscoISEConfig(PluginConfig):
+    """Plugin configuration for NetBox Cisco ISE integration."""
+
+    name = "netbox_cisco_ise"
+    verbose_name = "Cisco ISE"
+    description = "Display Cisco ISE endpoint and NAD information in device pages"
+    version = __version__
+    author = "sieteunoseis"
+    author_email = "jeremy.worden@gmail.com"
+    base_url = "cisco-ise"
+    min_version = "4.0.0"
+    max_version = "4.99"
+
+    # Required settings - plugin won't load without these
+    required_settings = []
+
+    # Default configuration values
+    default_settings = {
+        # ISE Connection Settings
+        "ise_url": "",  # e.g., "https://ise.example.com"
+        "ise_username": "",  # ERS Admin username
+        "ise_password": "",  # ERS Admin password
+        "timeout": 30,  # API timeout in seconds
+        "cache_timeout": 60,  # Cache results for 60 seconds
+        "verify_ssl": False,  # Skip SSL verification for self-signed certs
+        # Device mappings - determines which devices show ISE tab and lookup method
+        # Format: list of dicts with manufacturer (regex), device_type (regex, optional), lookup method
+        #
+        # lookup types:
+        #   "endpoint" - MAC address lookup (for wireless clients, phones, badges)
+        #   "nad" - Network Access Device lookup (for switches, routers, WLCs)
+        #
+        # Example:
+        # "device_mappings": [
+        #     {"manufacturer": "cisco", "lookup": "nad"},  # Cisco network devices as NADs
+        #     {"manufacturer": "vocera", "lookup": "endpoint"},  # Vocera badges by MAC
+        #     {"manufacturer": "cisco", "device_type": ".*phone.*", "lookup": "endpoint"},  # Cisco phones by MAC
+        # ]
+        "device_mappings": [
+            {"manufacturer": r"cisco", "lookup": "nad"},  # Default: Cisco devices as NADs
+        ],
+    }
+
+
+config = CiscoISEConfig

netbox_cisco_ise/ise_client.py

@@ -0,0 +1,457 @@
+"""
+Cisco ISE API Client
+
+Handles authentication and API calls to Cisco Identity Services Engine (ISE).
+Supports both ERS API (configuration data) and Monitoring API (session data).
+
+ISE API Overview:
+- ERS API (port 9060 or 443): Configuration data - endpoints, NADs, groups, profiles
+- Monitoring API (port 443): Real-time session data
+
+Authentication: Basic Auth (username:password) for all API calls
+"""
+
+import logging
+from typing import Any, Dict, List, Optional
+
+import requests
+from django.conf import settings
+from django.core.cache import cache
+
+logger = logging.getLogger(__name__)
+
+
+class ISEClient:
+    """Client for interacting with Cisco ISE ERS and Monitoring APIs."""
+
+    def __init__(
+        self,
+        url: str,
+        username: str,
+        password: str,
+        timeout: int = 30,
+        verify_ssl: bool = False,
+    ):
+        """
+        Initialize the ISE client.
+
+        Args:
+            url: Base URL for ISE (e.g., https://ise.example.com)
+            username: ERS Admin username
+            password: ERS Admin password
+            timeout: API request timeout in seconds
+            verify_ssl: Whether to verify SSL certificates
+        """
+        self.base_url = url.rstrip("/")
+        self.auth = (username, password)
+        self.timeout = timeout
+        self.verify_ssl = verify_ssl
+
+        # Standard ERS API headers
+        self.ers_headers = {
+            "Accept": "application/json",
+            "Content-Type": "application/json",
+        }
+
+    def _make_ers_request(
+        self,
+        endpoint: str,
+        method: str = "GET",
+        params: Optional[Dict] = None,
+        data: Optional[Dict] = None,
+    ) -> Dict[str, Any]:
+        """
+        Make authenticated ERS API request.
+
+        Args:
+            endpoint: API endpoint path (e.g., /endpoint, /networkdevice)
+            method: HTTP method (GET, POST, PUT, DELETE)
+            params: Query parameters
+            data: Request body data
+
+        Returns:
+            dict with response data or error
+        """
+        try:
+            url = f"{self.base_url}/ers/config{endpoint}"
+            response = requests.request(
+                method=method,
+                url=url,
+                auth=self.auth,
+                headers=self.ers_headers,
+                params=params,
+                json=data,
+                verify=self.verify_ssl,
+                timeout=self.timeout,
+            )
+            response.raise_for_status()
+            return response.json() if response.content else {}
+        except requests.exceptions.HTTPError as e:
+            status_code = e.response.status_code if e.response else "Unknown"
+            error_text = e.response.text[:200] if e.response else str(e)
+            logger.error(f"ISE ERS HTTP error: {status_code} - {error_text}")
+            return {"error": f"HTTP {status_code}: {error_text}"}
+        except requests.exceptions.RequestException as e:
+            logger.error(f"ISE ERS request error: {e}")
+            return {"error": str(e)}
+
+    def _make_monitoring_request(self, endpoint: str) -> Dict[str, Any]:
+        """
+        Make authenticated Monitoring API request.
+
+        Args:
+            endpoint: API endpoint path (e.g., /Session/MACAddress/{mac})
+
+        Returns:
+            dict with response data or error
+        """
+        try:
+            url = f"{self.base_url}/admin/API/mnt{endpoint}"
+            response = requests.get(
+                url,
+                auth=self.auth,
+                headers=self.ers_headers,
+                verify=self.verify_ssl,
+                timeout=self.timeout,
+            )
+            response.raise_for_status()
+            return response.json() if response.content else {}
+        except requests.exceptions.HTTPError as e:
+            status_code = e.response.status_code if e.response else "Unknown"
+            # 404 is expected when no active session exists
+            if status_code == 404:
+                return {"error": "No active session found", "not_found": True}
+            logger.error(f"ISE Monitoring HTTP error: {status_code}")
+            return {"error": f"HTTP {status_code}"}
+        except requests.exceptions.RequestException as e:
+            logger.error(f"ISE Monitoring request error: {e}")
+            return {"error": str(e)}
+
+    # =========================================================================
+    # Endpoint APIs (ERS)
+    # =========================================================================
+
+    def get_endpoint_by_mac(self, mac_address: str) -> Dict[str, Any]:
+        """
+        Get endpoint details by MAC address.
+
+        Args:
+            mac_address: MAC address in any common format
+
+        Returns:
+            dict with endpoint details or error
+        """
+        mac = self._normalize_mac(mac_address)
+
+        # Check cache
+        cache_key = f"ise_endpoint_{mac}"
+        cached = cache.get(cache_key)
+        if cached:
+            cached["cached"] = True
+            return cached
+
+        # Query ISE ERS API with filter
+        result = self._make_ers_request("/endpoint", params={"filter": f"mac.EQ.{mac}"})
+
+        if "error" in result:
+            return result
+
+        # Parse response - ISE returns SearchResult with resources
+        search_result = result.get("SearchResult", {})
+        resources = search_result.get("resources", [])
+
+        if not resources:
+            return {"error": f"Endpoint not found for MAC: {mac}", "not_found": True}
+
+        # Get full endpoint details
+        endpoint_id = resources[0].get("id")
+        endpoint_result = self._make_ers_request(f"/endpoint/{endpoint_id}")
+
+        if "error" in endpoint_result:
+            return endpoint_result
+
+        endpoint = endpoint_result.get("ERSEndPoint", {})
+
+        endpoint_info = {
+            "id": endpoint.get("id"),
+            "mac_address": endpoint.get("mac"),
+            "profile_name": endpoint.get("profileName"),
+            "profile_id": endpoint.get("profileId"),
+            "group_name": endpoint.get("groupName"),
+            "group_id": endpoint.get("groupId"),
+            "static_group_assignment": endpoint.get("staticGroupAssignment", False),
+            "static_profile_assignment": endpoint.get("staticProfileAssignment", False),
+            "portal_user": endpoint.get("portalUser"),
+            "identity_store": endpoint.get("identityStore"),
+            "identity_store_id": endpoint.get("identityStoreId"),
+            "custom_attributes": endpoint.get("customAttributes", {}),
+            "description": endpoint.get("description"),
+            "cached": False,
+        }
+
+        # Cache result
+        cache_timeout = self._get_cache_timeout()
+        cache.set(cache_key, endpoint_info, cache_timeout)
+
+        return endpoint_info
+
+    def get_active_session_by_mac(self, mac_address: str) -> Dict[str, Any]:
+        """
+        Get active session for endpoint by MAC address.
+
+        Args:
+            mac_address: MAC address in any common format
+
+        Returns:
+            dict with session details or error/not connected status
+        """
+        mac = self._normalize_mac(mac_address)
+
+        cache_key = f"ise_session_{mac}"
+        cached = cache.get(cache_key)
+        if cached:
+            cached["cached"] = True
+            return cached
+
+        result = self._make_monitoring_request(f"/Session/MACAddress/{mac}")
+
+        if "error" in result:
+            if result.get("not_found"):
+                return {"connected": False, "error": "No active session found"}
+            return result
+
+        # Handle different response structures
+        session = result.get("activeSession") or result.get("session", {})
+
+        if not session:
+            return {"connected": False, "error": "No active session found"}
+
+        session_info = {
+            "connected": True,
+            "session_id": session.get("session_id") or session.get("acs_session_id"),
+            "user_name": session.get("user_name"),
+            "calling_station_id": session.get("calling_station_id"),
+            "nas_ip_address": session.get("nas_ip_address"),
+            "nas_port_id": session.get("nas_port_id"),
+            "nas_port_type": session.get("nas_port_type"),
+            "framed_ip_address": session.get("framed_ip_address"),
+            "framed_ipv6_address": session.get("framed_ipv6_address"),
+            "audit_session_id": session.get("audit_session_id"),
+            "acct_session_id": session.get("acct_session_id"),
+            "acct_session_time": session.get("acct_session_time"),
+            "authorization_profile": session.get("selected_authorization_profile"),
+            "posture_status": session.get("posture_status"),
+            "security_group": session.get("security_group"),
+            "vlan": session.get("vlan"),
+            "ssid": session.get("ssid"),
+            "auth_method": session.get("authentication_method"),
+            "network_device_name": session.get("network_device_name"),
+            "acs_server": session.get("acs_server"),
+            "cached": False,
+        }
+
+        cache_timeout = self._get_cache_timeout()
+        cache.set(cache_key, session_info, cache_timeout)
+
+        return session_info
+
+    # =========================================================================
+    # Network Device (NAD) APIs (ERS)
+    # =========================================================================
+
+    def get_network_device_by_ip(self, ip_address: str) -> Dict[str, Any]:
+        """
+        Get NAD details by IP address.
+
+        Args:
+            ip_address: Management IP address
+
+        Returns:
+            dict with NAD details or error
+        """
+        cache_key = f"ise_nad_ip_{ip_address}"
+        cached = cache.get(cache_key)
+        if cached:
+            cached["cached"] = True
+            return cached
+
+        result = self._make_ers_request("/networkdevice", params={"filter": f"ipaddress.EQ.{ip_address}"})
+
+        return self._process_nad_result(result, cache_key)
+
+    def get_network_device_by_name(self, name: str) -> Dict[str, Any]:
+        """
+        Get NAD details by device name.
+
+        Args:
+            name: Device name (supports partial match)
+
+        Returns:
+            dict with NAD details or error
+        """
+        cache_key = f"ise_nad_name_{name}"
+        cached = cache.get(cache_key)
+        if cached:
+            cached["cached"] = True
+            return cached
+
+        result = self._make_ers_request("/networkdevice", params={"filter": f"name.CONTAINS.{name}"})
+
+        return self._process_nad_result(result, cache_key)
+
+    def _process_nad_result(self, result: Dict, cache_key: str) -> Dict[str, Any]:
+        """Process NAD search result and fetch full details."""
+        if "error" in result:
+            return result
+
+        search_result = result.get("SearchResult", {})
+        resources = search_result.get("resources", [])
+
+        if not resources:
+            return {"error": "Network device not found in ISE", "not_found": True, "is_nad": False}
+
+        # Get full NAD details
+        nad_id = resources[0].get("id")
+        nad_result = self._make_ers_request(f"/networkdevice/{nad_id}")
+
+        if "error" in nad_result:
+            return nad_result
+
+        nad = nad_result.get("NetworkDevice", {})
+
+        # Parse network device groups
+        groups = nad.get("NetworkDeviceGroupList", [])
+        parsed_groups = self._parse_device_groups(groups)
+
+        # Parse IP addresses
+        ip_list = nad.get("NetworkDeviceIPList", [])
+        ip_addresses = [ip.get("ipaddress") for ip in ip_list if ip.get("ipaddress")]
+
+        # Parse authentication settings
+        auth_settings = nad.get("authenticationSettings", {})
+        tacacs_settings = nad.get("tacacsSettings", {})
+        snmp_settings = nad.get("snmpsettings", {})
+        trustsec_settings = nad.get("trustsecsettings", {})
+
+        nad_info = {
+            "is_nad": True,
+            "id": nad.get("id"),
+            "name": nad.get("name"),
+            "description": nad.get("description"),
+            "profile_name": nad.get("profileName"),
+            "model_name": nad.get("modelName"),
+            "software_version": nad.get("softwareVersion"),
+            "ip_addresses": ip_addresses,
+            "groups": parsed_groups,
+            "authentication_settings": {
+                "radius_enabled": bool(auth_settings.get("radiusSharedSecret")),
+                "enable_key_wrap": auth_settings.get("enableKeyWrap", False),
+                "dtls_required": auth_settings.get("dtlsRequired", False),
+            },
+            "tacacs_settings": {
+                "enabled": bool(tacacs_settings.get("sharedSecret")),
+                "connect_mode_options": tacacs_settings.get("connectModeOptions"),
+            },
+            "snmp_settings": {
+                "version": snmp_settings.get("snmpVersion"),
+                "ro_community": bool(snmp_settings.get("roCommunity")),
+                "polling_interval": snmp_settings.get("pollingInterval"),
+            },
+            "trustsec_enabled": bool(trustsec_settings.get("deviceAuthenticationSettings", {}).get("sgaDeviceId")),
+            "coA_port": nad.get("coaPort"),
+            "cached": False,
+        }
+
+        cache_timeout = self._get_cache_timeout()
+        cache.set(cache_key, nad_info, cache_timeout)
+
+        return nad_info
+
+    def _parse_device_groups(self, groups: List[str]) -> Dict[str, str]:
+        """
+        Parse ISE device group strings into categorized dict.
+
+        ISE group format: "Category#All Category#Value" or "Location#All Locations#Building-A"
+
+        Args:
+            groups: List of group strings from ISE
+
+        Returns:
+            dict mapping category to value
+        """
+        parsed = {}
+        for group in groups:
+            parts = group.split("#")
+            if len(parts) >= 2:
+                category = parts[0]
+                value = parts[-1]  # Last part is the actual value
+                parsed[category] = value
+        return parsed
+
+    # =========================================================================
+    # Utility Methods
+    # =========================================================================
+
+    def _normalize_mac(self, mac: str) -> str:
+        """
+        Normalize MAC address to XX:XX:XX:XX:XX:XX format (ISE standard).
+
+        Args:
+            mac: MAC address in any common format
+
+        Returns:
+            MAC address in XX:XX:XX:XX:XX:XX uppercase format
+        """
+        mac_clean = mac.replace(":", "").replace("-", "").replace(".", "").lower()
+        if len(mac_clean) == 12:
+            return ":".join(mac_clean[i : i + 2] for i in range(0, 12, 2)).upper()
+        return mac.upper()
+
+    def _get_cache_timeout(self) -> int:
+        """Get cache timeout from plugin config."""
+        config = settings.PLUGINS_CONFIG.get("netbox_cisco_ise", {})
+        return config.get("cache_timeout", 60)
+
+    def test_connection(self) -> Dict[str, Any]:
+        """
+        Test connection to ISE by fetching network device count.
+
+        Returns:
+            dict with success status and message
+        """
+        result = self._make_ers_request("/networkdevice", params={"size": 1})
+
+        if "error" in result:
+            return {"success": False, "error": result["error"]}
+
+        total = result.get("SearchResult", {}).get("total", 0)
+        return {
+            "success": True,
+            "message": f"Connected successfully. {total} network device(s) in ISE.",
+            "nad_count": total,
+        }
+
+
+def get_client() -> Optional[ISEClient]:
+    """
+    Get configured ISE client instance from plugin settings.
+
+    Returns:
+        ISEClient instance or None if not configured
+    """
+    config = settings.PLUGINS_CONFIG.get("netbox_cisco_ise", {})
+
+    url = config.get("ise_url", "")
+    username = config.get("ise_username", "")
+    password = config.get("ise_password", "")
+
+    if not url or not username or not password:
+        return None
+
+    return ISEClient(
+        url=url,
+        username=username,
+        password=password,
+        timeout=config.get("timeout", 30),
+        verify_ssl=config.get("verify_ssl", False),
+    )

netbox_cisco_ise/navigation.py

@@ -0,0 +1,22 @@
+"""
+Navigation menu items for NetBox Cisco ISE Plugin
+"""
+
+from netbox.plugins import PluginMenu, PluginMenuItem
+
+menu = PluginMenu(
+    label="Cisco ISE",
+    groups=(
+        (
+            "Settings",
+            (
+                PluginMenuItem(
+                    link="plugins:netbox_cisco_ise:settings",
+                    link_text="Configuration",
+                    permissions=["dcim.view_device"],
+                ),
+            ),
+        ),
+    ),
+    icon_class="mdi mdi-shield-account",
+)

netbox_cisco_ise/urls.py

@@ -0,0 +1,12 @@
+"""
+URL routing for NetBox Cisco ISE Plugin
+"""
+
+from django.urls import path
+
+from .views import ISESettingsView, TestConnectionView
+
+urlpatterns = [
+    path("settings/", ISESettingsView.as_view(), name="settings"),
+    path("test-connection/", TestConnectionView.as_view(), name="test_connection"),
+]

netbox_cisco_ise/views.py

@@ -0,0 +1,251 @@
+"""
+Views for NetBox Cisco ISE Plugin
+
+Registers custom tabs on Device detail views to show ISE endpoint/NAD info.
+Provides settings configuration UI.
+"""
+
+import re
+
+from dcim.models import Device
+from django.conf import settings
+from django.http import JsonResponse
+from django.shortcuts import render
+from django.views import View
+from netbox.views import generic
+from utilities.views import ViewTab, register_model_view
+
+from .ise_client import get_client
+
+
+def is_valid_mac(value):
+    """Check if a value looks like a MAC address."""
+    if not value:
+        return False
+    cleaned = re.sub(r"[:\-\.]", "", value.lower())
+    return bool(re.match(r"^[0-9a-f]{12}$", cleaned))
+
+
+def get_device_mac(device):
+    """Get the first valid MAC address from device interfaces."""
+    for iface in device.interfaces.all():
+        if iface.mac_address and is_valid_mac(str(iface.mac_address)):
+            return str(iface.mac_address)
+    return None
+
+
+def get_device_lookup_method(device):
+    """
+    Determine the lookup method for a device based on configured mappings.
+
+    Returns:
+        tuple: (lookup_method, has_required_data)
+        - lookup_method: "endpoint", "nad", or None if no mapping matches
+        - has_required_data: True if device has the data needed for lookup
+    """
+    config = settings.PLUGINS_CONFIG.get("netbox_cisco_ise", {})
+    mappings = config.get("device_mappings", [])
+
+    if not device.device_type:
+        return None, False
+
+    # Get device info for matching
+    manufacturer = device.device_type.manufacturer
+    manufacturer_slug = manufacturer.slug.lower() if manufacturer and manufacturer.slug else ""
+    manufacturer_name = manufacturer.name.lower() if manufacturer and manufacturer.name else ""
+    device_type_slug = device.device_type.slug.lower() if device.device_type.slug else ""
+    device_type_model = device.device_type.model.lower() if device.device_type.model else ""
+
+    # Check each mapping
+    for mapping in mappings:
+        manufacturer_pattern = mapping.get("manufacturer", "").lower()
+        device_type_pattern = mapping.get("device_type", "").lower()
+        lookup = mapping.get("lookup", "nad")
+
+        # Check manufacturer match (against both slug and name)
+        manufacturer_match = False
+        if manufacturer_pattern:
+            try:
+                if re.search(manufacturer_pattern, manufacturer_slug, re.IGNORECASE) or re.search(
+                    manufacturer_pattern, manufacturer_name, re.IGNORECASE
+                ):
+                    manufacturer_match = True
+            except re.error:
+                if manufacturer_pattern in manufacturer_slug or manufacturer_pattern in manufacturer_name:
+                    manufacturer_match = True
+
+        if not manufacturer_match:
+            continue
+
+        # Check device_type match if specified
+        if device_type_pattern:
+            device_type_match = False
+            try:
+                if re.search(device_type_pattern, device_type_slug, re.IGNORECASE) or re.search(
+                    device_type_pattern, device_type_model, re.IGNORECASE
+                ):
+                    device_type_match = True
+            except re.error:
+                if device_type_pattern in device_type_slug or device_type_pattern in device_type_model:
+                    device_type_match = True
+
+            if not device_type_match:
+                continue
+
+        # Mapping matches! Return lookup type and check if device has required data
+        if lookup == "endpoint":
+            # Endpoint lookup - requires MAC address
+            mac = get_device_mac(device)
+            return "endpoint", mac is not None
+        else:
+            # NAD lookup - requires hostname or IP
+            has_hostname = bool(device.name)
+            has_ip = device.primary_ip4 is not None or device.primary_ip6 is not None
+            return "nad", (has_hostname or has_ip)
+
+    return None, False
+
+
+def should_show_ise_tab(device):
+    """
+    Determine if the ISE tab should be visible for this device.
+
+    Shows tab if device matches any configured device_mapping and has
+    the required data for the lookup method.
+    """
+    lookup_method, has_data = get_device_lookup_method(device)
+    return lookup_method is not None and has_data
+
+
+@register_model_view(Device, name="cisco_ise", path="cisco-ise")
+class DeviceISEView(generic.ObjectView):
+    """Display Cisco ISE endpoint/NAD details for a Device."""
+
+    queryset = Device.objects.all()
+    template_name = "netbox_cisco_ise/endpoint_tab.html"
+
+    tab = ViewTab(
+        label="Cisco ISE",
+        weight=9001,
+        permission="dcim.view_device",
+        hide_if_empty=False,
+        visible=should_show_ise_tab,
+    )
+
+    def get(self, request, pk):
+        """Handle GET request for the ISE tab."""
+        device = Device.objects.get(pk=pk)
+
+        client = get_client()
+        config = settings.PLUGINS_CONFIG.get("netbox_cisco_ise", {})
+
+        ise_data = {}
+        session_data = {}
+        error = None
+
+        if not client:
+            error = "Cisco ISE not configured. Configure the plugin in NetBox settings."
+        else:
+            lookup_method, has_data = get_device_lookup_method(device)
+
+            if lookup_method == "endpoint":
+                # Endpoint lookup by MAC address
+                mac_address = get_device_mac(device)
+                if mac_address:
+                    ise_data = client.get_endpoint_by_mac(mac_address)
+                    if "error" not in ise_data:
+                        # Also get session data for connected endpoints
+                        session_data = client.get_active_session_by_mac(mac_address)
+                        if "error" in session_data and session_data.get("connected") is False:
+                            # Not connected is fine, just no active session
+                            pass
+                    else:
+                        error = ise_data.get("error")
+                        ise_data = {}
+                else:
+                    error = "No MAC address found on device interfaces."
+
+            elif lookup_method == "nad":
+                # NAD lookup - try IP first, then hostname
+                management_ip = None
+                if device.primary_ip4:
+                    management_ip = str(device.primary_ip4.address.ip)
+                elif device.primary_ip6:
+                    management_ip = str(device.primary_ip6.address.ip)
+
+                if management_ip:
+                    ise_data = client.get_network_device_by_ip(management_ip)
+
+                # If IP lookup failed or no IP, try hostname
+                if ("error" in ise_data or not ise_data) and device.name:
+                    ise_data = client.get_network_device_by_name(device.name)
+
+                if "error" in ise_data:
+                    error = ise_data.get("error")
+                    ise_data = {}
+            else:
+                error = "Device doesn't match any configured device_mappings."
+
+        # Get ISE URL for external links
+        ise_url = config.get("ise_url", "").rstrip("/")
+
+        # Choose template based on lookup type
+        if ise_data.get("is_nad"):
+            template = "netbox_cisco_ise/nad_tab.html"
+        else:
+            template = self.template_name
+
+        return render(
+            request,
+            template,
+            {
+                "object": device,
+                "tab": self.tab,
+                "ise_data": ise_data,
+                "session_data": session_data,
+                "error": error,
+                "ise_url": ise_url,
+            },
+        )
+
+
+class ISESettingsView(View):
+    """View for displaying ISE plugin settings."""
+
+    template_name = "netbox_cisco_ise/settings.html"
+
+    def get(self, request):
+        """Display current configuration."""
+        config = settings.PLUGINS_CONFIG.get("netbox_cisco_ise", {})
+
+        # Mask password for display
+        display_config = config.copy()
+        if display_config.get("ise_password"):
+            display_config["ise_password"] = "********"
+
+        return render(
+            request,
+            self.template_name,
+            {
+                "config": display_config,
+            },
+        )
+
+
+class TestConnectionView(View):
+    """Test connection to ISE API."""
+
+    def post(self, request):
+        """Test ISE connection and return result."""
+        client = get_client()
+        if not client:
+            return JsonResponse(
+                {"success": False, "error": "ISE not configured"},
+                status=400,
+            )
+
+        result = client.test_connection()
+        if not result.get("success"):
+            return JsonResponse(result, status=400)
+
+        return JsonResponse(result)

netbox_cisco_ise-0.1.0.dist-info/METADATA

@@ -0,0 +1,279 @@
+Metadata-Version: 2.4
+Name: netbox-cisco-ise
+Version: 0.1.0
+Summary: NetBox plugin for Cisco ISE integration - endpoint tracking, NAD management, and session visibility
+Author-email: sieteunoseis <jeremy.worden@gmail.com>
+License: Apache-2.0
+Project-URL: Homepage, https://github.com/sieteunoseis/netbox-cisco-ise
+Project-URL: Repository, https://github.com/sieteunoseis/netbox-cisco-ise
+Project-URL: Issues, https://github.com/sieteunoseis/netbox-cisco-ise/issues
+Project-URL: Documentation, https://github.com/sieteunoseis/netbox-cisco-ise/wiki
+Keywords: netbox,cisco,ise,identity-services-engine,radius,tacacs,nac,endpoint,plugin
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: Django
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.28.0
+Provides-Extra: dev
+Requires-Dist: black; extra == "dev"
+Requires-Dist: flake8; extra == "dev"
+Requires-Dist: isort; extra == "dev"
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-django; extra == "dev"
+Requires-Dist: responses; extra == "dev"
+Dynamic: license-file
+
+# NetBox Cisco ISE Plugin
+
+<img src="docs/icon.png" alt="NetBox Cisco ISE Plugin" width="100" align="right">
+
+A NetBox plugin that integrates Cisco Identity Services Engine (ISE) with NetBox, displaying endpoint details, network device (NAD) information, and active session data.
+
+![NetBox Version](https://img.shields.io/badge/NetBox-4.0+-blue)
+![Python Version](https://img.shields.io/badge/Python-3.10+-green)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![CI](https://github.com/sieteunoseis/netbox-cisco-ise/actions/workflows/ci.yml/badge.svg)](https://github.com/sieteunoseis/netbox-cisco-ise/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/netbox-cisco-ise)](https://pypi.org/project/netbox-cisco-ise/)
+
+## Features
+
+### Endpoint Integration
+- **Endpoint Details Tab**: Adds a "Cisco ISE" tab to Device detail pages for endpoints
+- **MAC Address Lookup**: Automatic lookup using device interface MAC addresses
+- **Endpoint Profile**: Shows profiled device type and identity group
+- **Session Status**: Displays active/inactive connection status
+
+### Network Access Device (NAD) Integration
+- **NAD Details Tab**: Shows ISE registration status for network devices
+- **Authentication Settings**: Displays RADIUS, TACACS+, and SNMP configuration
+- **TrustSec Status**: Shows device TrustSec enrollment
+- **Device Groups**: Lists assigned network device groups
+
+### Active Session Data
+- **Real-time Session**: Shows active 802.1X/MAB session details
+- **Connection Info**: NAS IP, port ID, VLAN assignment
+- **Authorization**: Selected authorization profile and SGT
+- **Posture Status**: Endpoint compliance posture state
+
+### General Features
+- **Configurable Device Mappings**: Control which devices show the tab and lookup method
+- **API Caching**: Reduces load on ISE with configurable cache timeout
+- **Settings Page**: View configuration and test ISE connection
+
+## Requirements
+
+- NetBox 4.0 or higher
+- Cisco ISE 2.x or higher with ERS API enabled
+- Python 3.10+
+
+## Installation
+
+### From PyPI (when published)
+
+```bash
+pip install netbox-cisco-ise
+```
+
+### From Source
+
+```bash
+git clone https://github.com/sieteunoseis/netbox-cisco-ise.git
+cd netbox-cisco-ise
+pip install -e .
+```
+
+### Docker Installation
+
+Add to your NetBox Docker requirements file:
+
+```bash
+# requirements-extra.txt
+netbox-cisco-ise
+```
+
+Or for development:
+
+```bash
+# In docker-compose.override.yml, mount the plugin:
+volumes:
+  - /path/to/netbox-cisco-ise:/opt/netbox/netbox/netbox_cisco_ise
+```
+
+## Configuration
+
+Add the plugin to your NetBox configuration:
+
+```python
+# configuration.py
+
+PLUGINS = [
+    'netbox_cisco_ise',
+]
+
+PLUGINS_CONFIG = {
+    'netbox_cisco_ise': {
+        # Required: ISE URL (ERS API)
+        'ise_url': 'https://ise.example.com',
+
+        # Required: ERS Admin credentials
+        'ise_username': 'ersadmin',
+        'ise_password': 'your-password',
+
+        # Optional settings
+        'timeout': 30,           # API timeout in seconds (default: 30)
+        'cache_timeout': 60,     # Cache duration in seconds (default: 60)
+        'verify_ssl': False,     # Verify SSL certificates (default: False)
+
+        # Device mappings (REQUIRED) - Controls which devices show the Cisco ISE tab
+        # Each mapping specifies:
+        #   - manufacturer: Regex pattern to match device manufacturer (slug or name)
+        #   - device_type: Optional regex pattern to match device type (slug or model)
+        #   - lookup: How to find the device in ISE:
+        #       "nad" - Network Access Device lookup by IP/hostname (for switches, routers, WLCs)
+        #       "endpoint" - Endpoint lookup by MAC address (for wireless clients, badges)
+        'device_mappings': [
+            # All Cisco devices - lookup as NADs
+            {'manufacturer': 'cisco', 'lookup': 'nad'},
+
+            # Vocera badges - lookup by MAC address as endpoints
+            {'manufacturer': 'vocera', 'lookup': 'endpoint'},
+
+            # Example: Specific device type only
+            # {'manufacturer': 'aruba', 'device_type': 'badge', 'lookup': 'endpoint'},
+        ],
+    }
+}
+```
+
+### ISE ERS API Setup
+
+1. Enable ERS API in ISE: **Administration > System > Settings > ERS Settings**
+2. Create an ERS Admin user or use existing admin credentials
+3. Ensure the user has "ERS Admin" or "ERS Operator" privileges
+
+### Required ISE Permissions
+
+| Permission | Used For |
+|------------|----------|
+| ERS Read | Endpoint and NAD queries |
+| Monitoring API | Active session lookups |
+
+## Usage
+
+Once installed and configured:
+
+1. Navigate to any Device in NetBox that matches your device_mappings
+2. Click the **Cisco ISE** tab
+3. View real-time endpoint or NAD details from ISE
+
+### Lookup Methods
+
+| Lookup | Data Source | Used For |
+|--------|-------------|----------|
+| `nad` | IP address or hostname | Switches, routers, WLCs, APs |
+| `endpoint` | Interface MAC address | Wireless clients, badges, phones |
+
+### What's Displayed
+
+#### For Endpoints (lookup: endpoint)
+
+| Field | Description |
+|-------|-------------|
+| MAC Address | Endpoint MAC from ISE |
+| Profile | Profiled endpoint type |
+| Identity Group | Assigned identity group |
+| Session Status | Connected/Disconnected |
+| NAS IP | Authenticator IP address |
+| Port | Switch port or AP name |
+| VLAN | Assigned VLAN |
+| Authorization | Applied authorization profile |
+
+#### For NADs (lookup: nad)
+
+| Field | Description |
+|-------|-------------|
+| Name | Device name in ISE |
+| IP Addresses | Registered management IPs |
+| Profile | NAD profile name |
+| Device Groups | Location, type, IPSEC groups |
+| RADIUS | Shared secret configured |
+| TACACS+ | TACACS+ settings |
+| TrustSec | SGT enrollment status |
+
+## Troubleshooting
+
+### Endpoint not found
+
+- Verify the device has an interface with a MAC address
+- Check that the MAC format matches ISE (XX:XX:XX:XX:XX:XX)
+- Confirm the endpoint exists in ISE endpoint database
+
+### NAD not found
+
+- Verify the device has a primary IP or hostname in NetBox
+- Check that the device is registered as a NAD in ISE
+- Try both IP and hostname lookups
+
+### Connection errors
+
+- Verify `ise_url` is accessible from NetBox
+- Confirm ERS API is enabled on ISE
+- For self-signed certificates, set `verify_ssl: False`
+
+### Authentication errors
+
+- Verify the ERS Admin credentials
+- Check user has ERS Admin or ERS Operator role
+
+## Development
+
+### Setup
+
+```bash
+git clone https://github.com/sieteunoseis/netbox-cisco-ise.git
+cd netbox-cisco-ise
+pip install -e ".[dev]"
+```
+
+### Code Style
+
+```bash
+black netbox_cisco_ise/
+isort netbox_cisco_ise/
+flake8 netbox_cisco_ise/
+```
+
+## API Reference
+
+This plugin uses two ISE APIs:
+
+- **ERS API** (`/ers/config/*`): Configuration data - endpoints, NADs, profiles
+- **Monitoring API** (`/admin/API/mnt/*`): Real-time session data
+
+## Changelog
+
+See [CHANGELOG.md](CHANGELOG.md) for release history.
+
+## License
+
+Apache License 2.0 - See [LICENSE](LICENSE) for details.
+
+## Contributing
+
+Contributions are welcome! Please:
+
+1. Fork the repository
+2. Create a feature branch
+3. Submit a pull request
+
+## Related Projects
+
+- [netbox-catalyst-center](https://github.com/sieteunoseis/netbox-catalyst-center) - Catalyst Center integration for NetBox
+- [netbox-graylog](https://github.com/sieteunoseis/netbox-graylog) - Display Graylog logs in NetBox

netbox_cisco_ise-0.1.0.dist-info/RECORD

@@ -0,0 +1,10 @@
+netbox_cisco_ise/__init__.py,sha256=i2HcznblQ7qWGki5GzdHVwVTT7jHoS5xoL9YI3aeqZw,2156
+netbox_cisco_ise/ise_client.py,sha256=zUMakBU6lmSi-digrMxr6JKAbqyvBAPWz4l1eD8iDa8,16228
+netbox_cisco_ise/navigation.py,sha256=mMN4EyzZl6ehoqflLeYy7logt39wpCN2TEsPfqn1VtI,507
+netbox_cisco_ise/urls.py,sha256=3tJHJyEQXYZ2WXw4zq1kds7xpgyHl1-HwVHlgtJA84E,304
+netbox_cisco_ise/views.py,sha256=01EzP1D2asecQr3rQAqTfXKOcgj4ra0o4_T5aAlos7I,8758
+netbox_cisco_ise-0.1.0.dist-info/licenses/LICENSE,sha256=KmjHs19UP3vo7K2IWXkq3JDKG9PatSbqeLPwu3o2k7g,10761
+netbox_cisco_ise-0.1.0.dist-info/METADATA,sha256=XrCMQAnyxOKxaFBPfieuQZlrRaJjXIUzeRZdfBObgDs,8793
+netbox_cisco_ise-0.1.0.dist-info/WHEEL,sha256=qELbo2s1Yzl39ZmrAibXA2jjPLUYfnVhUNTlyF1rq0Y,92
+netbox_cisco_ise-0.1.0.dist-info/top_level.txt,sha256=LMP1ppZRzqtdaMGzz53KgacW_PEwyLSM9wwIMuBvJ00,17
+netbox_cisco_ise-0.1.0.dist-info/RECORD,,

netbox_cisco_ise-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.10.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

netbox_cisco_ise-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2025 sieteunoseis
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

netbox_cisco_ise-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+netbox_cisco_ise