This is a continuation of my previous post. In this article we will create a few basic objects through the REST API and then push them out with POSTMAN.
The first thing I want to do is start creating some objects with the REST API. The first object I will create is a network device group. I will use the following template:
<ns4:networkdevicegroup description="Group Description" id="A unique numeric identifier" name="Device Type#All Device Types#Group Name" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
<type>Device Type</type>
</ns4:networkdevicegroup>
To create the device type for switches, I will use the following:
Method: POST
URI: //10.1.100.76:9060/ers/config/networkdevicegroup
Content-Type: application/vnd.com.cisco.ise.network.networkdevicegroup.1.0+xml; charset=utf-8
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Campus Switches" id="000000011" name="Device Type#All Device Types#Switch" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
<type>Device Type</type>
</ns4:networkdevicegroup>
In POSTMAN it should look like this:
And you should see the device group created under Administration > Network Resources > Network Device Groups.
So let's go ahead and create a few more:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Branch Routers" id="000000012" name="Device Type#All Device Types#Router" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
<type>Device Type</type>
</ns4:networkdevicegroup>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Prime Infrastructure" id="000000013" name="Device Type#All Device Types#Prime" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
<type>Device Type</type>
</ns4:networkdevicegroup>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Web Security Appliance" id="000000014" name="Device Type#All Device Types#WSA" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
<type>Device Type</type>
</ns4:networkdevicegroup>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Enterprise Firewalls" id="000000015" name="Device Type#All Device Types#Firewall" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
<type>Device Type</type>
</ns4:networkdevicegroup>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Wireless Controllers" id="000000016" name="Device Type#All Device Types#Wireless Controller" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
<type>Device Type</type>
</ns4:networkdevicegroup>
Now I have created all of the device types. If you want to create a location group, use the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Security Demo Lab" id="000000017" name="Location#All Locations#Security Lab" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
<type>Location</type>
</ns4:networkdevicegroup>
The next thing we will do is import network access devices. The first method is to create them one at a time:
Method: POST
URI: //10.1.100.76:9060/ers/config/networkdevice
Content-Type: application/vnd.com.cisco.ise.network.networkdevice.1.1+xml; charset=utf-8
If you want to configure the device with RADIUS, TACACS, SNMP settings and advanced TrustSec, do the following:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevice description="Device Description" id="Unique alphanumeric identifier" name="Device Name"
xmlns:ers="ers.ise.cisco.com"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ns4="network.ers.ise.cisco.com">
<authenticationSettings>
<enableKeyWrap>{false | true}</enableKeyWrap>
<keyEncryptionKey>Shared Secret</keyEncryptionKey> <- only applies if Key Wrap is true
<keyInputFormat>ASCII</keyInputFormat> <- only applies if Key Wrap is true
<messageAuthenticatorCodeKey>Code Key</messageAuthenticatorCodeKey> <- only applies if Key Wrap is true
<networkProtocol>RADIUS</networkProtocol>
<radiusSharedSecret>RADIUS-Shared-Secret</radiusSharedSecret>
</authenticationSettings>
<coaPort>1700</coaPort>
<NetworkDeviceIPList>
<NetworkDeviceIP>
<ipaddress>IP address of the device</ipaddress>
<mask>Numeric mask</mask>
</NetworkDeviceIP>
</NetworkDeviceIPList>
<NetworkDeviceGroupList>
<NetworkDeviceGroup>Location#All Locations#Location</NetworkDeviceGroup>
<NetworkDeviceGroup>Device Type#All Device Types#Device-Type-Name</NetworkDeviceGroup>
</NetworkDeviceGroupList>
<profileName>Cisco</profileName> <- you can also put AlcatelWired, ArubaWireless, BrocadeWired, HPWired, HPWired_SNMP_CoA, HPWireless, MotorolaWireless or RuckusWireless
----------------------------------------------------------------------------------------------------------
If you only need RADIUS, end here and close with </ns4:networkdevice>
<snmpsettings>
<linkTrapQuery>{true | false}</linkTrapQuery>
<macTrapQuery>{true | false}</macTrapQuery>
<originatingPolicyServicesNode>Auto</originatingPolicyServicesNode> <- Auto is the default, but you can specify the ISE node
<pollingInterval>3600</pollingInterval> <- time; the default is 28,000
<roCommunity>SNMP string</roCommunity>
<version>TWO_C</version> <- can also be ONE or THREE; this is the SNMP version
</snmpsettings>
----------------------------------------------------------------------------------------------------------
If you need SNMP settings, end here and close with </ns4:networkdevice>
<tacacsSettings>
<connectModeOptions>ON_LEGACY</connectModeOptions>
<sharedSecret>Shared secret for TACACS</sharedSecret>
</tacacsSettings>
----------------------------------------------------------------------------------------------------------
If you need TACACS settings, end here and close with </ns4:networkdevice>
<trustsecsettings>
<deviceAuthenticationSettings>
<sgaDeviceId>Device ID, typically the name</sgaDeviceId>
<sgaDevicePassword>Device ID password</sgaDevicePassword>
</deviceAuthenticationSettings>
<deviceConfigurationDeployment>
<enableModePassword>Enable password for the device</enableModePassword> <- only required if includeWhenDeployingSGTUpdates is true
<execModePassword>EXEC mode password</execModePassword> <- only required if includeWhenDeployingSGTUpdates is true
<execModeUsername>EXEC mode username</execModeUsername> <- only required if includeWhenDeployingSGTUpdates is true
<includeWhenDeployingSGTUpdates>{true | false}</includeWhenDeployingSGTUpdates>
</deviceConfigurationDeployment>
<sgaNotificationAndUpdates>
<downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds> <- ERS really spells these two element names "downlaod"; keep that spelling
<downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
<downloadSGACLListsEveryXSeconds>86400</downloadSGACLListsEveryXSeconds>
<otherSGADevicesToTrustThisDevice>{true | false}</otherSGADevicesToTrustThisDevice>
<reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
<sendConfigurationToDevice>{true | false}</sendConfigurationToDevice>
<sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
</sgaNotificationAndUpdates>
</trustsecsettings>
</ns4:networkdevice>
---------------------------------------------------------------------------------------------------------- The section above is the TrustSec settings.
So if I want to deploy a single network device, it would look like this:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:networkdevice id="00000000022" name="Sw1"
xmlns:ers="ers.ise.cisco.com"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:ns4="network.ers.ise.cisco.com">
<link rel="self" href="//10.1.100.21:9060/ers/config/networkdevice/00000000022" type="application/xml" />
<authenticationSettings>
<enableKeyWrap>false</enableKeyWrap>
<keyInputFormat>ASCII</keyInputFormat>
<networkProtocol>RADIUS</networkProtocol>
<radiusSharedSecret>NetworkNode</radiusSharedSecret>
</authenticationSettings>
<coaPort>1700</coaPort>
<NetworkDeviceIPList>
<NetworkDeviceIP>
<ipaddress>10.1.100.15</ipaddress>
<mask>32</mask>
</NetworkDeviceIP>
</NetworkDeviceIPList>
<NetworkDeviceGroupList>
<NetworkDeviceGroup>Device Type#All Device Types#Switch</NetworkDeviceGroup>
<NetworkDeviceGroup>Location#All Locations#Security Lab</NetworkDeviceGroup>
</NetworkDeviceGroupList>
<profileName>Cisco</profileName>
<snmpsettings>
<linkTrapQuery>true</linkTrapQuery>
<macTrapQuery>true</macTrapQuery>
<originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
<pollingInterval>10000</pollingInterval>
<roCommunity>NetworkNode</roCommunity>
<version>TWO_C</version>
</snmpsettings>
<tacacsSettings>
<connectModeOptions>OFF</connectModeOptions>
<previousSharedSecret>NetworkNode</previousSharedSecret>
<previousSharedSecretExpiry>0</previousSharedSecretExpiry>
<sharedSecret>NetworkNode</sharedSecret>
</tacacsSettings>
<trustsecsettings>
<deviceAuthenticationSettings>
<sgaDeviceId>Sw1</sgaDeviceId>
<sgaDevicePassword>NetworkNode</sgaDevicePassword>
</deviceAuthenticationSettings>
<deviceConfigurationDeployment>
<includeWhenDeployingSGTUpdates>false</includeWhenDeployingSGTUpdates>
</deviceConfigurationDeployment>
<sgaNotificationAndUpdates>
<downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
<downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
<downloadSGACLListsEveryXSeconds>86400</downloadSGACLListsEveryXSeconds>
<otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
<reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
<sendConfigurationToDevice>false</sendConfigurationToDevice>
<sendConfigurationToDeviceUsing>DISABLE_ALL</sendConfigurationToDeviceUsing>
</sgaNotificationAndUpdates>
</trustsecsettings>
</ns4:networkdevice>
In POSTMAN it looks like this:
And it creates my device in ISE:
While the above may be fine for a one-off configuration, there is the option to bulk-create network access devices using the following:
Method: PUT
URI: //10.1.100.76:9060/ers/config/networkdevice/bulk/submit
Accept: application/vnd.com.cisco.ise.network.networkdevicebulkrequest.1.1+xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns8:networkDeviceBulkRequest operationType="create" resourceMediaType="vnd.com.cisco.ise.network.networkdevice.1.1+xml" xmlns:ns6="sxp.ers.ise.cisco.com" xmlns:ns5="trustsec.ers.ise.cisco.com" xmlns:ns8="network.ers.ise.cisco.com" xmlns:ns7="anc.ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
<ns8:resourcesList>
<ns8:networkdevice description="Network Device 1" id="id_1" name="networkDevice1">
<authenticationSettings>
<enableKeyWrap>true</enableKeyWrap>
<keyEncryptionKey>1234567890123456</keyEncryptionKey>
<keyInputFormat>ASCII</keyInputFormat>
<messageAuthenticatorCodeKey>12345678901234567890</messageAuthenticatorCodeKey>
<networkProtocol>RADIUS</networkProtocol>
<radiusSharedSecret>aaa</radiusSharedSecret>
</authenticationSettings>
<coaPort>1700</coaPort>
<NetworkDeviceIPList>
<NetworkDeviceIP>
<ipaddress>1.1.1.1</ipaddress>
<mask>32</mask>
</NetworkDeviceIP>
</NetworkDeviceIPList>
<NetworkDeviceGroupList>
<NetworkDeviceGroup>Location#All Locations</NetworkDeviceGroup>
<NetworkDeviceGroup>Device Type#All Device Types</NetworkDeviceGroup>
</NetworkDeviceGroupList>
<profileName>Cisco</profileName>
<snmpsettings>
<linkTrapQuery>true</linkTrapQuery>
<macTrapQuery>true</macTrapQuery>
<originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
<pollingInterval>3600</pollingInterval>
<roCommunity>aaa</roCommunity>
<version>ONE</version>
</snmpsettings>
<tacacsSettings>
<connectModeOptions>ON_LEGACY</connectModeOptions>
<sharedSecret>aaa</sharedSecret>
</tacacsSettings>
<trustsecsettings>
<deviceAuthenticationSettings>
<sgaDeviceId>networkDevice1</sgaDeviceId>
<sgaDevicePassword>aaa</sgaDevicePassword>
</deviceAuthenticationSettings>
<deviceConfigurationDeployment>
<enableModePassword>aaa</enableModePassword>
<execModePassword>aaa</execModePassword>
<execModeUsername>aaa</execModeUsername>
<includeWhenDeployingSGTUpdates>true</includeWhenDeployingSGTUpdates>
</deviceConfigurationDeployment>
<sgaNotificationAndUpdates>
<downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
<downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
<downloadSGACLListsEveryXSeconds>86400</downloadSGACLListsEveryXSeconds>
<otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
<reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
<sendConfigurationToDevice>false</sendConfigurationToDevice>
<sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
</sgaNotificationAndUpdates>
</trustsecsettings>
</ns8:networkdevice>
<ns8:networkdevice description="Network Device 2" id="id_2" name="networkDevice2">
<authenticationSettings>
<enableKeyWrap>true</enableKeyWrap>
<keyEncryptionKey>1234567890123456</keyEncryptionKey>
<keyInputFormat>ASCII</keyInputFormat>
<messageAuthenticatorCodeKey>12345678901234567890</messageAuthenticatorCodeKey>
<networkProtocol>RADIUS</networkProtocol>
<radiusSharedSecret>aaa</radiusSharedSecret>
</authenticationSettings>
<coaPort>1700</coaPort>
<NetworkDeviceIPList>
<NetworkDeviceIP>
<ipaddress>1.1.1.1</ipaddress>
<mask>32</mask>
</NetworkDeviceIP>
</NetworkDeviceIPList>
<NetworkDeviceGroupList>
<NetworkDeviceGroup>Location#All Locations</NetworkDeviceGroup>
<NetworkDeviceGroup>Device Type#All Device Types</NetworkDeviceGroup>
</NetworkDeviceGroupList>
<profileName>Cisco</profileName>
<snmpsettings>
<linkTrapQuery>true</linkTrapQuery>
<macTrapQuery>true</macTrapQuery>
<originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
<pollingInterval>3600</pollingInterval>
<roCommunity>aaa</roCommunity>
<version>ONE</version>
</snmpsettings>
<tacacsSettings>
<connectModeOptions>ON_LEGACY</connectModeOptions>
<sharedSecret>aaa</sharedSecret>
</tacacsSettings>
<trustsecsettings>
<deviceAuthenticationSettings>
<sgaDeviceId>networkDevice2</sgaDeviceId>
<sgaDevicePassword>aaa</sgaDevicePassword>
</deviceAuthenticationSettings>
<deviceConfigurationDeployment>
<enableModePassword>aaa</enableModePassword>
<execModePassword>aaa</execModePassword>
<execModeUsername>aaa</execModeUsername>
<includeWhenDeployingSGTUpdates>true</includeWhenDeployingSGTUpdates>
</deviceConfigurationDeployment>
<sgaNotificationAndUpdates>
<downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
<downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
<downloadSGACLListsEveryXSeconds>86400</downloadSGACLListsEveryXSeconds>
<otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
<reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
<sendConfigurationToDevice>false</sendConfigurationToDevice>
<sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
</sgaNotificationAndUpdates>
</trustsecsettings>
</ns8:networkdevice>
</ns8:resourcesList>
</ns8:networkDeviceBulkRequest>
Other things you can do with the REST API:
- Create, delete, search and modify security groups
- Create, delete, search and modify SGACLs
- Map IPs to SGTs
- Create, delete, search and modify egress matrix cells
- Create, delete, search and modify SXP VPNs
- Create, delete, search and modify SXP local bindings
- Create, delete, search and modify SXP connections
- Create, delete, search and modify network devices and network device groups
- Create, delete, search and modify Profiler profiles
- Create, delete, search and modify internal users
- Create, delete, search and modify identity groups
- Create, delete, search and modify guest users
- Create, delete, search and modify endpoints and endpoint identity groups
- Create, delete, search and modify ANC policies
- Quarantine and unquarantine endpoints
To see some of the configurations and instructions on how to use the API, navigate to http://<IP-of-ISE>:9060/ers/sdk in your browser.