伊势 REST API-第2部分

这是我上一篇文章的延续。在本文中，我们将通过REST API创建一些基本对象，然后通过POSTMAN将其推出。

我要做的第一件事是开始使用REST API创建一些对象。我要创建的第一件事是网络设备组。我将使用以下模板：

<ns4：networkdevicegroup description =“小组说明“ id =”一个唯一的数字标识符“ name ="设备类型＃所有设备类型#组名"xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns：ns4 =“ network.ers.ise.cisco.com”>
<type>设备类型</type>
</ ns4：networkdevicegroup>

为了创建交换机的设备类型，我将使用以下内容：

方法：开机自检
URI: //10.1.100.76:9060/ers/config/networkdevicegroup
内容类型： application / vnd.com.cisco.ise.network.networkdevicegroup.1.0 + xml;字符集= utf-8

<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns4：networkdevicegroup description =“校园交换机“ id =”000000011“ name =”设备类型＃所有设备类型#开关"xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns：ns4 =“ network.ers.ise.cisco.com”>
<type>Device Type</type>
</ ns4：networkdevicegroup>

在POSTMAN中应该看起来像这样：

并且您应该看到在下面创建的设备组 行政>Network Resources>网络设备组

因此，让我们继续创建更多：

<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns4：networkdevicegroup description =“分支路由器“ id =”000000012“ name =”设备类型＃所有设备类型#路由器"xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns：ns4 =“ network.ers.ise.cisco.com”>
<type>设备类型</type>
</ ns4：networkdevicegroup>

<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns4：networkdevicegroup description =“优质基础设施“ id =”000000013“ name =”设备类型＃所有设备类型#主要"xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns：ns4 =“ network.ers.ise.cisco.com”>
<type>设备类型</type>
</ ns4：networkdevicegroup>

<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns4：networkdevicegroup description =“网络安全设备“ id =”000000014“ name =”设备类型＃所有设备类型#世界安全联盟 "xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns：ns4 =“ network.ers.ise.cisco.com”>
<type>设备类型</type>
</ ns4：networkdevicegroup>

<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns4：networkdevicegroup description =“企业防火墙“ id =”000000015“ name =”设备类型＃所有设备类型#防火墙"xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns：ns4 =“ network.ers.ise.cisco.com”>
<type>设备类型</type>
</ ns4：networkdevicegroup>

<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns4：networkdevicegroup description =“无线控制器“ id =”000000016“ name =”设备类型＃所有设备类型#无线控制器"xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns：ns4 =“ network.ers.ise.cisco.com”>
<type>设备类型</type>
</ ns4：networkdevicegroup>

现在，我已经创建了所有设备类型。如果要创建位置组，请使用以下命令：

<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns4：networkdevicegroup description =“安全演示实验室“ id =”000000017“ name =”地点＃所有地点#安全实验室"xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema"xmlns：ns4 =“ network.ers.ise.cisco.com”>
<type>位置</type>
</ ns4：networkdevicegroup>

我们要做的下一件事是导入网络访问设备。一次单独创建一个的第一种方法：

方法：开机自检
URI: //10.1.100.76:9060/ers/config/networkdevice
内容类型： application / vnd.com.cisco.ise.network.networkdevice.1.1 + xml;字符集= utf-8

如果要使用RADIUS，TACACS，SNMP设置和高级TrustSec配置设备，请执行以下操作：
<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns4：networkdevice description =“设备说明“ id =”唯一字母数字标识符“ name =”设备名称"
xmlns：ers =“ ers.ise.cisco.com”
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns：ns4 =“ network.ers.ise.cisco.com”>
<authenticationSettings>
<enableKeyWrap>{false | 真正}</enableKeyWrap>
<keyEncryptionKey>共享密钥</keyEncryptionKey> <-仅在Key wrap为True时适用
<keyInputFormat>ASCII码码</keyInputFormat> <-仅在Key wrap为True时适用
<messageAuthenticatorCodeKey>密码键</ messageAuthenticatorCodeKey> <-仅在Key wrap为True时适用
<networkProtocol>半径</networkProtocol>
<radiusSharedSecret>半径-Shared-Secret</radiusSharedSecret>
</ authenticationSettings>
<coaPort>1700</coaPort>
<NetworkDeviceIPList>
<NetworkDeviceIP>
<ipaddress>设备的IP地址</ipaddress>
<mask>数值遮罩</mask>
</NetworkDeviceIP>
</NetworkDeviceIPList>
<NetworkDeviceGroupList>
<NetworkDeviceGroup>地点＃所有地点＃位置</NetworkDeviceGroup>
<NetworkDeviceGroup>设备类型＃所有设备类型＃Device-Type-Name</NetworkDeviceGroup>
</ NetworkDeviceGroupList>
<profileName>思科公司</profileName> <-您还可以放置AlcatelWired，ArubaWireless，BrocadeWired，HPWired，HPWired_SNMP_CoA，HPWireless，MotorolaWireless或RuckusWireless

-------------------------------------------------- -------------------------------------------------- ------
如果只需要RADIUS，请在此处结束并以 </ns4:networkdevice>

<snmpsettings>
<linkTrapQuery>{真正 | 假}</linkTrapQuery>
<macTrapQuery>{真正 | 假}</macTrapQuery>
<originatingPolicyServicesNode>汽车</ originatingPolicyServicesNode> <- 汽车 is default but you can specify the 伊势 node
<pollingInterval>3600</pollingInterval> <-时间。默认值为28,000
<roCommunity>SNMP字符串</roCommunity>
<version>TWO_C</version> <-也可以是一个或三个。这是SNMP版本
</snmpsettings>
-------------------------------------------------- -------------------------------------------------- -------
如果需要SNMP设置，请在此处结束，并以 </ns4:networkdevice>

<tacacsSettings>
<connectModeOptions>ON_LEGACY</connectModeOptions>
<sharedSecret>TACACS的共享秘密</sharedSecret>
</tacacsSettings>
-------------------------------------------------- -------------------------------------------------- ---------
如果需要TACACS设置，请在此处结束，并以 </ns4:networkdevice>

<trustsecsettings>
<deviceAuthenticationSettings>
<sgaDeviceId>设备ID典型名称</sgaDeviceId>
<sgaDevicePassword>设备ID密码</sgaDevicePassword>
</ deviceAuthenticationSettings>
<deviceConfigurationDeployment>
<enableModePassword>为设备启用密码</enableModePassword> <- Only required if includeWhenDeployingSGTUpdates is 真正
<execModePassword>EXEC模式密码</execModePassword> <- Only required if includeWhenDeployingSGTUpdates is 真正
<execModeUsername>EXEC模式用户名 </execModeUsername> <- Only required if includeWhenDeployingSGTUpdates is 真正
<includeWhenDeployingSGTUpdates>{true | 假}</ includeWhenDeployingSGTUpdates>
</ deviceConfigurationDeployment>
<sgaNotificationAndUpdates>
<downlaodEnvironmentDataEveryXSeconds>86400</ downlaodEnvironmentDataEveryXSeconds>
<downlaodPeerAuthorizationPolicyEveryXSeconds>86400</ downlaodPeerAuthorizationPolicyEveryXSeconds>
<下载SGACLListsEveryXSeconds>86400</下载SGACLListsEveryXSeconds>
<otherSGADevicesToTrustThisDevice>{true | 假}</ otherSGADevicesToTrustThisDevice>
<reAuthenticationEveryXSeconds>86400</ reAuthenticationEveryXSeconds>
<sendConfigurationToDevice>{true | 假}</ sendConfigurationToDevice>
<sendConfigurationToDeviceUsing>ENABLE_USING_COA</ sendConfigurationToDeviceUsing>
</ sgaNotificationAndUpdates>
</trustsecsettings>
</ns4:networkdevice>

-------------------------------------------------- -------------------------------------------------- --------------以上部分是TrustSec设置。

因此，如果我想部署单个网络设备，它将看起来像这样：
<xml版本=“ 1.0”编码=“ utf-8”独立=“是”？>
<ns4：networkdevice id =“00000000022“ name =”Sw1"
xmlns：ers =“ ers.ise.cisco.com”
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns：ns4 =“ network.ers.ise.cisco.com”>
<link rel="self" href="//10.1.100.21:9060/ers/config/networkdevice/00000000022“ 类型 =” application / xml“ />
<authenticationSettings>
<enableKeyWrap>假</enableKeyWrap>
<keyInputFormat>ASCII</keyInputFormat>
<networkProtocol>半径</networkProtocol>
<radiusSharedSecret>网络节点</radiusSharedSecret>
</ authenticationSettings>
<coaPort>1700</coaPort>
<NetworkDeviceIPList>
<NetworkDeviceIP>
<ipaddress>10.1.100.15</ipaddress>
<mask>32</mask>
</NetworkDeviceIP>
</NetworkDeviceIPList>
<NetworkDeviceGroupList>
<NetworkDeviceGroup>设备类型＃所有设备类型#开关</NetworkDeviceGroup>
<NetworkDeviceGroup>地点＃所有地点#安全实验室</NetworkDeviceGroup>
</ NetworkDeviceGroupList>
<profileName>思科公司</profileName>
<snmpsettings>
<linkTrapQuery>真正</linkTrapQuery>
<macTrapQuery>真正</macTrapQuery>
<originatingPolicyServicesNode>汽车</ originatingPolicyServicesNode>
<pollingInterval>10000</pollingInterval>
<roCommunity>网络节点</roCommunity>
<version>TWO_C</version>
</snmpsettings>
<tacacsSettings>
<connectModeOptions>关</connectModeOptions>
<previousSharedSecret>网络节点</ PreviousSharedSecret>
<previousSharedSecretExpiry>0</ PreviousSharedSecretExpiry>
<sharedSecret>网络节点</sharedSecret>
</tacacsSettings>
<trustsecsettings>
<deviceAuthenticationSettings>
<sgaDeviceId>Sw1</sgaDeviceId>
<sgaDevicePassword>网络节点</sgaDevicePassword>
</ deviceAuthenticationSettings>
<deviceConfigurationDeployment>
<includeWhenDeployingSGTUpdates>假</ includeWhenDeployingSGTUpdates>
</ deviceConfigurationDeployment>
<sgaNotificationAndUpdates>
<downlaodEnvironmentDataEveryXSeconds>86400</ downlaodEnvironmentDataEveryXSeconds>
<downlaodPeerAuthorizationPolicyEveryXSeconds>86400</ downlaodPeerAuthorizationPolicyEveryXSeconds>
<下载SGACLListsEveryXSeconds>86400</下载SGACLListsEveryXSeconds>
<otherSGADevicesToTrustThisDevice>假</ otherSGADevicesToTrustThisDevice>
<reAuthenticationEveryXSeconds>86400</ reAuthenticationEveryXSeconds>
<sendConfigurationToDevice>假</ sendConfigurationToDevice>
<sendConfigurationToDeviceUsing>禁用所有</ sendConfigurationToDeviceUsing>
</ sgaNotificationAndUpdates>
</trustsecsettings>
</ns4:networkdevice>

在POSTMAN中看起来像这样：

并在ISE中创建我的设备：

尽管以上内容可能适合一次性配置，但可以选择使用以下内容批量创建网络访问设备：

方法：PUT
URI: //10.1.100.76:9060/ers/config/networkdevice/bulk/submit
接受： application / vnd.com.cisco.ise.network.networkdevicebulkrequest.1.1 + xml

<？xml版本=“ 1.0”编码=“ UTF-8”独立=“是”？>
<ns8:networkDeviceBulkRequest operationType="create" resourceMediaType="vnd.com.cisco.ise.network.networkdevice.1.1+xml" xmlns:ns6="sxp.ers.ise.cisco.com" xmlns:ns5="trustsec.ers.ise.cisco.com" xmlns:ns8="network.ers.ise.cisco.com" xmlns:ns7="anc.ers.ise.cisco.com"xmlns：ers =“ ers.ise.cisco.com” xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
<ns8:resourcesList>
<ns8：networkdevice description =“网络设备1” id =“ id_1”名称=“ networkDevice1”>
<authenticationSettings>
<enableKeyWrap>true</enableKeyWrap>
<keyEncryptionKey>1234567890123456</keyEncryptionKey>
<keyInputFormat>ASCII</keyInputFormat>
<messageAuthenticatorCodeKey>12345678901234567890</ messageAuthenticatorCodeKey>
<networkProtocol>RADIUS</networkProtocol>
<radiusSharedSecret>aaa</radiusSharedSecret>
</ authenticationSettings>
<coaPort>1700</coaPort>
<NetworkDeviceIPList>
<NetworkDeviceIP>
<ipaddress>1.1.1.1</ipaddress>
<mask>32</mask>
</NetworkDeviceIP>
</NetworkDeviceIPList>
<NetworkDeviceGroupList>
<NetworkDeviceGroup>地点＃所有地点</NetworkDeviceGroup>
<NetworkDeviceGroup>设备类型＃所有设备类型</NetworkDeviceGroup>
</ NetworkDeviceGroupList>
<profileName>Cisco</profileName>
<snmpsettings>
<linkTrapQuery>true</linkTrapQuery>
<macTrapQuery>true</macTrapQuery>
<originatingPolicyServicesNode>Auto</ originatingPolicyServicesNode>
<pollingInterval>3600</pollingInterval>
<roCommunity>aaa</roCommunity>
<version>ONE</version>
</snmpsettings>
<tacacsSettings>
<connectModeOptions>ON_LEGACY</connectModeOptions>
<sharedSecret>aaa</sharedSecret>
</tacacsSettings>
<trustsecsettings>
<deviceAuthenticationSettings>
<sgaDeviceId>networkDevice1</sgaDeviceId>
<sgaDevicePassword>aaa</sgaDevicePassword>
</ deviceAuthenticationSettings>
<deviceConfigurationDeployment>
<enableModePassword>aaa</enableModePassword>
<execModePassword>aaa</execModePassword>
<execModeUsername>aaa</execModeUsername>
<includeWhenDeployingSGTUpdates>true</ includeWhenDeployingSGTUpdates>
</ deviceConfigurationDeployment>
<sgaNotificationAndUpdates>
<downlaodEnvironmentDataEveryXSeconds>86400</ downlaodEnvironmentDataEveryXSeconds>
<downlaodPeerAuthorizationPolicyEveryXSeconds>86400</ downlaodPeerAuthorizationPolicyEveryXSeconds>
<下载SGACLListsEveryXSeconds>86400</下载SGACLListsEveryXSeconds>
<otherSGADevicesToTrustThisDevice>false</ otherSGADevicesToTrustThisDevice>
<reAuthenticationEveryXSeconds>86400</ reAuthenticationEveryXSeconds>
<sendConfigurationToDevice>false</ sendConfigurationToDevice>
<sendConfigurationToDeviceUsing>ENABLE_USING_COA</ sendConfigurationToDeviceUsing>
</ sgaNotificationAndUpdates>
</trustsecsettings>
</ns8:networkdevice>
<ns8：networkdevice description =“网络设备2” id =“ id_2” name =“ networkDevice2”>
<authenticationSettings>
<enableKeyWrap>true</enableKeyWrap>
<keyEncryptionKey>1234567890123456</keyEncryptionKey>
<keyInputFormat>ASCII</keyInputFormat>
<messageAuthenticatorCodeKey>12345678901234567890</ messageAuthenticatorCodeKey>
<networkProtocol>RADIUS</networkProtocol>
<radiusSharedSecret>aaa</radiusSharedSecret>
</ authenticationSettings>
<coaPort>1700</coaPort>
<NetworkDeviceIPList>
<NetworkDeviceIP>
<ipaddress>1.1.1.1</ipaddress>
<mask>32</mask>
</NetworkDeviceIP>
</NetworkDeviceIPList>
<NetworkDeviceGroupList>
<NetworkDeviceGroup>地点＃所有地点</NetworkDeviceGroup>
<NetworkDeviceGroup>设备类型＃所有设备类型</NetworkDeviceGroup>
</ NetworkDeviceGroupList>
<profileName>Cisco</profileName>
<snmpsettings>
<linkTrapQuery>true</linkTrapQuery>
<macTrapQuery>true</macTrapQuery>
<originatingPolicyServicesNode>Auto</ originatingPolicyServicesNode>
<pollingInterval>3600</pollingInterval>
<roCommunity>aaa</roCommunity>
<version>ONE</version>
</snmpsettings>
<tacacsSettings>
<connectModeOptions>ON_LEGACY</connectModeOptions>
<sharedSecret>aaa</sharedSecret>
</tacacsSettings>
<trustsecsettings>
<deviceAuthenticationSettings>
<sgaDeviceId>networkDevice2</sgaDeviceId>
<sgaDevicePassword>aaa</sgaDevicePassword>
</ deviceAuthenticationSettings>
<deviceConfigurationDeployment>
<enableModePassword>aaa</enableModePassword>
<execModePassword>aaa</execModePassword>
<execModeUsername>aaa</execModeUsername>
<includeWhenDeployingSGTUpdates>true</ includeWhenDeployingSGTUpdates>
</ deviceConfigurationDeployment>
<sgaNotificationAndUpdates>
<downlaodEnvironmentDataEveryXSeconds>86400</ downlaodEnvironmentDataEveryXSeconds>
<downlaodPeerAuthorizationPolicyEveryXSeconds>86400</ downlaodPeerAuthorizationPolicyEveryXSeconds>
<下载SGACLListsEveryXSeconds>86400</下载SGACLListsEveryXSeconds>
<otherSGADevicesToTrustThisDevice>false</ otherSGADevicesToTrustThisDevice>
<reAuthenticationEveryXSeconds>86400</ reAuthenticationEveryXSeconds>
<sendConfigurationToDevice>false</ sendConfigurationToDevice>
<sendConfigurationToDeviceUsing>ENABLE_USING_COA</ sendConfigurationToDeviceUsing>
</ sgaNotificationAndUpdates>
</trustsecsettings>
</ns8:networkdevice>
</ns8:resourcesList>
</ ns8：networkDeviceBulkRequest>

您可以使用REST API进行的其他操作：

创建，删除，搜索和修改安全组
创建，删除，搜索和修改SGACL
将IP映射到SGT
创建，删除，搜索和修改出口矩阵单元
创建，删除，搜索和修改SXP 虚拟专用网
创建，删除，搜索和修改SXP本地绑定
创建，删除，搜索和修改SXP连接
创建，删除，搜索和修改网络设备和网络设备组
创建，删除，搜索和修改Profiler配置文件
创建，删除，搜索和修改内部用户
创建，删除，搜索和修改身份组
创建，删除，搜索和修改来宾用户
创建，删除，搜索和修改端点和端点标识组
创建，删除，搜索和修改ANC策略
隔离和非隔离端点

要查看一些配置并查看有关如何使用API的说明，请导航至http：// _<IP-of-ISE>浏览器中的：9060 / ers / sdk