ISE REST API - Part 2

This is a continuation of my previous post. In this post we create some basic objects through the REST API and push them with Postman.

The first thing I want to do is start creating some objects with the REST API. The first object is a network device group. I will use the following template:

<ns4:networkdevicegroup description="Group description" id="a unique numeric identifier" name="Device Type#All Device Types#Group Name" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>

The name is a "#"-separated path: the group type, the root container ISE already has for that type ("All Device Types" or "All Locations"), and your new group. The Location header of the 201 response carries the id ISE actually assigned to the object.

To create a device type for switches I use the following:

Method: POST
URI: https://10.1.100.76:9060/ers/config/networkdevicegroup
Content-Type: application/vnd.com.cisco.ise.network.networkdevicegroup.1.0+xml; charset=utf-8

Every ERS call goes over HTTPS to port 9060 with HTTP Basic authentication as a user in the ERS Admin group, and the ERS service must first be enabled under Administration > System > Settings > ERS Settings. A successful create returns 201 Created with the URL of the new object in the Location header.


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Campus Switches" id="000000011" name="Device Type#All Device Types#Switch" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>
 

In Postman it should look like this:

and you should see the device group created under Administration > Network Resources > Network Device Groups.

So let's go ahead and create some more:
 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Branch Routers" id="000000012" name="Device Type#All Device Types#Router" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Prime Infrastructure" id="000000013" name="Device Type#All Device Types#Prime" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Web Security Appliances" id="000000014" name="Device Type#All Device Types#WSA" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Enterprise Firewalls" id="000000015" name="Device Type#All Device Types#Firewall" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Wireless Controllers" id="000000016" name="Device Type#All Device Types#Wireless Controller" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Device Type</type>
</ns4:networkdevicegroup>
Now I have created all of the device types. To create a Location group, use the following:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevicegroup description="Security Demo Lab" id="000000017" name="Location#All Locations#Security Lab" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="network.ers.ise.cisco.com">
    <type>Location</type>
</ns4:networkdevicegroup>
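Hand-editing one XML template per group is where the smart quotes and unescaped characters creep in. The following is an added example, not code from the original post: it builds the same networkdevicegroup bodies with ElementTree (which escapes &, < and > for you), validates the "#"-separated group path, and submits them with Basic authentication over HTTPS. The ISE address, the group names and ids are taken from the post; the ERS_USER and ERS_PASS environment variables are an assumption of this example. ElementTree reserves prefixes of the form nsN, so the element is emitted with the prefix "nd" instead of ns4; ISE matches on the namespace URI, not the prefix.

```python
"""Build and submit ISE ERS network device group objects.
Added example, not code from the original post. The ISE host, group names and ids are
taken from the post; ERS_USER/ERS_PASS are environment variables this example assumes."""
import base64
import os
import urllib.request
import xml.etree.ElementTree as ET

NETWORK_NS = "network.ers.ise.cisco.com"
GROUP_MEDIA = "application/vnd.com.cisco.ise.network.networkdevicegroup.1.0+xml"
XML_DECL = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
# Root container ISE names for each group type; the group name is the '#'-joined path.
ROOTS = {"Device Type": "All Device Types", "Location": "All Locations"}
ET.register_namespace("nd", NETWORK_NS)   # "ns4" itself is a prefix ElementTree reserves


def group_path(group_type, leaf):
    """'Device Type', 'Switch' -> 'Device Type#All Device Types#Switch'.
    '#' is the path separator, so a leaf containing it would create a bogus sub-level."""
    if group_type not in ROOTS:
        raise ValueError(f"unknown group type {group_type!r}")
    if "#" in leaf or not leaf.strip():
        raise ValueError(f"invalid group leaf name {leaf!r}")
    return f"{group_type}#{ROOTS[group_type]}#{leaf}"


def group_body(group_type, leaf, description, group_id):
    """Serialise one networkdevicegroup resource. ElementTree escapes <, > and & in
    the attributes, which a hand-edited template does not."""
    el = ET.Element(f"{{{NETWORK_NS}}}networkdevicegroup",
                    {"id": group_id, "name": group_path(group_type, leaf),
                     "description": description})
    ET.SubElement(el, "type").text = group_type
    return XML_DECL + ET.tostring(el, encoding="utf-8")


def ers_post(base_url, path, media_type, body, user, password):
    """POST one ERS resource. ISE answers 201 Created with the new object's URL in
    the Location header. urlopen validates the TLS certificate; import the ISE
    admin certificate into your trust store rather than disabling that check."""
    req = urllib.request.Request(base_url + path, data=body, method="POST")
    req.add_header("Content-Type", media_type + "; charset=utf-8")
    req.add_header("Accept", media_type)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)   # needs an ERS Admin account
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.headers.get("Location")


# The groups created one by one in the post, as (type, leaf, description, id).
GROUPS = [
    ("Device Type", "Switch", "Campus Switches", "000000011"),
    ("Device Type", "Router", "Branch Routers", "000000012"),
    ("Device Type", "Prime", "Prime Infrastructure", "000000013"),
    ("Device Type", "WSA", "Web Security Appliances", "000000014"),
    ("Device Type", "Firewall", "Enterprise Firewalls", "000000015"),
    ("Device Type", "Wireless Controller", "Wireless Controllers", "000000016"),
    ("Location", "Security Lab", "Security Demo Lab", "000000017"),
]

if __name__ == "__main__":
    for group_type, leaf, description, group_id in GROUPS:
        status, location = ers_post("https://10.1.100.76:9060", "/ers/config/networkdevicegroup",
                                    GROUP_MEDIA, group_body(group_type, leaf, description, group_id),
                                    os.environ["ERS_USER"], os.environ["ERS_PASS"])
        print(status, location)
```

Run it with ERS_USER and ERS_PASS exported; each line printed is the HTTP status and the URL of the group ISE created, which is what you would otherwise read off the Postman response headers.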

 

The next thing to do is import the network access devices. The first way is to create them one at a time:
 

Method: POST
URI: https://10.1.100.76:9060/ers/config/networkdevice
Content-Type: application/vnd.com.cisco.ise.network.networkdevice.1.1+xml; charset=utf-8

To configure a device with RADIUS, TACACS, SNMP settings and advanced TrustSec, use the template below. Everything in this body travels in clear text inside the TLS session: the RADIUS shared secret, the SNMP community, the TACACS secret, the TrustSec device password and, if you enable SGT deployment, the device's EXEC and enable credentials. Treat saved Postman collections and request history as secret material, or keep those values in Postman environment variables.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:networkdevice description="Device description" id="unique alphanumeric identifier" name="Device name"
    xmlns:ers="ers.ise.cisco.com"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:ns4="network.ers.ise.cisco.com">
    <authenticationSettings>
        <enableKeyWrap>{false | true}</enableKeyWrap>
        <keyEncryptionKey>Key encryption key (16 ASCII characters)</keyEncryptionKey> <- only applies when key wrap is true
        <keyInputFormat>ASCII</keyInputFormat> <- only applies when key wrap is true
        <messageAuthenticatorCodeKey>Message authenticator code key (20 ASCII characters)</messageAuthenticatorCodeKey> <- only applies when key wrap is true
        <networkProtocol>RADIUS</networkProtocol>
        <radiusSharedSecret>RADIUS-Shared-Secret</radiusSharedSecret>
    </authenticationSettings>
    <coaPort>1700</coaPort>
    <NetworkDeviceIPList>
        <NetworkDeviceIP>
            <ipaddress>IP address of the device</ipaddress>
            <mask>prefix length, e.g. 32 for a single host</mask>
        </NetworkDeviceIP>
    </NetworkDeviceIPList>
    <NetworkDeviceGroupList>
        <NetworkDeviceGroup>Location#All Locations#Location</NetworkDeviceGroup>
        <NetworkDeviceGroup>Device Type#All Device Types#Device-Type-Name</NetworkDeviceGroup>
    </NetworkDeviceGroupList>
    <profileName>Cisco</profileName> <- can also be AlcatelWired, ArubaWireless, BrocadeWired, HPWired, HPWired_SNMP_CoA, HPWireless, MotorolaWireless or RuckusWireless

------------------------------------------------------------
If you only need RADIUS, stop here and close the document with </ns4:networkdevice>


    <snmpsettings>
        <linkTrapQuery>{true | false}</linkTrapQuery>
        <macTrapQuery>{true | false}</macTrapQuery>
        <originatingPolicyServicesNode>Auto</originatingPolicyServicesNode> <- Auto is the default, but you can name a specific ISE node
        <pollingInterval>3600</pollingInterval> <- seconds; the default is 28800 (8 hours)
        <roCommunity>SNMP read-only community string</roCommunity>
        <version>TWO_C</version> <- can also be ONE or THREE; this is the SNMP version. THREE needs the SNMPv3 user and authentication/privacy elements instead of roCommunity, which this template does not show
    </snmpsettings>
------------------------------------------------------------

If you need SNMP settings as well, stop here and close the document with </ns4:networkdevice>

    <tacacsSettings>
        <connectModeOptions>ON_LEGACY</connectModeOptions>
        <sharedSecret>TACACS shared secret</sharedSecret>
    </tacacsSettings>
------------------------------------------------------------

If you need TACACS settings as well, stop here and close the document with </ns4:networkdevice>
    <trustsecsettings>
        <deviceAuthenticationSettings>
            <sgaDeviceId>Device ID, typically the device name</sgaDeviceId>
            <sgaDevicePassword>Device ID password</sgaDevicePassword>
        </deviceAuthenticationSettings>
        <deviceConfigurationDeployment>
            <enableModePassword>Enable password for the device</enableModePassword> <- only required if includeWhenDeployingSGTUpdates is true
            <execModePassword>EXEC mode password</execModePassword> <- only required if includeWhenDeployingSGTUpdates is true
            <execModeUsername>EXEC mode username</execModeUsername> <- only required if includeWhenDeployingSGTUpdates is true
            <includeWhenDeployingSGTUpdates>{true | false}</includeWhenDeployingSGTUpdates>
        </deviceConfigurationDeployment>
        <sgaNotificationAndUpdates>
            <downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
            <downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
            <downlaodSGACLListsEveryXSeconds>86400</downlaodSGACLListsEveryXSeconds>
            <otherSGADevicesToTrustThisDevice>{true | false}</otherSGADevicesToTrustThisDevice>
            <reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
            <sendConfigurationToDevice>{true | false}</sendConfigurationToDevice>
            <sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
        </sgaNotificationAndUpdates>
    </trustsecsettings>
</ns4:networkdevice>

------------------------------------------------------------
The section above is the TrustSec settings. Two things to note: the three "downlaod..." element names are spelled that way in the ERS schema itself, so keep them exactly as shown; and setting includeWhenDeployingSGTUpdates to true means ISE stores the device's EXEC and enable credentials so it can push SGT configuration, so leave it false unless you actually want ISE logging in to the device.

 

So if I want to deploy a single network device, it looks like this:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:networkdevice id="00000000022" name="Sw1"
    xmlns:ers="ers.ise.cisco.com"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:ns4="network.ers.ise.cisco.com">
    <link rel="self" href="https://10.1.100.21:9060/ers/config/networkdevice/00000000022" type="application/xml" />
    <authenticationSettings>
        <enableKeyWrap>false</enableKeyWrap>
        <keyInputFormat>ASCII</keyInputFormat>
        <networkProtocol>RADIUS</networkProtocol>
        <radiusSharedSecret>NetworkNode</radiusSharedSecret>
    </authenticationSettings>
    <coaPort>1700</coaPort>
    <NetworkDeviceIPList>
        <NetworkDeviceIP>
            <ipaddress>10.1.100.15</ipaddress>
            <mask>32</mask>
        </NetworkDeviceIP>
    </NetworkDeviceIPList>
    <NetworkDeviceGroupList>
        <NetworkDeviceGroup>Device Type#All Device Types#Switch</NetworkDeviceGroup>
        <NetworkDeviceGroup>Location#All Locations#Security Lab</NetworkDeviceGroup>
    </NetworkDeviceGroupList>
    <profileName>Cisco</profileName>
    <snmpsettings>
        <linkTrapQuery>true</linkTrapQuery>
        <macTrapQuery>true</macTrapQuery>
        <originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
        <pollingInterval>10000</pollingInterval>
        <roCommunity>NetworkNode</roCommunity>
        <version>TWO_C</version>
    </snmpsettings>
    <tacacsSettings>
        <connectModeOptions>ON_LEGACY</connectModeOptions>
        <previousSharedSecret>NetworkNode</previousSharedSecret>
        <previousSharedSecretExpiry>0</previousSharedSecretExpiry>
        <sharedSecret>NetworkNode</sharedSecret>
    </tacacsSettings>
    <trustsecsettings>
        <deviceAuthenticationSettings>
            <sgaDeviceId>Sw1</sgaDeviceId>
            <sgaDevicePassword>NetworkNode</sgaDevicePassword>
        </deviceAuthenticationSettings>
        <deviceConfigurationDeployment>
            <includeWhenDeployingSGTUpdates>false</includeWhenDeployingSGTUpdates>
        </deviceConfigurationDeployment>
        <sgaNotificationAndUpdates>
            <downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
            <downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
            <downlaodSGACLListsEveryXSeconds>86400</downlaodSGACLListsEveryXSeconds>
            <otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
            <reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
            <sendConfigurationToDevice>false</sendConfigurationToDevice>
            <sendConfigurationToDeviceUsing>DISABLE_ALL</sendConfigurationToDeviceUsing>
        </sgaNotificationAndUpdates>
    </trustsecsettings>
</ns4:networkdevice>

In Postman it looks like this:

and my device is created in ISE:

 

While the above is fine for a one-off configuration, you can bulk-create network access devices with the following:

Method: PUT
URI: https://10.1.100.76:9060/ers/config/networkdevice/bulk/submit
Content-Type: application/vnd.com.cisco.ise.network.networkdevicebulkrequest.1.1+xml
Accept: application/vnd.com.cisco.ise.network.networkdevicebulkrequest.1.1+xml

The job runs asynchronously: ISE answers 202 Accepted with a Location header pointing at the bulk status resource, and you GET that URL to see the per-device result. Give every device in the list its own IP address, since ISE will not accept a network device whose address is already assigned to another one, and replace the SDK placeholder secrets ("aaa") before submitting anything to a real deployment.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns8:networkDeviceBulkRequest operationType="create" resourceMediaType="vnd.com.cisco.ise.network.networkdevice.1.1+xml" xmlns:ns6="sxp.ers.ise.cisco.com" xmlns:ns5="trustsec.ers.ise.cisco.com" xmlns:ns8="network.ers.ise.cisco.com" xmlns:ns7="anc.ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
    <ns8:resourcesList>
        <ns8:networkdevice description="network device 1" id="id_1" name="networkDevice1">
            <authenticationSettings>
                <enableKeyWrap>true</enableKeyWrap>
                <keyEncryptionKey>1234567890123456</keyEncryptionKey>
                <keyInputFormat>ASCII</keyInputFormat>
                <messageAuthenticatorCodeKey>12345678901234567890</messageAuthenticatorCodeKey>
                <networkProtocol>RADIUS</networkProtocol>
                <radiusSharedSecret>aaa</radiusSharedSecret>
            </authenticationSettings>
            <coaPort>1700</coaPort>
            <NetworkDeviceIPList>
                <NetworkDeviceIP>
                    <ipaddress>1.1.1.1</ipaddress>
                    <mask>32</mask>
                </NetworkDeviceIP>
            </NetworkDeviceIPList>
            <NetworkDeviceGroupList>
                <NetworkDeviceGroup>Location#All Locations</NetworkDeviceGroup>
                <NetworkDeviceGroup>Device Type#All Device Types</NetworkDeviceGroup>
            </NetworkDeviceGroupList>
            <profileName>Cisco</profileName>
            <snmpsettings>
                <linkTrapQuery>true</linkTrapQuery>
                <macTrapQuery>true</macTrapQuery>
                <originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
                <pollingInterval>3600</pollingInterval>
                <roCommunity>aaa</roCommunity>
                <version>ONE</version>
            </snmpsettings>
            <tacacsSettings>
                <connectModeOptions>ON_LEGACY</connectModeOptions>
                <sharedSecret>aaa</sharedSecret>
            </tacacsSettings>
            <trustsecsettings>
                <deviceAuthenticationSettings>
                    <sgaDeviceId>networkDevice1</sgaDeviceId>
                    <sgaDevicePassword>aaa</sgaDevicePassword>
                </deviceAuthenticationSettings>
                <deviceConfigurationDeployment>
                    <enableModePassword>aaa</enableModePassword>
                    <execModePassword>aaa</execModePassword>
                    <execModeUsername>aaa</execModeUsername>
                    <includeWhenDeployingSGTUpdates>true</includeWhenDeployingSGTUpdates>
                </deviceConfigurationDeployment>
                <sgaNotificationAndUpdates>
                    <downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
                    <downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
                    <downlaodSGACLListsEveryXSeconds>86400</downlaodSGACLListsEveryXSeconds>
                    <otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
                    <reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
                    <sendConfigurationToDevice>false</sendConfigurationToDevice>
                    <sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
                </sgaNotificationAndUpdates>
            </trustsecsettings>
        </ns8:networkdevice>
        <ns8:networkdevice description="network device 2" id="id_2" name="networkDevice2">
            <authenticationSettings>
                <enableKeyWrap>true</enableKeyWrap>
                <keyEncryptionKey>1234567890123456</keyEncryptionKey>
                <keyInputFormat>ASCII</keyInputFormat>
                <messageAuthenticatorCodeKey>12345678901234567890</messageAuthenticatorCodeKey>
                <networkProtocol>RADIUS</networkProtocol>
                <radiusSharedSecret>aaa</radiusSharedSecret>
            </authenticationSettings>
            <coaPort>1700</coaPort>
            <NetworkDeviceIPList>
                <NetworkDeviceIP>
                    <ipaddress>1.1.1.2</ipaddress>
                    <mask>32</mask>
                </NetworkDeviceIP>
            </NetworkDeviceIPList>
            <NetworkDeviceGroupList>
                <NetworkDeviceGroup>Location#All Locations</NetworkDeviceGroup>
                <NetworkDeviceGroup>Device Type#All Device Types</NetworkDeviceGroup>
            </NetworkDeviceGroupList>
            <profileName>Cisco</profileName>
            <snmpsettings>
                <linkTrapQuery>true</linkTrapQuery>
                <macTrapQuery>true</macTrapQuery>
                <originatingPolicyServicesNode>Auto</originatingPolicyServicesNode>
                <pollingInterval>3600</pollingInterval>
                <roCommunity>aaa</roCommunity>
                <version>ONE</version>
            </snmpsettings>
            <tacacsSettings>
                <connectModeOptions>ON_LEGACY</connectModeOptions>
                <sharedSecret>aaa</sharedSecret>
            </tacacsSettings>
            <trustsecsettings>
                <deviceAuthenticationSettings>
                    <sgaDeviceId>networkDevice2</sgaDeviceId>
                    <sgaDevicePassword>aaa</sgaDevicePassword>
                </deviceAuthenticationSettings>
                <deviceConfigurationDeployment>
                    <enableModePassword>aaa</enableModePassword>
                    <execModePassword>aaa</execModePassword>
                    <execModeUsername>aaa</execModeUsername>
                    <includeWhenDeployingSGTUpdates>true</includeWhenDeployingSGTUpdates>
                </deviceConfigurationDeployment>
                <sgaNotificationAndUpdates>
                    <downlaodEnvironmentDataEveryXSeconds>86400</downlaodEnvironmentDataEveryXSeconds>
                    <downlaodPeerAuthorizationPolicyEveryXSeconds>86400</downlaodPeerAuthorizationPolicyEveryXSeconds>
                    <downlaodSGACLListsEveryXSeconds>86400</downlaodSGACLListsEveryXSeconds>
                    <otherSGADevicesToTrustThisDevice>false</otherSGADevicesToTrustThisDevice>
                    <reAuthenticationEveryXSeconds>86400</reAuthenticationEveryXSeconds>
                    <sendConfigurationToDevice>false</sendConfigurationToDevice>
                    <sendConfigurationToDeviceUsing>ENABLE_USING_COA</sendConfigurationToDeviceUsing>
                </sgaNotificationAndUpdates>
            </trustsecsettings>
        </ns8:networkdevice>
    </ns8:resourcesList>
</ns8:networkDeviceBulkRequest>
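The per-device template earlier on this page and the bulk request above are the same networkdevice document, once wrapped in a networkDeviceBulkRequest. The following added example (mine, not code from the post or from the ISE SDK) generates both from plain Python dicts: the single-POST body, the bulk body for any number of devices, and a pre-flight check that catches the mistakes a bulk job otherwise surfaces one device at a time (duplicate names or IPs, placeholder-length secrets, key-wrap keys of the wrong length). Element names, media types and defaults are taken from the templates on this page; the 16-character minimum secret length is a local policy assumption, and the 16/20-character KEK and MACK lengths are the ASCII key-wrap sizes ISE expects. ElementTree reserves prefixes of the form nsN, so elements are emitted with the prefix "nd" instead of ns4/ns8; the namespace URI is what ISE matches on.

```python
"""Generate the ERS networkdevice body (single POST) and the bulk PUT wrapper from plain
dicts, with a pre-flight check. Added example, not code from the post or the ISE SDK;
MIN_SECRET_LEN is a local policy assumption, not an ERS rule."""
import ipaddress
import xml.etree.ElementTree as ET

NETWORK_NS = "network.ers.ise.cisco.com"
DEVICE_MEDIA = "vnd.com.cisco.ise.network.networkdevice.1.1+xml"
XML_DECL = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
MIN_SECRET_LEN = 16  # assumed local policy; ISE's own minimum is a configurable setting
ET.register_namespace("nd", NETWORK_NS)  # nsN prefixes are reserved by ElementTree


def _leaf(parent, tag, value):
    el = ET.SubElement(parent, tag)
    el.text = str(value).lower() if isinstance(value, bool) else str(value)
    return el


def device_element(dev):
    """Map a device dict to the ERS tree; snmp/tacacs/trustsec sections only when present."""
    nd = ET.Element(f"{{{NETWORK_NS}}}networkdevice", {"name": dev["name"], "description": dev.get("description", "")})
    auth = ET.SubElement(nd, "authenticationSettings")
    kw = dev.get("keywrap")
    _leaf(auth, "enableKeyWrap", kw is not None)
    if kw:
        _leaf(auth, "keyEncryptionKey", kw["kek"])
        _leaf(auth, "keyInputFormat", "ASCII")
        _leaf(auth, "messageAuthenticatorCodeKey", kw["mack"])
    _leaf(auth, "networkProtocol", "RADIUS")
    _leaf(auth, "radiusSharedSecret", dev["radius_secret"])  # ElementTree escapes &, <, >
    _leaf(nd, "coaPort", dev.get("coa_port", 1700))
    ips = ET.SubElement(nd, "NetworkDeviceIPList")
    for cidr in dev["ips"]:
        net = ipaddress.ip_network(cidr, strict=False)
        entry = ET.SubElement(ips, "NetworkDeviceIP")
        _leaf(entry, "ipaddress", net.network_address)
        _leaf(entry, "mask", net.prefixlen)
    groups = ET.SubElement(nd, "NetworkDeviceGroupList")
    for group in dev["groups"]:
        _leaf(groups, "NetworkDeviceGroup", group)
    _leaf(nd, "profileName", dev.get("profile", "Cisco"))
    if "snmp" in dev:
        snmp = ET.SubElement(nd, "snmpsettings")
        for tag, val in (("linkTrapQuery", True), ("macTrapQuery", True),
                         ("originatingPolicyServicesNode", "Auto"),
                         ("pollingInterval", dev["snmp"].get("interval", 28800)),
                         ("roCommunity", dev["snmp"]["community"]),
                         ("version", dev["snmp"].get("version", "TWO_C"))):
            _leaf(snmp, tag, val)
    if "tacacs_secret" in dev:
        tacacs = ET.SubElement(nd, "tacacsSettings")
        _leaf(tacacs, "connectModeOptions", "ON_LEGACY")
        _leaf(tacacs, "sharedSecret", dev["tacacs_secret"])
    if "trustsec_password" in dev:
        ts = ET.SubElement(nd, "trustsecsettings")
        da = ET.SubElement(ts, "deviceAuthenticationSettings")
        _leaf(da, "sgaDeviceId", dev["name"])
        _leaf(da, "sgaDevicePassword", dev["trustsec_password"])
        dc = ET.SubElement(ts, "deviceConfigurationDeployment")
        _leaf(dc, "includeWhenDeployingSGTUpdates", False)  # keeps EXEC/enable creds out of ISE
        nu = ET.SubElement(ts, "sgaNotificationAndUpdates")
        for tag, val in (("downlaodEnvironmentDataEveryXSeconds", 86400),  # ERS really spells it "downlaod"
                         ("downlaodPeerAuthorizationPolicyEveryXSeconds", 86400),
                         ("downlaodSGACLListsEveryXSeconds", 86400),
                         ("otherSGADevicesToTrustThisDevice", False), ("reAuthenticationEveryXSeconds", 86400),
                         ("sendConfigurationToDevice", False), ("sendConfigurationToDeviceUsing", "DISABLE_ALL")):
            _leaf(nu, tag, val)
    return nd


def single_device_body(dev):
    """Body for POST /ers/config/networkdevice (Content-Type: application/<DEVICE_MEDIA>)."""
    return XML_DECL + ET.tostring(device_element(dev), encoding="utf-8")


def bulk_create_body(devices):
    """Body for PUT /ers/config/networkdevice/bulk/submit (networkdevicebulkrequest media type)."""
    root = ET.Element(f"{{{NETWORK_NS}}}networkDeviceBulkRequest",
                      {"operationType": "create", "resourceMediaType": DEVICE_MEDIA})
    ET.SubElement(root, f"{{{NETWORK_NS}}}resourcesList").extend(device_element(d) for d in devices)
    return XML_DECL + ET.tostring(root, encoding="utf-8")


def preflight(devices):
    """Catch duplicate names/IPs, short secrets and wrong-length key-wrap keys before the job runs."""
    problems, names, owner = [], set(), {}
    for d in devices:
        if d["name"] in names:
            problems.append(f"{d['name']}: duplicate device name")
        names.add(d["name"])
        for cidr in d["ips"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if net in owner:
                problems.append(f"{d['name']}: {net} already assigned to {owner[net]}")
            owner.setdefault(net, d["name"])
        for key in ("radius_secret", "tacacs_secret", "trustsec_password"):
            if key in d and len(d[key]) < MIN_SECRET_LEN:
                problems.append(f"{d['name']}: {key} shorter than {MIN_SECRET_LEN} characters")
        kw = d.get("keywrap")
        if kw and (len(kw["kek"]) != 16 or len(kw["mack"]) != 20):
            problems.append(f"{d['name']}: ASCII KEK must be 16 and MACK 20 characters")
    return problems
```

Feed it the device list from your inventory, run preflight first and refuse to submit if it returns anything, then PUT bulk_create_body(devices) with the bulk media type and poll the status URL from the 202 response. The dict never leaves the process, so the secrets live in whatever vault you load it from rather than in a saved request body.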

 

Other things you can do with the REST API:

  • Create, delete, search and modify security groups (SGTs)
  • Create, delete, search and modify SGACLs
  • Map IPs to SGTs
  • Create, delete, search and modify egress matrix cells
  • Create, delete, search and modify SXP VPNs
  • Create, delete, search and modify SXP local bindings
  • Create, delete, search and modify SXP connections
  • Create, delete, search and modify network devices and network device groups
  • Create, delete, search and modify profiler profiles
  • Create, delete, search and modify internal users
  • Create, delete, search and modify identity groups
  • Create, delete, search and modify guest users
  • Create, delete, search and modify endpoints and endpoint identity groups
  • Create, delete, search and modify ANC policies
  • Quarantine and unquarantine endpoints

To see sample configurations and instructions on how to use the API, browse to https://<IP-of-ISE>:9060/ers/sdk.