About the connector
Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches. The purpose is to simplify identity management across diverse devices and applications.
This document provides information about the Cisco ISE connector, which facilitates automated interactions, with a Cisco ISE server using FortiSOAR™ playbooks. Add the Cisco ISE connector as a step in FortiSOAR™ playbooks and perform automated operations, such as quarantining and un-quarantining IP addresses on Cisco ISE and retrieving a list of all active sessions from Cisco ISE.
Version information
Connector Version: 2.0.0
Authored By: Community
Certified: No
Release Notes for version 2.0.0
Following enhancements have been made to the Cisco ISE connector in version 2.0.0:
- Added a new configuration parameter "ERS port". You require to specify the ERS port number (default 9060) for ERS API operations.
- Added the following new operations and playbooks:
- Get Endpoints
- Get ANC Endpoint
- Create ANC Policy
- Get ANC Policy
- Assign ANC Policy
- Revoke ANC Policy
Installing the connector
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-cisco-ise
Prerequisites to configuring the connector
- You must have the URL of Cisco ISE server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Cisco ISE connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server URL |
IP address or FQDN of the Cisco ISE server to which you will connect and perform the automated operations. |
| Username |
Username to access the Cisco ISE to which you will connect and perform the automated operations. |
| Password |
Password to access the Cisco ISE server to which you will connect and perform the automated operations. |
| ERS Port |
External RESTful Services (ERS) is a REST API based on HTTPS over port 9060. This is required to be specified for ERS API operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| List All Active Sessions |
Retrieves a list of all active sessions from Cisco ISE. |
list_active_sessions
Investigation |
| EPS: Quarantine IP Address |
Quarantines an IP address that you have specified on Cisco ISE. |
quarantine_ip
Containment |
| EPS: Quarantine MAC Address |
Quarantines a MAC address that you have specified on Cisco ISE. |
quarantine_mac
Containment |
| EPS: Un-Quarantine IP Address |
Removes an IP address that you have specified from the quarantine list on Cisco ISE. |
unquarantine_ip
Containment |
| EPS: Un-Quarantine MAC Address |
Removes a MAC address that you have specified from the quarantine list on Cisco ISE. |
unquarantine_mac
Containment |
| End a Target MAC address Session |
Ends a session of the MAC address that you have specified on Cisco ISE. |
end_session
Miscellaneous |
| MAC Address Logout |
Logs off a session of the MAC address that you have specified on Cisco ISE. |
logoff_session
Miscellaneous |
| Get Endpoints |
Retrieves details for all ERS endpoints or a specific endpoint from Cisco ISE based on the endpoint ID or name and other input parameters you have specified. |
get_ise_endpoint
Investigation |
| Get ANC Endpoint |
Retrieves details for all Adaptive Network Control (ANC) endpoints or a specific ANC endpoint from Cisco ISE based on the ANC Endpoint ID and other input parameters you have specified. |
get_anc_endpoint
Investigation |
| Create ANC Policy |
Creates and ANC policy in Cisco ISE based on the ANC policy name and action you have specified. |
create_policy
Containment |
| Get ANC Policy |
Retrieves details for all ANC policies or a specific ANC policy from Cisco ISE based on the policy ID or name and other input parameters you have specified. |
get_anc_policy
Investigation |
| Assign ANC Policy |
Assigns a specific ANC policy to a MAC address or an IP address on Cisco ISE based on the policy or name and the MAC or IP address you have specified. |
assign_policy
Containment |
| Revoke ANC Policy |
Revokes a specific ANC policy from a MAC address or an IP address on Cisco ISE based on the policy or name and the MAC or IP address you have specified. |
revoke_policy
Remediation |
operation: List All Active Sessions
Input parameters
None.
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: EPS: Quarantine IP Address
Input parameters
| Parameter |
Description |
| Target IP Address |
IP address of the device to quarantine on Cisco ISE. |
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: EPS: Quarantine MAC Address
Input parameters
| Parameter |
Description |
| Target MAC Address |
MAC address of the device to quarantine on Cisco ISE. |
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: EPS: Un-Quarantine IP Address
Input parameters
| Parameter |
Description |
| Target IP Address |
IP address of the device to un-quarantine on Cisco ISE. |
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: EPS: Un-Quarantine MAC Address
Input parameters
| Parameter |
Description |
| Target MAC Address |
MAC address of the device to un-quarantine on Cisco ISE. |
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: End a Target MAC Address Session
Input parameters
| Parameter |
Description |
| Target MAC Address |
MAC address to end the session on Cisco ISE. |
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: MAC Address Logout
Input parameters
| Parameter |
Description |
| Target MAC Address |
MAC address to log out from Cisco ISE. |
| Target Server Address |
Server address from which you want to log out the target machine. |
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: Get Endpoints
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Get Endpoint By |
Choose the method using which you want to retrieve endpoint details from Cisco ISE. You can choose between Endpoint ID or Endpoint Name.
If you choose 'Endpoint ID', then you must specify the following parameter:
- Endpoint ID: ID of the ANC endpoint whose details you want to retrieve from Cisco ISE.
If you choose 'Endpoint Name', then you must specify the following parameter:
- Endpoint Name: Name of the ANC endpoint whose details you want to retrieve from Cisco ISE.
|
| Size |
Number of results that the operation should include per page. The search result is by default paged to 20 results per page. |
| Page |
Page number from which you want to retrieve results. Page numbering starts at page 1. |
Output
The output contains the following populated JSON schema if you do not specify any endpoint name or ID for the 'Get Endpoint By' operation:
{
"SearchResult": {
"resources": [
{
"link": {
"type": "",
"rel": "",
"href": ""
},
"id": "",
"name": ""
}
],
"total": ""
}
}
The output contains the following populated JSON schema if you have specified an endpoint name or ID for the 'Get Endpoint By' operation:
{
"ERSEndPoint": {
"identityStore": "",
"id": "",
"portalUser": "",
"description": "",
"staticGroupAssignment": "",
"staticProfileAssignment": "",
"groupId": "",
"link": {
"type": "",
"rel": "",
"href": ""
},
"profileId": "",
"mac": "",
"identityStoreId": "",
"name": ""
}
}
operation: Get ANC Endpoint
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| ANC Endpoint ID |
ID of the ANC endpoint whose details you want to retrieve from Cisco ISE.
|
| Size |
Number of results that the operation should include per page. The search result is by default paged to 20 resources per page. |
| Page |
Page number from which you want to retrieve results. Page numbering starts at page 1. |
Output
The output contains the following populated JSON schema if you do not specify any endpoint ID for the 'Get ANC Endpoint' operation:
{
"SearchResult": {
"resources": [
{
"link": {
"type": "",
"rel": "",
"href": ""
},
"id": ""
}
],
"total": ""
}
}
The output contains the following populated JSON schema if you have specified an endpoint ID for the 'Get ANC Endpoint' operation:
{
"ErsAncEndpoint": {
"link": {
"type": "",
"rel": "",
"href": ""
},
"policyName": "",
"id": "",
"macAddress": ""
}
}
operation: Create ANC Policy
Input parameters
| Parameter |
Description |
| ANC Policy Name |
Name of the policy that you want to create on Cisco ISE. |
| Action |
Type of actions to be applied to the ANC policy that you want to create on Cisco ISE. You can choose from the following options: Quarantine, Portbounce, or Shutdown. |
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: Get ANC Policy
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Get Policy By |
Choose the method using which you want to retrieve ANC Policies from Cisco ISE. You can choose between Policy ID or Policy Name.
If you choose 'Policy ID', then you must specify the following parameter:
- Policy ID: ID of the ANC policy whose details you want to retrieve from Cisco ISE.
If you choose 'Policy Name', then you must specify the following parameter:
- Policy Name: Name of the ANC policy whose details you want to retrieve from Cisco ISE.
|
| Size |
Number of results that the operation should include per page. The search result is by default paged to 20 resources per page. |
| Page |
Page number from which you want to retrieve results. Page numbering starts at page 1. |
Output
The output contains the following populated JSON schema if you do not specify any policy name or ID for the 'Get ANC Policy' operation:
{
"SearchResult": {
"resources": [
{
"link": {
"type": "",
"rel": "",
"href": ""
},
"id": "",
"name": ""
}
],
"total": ""
}
}
The output contains the following populated JSON schema if you have specified a policy name or ID for the 'Get ANC Policy' operation:
{
"ErsAncPolicy": {
"link": {
"type": "",
"rel": "",
"href": ""
},
"actions": [],
"id": "",
"name": ""
}
}
operation: Assign ANC Policy
Input parameters
| Parameter |
Description |
| ANC Policy Name |
Name of the ANC policy that you want to apply to a specific MAC or IP address on Cisco ISE. |
| Apply To |
Choose whether you want to apply the specific ANC policy to a Mac Address or an IP address.
If you choose 'IP Address', then you must specify the following parameter:
- IP Address: IP Address on which you want to apply the specified policy.
If you choose 'MAC Address', then you must specify the following parameter:
- MAC Address: MAC Address on which you want to apply the specified policy.
|
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
operation: Revoke ANC Policy
Input parameters
| Parameter |
Description |
| ANC Policy Name |
Name of the ANC policy that you want to revoke from a specific MAC or IP address on Cisco ISE. |
| Revoke From |
Choose whether you want to revoke the specific ANC policy from a Mac Address or an IP address.
If you choose 'IP Address', then you must specify the following parameter:
- IP Address: IP Address from which you want to revoke the specified policy.
If you choose 'MAC Address', then you must specify the following parameter:
- MAC Address: MAC Address from which you want to revoke the specified policy.
|
Output
The output contains the following populated JSON schema:
{
"request_status": "",
"result": {}
}
Included playbooks
The Sample - Cisco ISE - 2.0.0 playbook collection comes bundled with the Cisco ISE connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cisco ISE connector.
- Assign ANC Policy
- Create ANC Policy
- End a Target MAC Address Session
- EPS: Quarantine IP Address
- EPS: Quarantine MAC Address
- EPS: Un-Quarantine IP Address
- EPS: Un-Quarantine MAC Address
- Get ANC Endpoint
- Get ANC Policy
- Get Endpoints
- List All Active Sessions
- MAC Address Logout
- Revoke ANC Policy
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
