ANC configuration - cisco-pxgrid/pxgrid-rest-ws GitHub Wiki
Service: com.cisco.ise.config.anc
This is the Adaptive Network Control (ANC) configuration service. It is available since ISE 2.4.
Service properties
Name | Description | Example |
---|---|---|
restBaseUrl | Base URL of the REST APIs below | https://ise-host1:8910/pxgrid/ise/config/anc |
wsPubsubService | pxGrid pubsub service that carries the status topic | com.cisco.ise.pubsub |
statusTopic | STOMP topic on which operation status objects are published | /topic/com.cisco.ise.config.anc.status |
Policy APIs
These are the set of APIs to manipulate ANC policies, which can then be applied to endpoints.
POST [restBaseUrl]/getPolicies
This is used to get all policies.
An empty JSON object must be sent as the request.
If no policy is found, "policies" will be an empty array.
Request
{
}
Response
{
"policies": [
array of policy object
]
}
POST [restBaseUrl]/getPolicyByName
If the policy does not exist, HTTP status "204 No content" will be returned with an empty body.
Request
{
"name": string (required)
}
Response
{
policy object
}
POST [restBaseUrl]/createPolicy
There is no need to set the "id" field in the request policy object; after successful creation, the "id" field is populated in the returned policy object.
If the policy name is already used by an existing policy, HTTP status "409 Conflict" will be returned.
Request
{
policy object
}
Response
{
policy object
}
POST [restBaseUrl]/deletePolicyByName
There is no response body for this query. If the policy is deleted, HTTP status "200 OK" will be returned. If the policy does not exist, HTTP status "204 No content" will be returned.
Request
{
"name": string (required)
}
Response
(empty)
Endpoint APIs
The Endpoint APIs provide the ability to assign policies to endpoints.
The terms "apply/clear" are used rather than "create/delete" because these calls do more: they look up the endpoint's session and trigger a RADIUS Disconnect (RFC 5176) if the session is active.
Since a RADIUS Disconnect involves remote calls and retries, the activity may take a while, so the "apply/clear" endpoint calls are asynchronous.
When triggered, they return a status object with an operation ID and a status.
To follow the operation, either subscribe to statusTopic for status updates, or periodically query the operation with getOperationStatus.
An operation always finishes with status SUCCESS or FAILURE. If it takes too long, it times out and the status is set to FAILURE.
getOperationStatus can query operations for up to an hour. Older operation statuses are purged from the system, after which getOperationStatus returns "204 No content" for them.
POST [restBaseUrl]/getEndpoints
This is used to get the endpoints that have a policy applied.
An empty JSON object must be sent as the request.
If no endpoint policy is found, "endpoints" will be an empty array.
Request
{
}
Response
{
"endpoints": [
array of endpoint object
]
}
POST [restBaseUrl]/getEndpointPolicies (since ISE 2.6p7, 2.7p2, 3.0)
This is used to get the endpoints that have a policy applied, keyed by both MAC address and NAS IP address.
An empty JSON object must be sent as the request.
If no endpoint policy is found, "endpoints" will be an empty array.
Request
{
}
Response
{
"endpoints": [
array of endpoint object
]
}
POST [restBaseUrl]/getEndpointByMacAddress
If the endpoint does not exist, HTTP status "204 No content" will be returned.
Request
{
"macAddress": string (required)
}
Response
{
endpoint object
}
POST [restBaseUrl]/getEndpointByNasIpAddress (since ISE 2.6p7, 2.7p2, 3.0)
Get the endpoint by MAC address and NAS IP address. If the endpoint does not exist, HTTP status "204 No content" will be returned.
Request
{
"macAddress": string (required),
"nasIpAddress": string (required)
}
Response
{
endpoint object
}
POST [restBaseUrl]/applyEndpointByIpAddress
Apply a policy to the endpoint using its IP address. If the endpoint already has a policy applied, the return status will be FAILURE with reason "mac address is already associated with this policy". If no endpoint is found for the IP address, the return status will be FAILURE with reason "Session lookup failure".
Request
{
"policyName": string (required),
"ipAddress": string (required)
}
Response
{
status object
}
POST [restBaseUrl]/applyEndpointByMacAddress
Apply a policy to the endpoint using its MAC address. If the endpoint already has a policy applied, the return status will be FAILURE with reason "mac address is already associated with this policy".
Request
{
"policyName": string (required),
"macAddress": string (required)
}
Response
{
status object
}
POST [restBaseUrl]/clearEndpointByMacAddress
Clear the policy from the endpoint using its MAC address. If the endpoint does not have a policy applied, the return status will be FAILURE with reason "mac address is not associated with a policy".
Request
{
"macAddress": string (required)
}
Response
{
status object
}
POST [restBaseUrl]/applyEndpointPolicy (since ISE 2.6p7, 2.7p2, 3.0)
Apply a policy to the endpoint using MAC address, NAS IP address and, optionally, the other session parameters below. Note that the policy name is passed in the "policy" field here, not "policyName" as in the older apply calls. As with applyEndpointByMacAddress, if the endpoint already has a policy applied, the return status will be FAILURE with reason "mac address is already associated with this policy".
Request
{
"policy": string (required),
"macAddress": string (required),
"nasIpAddress": string (required),
"sessionId": string (optional),
"nasPortId": string (optional),
"ipAddress": string (optional),
"userName": string (optional)
}
Response
{
status object
}
POST [restBaseUrl]/clearEndpointPolicy (since ISE 2.6p7, 2.7p2, 3.0)
Clear the policy from the endpoint using MAC address and NAS IP address. If the endpoint does not have a policy applied, the return status will be FAILURE with reason "mac address is not associated with a policy".
Request
{
"macAddress": string (required),
"nasIpAddress": string (required)
}
Response
{
status object
}
POST [restBaseUrl]/getOperationStatus
If the operation does not exist (or its status has already been purged), HTTP status "204 No content" will be returned.
Request
{
"operationId": string (required)
}
Response
{
status object
}
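The workflow described above, across the Policy APIs and the Endpoint APIs: create a policy, apply it to a MAC address, then follow the asynchronous operation with getOperationStatus. The following is an added example, not code from the pxgrid-rest-ws wiki or from Cisco; the class and function names (AncClient, wait_for_operation, canned_transport, run_demo) are invented for it. It assumes what this page does not state, namely that the REST calls carry HTTP Basic credentials (the pxGrid client node name with its account password, or a TLS client certificate) and that ISE is verified against its own CA bundle, as the repository's samples do. The HTTP transport is injectable, so the demo runs offline against canned replies constructed from the samples at the bottom of this page.

```python
import json
import time
from typing import Callable, Optional, Tuple

Transport = Callable[[str, dict], Tuple[int, str]]  # (url, json body) -> (HTTP status, text)


class AncError(Exception):
    """Unexpected HTTP status, 409 on createPolicy, or an unknown/purged operation."""


class AncClient:
    def __init__(self, rest_base_url: str, transport: Transport):
        self.base = rest_base_url.rstrip("/")
        self.transport = transport

    def _post(self, api: str, body: dict) -> Tuple[int, Optional[dict]]:
        """POST to [restBaseUrl]/<api>: 200 -> parsed body, 204/409 (empty body) -> None."""
        status, text = self.transport(f"{self.base}/{api}", body)
        if status == 200:
            return 200, json.loads(text) if text else {}
        if status in (204, 409):
            return status, None
        raise AncError(f"{api}: HTTP {status}: {text[:200]}")

    def get_policy_by_name(self, name: str) -> Optional[dict]:
        return self._post("getPolicyByName", {"name": name})[1]  # None when 204

    def create_policy(self, name: str, actions: list) -> dict:
        status, policy = self._post("createPolicy", {"name": name, "actions": actions})
        if status == 409:
            raise AncError(f"policy name {name!r} already in use (409 Conflict)")
        return policy  # ISE has filled in "id"

    def apply_endpoint_by_mac(self, policy_name: str, mac: str) -> dict:
        return self._post("applyEndpointByMacAddress", {"policyName": policy_name, "macAddress": mac})[1]

    def wait_for_operation(self, operation_id: str, timeout_s: float = 300,
                           interval_s: float = 2.0, sleep=time.sleep) -> dict:
        """Poll getOperationStatus until SUCCESS or FAILURE. 204 means unknown or already
        purged (statuses live about an hour): an error, not 'still running'."""
        deadline = time.monotonic() + timeout_s
        while True:
            status, op = self._post("getOperationStatus", {"operationId": operation_id})
            if status == 204:
                raise AncError(f"operation {operation_id} not found (never existed or purged)")
            if op["status"] != "RUNNING":
                return op  # SUCCESS, or FAILURE with failureReason
            if time.monotonic() >= deadline:
                raise TimeoutError(f"operation {operation_id} still RUNNING after {timeout_s}s")
            sleep(interval_s)


def requests_transport(nodename: str, password: str, ca_bundle: str,
                       client_cert: Optional[Tuple[str, str]] = None) -> Transport:
    """Live transport. Assumed, not on this page: HTTP Basic with the pxGrid node name and
    account password, or a (cert, key) client certificate; verify ISE against its CA bundle."""
    import requests  # imported here so the offline demo does not need it installed
    def send(url: str, body: dict) -> Tuple[int, str]:
        r = requests.post(url, json=body, auth=(nodename, password), verify=ca_bundle,
                          cert=client_cert, headers={"Accept": "application/json"}, timeout=30)
        return r.status_code, r.text
    return send


def canned_transport() -> Transport:
    """Offline stand-in for ISE, scripted from the samples on this page (constructed data)."""
    op = "pxgrid-001.cisco.com:2"
    replies = {
        "getPolicyByName": [(204, "")],  # p2 does not exist yet
        "createPolicy": [(200, json.dumps({"id": "5caf94c4-1bf9-493c-8505-89cd0e36fbda",
                                           "name": "p2", "actions": ["QUARANTINE"]})),
                         (409, "")],  # second create: name already in use
        "applyEndpointByMacAddress": [(200, json.dumps(
            {"operationId": op, "macAddress": "33:33:33:33:33:33", "status": "RUNNING"}))],
        "getOperationStatus": [(200, json.dumps({"operationId": op, "status": "RUNNING"})),
                               (200, json.dumps({"operationId": op, "status": "SUCCESS"})),
                               (204, "")],  # later: purged after an hour
    }
    def send(url: str, body: dict) -> Tuple[int, str]:
        return replies[url.rsplit("/", 1)[1]].pop(0)
    return send


def run_demo() -> dict:
    """Create p2, hit the 409 on a duplicate, apply it to a MAC and wait for the result."""
    c = AncClient("https://ise-host1:8910/pxgrid/ise/config/anc", canned_transport())
    out = {"missing": c.get_policy_by_name("p2"), "created": c.create_policy("p2", ["QUARANTINE"])}
    try:
        c.create_policy("p2", ["QUARANTINE"])
        out["conflict"] = False
    except AncError:
        out["conflict"] = True
    started = c.apply_endpoint_by_mac("p2", "33:33:33:33:33:33")
    out["final"] = c.wait_for_operation(started["operationId"], sleep=lambda _: None)
    try:  # same operationId once purged: getOperationStatus answers 204
        c.wait_for_operation(started["operationId"], sleep=lambda _: None)
        out["purged"] = False
    except AncError:
        out["purged"] = True
    return out
```

Two points the page states but a naive client gets wrong: "204 No content" is a normal answer that carries no JSON, so check the status code before parsing the body; and an operation that has been purged after an hour also answers 204, which is not the same as RUNNING, so a poller must stop rather than keep waiting. The poller also keeps its own deadline, since a FAILURE after ISE's internal timeout is still a terminal state the caller has to handle. Against a live ISE, replace canned_transport() with requests_transport(...) built from the pxGrid account; subscribing to statusTopic over the STOMP WebSocket (wsPubsubService) is the alternative to polling.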
WS STOMP messaging
statusTopic
{
status object
}
Objects
"operation" type
"operation" type is one of the following strings:
- CREATE
- UPDATE
- DELETE
"policy" object
Name | Type | Description | ISE version |
---|---|---|---|
id | string | Identifier assigned by ISE on creation; omit it in createPolicy requests | 2.4 |
name | string | Policy name, unique across policies | 2.4 |
actions | array of action type | Actions taken when the policy is applied to an endpoint | 2.4 |
"endpoint" object
Name | Type | Description | ISE version |
---|---|---|---|
id | string | Identifier assigned by ISE | 2.4 |
policyName | string | Name of the policy applied to the endpoint | 2.4 |
macAddress | string | MAC address of the endpoint | 2.4 |
"action" type
"action" type can be one of the following strings:
- QUARANTINE (Disconnect the target client, after which it may reconnect.)
- SHUT_DOWN (For wired devices, shut down the port of the device, preventing reconnection.)
- PORT_BOUNCE (For wired devices, bounce the switch port: shut it down and bring it back up.)
- RE_AUTHENTICATE (Force the target client to re-authenticate. Since ISE 2.6p7, 2.7p2, 3.0.)
"status" object
Name | Type | Description | ISE version |
---|---|---|---|
operationId | string | Identifier of the asynchronous operation, used with getOperationStatus | 2.4 |
macAddress | string | MAC address where operation is performed | 2.4 |
nasIpAddress | string | NAS IP address where operation is performed | 2.6p7, 2.7p2, 3.0 |
status | string | RUNNING, SUCCESS or FAILURE | 2.4 |
failureReason | string | The reason if it fails | 2.4 |
Samples
"policy" object
{
"id":"5caf94c4-1bf9-493c-8505-89cd0e36fbda",
"name":"p2",
"actions":["QUARANTINE"]
}
"status" object
{
"operationId":"pxgrid-001.cisco.com:2",
"status":"SUCCESS"
}
endpoints array
{
"endpoints": [{
"id": "0d1f7169-108a-44da-b407-5db1da722f6a",
"policyName": "p2",
"macAddress": "33:33:33:33:33:33"
}, {
"id": "2c46003d-a22f-4fee-8975-d93945a6552a",
"policyName": "p1",
"macAddress": "00:11:22:33:44:55"
}]
}