Ansible

ISE Policy Import Export Finally ..... But NOT through the GUI

Finally, ISE import/export is possible, but not in the way I originally imagined. As APIs and automation grow in viability and capability, we can execute more and more as code and automate the actions we seem to repeat on every deployment.

Consistency is Key

For years, as a subject matter expert and delivery engineer on solutions such as Cisco ISE, I followed a methodology. It was developed over time by learning how configurations worked best across many deployments and customer environments, and it created consistency: the solution behaved the way it was configured, the same way, every time. The challenge was that this consistency depended on me or another engineer following detailed design documentation that specified which boxes to check and which references to make in the software to produce the expected result. Across multiple deployments we would spend at least a couple of hours, and sometimes days, doing the same thing on the same solutions for different projects. That is a ripe opportunity for exporting a known-good configuration as a template and importing it into other deployments, saving days of work. We raised this request with the ISE business unit and eventually got ISE policy export, but the import button was not there.

Entering, stage left to change the game, Ansible


Ansible is an automation tool whose playbooks are written in easy-to-read YAML, which makes it well suited to building infrastructure as code. First released in 2012 and acquired by Red Hat in 2015, it has grown from automating server tasks into a full-fledged automation platform spanning many vendors and functions, and, at the heart of this article, it now automates policy on Cisco ISE.

Red Hat says it best:

No one likes repetitive tasks. With Ansible, IT admins can begin automating away the drudgery from their daily tasks. Automation frees admins up to focus on efforts that help deliver more value to the business by speeding time to application delivery, and building on a culture of success. Ultimately, Ansible gives teams the one thing they can never get enough of: time. Allowing smart people to focus on smart things.

Ansible for Cisco ISE

Based on the GitHub changelog, the beta release of the Ansible ISE collection appeared in mid-2021. With modules such as network_access_authentication_rules and network_access_policy_set, it is safe to say that the modules needed to eliminate those repetitive tasks in code are here. Looking deeper into the examples, we can see the ability to create dictionaries, objects, conditions, and more. These are the tasks that were almost always the same in every deployment. Note that I said "almost": names change from environment to environment, and because Ansible playbooks are plain, readable YAML, we can now make those changes as variables in code rather than through five UI clicks and a save. The example from GitHub below creates or updates a simple authorization rule in ISE.

- name: Create or update an network_access_authorization_rules
  cisco.ise.network_access_authorization_rules:
    # Connection details come from inventory/vault variables
    ise_hostname: "{{ ise_hostname }}"
    ise_username: "{{ ise_username }}"
    ise_password: "{{ ise_password }}"
    ise_verify: "{{ ise_verify }}"
    state: present
    rule:
      default: false
      name: Test2
      hitCounts: 0
      rank: 0
      state: disabled
      condition:
        conditionType: ConditionReference
        isNegate: false
        dictionaryName: Network Access
        attributeName: EapAuthentication
        operator: equals
        attributeValue: EAP-MSCHAPv2
        name: EAP-MSCHAPv2
        id: c456a490-0429-4fd4-91d7-efd1eb1f855a
    profile:
      - PermitAccess
    securityGroup: BYOD
    # The policy set this rule belongs to
    policyId: acd4b55d-dca3-4b93-a160-8a2d01669827
  register: result

With playbooks this easy to read and understand, the possibilities are endless and no longer require manual action. In turn, this frees you up to apply your expertise to the real solution rather than to repetitive tasks.
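The GitHub snippet creates one rule and hard-codes the policy set id, which is exactly the value that differs between deployments. The playbook below is an added example, not code from the original post or from the cisco.ise collection documentation. It shows the pattern the article is describing: the known-good configuration (a wired 802.1X policy set plus an EAP-TLS authorization rule) is the template, and only the vars block changes per customer. The policy set id is looked up by name rather than pasted in. The inventory host name, the variable names and values, the endpoint identity group, and the assumption that the info module returns the policy sets as a list under ise_response are all mine; check them against the collection docs for your version.

```yaml
# Added example (not from the original post or the cisco.ise collection docs).
# Assumed: an inventory host 'ise_pan', the variable names below, and that
# network_access_policy_set_info returns a list of policy sets in ise_response.
- name: Stamp the standard wired 802.1X policy into an ISE deployment
  hosts: ise_pan           # assumed inventory entry for the primary PAN
  connection: local        # cisco.ise modules talk to the ISE API over HTTPS
  gather_facts: false
  vars:
    # Environment-specific names; override per customer with -e @vars/customer.yml
    policy_set_name: Wired-Dot1x
    corp_rule_name: Corp-Laptop-EAP-TLS
    corp_endpoint_group: "Endpoint Identity Groups:Profiled:Workstation"  # assumed group
    corp_authz_profile: PermitAccess
    corp_sgt: Employees
  module_defaults:
    # Same API credentials for every cisco.ise task; keep ise_password in ansible-vault.
    cisco.ise.network_access_policy_set: &ise_auth
      ise_hostname: "{{ ise_hostname }}"
      ise_username: "{{ ise_username }}"
      ise_password: "{{ ise_password }}"
      ise_verify: true     # leave TLS verification on; install a trusted cert instead of disabling it
    cisco.ise.network_access_policy_set_info: *ise_auth
    cisco.ise.network_access_authorization_rules: *ise_auth
  tasks:
    - name: Ensure the policy set exists (inline ConditionAttributes condition)
      cisco.ise.network_access_policy_set:
        state: present
        name: "{{ policy_set_name }}"
        description: Managed by Ansible; edit the playbook, not the GUI
        default: false
        rank: 0
        hitCounts: 0
        serviceName: Default Network Access    # allowed-protocols service
        condition:
          conditionType: ConditionAttributes
          isNegate: false
          dictionaryName: Radius
          attributeName: NAS-Port-Type
          operator: equals
          attributeValue: Ethernet

    - name: Read back all policy sets to get the id the rule module needs
      cisco.ise.network_access_policy_set_info:
      register: policy_sets

    - name: Pick out our policy set id by name (the 'first' filter fails loudly if it is missing)
      ansible.builtin.set_fact:
        policy_set_id: >-
          {{ policy_sets.ise_response
             | selectattr('name', 'equalto', policy_set_name)
             | map(attribute='id') | first }}

    - name: Create or update the corporate laptop authorization rule
      cisco.ise.network_access_authorization_rules:
        state: present
        policyId: "{{ policy_set_id }}"
        rule:
          default: false
          name: "{{ corp_rule_name }}"
          rank: 0
          hitCounts: 0
          state: enabled
          condition:
            conditionType: ConditionAndBlock    # both children must match
            isNegate: false
            children:
              - conditionType: ConditionAttributes
                isNegate: false
                dictionaryName: Network Access
                attributeName: EapAuthentication
                operator: equals
                attributeValue: EAP-TLS
              - conditionType: ConditionAttributes
                isNegate: false
                dictionaryName: IdentityGroup
                attributeName: Name
                operator: equals
                attributeValue: "{{ corp_endpoint_group }}"
        profile:
          - "{{ corp_authz_profile }}"
        securityGroup: "{{ corp_sgt }}"
      register: authz_rule

    - name: Report whether anything changed (a second run should report false)
      ansible.builtin.debug:
        var: authz_rule.changed
```

Run it with something like `ansible-playbook -i inventory.ini ise_policy.yml -e @vars/customer.yml --ask-vault-pass`, with ise_hostname, ise_username and ise_password held in the vault-encrypted vars file. Two practitioner caveats: the ISE ERS and Open API services must be enabled on the PAN (Administration > System > Settings > API Settings) and the account used needs the API role, and never set ise_verify to false to get past a certificate error, since that turns every run into a credential-disclosing connection to whoever answers on that hostname. Running the playbook twice and confirming changed is false on the second pass is the quickest check that the template is idempotent.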

To check out all of the modules for Cisco ISE go to the Cisco.Ise collection here

Also to check out all the Cisco Ansible modules go here

ModernCyber’s Services

If you are looking for help with automation or deployment services using a proven methodology with consistent results let us know. We are actively working on multiple projects where infrastructure as code is used and an invaluable asset to getting success with your missions.

Schedule some time to speak with one of our cybersecurity experts.
