PXAPI Library
This library simplifies interaction with ISE pxGrid
Installation
# Install the module
pip install pxgrid-api
Usage
pxapi.py file has comments throughout describing all functions. All data is returned in the original form, converted to python dict
REST API
These are fairly straight forward. Review the comments in the code for reference.
#!/usr/bin/env python3
from pxapi import PXAPI
# Instatiate object. Root CA argument can be omitted to disable server certificate verification.
api=PXAPI('pxgridnode.example.com','client-name','client.cer','client.key','root.cer')
# Check account activation status. This will connect to pxGrid node and check if our account is in approved and enabled state
# With this default usage, the function will return immediately with either True or False on the state of the account
api.account_activate()
# Optionally, function can wait until the account is approved and retry every 60 seconds
api.account_activate(True)
# Some examples
# Retrive all sessions
print(api.get_sessions())
# Retrieve all Trustsec egress policies
print(api.trustsec_get_egress_policies())
# Retrive all NON-Compliant MDM endpoints
print(api.mdm_get_endpoints_by_type('NON-COMPLIANT'))
Password based authentication
This type of authentication avoids having to work with client side certificates and private keys.
In order to use password based authentication, it needs to be first enabled in ISE under Administration > pxGrid Services > Settings
The first step to use password authentication is to request a bootstrap account with a password generated by ISE.
# Instatiate API object with minimum information. Root CA argument can be omitted to disable server certificate verification.
api=PXAPI('pxgridnode.example.com','pwdclient1','','','root.cer')
# Next, create the account. The account will be created with the username specified as client name above.
# The password returned by ISE has to be stored on the client side.
# The account will show in Initialized state on ISE
# This API call can be executed multiple times with the same name to generate a new password until the account is activated below
account_info=api.account_create()
print(account_info)
{'nodeName': 'pwdclient1', 'password': 'doosV8AEKqL7URUE', 'userName': 'pwdclient1'}
password=accountInfo['password']
# We now need to initialize API again with the password this time
api=PXAPI('pxgridnode.example.com','pwdclient1','','','root.cer',password)
# To request this account to be approved, we need to execute accountActivate API call.
# Note that once this account is requested to be activated, you can no longer call accountCreate API above with the same client name
# Once the account is in Pending state, it has to be approved in ISE under Administration > pxGrid Services > Client Management
account_status=api.account_activate()
print(account_status)
{'accountState': 'PENDING', 'version': '2.0'}
# To confirm that the accounts is approved, we can call accountActivate again.
account_status=api.account_activate()
print(account_status)
{'accountState': 'ENABLED', 'version': '2.0'}
# From here on, you can start using the API using the stored password.
api=PXAPI('pxgridnode.example.com','pwdclient1','','','root.cer',password)
Subscribing to pxGrid topics
ISE uses web sockets as a mechanism for exchange real-time data with pxGrid clients When data is received from ISE, the api will convert it to StompFrame class and pass it a callback function
def on_message(stomp_frame):
print(f"Command: {stomp_frame.command}")
print(f"Headers: {json.dumps(stomp_frame.headers,indent=2)}")
try:
print(f"Data: {json.dumps(stomp_frame.data,indent=2)}")
except:
pass
api=PXAPI('pxgridnode.example.com','client-name','client.cer','client.key','root.cer')
api.topic_subscribe("com.cisco.ise.session","sessionTopic",on_message)