ISE monitor mode config MOP maker

Started by dlots, March 30, 2017, 12:03:22 PM


dlots

Just made a program: point it at a switch and it will build the config needed to deploy ISE/802.1X to it correctly (the global config and all ports that aren't trunk ports or routed interfaces), then build the MOP for you.

If I can ever get my Ansible server, I think I'll see if I can have it build a playbook to deploy ISE and do all the CDP/ping tests also.

deanwebb

Question: how flexible is the config? Because I use ForeScout CounterACT, but NAC means touching every switch, regardless of vendor.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

dlots

I have never used those, but I would think it could be made to work with a little effort.

The config can be made fairly flexible with a little work.

It currently does a show run | s interface

then splits each interface into a string by looking for the word "interface", something like:

list_of_interfaces = ["interface GigabitEthernet1/1\n description Local LAN Access\n switchport\n switchport access vlan 600\n switchport mode access\n switchport voice vlan 700",
                      "interface GigabitEthernet1/2\n description Local LAN Access\n switchport\n switchport access vlan 600\n switchport mode access\n switchport voice vlan 700"]


Then it just finds the data VLAN and voice VLAN (it doesn't do well with multiple VLANs currently; you would have to figure out how to find the data/voice VLANs yourself, but it shouldn't be too hard), and checks to see if the port has "switchport mode access" in it. If it does, the interface is added to the list "nac_this".

Then there is just another Python file with some variables:
global_config
per_port_part1
per_port_part2

I chose to break up the per-port config because we use "authentication event server dead action reinitialize vlan " and it was easier to just stick that data VLAN in than figure out how to do a find/replace... which I had to figure out how to do later for the hostname anyway. If you care, that's:

# The following is a placeholder for the actual hostname: ###host_name###
def put_in_hostname(string, hostname):
    print(hostname)
    return string.replace("###host_name###", hostname)

Anyway, the program spits out the global config, then figures out the range command (this could very easily be made optional).

The only thing I think would be too difficult is figuring out the range command.

For the other stuff you just use these 2 functions to output the commands, then the 2nd part of the program pulls that txt file in and adds it to a text doc.


def to_doc(file_name, text):
    # Append one chunk of config text to the MOP file
    with open(file_name, 'a') as f:
        f.write(text)


def make_mop(hostname, ip, voice_vlan, data_vlan, final_int_range):
    # global_config, add_data_helper, add_voice_helper, snooping_setup and
    # final_per_port are the config snippets from the separate variables file
    name = ip + " mop info.txt"
    to_doc(name, hostname)
    to_doc(name, global_config)
    to_doc(name, add_data_helper)
    to_doc(name, add_voice_helper)
    to_doc(name, snooping_setup)
    for each in final_int_range:
        # each range command is followed by the per-port config
        to_doc(name, each)
        to_doc(name, final_per_port)
    to_doc(name, 'end \n')
    to_doc(name, 'wr \n')

If you want a copy, just holler. I need more failure tolerance before it goes to GitHub, I think.
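The parse-and-range logic described in the post above, written out as an added example (my code, not the GoreNetwork tool's): it splits a constructed "show run | s interface" sample into interface stanzas, keeps only ports with "switchport mode access" (trunks, SVIs and routed ports are skipped), pulls out the access and voice VLANs, collapses the candidate ports into "interface range" commands, and fills a ###data_vlan### placeholder in the same style as the ###host_name### trick. It goes beyond the post by grouping ports by (data VLAN, voice VLAN) pair, so a switch with several access VLANs gets one range per pair. The sample config, the GLOBAL_TEMPLATE / PER_PORT_TEMPLATE snippets and the five-members-per-range limit are assumptions, not taken from the post or the repo.

```python
import re
from collections import defaultdict

# Constructed "show run | s interface" sample (not captured from a real switch).
SAMPLE_RUN = """\
interface GigabitEthernet1/1
 switchport access vlan 600
 switchport mode access
 switchport voice vlan 700
interface GigabitEthernet1/2
 switchport access vlan 600
 switchport mode access
 switchport voice vlan 700
interface GigabitEthernet1/3
 description Uplink, must not get NAC config
 switchport mode trunk
interface GigabitEthernet1/5
 switchport access vlan 610
 switchport mode access
interface GigabitEthernet1/6
 switchport access vlan 610
 switchport mode access
interface GigabitEthernet2/1
 switchport access vlan 600
 switchport mode access
 switchport voice vlan 700
interface Vlan600
 ip address 10.6.0.1 255.255.255.0
"""
# Stand-in templates (assumed, not the post's variables file); ###name### follows ###host_name###.
GLOBAL_TEMPLATE = """\
! ###host_name### : ISE monitor mode global config
dot1x system-auth-control
"""
PER_PORT_TEMPLATE = """\
 authentication event server dead action reinitialize vlan ###data_vlan###
 authentication open
 authentication port-control auto
"""

def split_interfaces(show_run):
    """One string per interface stanza: split on 'interface ' at line start."""
    return [b for b in re.split(r"^(?=interface )", show_run, flags=re.M) if b.strip()]

def parse_interface(block):
    """(name, data_vlan, voice_vlan) for a switchport-mode-access port, else None."""
    lines = block.splitlines()
    name, body = lines[0].split(None, 1)[1], "\n".join(lines[1:])
    if (not re.search(r"^\s*switchport mode access\s*$", body, re.M)        # trunk or SVI
            or re.search(r"^\s*(no switchport|ip address)\b", body, re.M)):  # routed port
        return None
    data = re.search(r"^\s*switchport access vlan (\d+)", body, re.M)
    voice = re.search(r"^\s*switchport voice vlan (\d+)", body, re.M)
    return name, int(data.group(1)) if data else 1, int(voice.group(1)) if voice else None

def nac_candidates(show_run):
    """Group candidate ports by (data_vlan, voice_vlan): one range per VLAN pair."""
    groups = defaultdict(list)
    for parsed in map(parse_interface, split_interfaces(show_run)):
        if parsed is not None:
            groups[parsed[1:]].append(parsed[0])
    return dict(groups)

def port_ranges(names):
    """Collapse names into 'Gi1/1 - 3' style members; a run never crosses a slot/module."""
    by_prefix = defaultdict(list)
    for name in names:
        prefix, num = re.match(r"(.*?)(\d+)$", name).groups()
        by_prefix[prefix].append(int(num))
    members = []
    for prefix, nums in by_prefix.items():
        nums = sorted(set(nums))
        start = prev = nums[0]
        for n in nums[1:] + [None]:          # None flushes the final run
            if n is not None and n == prev + 1:
                prev = n
                continue
            members.append(f"{prefix}{start}" if start == prev else f"{prefix}{start} - {prev}")
            start = prev = n
    return members

def range_commands(names, max_members=5):
    """IOS caps members per 'interface range' command; 5 is the usual limit (assumption)."""
    members = port_ranges(names)
    return ["interface range " + " , ".join(members[i:i + max_members])
            for i in range(0, len(members), max_members)]

def fill(template, **values):
    """Replace ###key### placeholders, same idea as put_in_hostname in the post."""
    for key, value in values.items():
        template = template.replace(f"###{key}###", str(value))
    return template

def build_mop(hostname, show_run):
    """Global config, then each range command followed by the filled per-port block."""
    out = [fill(GLOBAL_TEMPLATE, host_name=hostname)]
    for (data_vlan, _voice), names in nac_candidates(show_run).items():
        for cmd in range_commands(names):
            out.append(cmd + "\n" + fill(PER_PORT_TEMPLATE, data_vlan=data_vlan))
    return "".join(out) + "end\n"
```

Calling build_mop("sw-access-01", SAMPLE_RUN) yields the filled global template, one "interface range" for the 600/700 ports (GigabitEthernet1/1 - 2 and GigabitEthernet2/1 stay separate members because a run never crosses a slot) and one for the 610 ports, each followed by the per-port block with its own data VLAN; the trunk and the SVI never appear. The slot boundary and the member cap matter in practice: a range that silently spans modules, or exceeds what the platform accepts, is rejected by IOS and leaves the MOP half applied.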

Ctrl Z

Very interesting. I'd like a copy if you don't mind. I already have some ideas to customize it.

dlots

https://github.com/GoreNetwork/Build-ISE-install-and-mop

It's super beta, and work isn't very interested in it, so I have no idea when/if it will get updates, but I'm sure it has some code you can steal.

If you have questions just holler and I'll be glad to help out.