# Ansible Collection - cisco.ise
## Ansible Modules for Cisco ISE
The ise-ansible project provides an Ansible collection for managing and automating your Cisco Identity Services Engine (ISE) environment. It consists of a set of modules and roles for performing tasks related to Cisco ISE.
This collection has been validated with Cisco ISE 3.1 + Patch 1.
These Ansible modules will work with any version of ISE that supports the underlying REST API resources you want to configure. Please see the [ISE API Versioning](https://developer.cisco.com/docs/identity-services-engine/v1/#!versioning) reference for which REST Resources were first supported in which Cisco ISE Version.
*Note: This collection is not compatible with versions of Ansible before v2.9.*
Other versions of this collection have support for previous Cisco ISE versions. The recommended versions are listed on the [Compatibility matrix](https://github.com/CiscoISE/ansible-ise#compatibility-matrix).
## Requirements
- Ansible >= 2.9
- [Cisco ISE SDK](https://github.com/CiscoISE/ciscoisesdk) v1.4.0 or newer
- Python >= 3.6, as the Cisco ISE SDK doesn't support Python version 2.x
- requests >= 2.25.1, for the personas modules and personas_deployment role.
## Install
Ansible must be installed ([Install guide](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html))
```
sudo pip install ansible
```
Cisco ISE SDK must be installed
```
sudo pip install ciscoisesdk
```
Install the collection ([Galaxy link](https://galaxy.ansible.com/cisco/ise))
```
ansible-galaxy collection install cisco.ise
```
## ISE Setup
This collection assumes that the API Gateway, the ERS APIs and OpenAPIs are enabled.
### Using the collection on previous Cisco ISE versions
As stated before, the collection has been tested and supports Cisco ISE 3.2_beta.
It may work with Cisco ISE version 3.0, but it is not officially supported.
The recommended versions are listed below on the [Compatibility matrix](https://github.com/CiscoISE/ansible-ise#compatibility-matrix).
## Compatibility matrix
The following table shows the supported versions.
| Cisco ISE version | Ansible "cisco.ise" version | Python "ciscoisesdk" version |
|-------------------|------------------------------|------------------------------|
| 3.1.0 | 2.0.0 | 1.2.0 |
| 3.1_Patch_1 | 2.5.16 | 2.0.10 |
| 3.2_beta | 2.8.0 | 2.1.1 |
If your Ansible collection is older please consider updating it first.
*Notes*:
1. The "Python 'ciscoisesdk' version" column has the minimum recommended version used when testing the Ansible collection. This means you could use later versions of the Python "ciscoisesdk" than those listed.
2. The "Cisco ISE version" column has the value of the `ise_version` you should use for the Ansible collection.
## Installing according to Compatibility Matrix
For example, for Cisco ISE 3.1.0, it is recommended to use Ansible "cisco.ise" v2.0.0 and Python "ciscoisesdk" v1.2.0.
To get the Python Cisco ISE SDK v1.2.0 in a fresh development environment:
```
sudo pip install ciscoisesdk==1.2.0
```
To get the Ansible collection v2.0.0 in a fresh development environment:
```
ansible-galaxy collection install cisco.ise:2.0.0
```
## Using this collection
There are three ways to use it:
- [Using environment variables](#using-environment-variables)
- [Using vars_files](#using-vars_files)
- [Using group_vars directory](#using-group_vars-directory)
### Using environment variables
First, export the environment variables where you specify your Cisco ISE credentials as ansible variables:
```
export ISE_HOSTNAME=<A.B.C.D>
export ISE_USERNAME=<username>
export ISE_PASSWORD=<password>
export ISE_VERIFY=False # optional, defaults to True; False disables TLS certificate verification
export ISE_VERSION=3.2_beta # optional, defaults to 3.2_beta
export ISE_WAIT_ON_RATE_LIMIT=True # optional, defaults to True
export ISE_USES_API_GATEWAY=True # optional, defaults to True
export ISE_DEBUG=False # optional, defaults to False
export ISE_SINGLE_REQUEST_TIMEOUT=60 # optional, defaults to 60
```
Create a `hosts` ([example](https://github.com/CiscoISE/ansible-ise/blob/main/playbooks/hosts)) file that uses `[ise_servers]` with your Cisco ISE Settings:
```
[ise_servers]
ise_server
```
Then, create a playbook `myplaybook.yml` ([example](https://github.com/CiscoISE/ansible-ise/blob/main/playbooks/network_device.yml)) specifying the full namespace path to the module, plugin and/or role:
```
- hosts: ise_servers
  gather_facts: no
  tasks:
    - name: Get network device by id
      cisco.ise.network_device_info:
        id: "0667bc80-78a9-11eb-b987-005056aba98b"
```
Execute the playbook:
```
ansible-playbook -i hosts myplaybook.yml
```
### Using vars_files
First, define a `credentials.yml` ([example](https://github.com/CiscoISE/ansible-ise/blob/main/playbooks/credentials.template)) file where you specify your Cisco ISE credentials as ansible variables:
```
---
ise_hostname: <A.B.C.D>
ise_username: <username>
ise_password: <password>
ise_verify: False # optional, defaults to True; False disables TLS certificate verification
ise_version: 3.2_beta # optional, defaults to 3.2_beta
ise_wait_on_rate_limit: True # optional, defaults to True
ise_debug: False # optional, defaults to False
ise_uses_api_gateway: True # optional, defaults to True
ise_uses_csrf_token: False # optional, defaults to False
ise_single_request_timeout: 60 # optional, defaults to 60
```
Create a `hosts` ([example](https://github.com/CiscoISE/ansible-ise/blob/main/playbooks/hosts)) file that uses `[ise_servers]` with your Cisco ISE Settings:
```
[ise_servers]
ise_server
```
Then, create a playbook `myplaybook.yml` referencing the variables in your credentials.yml file and specifying the full namespace path to the module, plugin and/or role:
```
- hosts: ise_servers
  vars_files:
    - credentials.yml
  gather_facts: no
  tasks:
    - name: Get network device by id
      cisco.ise.network_device_info:
        ise_hostname: "{{ise_hostname}}"
        ise_username: "{{ise_username}}"
        ise_password: "{{ise_password}}"
        ise_verify: "{{ise_verify}}"
        ise_debug: "{{ise_debug}}"
        ise_uses_api_gateway: "{{ise_uses_api_gateway}}"
        ise_uses_csrf_token: "{{ise_uses_csrf_token}}"
        id: "0667bc80-78a9-11eb-b987-005056aba98b"
```
Execute the playbook:
```
ansible-playbook -i hosts myplaybook.yml
```
In the `playbooks` [directory](https://github.com/CiscoISE/ansible-ise/tree/main/playbooks) you can find more examples and use cases.
**Note**: The examples found in the `playbooks` directory use the `group_vars` variables. Remember to make the appropriate changes when running the examples.
### Using group_vars directory
First, define a `group_vars/ise_servers` ([example](https://github.com/CiscoISE/ansible-ise/blob/main/playbooks/group_vars/ise_servers)) file where you specify your Cisco ISE credentials as Ansible variables:
```
---
ise_hostname: <A.B.C.D>
ise_username: <username>
ise_password: <password>
ise_verify: False # optional, defaults to True; False disables TLS certificate verification
ise_version: 3.2_beta # optional, defaults to 3.2_beta
ise_wait_on_rate_limit: True # optional, defaults to True
ise_debug: False # optional, defaults to False
ise_uses_api_gateway: True # optional, defaults to True
ise_uses_csrf_token: False # optional, defaults to False
ise_single_request_timeout: 60 # optional, defaults to 60
```
Create a `hosts` ([example](https://github.com/CiscoISE/ansible-ise/blob/main/playbooks/hosts)) file that uses `[ise_servers]` with your Cisco ISE Settings:
```
[ise_servers]
ise_server
```
Then, create a playbook `myplaybook.yml` ([example](https://github.com/CiscoISE/ansible-ise/blob/main/playbooks/network_device.yml)) referencing the variables in your `group_vars/ise_servers` file and specifying the full namespace path to the module, plugin and/or role:
```
- hosts: ise_servers
  gather_facts: no
  tasks:
    - name: Get network device by id
      cisco.ise.network_device_info:
        ise_hostname: "{{ise_hostname}}"
        ise_username: "{{ise_username}}"
        ise_password: "{{ise_password}}"
        ise_verify: "{{ise_verify}}"
        ise_debug: "{{ise_debug}}"
        ise_uses_api_gateway: "{{ise_uses_api_gateway}}"
        ise_uses_csrf_token: "{{ise_uses_csrf_token}}"
        id: "0667bc80-78a9-11eb-b987-005056aba98b"
```
Execute the playbook:
```
ansible-playbook -i hosts myplaybook.yml
```
In the `playbooks` [directory](https://github.com/CiscoISE/ansible-ise/tree/main/playbooks) you can find more examples and use cases.
**Note**: The examples found in the `playbooks` directory use the `group_vars` variables. Consider using `ansible-vault` to encrypt the file that has the `ise_username` and `ise_password`.
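The note above recommends `ansible-vault` for the file that holds `ise_username` and `ise_password`. As an added example (not part of the collection), the shell function below checks a vars file such as `credentials.yml` or `group_vars/ise_servers` before it is committed: it reports a clear-text `ise_password` and an `ise_verify` value that turns off TLS certificate verification. The names `audit_ise_vars` and `ise_var` and the sample values are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of cisco.ise: audit a vars file before committing it.

# Print the scalar value of KEY in FILE, without trailing comment or quotes.
ise_var() {
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 |
    sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
        -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print one line per finding; return 0 only when there are none.
audit_ise_vars() {
  local file=$1 findings=0 value
  # A file encrypted as a whole by ansible-vault starts with this header.
  if head -n 1 "$file" | grep -q '^\$ANSIBLE_VAULT;'; then
    echo "OK: $file is vault-encrypted"
    return 0
  fi
  value=$(ise_var "$file" ise_password)
  case $value in
    '' | '!vault'* | '{{'*) ;;  # unset, inline vault value, or variable reference
    *) echo "FINDING: ise_password is stored in clear text"
       findings=$((findings + 1)) ;;
  esac
  value=$(ise_var "$file" ise_verify | tr '[:upper:]' '[:lower:]')
  case $value in
    false | no | off | 0)
      echo "FINDING: ise_verify=$value turns off TLS certificate verification"
      findings=$((findings + 1)) ;;
  esac
  [ "$findings" -eq 0 ]
}

# Constructed sample mirroring the credentials.yml layout shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
---
ise_hostname: 192.0.2.10
ise_username: admin
ise_password: Example-Only-1
ise_verify: False # optional, defaults to True
EOF
audit_ise_vars "$sample" || echo "Fix the findings, then: ansible-vault encrypt <file>"
rm -f "$sample"
```

A file encrypted with `ansible-vault encrypt` passes the check, and the playbook is then run with `ansible-playbook -i hosts myplaybook.yml --ask-vault-pass`.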
## Update
Getting the latest/nightly collection build
Clone the ansible-ise repository.
```
git clone https://github.com/CiscoISE/ansible-ise.git
```
Go to the ansible-ise directory
```
cd ansible-ise
```
Pull the latest master from the repo
```
git pull origin master
```
Build and install a collection from source
```
ansible-galaxy collection build --force
ansible-galaxy collection install cisco-ise-* --force
```
### See Also:
* [Ansible Using collections](https://docs.ansible.com/ansible/latest/user_guide/collections_using.html) for more details.
## Attention macOS users
If you're using macOS you may receive this error when running your playbook:
```
objc[34120]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called.
objc[34120]: +[__NSCFConstantString initialize] may have been in progress in another thread when fork() was called. We cannot safely call it or ignore it in the fork() child process. Crashing instead. Set a breakpoint on objc_initializeAfterForkError to debug.
ERROR! A worker was found in a dead state
```
If that's the case try setting these environment variables:
```
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
export no_proxy=*
```
## Contributing to this collection
Ongoing development efforts and contributions to this collection are tracked as issues in this repository.
We welcome community contributions to this collection. If you find problems, need an enhancement or need a new module, please open an issue or create a PR against the [Cisco ISE Ansible collection repository](https://github.com/CiscoISE/ansible-ise/issues).
## Code of Conduct
This collection follows the Ansible project's
[Code of Conduct](https://docs.ansible.com/ansible/devel/community/code_of_conduct.html).
Please read and familiarize yourself with this document.
## Releasing, Versioning and Deprecation
This collection follows [Semantic Versioning](https://semver.org/). More details on versioning can be found [in the Ansible docs](https://docs.ansible.com/ansible/latest/dev_guide/developing_collections.html#collection-versions).
New minor and major releases as well as deprecations will follow new releases and deprecations of the Cisco ISE product, its REST API and the corresponding Python SDK, which this project relies on.