cisco.dnac.ise_radius_integration_workflow_manager module – Resource module for Authentication and Policy Servers

Note

This module is part of the cisco.dnac collection (version 6.24.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.dnac. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cisco.dnac.ise_radius_integration_workflow_manager.

New in cisco.dnac 6.14.0

Synopsis

  • Manage operations on Authentication and Policy Servers.

  • API to create Authentication and Policy Server Access Configuration.

  • API to update Authentication and Policy Server Access Configuration.

  • API to delete Authentication and Policy Server Access Configuration.

Requirements

The below requirements are needed on the host that executes this module.

  • dnacentersdk >= 2.7.2

  • python >= 3.9

Parameters

Parameter

Comments

config

list / elements=dictionary / required

List of details of Authentication and Policy Servers being managed.

authentication_policy_server

list / elements=dictionary

Manages the Authentication and Policy Servers.

accounting_port

integer

Accounting port of RADIUS server.

Updation of accounting port is not possible.

Accounting port should be from 1 to 65535.

Default: 1813

authentication_port

integer

Authentication port of RADIUS server.

Updation of authentication port is not possible.

Authentication port should be from 1 to 65535.

Default: 1812

cisco_ise_dtos

list / elements=dictionary

List of Cisco ISE Data Transfer Objects (DTOs).

Required when server_type is set to ISE.

description

string

Description about the Cisco ISE server.

fqdn

string

Fully-qualified domain name of the Cisco ISE server.

Required for passing the cisco_ise_dtos.

ip_address

string

IP Address of the Cisco ISE Server.

Required for passing the cisco_ise_dtos.

password

string

Password of the Cisco ISE server.

Password must have 4 to 127 characters with no spaces or the following characters - “<”.

Required for passing the cisco_ise_dtos.

ssh_key

string

SSH key of the Cisco ISE server.

user_name

string

User name of the Cisco ISE server.

Required for passing the cisco_ise_dtos.

encryption_key

string

Encryption key used to encrypt shared secret.

Updation of encryption scheme is not possible.

Required when encryption_scheme is provided.

When ASCII format is selected, Encryption Key may contain alphanumeric and special characters. Key must be 16 char long.

encryption_scheme

string

Type of encryption scheme for additional security.

If encryption scheme is given, then message authenticator code and encryption keys need to be required.

Updation of encryption scheme is not possible.

KEYWRAP is used for securely wrapping and unwrapping encryption keys, ensuring their confidentiality during transmission or storage.

RADSEC is an extension of RADIUS that provides secure communication between RADIUS clients and servers over TLS/SSL. Enhances enhancing the confidentiality and integrity of authentication and accounting data exchange.

Choices:

  • "KEYWRAP"

  • "RADSEC"

external_cisco_ise_ip_addr_dtos

list / elements=dictionary

External Cisco ISE IP address data transfer objects for future use.

external_cisco_ise_ip_addresses

list / elements=dictionary

External Cisco ISE IP addresses.

external_ip_address

string

External Cisco ISE IP address.

ise_type

string

Type of the Authentication and Policy Server.

ise_integration_wait_time

integer

Indicates the sleep time after initiating the Cisco ISE integration process.

Maximum sleep time should be less or equal to 120 seconds.

Default: 20

message_authenticator_code_key

string

Message key used to encrypt shared secret.

Updation of message key is not possible.

Required when encryption_scheme is provided.

Message Authentication Code Key may contain alphanumeric and special characters. Key must be 20 char long.

protocol

string

Type of protocol for authentication and policy server.

RADIUS provides centralized services (AAA) for users in remote access scenarios.

TACACS focuses on access control and administrative authentication for network devices.

Choices:

  • "TACACS"

  • "RADIUS" ← (default)

  • "RADIUS_TACACS"

pxgrid_enabled

boolean

Set True to enable the Pxgrid and False to disable the Pxgrid.

Pxgrid is available only for the Cisco ISE Servers.

PxGrid facilitates seamless integration and information sharing across products, enhancing threat detection and response capabilities within the network ecosystem.

Choices:

  • false

  • true ← (default)

retries

integer

Number of communication retries between devices and authentication and policy server.

Retries should be from 1 to 3.

Default: 3

role

string

Role of authentication and policy server.

Updation of role is not possible

Default: "secondary"

server_ip_address

string / required

IP Address of the Authentication and Policy Server.

server_type

string

Type of the Authentication and Policy Server.

ISE for Cisco ISE servers.

AAA for Non-Cisco ISE servers.

Choices:

  • "AAA" ← (default)

  • "ISE"

shared_secret

string

Shared secret between devices and authentication and policy server.

Shared secret must have 4 to 100 characters with no spaces or the following characters - [”<”, “?”].

Shared secret is a Read-Only parameter.

timeout

integer

Number of seconds before timing out between devices and authentication and policy server.

Timeout should be from 2 to 20.

Default: 4

trusted_server

boolean

Indicates whether the certificate is trustworthy for the server.

Serves as a validation of its authenticity and reliability in secure connections.

Choices:

  • false

  • true ← (default)

use_dnac_cert_for_pxgrid

boolean

Set True to use the Cisco Catalyst Center certificate for the Pxgrid.

Choices:

  • false ← (default)

  • true

config_verify

boolean

Set to True to verify the Cisco Catalyst Center after applying the playbook config.

Choices:

  • false ← (default)

  • true

dnac_api_task_timeout

integer

Defines the timeout in seconds for API calls to retrieve task details. If the task details are not received within this period, the process will end, and a timeout notification will be logged.

Default: 1200

dnac_debug

boolean

Indicates whether debugging is enabled in the Cisco Catalyst Center SDK.

Choices:

  • false ← (default)

  • true

dnac_host

string / required

The hostname of the Cisco Catalyst Center.

dnac_log

boolean

Flag to enable/disable playbook execution logging.

When true and dnac_log_file_path is provided, - Create the log file at the execution location with the specified name.

When true and dnac_log_file_path is not provided, - Create the log file at the execution location with the name ‘dnac.log’.

When false, - Logging is disabled.

If the log file doesn’t exist, - It is created in append or write mode based on the “dnac_log_append” flag.

If the log file exists, - It is overwritten or appended based on the “dnac_log_append” flag.

Choices:

  • false ← (default)

  • true

dnac_log_append

boolean

Determines the mode of the file. Set to True for ‘append’ mode. Set to False for ‘write’ mode.

Choices:

  • false

  • true ← (default)

dnac_log_file_path

string

Governs logging. Logs are recorded if dnac_log is True.

If path is not specified, - When ‘dnac_log_append’ is True, ‘dnac.log’ is generated in the current Ansible directory; logs are appended. - When ‘dnac_log_append’ is False, ‘dnac.log’ is generated; logs are overwritten.

If path is specified, - When ‘dnac_log_append’ is True, the file opens in append mode. - When ‘dnac_log_append’ is False, the file opens in write (w) mode. - In shared file scenarios, without append mode, content is overwritten after each module execution. - For a shared log file, set append to False for the 1st module (to overwrite); for subsequent modules, set append to True.

Default: "dnac.log"

dnac_log_level

string

Sets the threshold for log level. Messages with a level equal to or higher than this will be logged. Levels are listed in order of severity [CRITICAL, ERROR, WARNING, INFO, DEBUG].

CRITICAL indicates serious errors halting the program. Displays only CRITICAL messages.

ERROR indicates problems preventing a function. Displays ERROR and CRITICAL messages.

WARNING indicates potential future issues. Displays WARNING, ERROR, CRITICAL messages.

INFO tracks normal operation. Displays INFO, WARNING, ERROR, CRITICAL messages.

DEBUG provides detailed diagnostic info. Displays all log messages.

Default: "WARNING"

dnac_password

string

The password for authentication at the Cisco Catalyst Center.

dnac_port

string

Specifies the port number associated with the Cisco Catalyst Center.

Default: "443"

dnac_task_poll_interval

integer

Specifies the interval in seconds between successive calls to the API to retrieve task details.

Default: 2

dnac_username

aliases: user

string

The username for authentication at the Cisco Catalyst Center.

Default: "admin"

dnac_verify

boolean

Flag to enable or disable SSL certificate verification.

Choices:

  • false

  • true ← (default)

dnac_version

string

Specifies the version of the Cisco Catalyst Center that the SDK should use.

Default: "2.2.3.3"

state

string

The state of Cisco Catalyst Center after module completion.

Choices:

  • "merged" ← (default)

  • "deleted"

validate_response_schema

boolean

Flag for Cisco Catalyst Center SDK to enable the validation of request bodies against a JSON schema.

Choices:

  • false

  • true ← (default)

Notes

Note

  • SDK Method used are system_settings.SystemSettings.add_authentication_and_policy_server_access_configuration, system_settings.SystemSettings.edit_authentication_and_policy_server_access_configuration, system_settings.SystemSettings.accept_cisco_ise_server_certificate_for_cisco_ise_server_integration, system_settings.SystemSettings.delete_authentication_and_policy_server_access_configuration, system_settings.SystemSettings.get_authentication_and_policy_servers, system_settings.SystemSettings.cisco_ise_server_integration_status,

  • Paths used are post /dna/intent/api/v1/authentication-policy-servers, put /dna/intent/api/v1/authentication-policy-servers/${id}, put /dna/intent/api/v1/integrate-ise/${id}, delete /dna/intent/api/v1/authentication-policy-servers/${id} get /dna/intent/api/v1/authentication-policy-servers get /dna/intent/api/v1/ise-integration-status

  • Does not support check_mode

  • The plugin runs on the control node and does not use any ansible connection plugins instead embedded connection manager from Cisco Catalyst Center SDK

  • The parameters starting with dnac_ are used by the Cisco Catalyst Center Python SDK to establish the connection

Examples

- name: Create an AAA server.
  cisco.dnac.ise_radius_integration_workflow_manager:
    dnac_host: "{{dnac_host}}"
    dnac_username: "{{dnac_username}}"
    dnac_password: "{{dnac_password}}"
    dnac_verify: "{{dnac_verify}}"
    dnac_port: "{{dnac_port}}"
    dnac_version: "{{dnac_version}}"
    dnac_debug: "{{dnac_debug}}"
    dnac_log: True
    dnac_log_level: "{{ dnac_log_level }}"
    state: merged
    config_verify: True
    config:
    - authentication_policy_server:
      - server_type: AAA
        server_ip_address: 10.0.0.1
        shared_secret: "12345"
        protocol: RADIUS_TACACS
        encryption_scheme: KEYWRAP
        encryption_key: "1234567890123456"
        message_authenticator_code_key: asdfghjklasdfghjklas
        authentication_port: 1812
        accounting_port: 1813
        retries: 3
        timeout: 4
        role: secondary

- name: Create an Cisco ISE server.
  cisco.dnac.ise_radius_integration_workflow_manager:
    dnac_host: "{{dnac_host}}"
    dnac_username: "{{dnac_username}}"
    dnac_password: "{{dnac_password}}"
    dnac_verify: "{{dnac_verify}}"
    dnac_port: "{{dnac_port}}"
    dnac_version: "{{dnac_version}}"
    dnac_debug: "{{dnac_debug}}"
    dnac_log: True
    dnac_log_level: "{{ dnac_log_level }}"
    state: merged
    config_verify: True
    config:
    - authentication_policy_server:
      - server_type: ISE
        server_ip_address: 10.0.0.2
        shared_secret: "12345"
        protocol: RADIUS_TACACS
        encryption_scheme: KEYWRAP
        encryption_key: "1234567890123456"
        message_authenticator_code_key: asdfghjklasdfghjklas
        authentication_port: 1812
        accounting_port: 1813
        retries: 3
        timeout: 4
        role: primary
        use_dnac_cert_for_pxgrid: False
        pxgrid_enabled: True
        cisco_ise_dtos:
        - user_name: Cisco ISE
          password: "12345"
          fqdn: abs.cisco.com
          ip_address: 10.0.0.2
          description: Cisco ISE
        trusted_server: True
        ise_integration_wait_time: 20

- name: Update an AAA server.
  cisco.dnac.ise_radius_integration_workflow_manager:
    dnac_host: "{{dnac_host}}"
    dnac_username: "{{dnac_username}}"
    dnac_password: "{{dnac_password}}"
    dnac_verify: "{{dnac_verify}}"
    dnac_port: "{{dnac_port}}"
    dnac_version: "{{dnac_version}}"
    dnac_debug: "{{dnac_debug}}"
    dnac_log: True
    dnac_log_level: "{{ dnac_log_level }}"
    state: merged
    config_verify: True
    config:
    - authentication_policy_server:
      - server_type: AAA
        server_ip_address: 10.0.0.1
        protocol: RADIUS_TACACS
        retries: 3
        timeout: 5

- name: Update an Cisco ISE server.
  cisco.dnac.ise_radius_integration_workflow_manager:
    dnac_host: "{{dnac_host}}"
    dnac_username: "{{dnac_username}}"
    dnac_password: "{{dnac_password}}"
    dnac_verify: "{{dnac_verify}}"
    dnac_port: "{{dnac_port}}"
    dnac_version: "{{dnac_version}}"
    dnac_debug: "{{dnac_debug}}"
    dnac_log: True
    dnac_log_level: "{{ dnac_log_level }}"
    state: merged
    config_verify: True
    config:
    - authentication_policy_server:
      - server_type: ISE
        server_ip_address: 10.0.0.2
        protocol: RADIUS_TACACS
        retries: 3
        timeout: 5
        use_dnac_cert_for_pxgrid: False
        pxgrid_enabled: True
        cisco_ise_dtos:
        - user_name: Cisco ISE
          password: "12345"
          fqdn: abs.cisco.com
          ip_address: 10.0.0.2
          description: Cisco ISE

- name: Delete an Authentication and Policy server.
  cisco.dnac.ise_radius_integration_workflow_manager:
    dnac_host: "{{dnac_host}}"
    dnac_username: "{{dnac_username}}"
    dnac_password: "{{dnac_password}}"
    dnac_verify: "{{dnac_verify}}"
    dnac_port: "{{dnac_port}}"
    dnac_version: "{{dnac_version}}"
    dnac_debug: "{{dnac_debug}}"
    dnac_log: True
    dnac_log_level: "{{ dnac_log_level }}"
    state: deleted
    config_verify: True
    config:
    - authentication_policy_server:
      - server_ip_address: 10.0.0.1

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

response_1

dictionary

A dictionary or list with the response returned by the Cisco Catalyst Center Python SDK

Returned: always

Sample: {"response": {"taskId": "string", "url": "string"}, "version": "string"}

response_2

dictionary

A dictionary or list with the response returned by the Cisco Catalyst Center Python SDK

Returned: always

Sample: {"response": {"taskId": "string", "url": "string"}, "version": "string"}

response_3

dictionary

A dictionary or list with the response returned by the Cisco Catalyst Center Python SDK

Returned: always

Sample: {"response": {"taskId": "string", "url": "string"}, "version": "string"}

Authors

  • Muthu Rakesh (@MUTHU-RAKESH-27) Madhan Sankaranarayanan (@madhansansel)