cisco.ise.device_administration_authentication_rules module – Resource module for Device Administration Authentication Rules

Note

This module is part of the cisco.ise collection (version 2.3.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.ise.

To use it in a playbook, specify: cisco.ise.device_administration_authentication_rules.

New in version 1.0.0: of cisco.ise

Synopsis

  • Manage operations create, update and delete of the resource Device Administration Authentication Rules.

  • Device Admin - Create authentication rule.

  • Device Admin - Delete rule.

Note

This module has a corresponding action plugin.

Requirements

The below requirements are needed on the host that executes this module.

  • ciscoisesdk >= 2.0.1

  • python >= 3.5

Parameters

Parameter

Comments

id

string

Id path parameter. Rule id.

identitySourceName

string

Identity source name from the identity stores.

ifAuthFail

string

Action to perform when authentication fails such as Bad credentials, disabled user and so on.

ifProcessFail

string

Action to perform when ISE is uanble to access the identity database.

ifUserNotFound

string

Action to perform when user is not found in any of identity stores.

ise_debug

boolean

Flag for Identity Services Engine SDK to enable debugging.

Choices:

  • no ← (default)

  • yes

ise_hostname

string / required

The Identity Services Engine hostname.

ise_password

string / required

The Identity Services Engine password to authenticate.

ise_username

string / required

The Identity Services Engine username to authenticate.

ise_uses_api_gateway

boolean

added in 1.1.0 of cisco.ise

Flag that informs the SDK whether to use the Identity Services Engine’s API Gateway to send requests.

If it is true, it uses the ISE’s API Gateway and sends requests to https://{{ise_hostname}}.

If it is false, it sends the requests to https://{{ise_hostname}}:{{port}}, where the port value depends on the Service used (ERS, Mnt, UI, PxGrid).

Choices:

  • no

  • yes ← (default)

ise_uses_csrf_token

boolean

added in 3.0.0 of cisco.ise

Flag that informs the SDK whether we send the CSRF token to ISE’s ERS APIs.

If it is True, the SDK assumes that your ISE CSRF Check is enabled.

If it is True, it assumes you need the SDK to manage the CSRF token automatically for you.

Choices:

  • no ← (default)

  • yes

ise_verify

boolean

Flag to enable or disable SSL certificate verification.

Choices:

  • no

  • yes ← (default)

ise_version

string

Informs the SDK which version of Identity Services Engine to use.

Default: “3.1.1”

ise_wait_on_rate_limit

boolean

Flag for Identity Services Engine SDK to enable automatic rate-limit handling.

Choices:

  • no

  • yes ← (default)

dictionary

Device Administration Authentication Rules’s link.

string

Device Administration Authentication Rules’s href.

string

Device Administration Authentication Rules’s rel.

string

Device Administration Authentication Rules’s type.

policyId

string

PolicyId path parameter. Policy id.

rule

dictionary

Common attributes in rule authentication/authorization.

condition

dictionary

Device Administration Authentication Rules’s condition.

attributeName

string

Dictionary attribute name.

attributeValue

string

<ul><li>Attribute value for condition</li> <li>Value type is specified in dictionary object</li> <li>if multiple values allowed is specified in dictionary object</li></ul>.

children

list / elements=dictionary

In case type is andBlock or orBlock addtional conditions will be aggregated under this logical (OR/AND) condition.

conditionType

string

<ul><li>Inidicates whether the record is the condition itself(data) or a logical(or,and) aggregation</li> <li>Data type enum(reference,single) indicates than “conditonId” OR “ConditionAttrs” fields should contain condition data but not both</li> <li>Logical aggreation(and,or) enum indicates that additional conditions are present under the children field</li></ul>.

isNegate

boolean

Indicates whereas this condition is in negate mode.

Choices:

  • no

  • yes

dictionary

Device Administration Authentication Rules’s link.

string

Device Administration Authentication Rules’s href.

string

Device Administration Authentication Rules’s rel.

string

Device Administration Authentication Rules’s type.

conditionType

string

<ul><li>Inidicates whether the record is the condition itself(data) or a logical(or,and) aggregation</li> <li>Data type enum(reference,single) indicates than “conditonId” OR “ConditionAttrs” fields should contain condition data but not both</li> <li>Logical aggreation(and,or) enum indicates that additional conditions are present under the children field</li></ul>.

datesRange

dictionary

<p>Defines for which date/s TimeAndDate condition will be matched<br> Options are - Date range, for specific date, the same date should be used for start/end date <br> Default - no specific dates<br> In order to reset the dates to have no specific dates Date format - yyyy-mm-dd (MM = month, dd = day, yyyy = year)</p>.

endDate

string

Device Administration Authentication Rules’s endDate.

startDate

string

Device Administration Authentication Rules’s startDate.

datesRangeException

dictionary

<p>Defines for which date/s TimeAndDate condition will be matched<br> Options are - Date range, for specific date, the same date should be used for start/end date <br> Default - no specific dates<br> In order to reset the dates to have no specific dates Date format - yyyy-mm-dd (MM = month, dd = day, yyyy = year)</p>.

endDate

string

Device Administration Authentication Rules’s endDate.

startDate

string

Device Administration Authentication Rules’s startDate.

description

string

Condition description.

dictionaryName

string

Dictionary name.

dictionaryValue

string

Dictionary value.

hoursRange

dictionary

<p>Defines for which hours a TimeAndDate condition will be matched<br> Time format - hh mm ( h = hour , mm = minutes ) <br> Default - All Day </p>.

endTime

string

Device Administration Authentication Rules’s endTime.

startTime

string

Device Administration Authentication Rules’s startTime.

hoursRangeException

dictionary

<p>Defines for which hours a TimeAndDate condition will be matched<br> Time format - hh mm ( h = hour , mm = minutes ) <br> Default - All Day </p>.

endTime

string

Device Administration Authentication Rules’s endTime.

startTime

string

Device Administration Authentication Rules’s startTime.

id

string

Device Administration Authentication Rules’s id.

isNegate

boolean

Indicates whereas this condition is in negate mode.

Choices:

  • no

  • yes

dictionary

Device Administration Authentication Rules’s link.

string

Device Administration Authentication Rules’s href.

string

Device Administration Authentication Rules’s rel.

string

Device Administration Authentication Rules’s type.

name

string

Condition name.

operator

string

Equality operator.

weekDays

list / elements=string

<p>Defines for which days this condition will be matched<br> Days format - Arrays of WeekDay enums <br> Default - List of All week days</p>.

weekDaysException

list / elements=string

<p>Defines for which days this condition will NOT be matched<br> Days format - Arrays of WeekDay enums <br> Default - Not enabled</p>.

default

boolean

Indicates if this rule is the default one.

Choices:

  • no

  • yes

hitCounts

integer

The amount of times the rule was matched.

id

string

The identifier of the rule.

name

string

Rule name, Valid characters are alphanumerics, underscore, hyphen, space, period, parentheses.

rank

integer

The rank(priority) in relation to other rules. Lower rank is higher priority.

state

string

The state that the rule is in. A disabled rule cannot be matched.

Notes

Note

  • SDK Method used are device_administration_authentication_rules.DeviceAdministrationAuthenticationRules.create_device_admin_authentication_rule, device_administration_authentication_rules.DeviceAdministrationAuthenticationRules.delete_device_admin_authentication_rule_by_id, device_administration_authentication_rules.DeviceAdministrationAuthenticationRules.update_device_admin_authentication_rule_by_id,

  • Paths used are post /device-admin/policy-set/{policyId}/authentication, delete /device-admin/policy-set/{policyId}/authentication/{id},

  • Does not support check_mode

  • The plugin runs on the control node and does not use any ansible connection plugins, but instead the embedded connection manager from Cisco ISE SDK

  • The parameters starting with ise_ are used by the Cisco ISE Python SDK to establish the connection

Examples

- name: Create
  cisco.ise.device_administration_authentication_rules:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: present
    identitySourceName: string
    ifAuthFail: string
    ifProcessFail: string
    ifUserNotFound: string
    link:
      href: string
      rel: string
      type: string
    policyId: string
    rule:
      condition:
        attributeName: string
        attributeValue: string
        children:
        - conditionType: string
          isNegate: true
          link:
            href: string
            rel: string
            type: string
        conditionType: string
        datesRange:
          endDate: string
          startDate: string
        datesRangeException:
          endDate: string
          startDate: string
        description: string
        dictionaryName: string
        dictionaryValue: string
        hoursRange:
          endTime: string
          startTime: string
        hoursRangeException:
          endTime: string
          startTime: string
        id: string
        isNegate: true
        link:
          href: string
          rel: string
          type: string
        name: string
        operator: string
        weekDays:
        - string
        weekDaysException:
        - string
      default: true
      hitCounts: 0
      id: string
      name: string
      rank: 0
      state: string

- name: Update by id
  cisco.ise.device_administration_authentication_rules:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: present
    id: string
    identitySourceName: string
    ifAuthFail: string
    ifProcessFail: string
    ifUserNotFound: string
    link:
      href: string
      rel: string
      type: string
    policyId: string
    rule:
      condition:
        attributeName: string
        attributeValue: string
        children:
        - conditionType: string
          isNegate: true
          link:
            href: string
            rel: string
            type: string
        conditionType: string
        datesRange:
          endDate: string
          startDate: string
        datesRangeException:
          endDate: string
          startDate: string
        description: string
        dictionaryName: string
        dictionaryValue: string
        hoursRange:
          endTime: string
          startTime: string
        hoursRangeException:
          endTime: string
          startTime: string
        id: string
        isNegate: true
        link:
          href: string
          rel: string
          type: string
        name: string
        operator: string
        weekDays:
        - string
        weekDaysException:
        - string
      default: true
      hitCounts: 0
      id: string
      name: string
      rank: 0
      state: string

- name: Delete by id
  cisco.ise.device_administration_authentication_rules:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: absent
    id: string
    policyId: string

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

ise_response

dictionary

A dictionary or list with the response returned by the Cisco ISE Python SDK

Returned: always

Sample: “{\n \”identitySourceName\”: \”string\”,\n \”ifAuthFail\”: \”string\”,\n \”ifProcessFail\”: \”string\”,\n \”ifUserNotFound\”: \”string\”,\n \”link\”: {\n \”href\”: \”string\”,\n \”rel\”: \”string\”,\n \”type\”: \”string\”\n },\n \”rule\”: {\n \”condition\”: {\n \”conditionType\”: \”string\”,\n \”isNegate\”: true,\n \”link\”: {\n \”href\”: \”string\”,\n \”rel\”: \”string\”,\n \”type\”: \”string\”\n },\n \”description\”: \”string\”,\n \”id\”: \”string\”,\n \”name\”: \”string\”,\n \”attributeName\”: \”string\”,\n \”attributeValue\”: \”string\”,\n \”dictionaryName\”: \”string\”,\n \”dictionaryValue\”: \”string\”,\n \”operator\”: \”string\”,\n \”children\”: [\n {\n \”conditionType\”: \”string\”,\n \”isNegate\”: true,\n \”link\”: {\n \”href\”: \”string\”,\n \”rel\”: \”string\”,\n \”type\”: \”string\”\n }\n }\n ],\n \”datesRange\”: {\n \”endDate\”: \”string\”,\n \”startDate\”: \”string\”\n },\n \”datesRangeException\”: {\n \”endDate\”: \”string\”,\n \”startDate\”: \”string\”\n },\n \”hoursRange\”: {\n \”endTime\”: \”string\”,\n \”startTime\”: \”string\”\n },\n \”hoursRangeException\”: {\n \”endTime\”: \”string\”,\n \”startTime\”: \”string\”\n },\n \”weekDays\”: [\n \”string\”\n ],\n \”weekDaysException\”: [\n \”string\”\n ]\n },\n \”default\”: true,\n \”hitCounts\”: 0,\n \”id\”: \”string\”,\n \”name\”: \”string\”,\n \”rank\”: 0,\n \”state\”: \”string\”\n }\n}\n”

ise_update_response

dictionary

added in 1.1.0 of cisco.ise

A dictionary or list with the response returned by the Cisco ISE Python SDK

Returned: always

Sample: “{\n \”response\”: {\n \”identitySourceName\”: \”string\”,\n \”ifAuthFail\”: \”string\”,\n \”ifProcessFail\”: \”string\”,\n \”ifUserNotFound\”: \”string\”,\n \”link\”: {\n \”href\”: \”string\”,\n \”rel\”: \”string\”,\n \”type\”: \”string\”\n },\n \”rule\”: {\n \”condition\”: {\n \”conditionType\”: \”string\”,\n \”isNegate\”: true,\n \”link\”: {\n \”href\”: \”string\”,\n \”rel\”: \”string\”,\n \”type\”: \”string\”\n },\n \”description\”: \”string\”,\n \”id\”: \”string\”,\n \”name\”: \”string\”,\n \”attributeName\”: \”string\”,\n \”attributeValue\”: \”string\”,\n \”dictionaryName\”: \”string\”,\n \”dictionaryValue\”: \”string\”,\n \”operator\”: \”string\”,\n \”children\”: [\n {\n \”conditionType\”: \”string\”,\n \”isNegate\”: true,\n \”link\”: {\n \”href\”: \”string\”,\n \”rel\”: \”string\”,\n \”type\”: \”string\”\n }\n }\n ],\n \”datesRange\”: {\n \”endDate\”: \”string\”,\n \”startDate\”: \”string\”\n },\n \”datesRangeException\”: {\n \”endDate\”: \”string\”,\n \”startDate\”: \”string\”\n },\n \”hoursRange\”: {\n \”endTime\”: \”string\”,\n \”startTime\”: \”string\”\n },\n \”hoursRangeException\”: {\n \”endTime\”: \”string\”,\n \”startTime\”: \”string\”\n },\n \”weekDays\”: [\n \”string\”\n ],\n \”weekDaysException\”: [\n \”string\”\n ]\n },\n \”default\”: true,\n \”hitCounts\”: 0,\n \”id\”: \”string\”,\n \”name\”: \”string\”,\n \”rank\”: 0,\n \”state\”: \”string\”\n }\n },\n \”version\”: \”string\”\n}\n”

Authors

  • Rafael Campos (@racampos)