cisco.ise.allowed_protocols module – Resource module for Allowed Protocols

Note

This module is part of the cisco.ise collection (version 2.5.5).

To install it, use: ansible-galaxy collection install cisco.ise. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cisco.ise.allowed_protocols.

New in cisco.ise 1.0.0

Synopsis

  • Manage operations create, update and delete of the resource Allowed Protocols.

  • This API creates an allowed protocol.

  • This API deletes an allowed protocol.

  • This API allows the client to update an allowed protocol.

Note

This module has a corresponding action plugin.

Requirements

The below requirements are needed on the host that executes this module.

  • ciscoisesdk >= 2.0.3

  • python >= 3.5

Parameters

Parameter

Comments

allowChap

boolean

allowEapFast

boolean

allowEapMd5

boolean

allowEapTls

boolean

allowEapTtls

boolean

allowLeap

boolean

allowMsChapV1

boolean

allowMsChapV2

boolean

allowPapAscii

boolean

allowPeap

boolean

allowPreferredEapProtocol

boolean

allowTeap

boolean

allowWeakCiphersForEap

boolean

description

string

Allowed Protocols’s description.

eapFast

dictionary

The eapFast is required only if allowEapFast is true, otherwise it must be ignored. The object eapFast contains the settings for EAP FAST protocol.

allowEapFastEapGtc

boolean

allowEapFastEapGtcPwdChange

boolean

The allowEapFastEapGtcPwdChange is required only if allowEapFastEapGtc is true, otherwise it must be ignored.

Choices:

allowEapFastEapGtcPwdChangeRetries

integer

The allowEapFastEapGtcPwdChangeRetries is required only if allowEapFastEapGtc is true, otherwise it must be ignored. Valid range is 0-3.

allowEapFastEapMsChapV2

boolean

allowEapFastEapMsChapV2PwdChange

boolean

The allowEapFastEapMsChapV2PwdChange is required only if allowEapFastEapMsChapV2 is true, otherwise it must be ignored.

Choices:

allowEapFastEapMsChapV2PwdChangeRetries

integer

The allowEapFastEapMsChapV2PwdChangeRetries is required only if eapTtlsEapMsChapV2 is true, otherwise it must be ignored. Valid range is 0-3.

allowEapFastEapTls

boolean

allowEapFastEapTlsAuthOfExpiredCerts

boolean

The allowEapFastEapTlsAuthOfExpiredCerts is required only if allowEapFastEapTls is true, otherwise it must be ignored.

Choices:

eapFastDontUsePacsAcceptClientCert

boolean

The eapFastDontUsePacsAcceptClientCert is required only if eapFastUsePacs is FALSE, otherwise it must be ignored.

Choices:

eapFastDontUsePacsAllowMachineAuthentication

boolean

The eapFastDontUsePacsAllowMachineAuthentication is required only if eapFastUsePacs is FALSE, otherwise it must be ignored.

Choices:

eapFastEnableEAPChaining

boolean

eapFastUsePacs

boolean

eapFastUsePacsAcceptClientCert

boolean

The eapFastUsePacsAcceptClientCert is required only if eapFastUsePacsAllowAuthenProvisioning is true, otherwise it must be ignored.

Choices:

eapFastUsePacsAllowAnonymProvisioning

boolean

The eapFastUsePacsAllowAnonymProvisioning is required only if eapFastUsePacs is true, otherwise it must be ignored.

Choices:

eapFastUsePacsAllowAuthenProvisioning

boolean

The eapFastUsePacsAllowAuthenProvisioning is required only if eapFastUsePacs is true, otherwise it must be ignored.

Choices:

eapFastUsePacsAllowMachineAuthentication

boolean

EapFastUsePacsAllowMachineAuthentication flag.

Choices:

eapFastUsePacsAuthorizationPacTtl

integer

The eapFastUsePacsAuthorizationPacTtl is required only if eapFastUsePacsStatelessSessionResume is true, otherwise it must be ignored.

eapFastUsePacsAuthorizationPacTtlUnits

string

The eapFastUsePacsAuthorizationPacTtlUnits is required only if eapFastUsePacsStatelessSessionResume is true, otherwise it must be ignored. Allowed Values - SECONDS, - MINUTES, - HOURS, - DAYS, - WEEKS.

eapFastUsePacsMachinePacTtl

integer

The eapFastUsePacsMachinePacTtl is required only if eapFastUsePacsAllowMachineAuthentication is true, otherwise it must be ignored.

eapFastUsePacsMachinePacTtlUnits

string

The eapFastUsePacsMachinePacTtlUnits is required only if eapFastUsePacsAllowMachineAuthentication is true, otherwise it must be ignored. Allowed Values - SECONDS, - MINUTES, - HOURS, - DAYS, - WEEKS.

eapFastUsePacsReturnAccessAcceptAfterAuthenticatedProvisioning

boolean

The eapFastUsePacsReturnAccessAcceptAfterAuthenticatedProvisioning is required only if eapFastUsePacsAllowAuthenProvisioning is true, otherwise it must be ignored.

Choices:

eapFastUsePacsStatelessSessionResume

boolean

The eapFastUsePacsStatelessSessionResume is required only if eapFastUsePacs is true, otherwise it must be ignored.

Choices:

eapFastUsePacsTunnelPacTtl

integer

The eapFastUsePacsTunnelPacTtl is required only if eapFastUsePacs is true, otherwise it must be ignored.

eapFastUsePacsTunnelPacTtlUnits

string

The eapFastUsePacsTunnelPacTtlUnits is required only if eapFastUsePacs is true, otherwise it must be ignored. Allowed Values - SECONDS, - MINUTES, - HOURS, - DAYS, - WEEKS.

eapFastUsePacsUseProactivePacUpdatePrecentage

integer

The eapFastUsePacsUseProactivePacUpdatePrecentage is required only if eapFastUsePacs is true, otherwise it must be ignored.

eapTls

dictionary

The eapTls is required only if allowEapTls is true, otherwise it must be ignored. The object eapTls contains the settings for EAP TLS protocol.

allowEapTlsAuthOfExpiredCerts

boolean

eapTlsEnableStatelessSessionResume

boolean

EapTlsEnableStatelessSessionResume flag.

Choices:

eapTlsSessionTicketPrecentage

integer

The eapTlsSessionTicketPrecentage is required only if eapTlsEnableStatelessSessionResume is true, otherwise it must be ignored.

eapTlsSessionTicketTtl

integer

Time to live. The eapTlsSessionTicketTtl is required only if eapTlsEnableStatelessSessionResume is true, otherwise it must be ignored.

eapTlsSessionTicketTtlUnits

string

Time to live time units. The eapTlsSessionTicketTtlUnits is required only if eapTlsEnableStatelessSessionResume is true, otherwise it must be ignored. Allowed Values - SECONDS, - MINUTES, - HOURS, - DAYS, - WEEKS.

eapTlsLBit

boolean

eapTtls

dictionary

The eapTtls is required only if allowEapTtls is true, otherwise it must be ignored. The object eapTtls contains the settings for EAP TTLS protocol.

eapTtlsChap

boolean

eapTtlsEapMd5

boolean

eapTtlsEapMsChapV2

boolean

eapTtlsEapMsChapV2PwdChange

boolean

The eapTtlsEapMsChapV2PwdChange is required only if eapTtlsEapMsChapV2 is true, otherwise it must be ignored.

Choices:

eapTtlsEapMsChapV2PwdChangeRetries

integer

The eapTtlsEapMsChapV2PwdChangeRetries is required only if eapTtlsEapMsChapV2 is true, otherwise it must be ignored. Valid range is 0-3.

eapTtlsMsChapV1

boolean

eapTtlsMsChapV2

boolean

eapTtlsPapAscii

boolean

id

string

Resource UUID, Mandatory for update.

ise_debug

boolean

Flag for Identity Services Engine SDK to enable debugging.

Choices:

ise_hostname

string / required

The Identity Services Engine hostname.

ise_password

string / required

The Identity Services Engine password to authenticate.

ise_username

string / required

The Identity Services Engine username to authenticate.

ise_uses_api_gateway

boolean

added in cisco.ise 1.1.0

Flag that informs the SDK whether to use the Identity Services Engine’s API Gateway to send requests.

If it is true, it uses the ISE’s API Gateway and sends requests to https://{{ise_hostname}}.

If it is false, it sends the requests to https://{{ise_hostname}}:{{port}}, where the port value depends on the Service used (ERS, Mnt, UI, PxGrid).

Choices:

ise_uses_csrf_token

boolean

added in cisco.ise 3.0.0

Flag that informs the SDK whether we send the CSRF token to ISE’s ERS APIs.

If it is True, the SDK assumes that your ISE CSRF Check is enabled.

If it is True, it assumes you need the SDK to manage the CSRF token automatically for you.

Choices:

ise_verify

boolean

Flag to enable or disable SSL certificate verification.

Choices:

ise_version

string

Informs the SDK which version of Identity Services Engine to use.

Default: :ansible-option-default:`"3.1\_Patch\_1"`

ise_wait_on_rate_limit

boolean

Flag for Identity Services Engine SDK to enable automatic rate-limit handling.

Choices:

name

string

Resource Name.

peap

dictionary

Allowed Protocols’s peap.

allowPeapEapGtc

boolean

allowPeapEapGtcPwdChange

boolean

The allowPeapEapGtcPwdChange is required only if allowPeapEapGtc is true, otherwise it must be ignored.

Choices:

allowPeapEapGtcPwdChangeRetries

integer

The allowPeapEapGtcPwdChangeRetries is required only if allowPeapEapGtc is true, otherwise it must be ignored. Valid range is 0-3.

allowPeapEapMsChapV2

boolean

allowPeapEapMsChapV2PwdChange

boolean

The allowPeapEapMsChapV2PwdChange is required only if allowPeapEapMsChapV2 is true, otherwise it must be ignored.

Choices:

allowPeapEapMsChapV2PwdChangeRetries

integer

The allowPeapEapMsChapV2PwdChangeRetries is required only if allowPeapEapMsChapV2 is true, otherwise it must be ignored. Valid range is 0-3.

allowPeapEapTls

boolean

allowPeapEapTlsAuthOfExpiredCerts

boolean

The allowPeapEapTlsAuthOfExpiredCerts is required only if allowPeapEapTls is true, otherwise it must be ignored.

Choices:

allowPeapV0

boolean

requireCryptobinding

boolean

preferredEapProtocol

string

The preferredEapProtocol is required only if allowPreferredEapProtocol is true, otherwise it must be ignored. Allowed Values - EAP_FAST, - PEAP, - LEAP, - EAP_MD5, - EAP_TLS, - EAP_TTLS, - TEAP.

processHostLookup

boolean

requireMessageAuth

boolean

teap

dictionary

The teap is required only if allowTeap is true, otherwise it must be ignored. The object teap contains the settings for TEAP protocol.

acceptClientCertDuringTunnelEst

boolean

AcceptClientCertDuringTunnelEst flag.

Choices:

allowDowngradeMsk

boolean

allowTeapEapMsChapV2

boolean

allowTeapEapMsChapV2PwdChange

boolean

The allowTeapEapMsChapV2PwdChange is required only if allowTeapEapMsChapV2 is true, otherwise it must be ignored.

Choices:

allowTeapEapMsChapV2PwdChangeRetries

integer

The allowTeapEapMsChapV2PwdChangeRetries is required only if allowTeapEapMsChapV2 is true, otherwise it must be ignored. Valid range is 0-3.

allowTeapEapTls

boolean

allowTeapEapTlsAuthOfExpiredCerts

boolean

The allowTeapEapTlsAuthOfExpiredCerts is required only if allowTeapEapTls is true, otherwise it must be ignored.

Choices:

enableEapChaining

boolean

Notes

Note

  • SDK Method used are allowed_protocols.AllowedProtocols.create_allowed_protocol, allowed_protocols.AllowedProtocols.delete_allowed_protocol_by_id, allowed_protocols.AllowedProtocols.update_allowed_protocol_by_id,

  • Paths used are post /ers/config/allowedprotocols, delete /ers/config/allowedprotocols/{id}, put /ers/config/allowedprotocols/{id},

  • Does not support check_mode

  • The plugin runs on the control node and does not use any ansible connection plugins, but instead the embedded connection manager from Cisco ISE SDK

  • The parameters starting with ise_ are used by the Cisco ISE Python SDK to establish the connection

Examples

- name: Update by id
  cisco.ise.allowed_protocols:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: present
    allowChap: true
    allowEapFast: true
    allowEapMd5: true
    allowEapTls: true
    allowEapTtls: true
    allowLeap: true
    allowMsChapV1: true
    allowMsChapV2: true
    allowPapAscii: true
    allowPeap: true
    allowPreferredEapProtocol: true
    allowTeap: true
    allowWeakCiphersForEap: true
    description: string
    eapFast:
      allowEapFastEapGtc: true
      allowEapFastEapGtcPwdChange: true
      allowEapFastEapGtcPwdChangeRetries: 0
      allowEapFastEapMsChapV2: true
      allowEapFastEapMsChapV2PwdChange: true
      allowEapFastEapMsChapV2PwdChangeRetries: 0
      allowEapFastEapTls: true
      allowEapFastEapTlsAuthOfExpiredCerts: true
      eapFastDontUsePacsAcceptClientCert: true
      eapFastDontUsePacsAllowMachineAuthentication: true
      eapFastEnableEAPChaining: true
      eapFastUsePacs: true
      eapFastUsePacsAcceptClientCert: true
      eapFastUsePacsAllowAnonymProvisioning: true
      eapFastUsePacsAllowAuthenProvisioning: true
      eapFastUsePacsAllowMachineAuthentication: true
      eapFastUsePacsAuthorizationPacTtl: 0
      eapFastUsePacsAuthorizationPacTtlUnits: string
      eapFastUsePacsMachinePacTtl: 0
      eapFastUsePacsMachinePacTtlUnits: string
      eapFastUsePacsReturnAccessAcceptAfterAuthenticatedProvisioning: true
      eapFastUsePacsStatelessSessionResume: true
      eapFastUsePacsTunnelPacTtl: 0
      eapFastUsePacsTunnelPacTtlUnits: string
      eapFastUsePacsUseProactivePacUpdatePrecentage: 0
    eapTls:
      allowEapTlsAuthOfExpiredCerts: true
      eapTlsEnableStatelessSessionResume: true
      eapTlsSessionTicketPrecentage: 0
      eapTlsSessionTicketTtl: 0
      eapTlsSessionTicketTtlUnits: string
    eapTlsLBit: true
    eapTtls:
      eapTtlsChap: true
      eapTtlsEapMd5: true
      eapTtlsEapMsChapV2: true
      eapTtlsEapMsChapV2PwdChange: true
      eapTtlsEapMsChapV2PwdChangeRetries: 0
      eapTtlsMsChapV1: true
      eapTtlsMsChapV2: true
      eapTtlsPapAscii: true
    id: string
    name: string
    peap:
      allowPeapEapGtc: true
      allowPeapEapGtcPwdChange: true
      allowPeapEapGtcPwdChangeRetries: 0
      allowPeapEapMsChapV2: true
      allowPeapEapMsChapV2PwdChange: true
      allowPeapEapMsChapV2PwdChangeRetries: 0
      allowPeapEapTls: true
      allowPeapEapTlsAuthOfExpiredCerts: true
      allowPeapV0: true
      requireCryptobinding: true
    preferredEapProtocol: string
    processHostLookup: true
    requireMessageAuth: true
    teap:
      acceptClientCertDuringTunnelEst: true
      allowDowngradeMsk: true
      allowTeapEapMsChapV2: true
      allowTeapEapMsChapV2PwdChange: true
      allowTeapEapMsChapV2PwdChangeRetries: 0
      allowTeapEapTls: true
      allowTeapEapTlsAuthOfExpiredCerts: true
      enableEapChaining: true

- name: Delete by id
  cisco.ise.allowed_protocols:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: absent
    id: string

- name: Create
  cisco.ise.allowed_protocols:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: present
    allowChap: true
    allowEapFast: true
    allowEapMd5: true
    allowEapTls: true
    allowEapTtls: true
    allowLeap: true
    allowMsChapV1: true
    allowMsChapV2: true
    allowPapAscii: true
    allowPeap: true
    allowPreferredEapProtocol: true
    allowTeap: true
    allowWeakCiphersForEap: true
    description: string
    eapFast:
      allowEapFastEapGtc: true
      allowEapFastEapGtcPwdChange: true
      allowEapFastEapGtcPwdChangeRetries: 0
      allowEapFastEapMsChapV2: true
      allowEapFastEapMsChapV2PwdChange: true
      allowEapFastEapMsChapV2PwdChangeRetries: 0
      allowEapFastEapTls: true
      allowEapFastEapTlsAuthOfExpiredCerts: true
      eapFastDontUsePacsAcceptClientCert: true
      eapFastDontUsePacsAllowMachineAuthentication: true
      eapFastEnableEAPChaining: true
      eapFastUsePacs: true
      eapFastUsePacsAcceptClientCert: true
      eapFastUsePacsAllowAnonymProvisioning: true
      eapFastUsePacsAllowAuthenProvisioning: true
      eapFastUsePacsAllowMachineAuthentication: true
      eapFastUsePacsAuthorizationPacTtl: 0
      eapFastUsePacsAuthorizationPacTtlUnits: string
      eapFastUsePacsMachinePacTtl: 0
      eapFastUsePacsMachinePacTtlUnits: string
      eapFastUsePacsReturnAccessAcceptAfterAuthenticatedProvisioning: true
      eapFastUsePacsStatelessSessionResume: true
      eapFastUsePacsTunnelPacTtl: 0
      eapFastUsePacsTunnelPacTtlUnits: string
      eapFastUsePacsUseProactivePacUpdatePrecentage: 0
    eapTls:
      allowEapTlsAuthOfExpiredCerts: true
      eapTlsEnableStatelessSessionResume: true
      eapTlsSessionTicketPrecentage: 0
      eapTlsSessionTicketTtl: 0
      eapTlsSessionTicketTtlUnits: string
    eapTlsLBit: true
    eapTtls:
      eapTtlsChap: true
      eapTtlsEapMd5: true
      eapTtlsEapMsChapV2: true
      eapTtlsEapMsChapV2PwdChange: true
      eapTtlsEapMsChapV2PwdChangeRetries: 0
      eapTtlsMsChapV1: true
      eapTtlsMsChapV2: true
      eapTtlsPapAscii: true
    name: string
    peap:
      allowPeapEapGtc: true
      allowPeapEapGtcPwdChange: true
      allowPeapEapGtcPwdChangeRetries: 0
      allowPeapEapMsChapV2: true
      allowPeapEapMsChapV2PwdChange: true
      allowPeapEapMsChapV2PwdChangeRetries: 0
      allowPeapEapTls: true
      allowPeapEapTlsAuthOfExpiredCerts: true
      allowPeapV0: true
      requireCryptobinding: true
    preferredEapProtocol: string
    processHostLookup: true
    requireMessageAuth: true
    teap:
      acceptClientCertDuringTunnelEst: true
      allowDowngradeMsk: true
      allowTeapEapMsChapV2: true
      allowTeapEapMsChapV2PwdChange: true
      allowTeapEapMsChapV2PwdChangeRetries: 0
      allowTeapEapTls: true
      allowTeapEapTlsAuthOfExpiredCerts: true
      enableEapChaining: true

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

ise_response

dictionary

A dictionary or list with the response returned by the Cisco ISE Python SDK

Returned: always

Sample: :ansible-rv-sample-value:`{"allowChap": true, "allowEapFast": true, "allowEapMd5": true, "allowEapTls": true, "allowEapTtls": true, "allowLeap": true, "allowMsChapV1": true, "allowMsChapV2": true, "allowPapAscii": true, "allowPeap": true, "allowPreferredEapProtocol": true, "allowTeap": true, "allowWeakCiphersForEap": true, "description": "string", "eapFast": {"allowEapFastEapGtc": true, "allowEapFastEapGtcPwdChange": true, "allowEapFastEapGtcPwdChangeRetries": 0, "allowEapFastEapMsChapV2": true, "allowEapFastEapMsChapV2PwdChange": true, "allowEapFastEapMsChapV2PwdChangeRetries": 0, "allowEapFastEapTls": true, "allowEapFastEapTlsAuthOfExpiredCerts": true, "eapFastDontUsePacsAcceptClientCert": true, "eapFastDontUsePacsAllowMachineAuthentication": true, "eapFastEnableEAPChaining": true, "eapFastUsePacs": true, "eapFastUsePacsAcceptClientCert": true, "eapFastUsePacsAllowAnonymProvisioning": true, "eapFastUsePacsAllowAuthenProvisioning": true, "eapFastUsePacsAllowMachineAuthentication": true, "eapFastUsePacsAuthorizationPacTtl": 0, "eapFastUsePacsAuthorizationPacTtlUnits": "string", "eapFastUsePacsMachinePacTtl": 0, "eapFastUsePacsMachinePacTtlUnits": "string", "eapFastUsePacsReturnAccessAcceptAfterAuthenticatedProvisioning": true, "eapFastUsePacsStatelessSessionResume": true, "eapFastUsePacsTunnelPacTtl": 0, "eapFastUsePacsTunnelPacTtlUnits": "string", "eapFastUsePacsUseProactivePacUpdatePrecentage": 0}, "eapTls": {"allowEapTlsAuthOfExpiredCerts": true, "eapTlsEnableStatelessSessionResume": true, "eapTlsSessionTicketPrecentage": 0, "eapTlsSessionTicketTtl": 0, "eapTlsSessionTicketTtlUnits": "string"}, "eapTlsLBit": true, "eapTtls": {"eapTtlsChap": true, "eapTtlsEapMd5": true, "eapTtlsEapMsChapV2": true, "eapTtlsEapMsChapV2PwdChange": true, "eapTtlsEapMsChapV2PwdChangeRetries": 0, "eapTtlsMsChapV1": true, "eapTtlsMsChapV2": true, "eapTtlsPapAscii": true}, "id": "string", "link": {"href": "string", "rel": "string", "type": "string"}, "name": "string", "peap": {"allowPeapEapGtc": true, "allowPeapEapGtcPwdChange": true, "allowPeapEapGtcPwdChangeRetries": 0, "allowPeapEapMsChapV2": true, "allowPeapEapMsChapV2PwdChange": true, "allowPeapEapMsChapV2PwdChangeRetries": 0, "allowPeapEapTls": true, "allowPeapEapTlsAuthOfExpiredCerts": true, "allowPeapV0": true, "requireCryptobinding": true}, "preferredEapProtocol": "string", "processHostLookup": true, "requireMessageAuth": true, "teap": {"acceptClientCertDuringTunnelEst": true, "allowDowngradeMsk": true, "allowTeapEapMsChapV2": true, "allowTeapEapMsChapV2PwdChange": true, "allowTeapEapMsChapV2PwdChangeRetries": 0, "allowTeapEapTls": true, "allowTeapEapTlsAuthOfExpiredCerts": true, "enableEapChaining": true}}`

ise_update_response

dictionary

added in cisco.ise 1.1.0

Authors

  • Rafael Campos (@racampos)