URL: https://glama.ai/mcp/servers/CiscoDevNet/mcp-secure-access-community

cisco-secure-access-mcp

A community Model Context Protocol (MCP) server for Cisco Secure Access.

It exposes the Secure Access REST API to MCP-compatible AI clients (Cursor, Claude Desktop, VS Code GitHub Copilot, etc.) as a curated catalog of tools grouped by Cisco's own resource categories: Admin, Deployments, Investigate, Policies, and Reports.

Status: v1.1 + composites batches 1 & 2 — 5 categories / 44 modules / 185 tools. See install.md for the build journal and per-phase progress.


Why a community DevNet server

This repo is structured to be hosted as a Cisco DevNet community MCP server, following the CiscoDevNet/devnet-template layout. The standard template files (AGENTS.md, CODE_OF_CONDUCT.md, CONTRIBUTING.md, LICENSE, README.md, SECURITY.md) are present and conform to that template.

In addition, install.md is a working journal that captures every step taken to build the server, troubleshooting notes, and any tools we add as enhancements. It is intentionally kept in-tree so future contributors can see the reasoning trail.


Quick start

# 1. Clone and install (using uv)
git clone https://github.com/sdntechforum/Secure_Access.git
cd Secure_Access
uv sync

# 2. Provide your Cisco Secure Access API credentials via environment variables
# (Admin > API Keys in the Secure Access dashboard)
export SECURE_ACCESS_API_KEY=...
export SECURE_ACCESS_API_SECRET=...

# 3. Run the server (stdio transport, default)
uv run cisco-secure-access-mcp

For client configuration (Cursor / Claude Desktop / VS Code), Docker usage, the full list of tools, and the list of supported environment variables, see AGENTS.md.


Authentication at a glance

  • OAuth 2.0 Client Credentials Flow against POST https://api.sse.cisco.com/auth/v2/token.

  • Bearer token cached in memory and refreshed shortly before its 1-hour expiry.

  • Credentials read from environment variables only — never from CLI flags or committed files.

  • Multi-org / MSSP supported via SECURE_ACCESS_ORG_ID (sent as X-Umbrella-OrgId).

  • A separate, optional Key Admin credential pair gates the small set of tools that manage other API keys.

See Cisco Secure Access — API Authentication for how to mint API keys.
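The caching behaviour described above, as an added example (not the project's own auth.py): a token cache with an injectable clock and fetcher so the refresh-before-expiry logic can be checked offline. The names TokenCache, build_token_request and REFRESH_SKEW are hypothetical; the 60-second skew, the HTTP Basic header with a grant_type=client_credentials form body, and sending X-Umbrella-OrgId on the token request are assumptions.

```python
import base64
import time
from typing import Callable, Optional

TOKEN_URL = "https://api.sse.cisco.com/auth/v2/token"  # endpoint named above
REFRESH_SKEW = 60  # assumed: refresh this many seconds before expiry

def build_token_request(key: str, secret: str, org_id: Optional[str] = None) -> dict:
    """Describe the client-credentials POST; the secret appears only in the Basic header."""
    basic = base64.b64encode(f"{key}:{secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    if org_id:  # assumed placement: header sent on the token request
        headers["X-Umbrella-OrgId"] = org_id
    return {"method": "POST", "url": TOKEN_URL, "headers": headers,
            "data": {"grant_type": "client_credentials"}}


class TokenCache:
    """In-memory bearer token, refreshed REFRESH_SKEW seconds before it expires."""

    def __init__(self, fetch: Callable[[], dict], clock: Callable[[], float] = time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._token: Optional[str] = None
        self._deadline = 0.0

    def get(self) -> str:
        if self._token is None or self._clock() >= self._deadline:
            body = self._fetch()  # expects access_token and expires_in (seconds)
            self._token = body["access_token"]
            self._deadline = self._clock() + max(body["expires_in"] - REFRESH_SKEW, 0)
        return self._token

    def __repr__(self) -> str:  # keep the token out of logs and tracebacks
        return f"TokenCache(cached={self._token is not None})"


def demo() -> list:
    """Constructed run: fake clock and fake token endpoint, no network."""
    now, issued = [0.0], []
    def fake_fetch() -> dict:
        issued.append(f"tok-{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": 3600}
    cache = TokenCache(fake_fetch, clock=lambda: now[0])
    seen = []
    for t in (0.0, 3539.0, 3540.0, 7000.0):
        now[0] = t
        seen.append(cache.get())
    return seen
```

In the constructed run the token issued at t=0 is reused at t=3539 and replaced at t=3540, one skew interval before the 3600-second expiry.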


Tool catalog

The full catalog of every MCP tool exposed by this server — grouped by Cisco's category taxonomy (Admin / Deployments / Investigate / Policies / Reports), with API path, signature, one-line description, and live verification status for each module — lives in TOOLS.md.

At a glance: 185 tools across 5 categories / 44 modules. 0 prompts, 0 resources — this is a tools-only MCP server.

To regenerate the catalog directly from the registered code (no hand-maintained list to drift):

python scripts/dump_catalog.py # human-readable text
python scripts/dump_catalog.py --json # machine-readable JSON

To re-run the live verification (requires a Cisco Secure Access API key + secret):

pytest -m integration tests/integration/test_list_coverage.py -v

Status note for community evaluators: as of 2026-05-04 a coverage sweep against a real Secure Access tenant found that ~32 of 47 reachable list endpoints return 404 no Route matched, indicating the v1.1 API_BASE paths in many tool modules don't match the live Cisco surface. The auth + client + retry layers are bulletproof (every 2xx exercised them end-to-end), and Admin/Deployments/Investigate/Policies/Reports each have at least one verified working module. See install.md Phase 9 (2026-05-04 follow-up) and TOOLS.md for which modules are verified vs. need a path fix. Contributions welcome.


Repo layout

.
├── AGENTS.md # Install + tool catalog + env vars (read this first if you're an AI agent)
├── CODE_OF_CONDUCT.md # Cisco DevNet template (unchanged)
├── CONTRIBUTING.md # Cisco DevNet template (project name filled in)
├── LICENSE # Apache-2.0 (Cisco DevNet template)
├── README.md # this file
├── SECURITY.md # Cisco DevNet template (project name filled in)
├── TOOLS.md # Full tool catalog (185 tools, per-module verification status)
├── install.md # Build journal — phases, troubleshooting, enhancements
├── pyproject.toml # Package metadata + entry point
├── Dockerfile # Optional secondary distribution
├── .env.example # Documented env vars; NEVER real secrets
├── scripts/
│   └── dump_catalog.py # Generates TOOLS.md content from the live registry
├── src/cisco_secure_access_mcp/
│   ├── server.py # FastMCP entrypoint (stdio default)
│   ├── auth.py # OAuth2 client-credentials + token cache
│   ├── client.py # httpx-based REST client (TLS-only, retry-aware)
│   ├── config.py # Env-var loading + validation
│   ├── errors.py # SDK / HTTP errors → MCP errors
│   ├── logging.py # Structured JSON logs with secret redaction
│   ├── registry.py # Discovers and registers tools from each category
│   └── tools/
│       ├── admin/ # admin_* — Admin Resources
│       ├── deployments/ # deploy_* — Deployments Resources
│       ├── investigate/ # investigate_* — Investigate Resources (v1.1)
│       ├── policies/ # policy_* — Policies Resources
│       └── reports/ # report_* — Reports Resources (v1.1)
└── tests/
    ├── unit/ # Offline; mock HTTP and clock
    └── integration/ # Opt-in; requires real DevNet sandbox credentials

Running the tests

# Unit tests only — fast, fully offline (default)
uv run pytest

# Live smoke tests against a real Secure Access tenant — opt-in only
export SECURE_ACCESS_API_KEY=...
export SECURE_ACCESS_API_SECRET=...
# optional: SECURE_ACCESS_ORG_ID, SECURE_ACCESS_BASE_URL
uv run pytest -m integration tests/integration

The smoke tests are read-only by design: they exercise list/get endpoints across each category (and one Investigate domain-categorization call against cisco.com) and never mutate the org. Override the test domain with SECURE_ACCESS_INTEGRATION_TEST_DOMAIN=example.com if needed.


Security

This repo follows the security rules in .cursor (parameterization, no hardcoded credentials, structured logging with redaction, TLS 1.2+ enforcement, distroless-style container hardening, etc.). To report a vulnerability, see SECURITY.md.


License

Apache License 2.0 — see LICENSE.
