https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439137#M519483 <HTML><HEAD></HEAD><BODY><P>I read that as well. It says they are encrypted but does not give details on HOW it is encrypted. That is a big deal for customers with IA audits. They need to know if it's a one way hash, uses a shared encryption key, uses the servers public asymmetrical key or just passed inside an encrypted TLS connection i.e. not encrypted. I could not find any docs internally that clarifies those details. And someone else is now saying it is not encrypted.</P><P>Thanks</P></BODY></HTML> Wed, 29 Nov 2017 16:01:15 GMT Tim Baum 2017-11-29T16:01:15Z https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439134#M519476 <HTML><HEAD></HEAD><BODY><P>I've read that ISE REST API uses TLS (https) over port 9060 with basic authentication. Is there any additional encryption being done for the username and/or password other than sending the data thru the TLS tunnel? e.g. password encrypted with public key of ISE server or some hash?</P><P>Thanks</P></BODY></HTML> Tue, 28 Nov 2017 21:10:43 GMT https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439134#M519476 Tim Baum 2017-11-28T21:10:43Z https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439135#M519478 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD> <P class="pB1_Body1" style="margin-top: 12px; margin-bottom: 12px; font-size: 14px; font-family: CiscoSans, Arial, sans-serif; color: #58585b;">The External RESTful Services APIs are based on HTTPS protocol and REST methodology and uses port 9060.</P> <P class="pB1_Body1" style="margin-top: 12px; margin-bottom: 12px; font-size: 14px; font-family: CiscoSans, Arial, sans-serif; color: #58585b;"><A name="pgfId-1092472" style="font-style: inherit; font-size: inherit; font-family: inherit; color: #007fab;"></A>The External RESTful Services APIs support basic authentication. The authentication credentials are encrypted and are part of the request header.</P> <P class="pB1_Body1" style="margin-top: 12px; margin-bottom: 12px; font-size: 14px; font-family: CiscoSans, Arial, sans-serif; color: #58585b;"><A name="pgfId-1092473" style="font-style: inherit; font-size: inherit; font-family: inherit; color: #007fab;"></A>The ISE administrator must assign special privileges to a user to perform operations using the External RESTful Services APIs.</P> <P class="pB1_Body1" style="margin-top: 12px; margin-bottom: 12px; font-size: 14px; font-family: CiscoSans, Arial, sans-serif; color: #58585b;"><A name="pgfId-1092474" style="font-style: inherit; font-size: inherit; font-family: inherit; color: #007fab;"></A>To perform operations using the External RESTful Services APIs (except for the Guest API), the users must be assigned to one of the following Admin Groups and must be authenticated against the credentials stored in the Cisco ISE internal database (internal admin users):</P> <UL> <LI><A name="pgfId-1092475" style="font-style: inherit; font-size: inherit; font-family: inherit; color: #007fab;"></A>External RESTful Services Admin—Full access to all ERS APIs (GET, POST, DELETE, PUT). This user can Create, Read, Update, and Delete ERS API requests.</LI> <LI><A name="pgfId-1092476" style="font-style: inherit; font-size: inherit; font-family: inherit; color: #007fab;"></A>External RESTful Services Operator—Read Only access (GET request only).</LI> </UL> <P class="pB1_Body1" style="margin-top: 12px; margin-bottom: 12px; font-size: 14px; font-family: CiscoSans, Arial, sans-serif; color: #58585b;"><A name="pgfId-1092477" style="font-style: inherit; font-size: inherit; font-family: inherit; color: #007fab;"></A>If you do not have the required permissions and still try to perform operations using the External RESTful Services APIs, you will receive an error response.</P> </TD></TR></TBODY></TABLE></BLOCKQUOTE><P><SPAN style="font-size: 13.3333px;">According to the <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/api_ref_guide/api_ref_book/ise_api_ref_ers1.html#pgfId-1079726">Cisco Identity Services Engine API Reference Guide, Release 2.x</A>, the authentication credentials ARE encrypted and not just sent through the tunnel.</SPAN></P></BODY></HTML> Tue, 28 Nov 2017 21:25:43 GMT https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439135#M519478 Charlie Moreton 2017-11-28T21:25:43Z https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439136#M519481 <HTML><HEAD></HEAD><BODY><P>No. It’s no different than logging into your bank’s web site.</P><P></P><P>Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.</P></BODY></HTML> Tue, 28 Nov 2017 21:26:45 GMT https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439136#M519481 gbekmezi-DD 2017-11-28T21:26:45Z https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439137#M519483 <HTML><HEAD></HEAD><BODY><P>I read that as well. It says they are encrypted but does not give details on HOW it is encrypted. That is a big deal for customers with IA audits. They need to know if it's a one way hash, uses a shared encryption key, uses the servers public asymmetrical key or just passed inside an encrypted TLS connection i.e. not encrypted. I could not find any docs internally that clarifies those details. And someone else is now saying it is not encrypted.</P><P>Thanks</P></BODY></HTML> Wed, 29 Nov 2017 16:01:15 GMT https://community.cisco.com/t5/network-access-control/how-does-ise-rest-api-encrypt-data-to-and-from-the-ise-server/m-p/3439137#M519483 Tim Baum 2017-11-29T16:01:15Z