topic Re: Problems with ISE 2.3 REST API for creating authorization profiles in Network Access Control

Problems with ISE 2.3 REST API for creating authorization profiles

jan.nielsen — Tue, 08 Aug 2017 13:44:24 GMT

I have been trying to use the new api calls introduced in ISE 2.3, for authorization profile listing, modification, creation and deletion of profiles with not much luck. The SDK documentation specifies which fields need to be included in the XML for a create call, however that does not match with what errors i get when i attempt to create a basic authorization profile that just sends access-accept and a vlan name. The XML example from the docs, includes both macsec, asavpn group, airespace acl name and other things, but these are not required according to the documentation, and i also don't want to use these parameters. If i remove any of those settings from the xml my request fails, referencing that the field is missing, if include the field, but don't put anything in the content it fails. Anyone tried this yet?

Jan

Re: Problems with ISE 2.3 REST API for creating authorization profiles

hslai — Tue, 08 Aug 2017 16:11:07 GMT

Below works for me. However, I did get an error while trying asaVpn.

POST https://myISE:9060/ers/config/authorizationprofile

Accept: application/json

Content-Type: application/json

{

"AuthorizationProfile" : {

"id" : "",

"name" : "demoTest3",

"accessType" : "ACCESS_ACCEPT",

"webRedirection" : {

"WebRedirectionType" : "CentralizedWebAuth",

"acl" : "ACL_WEBAUTH_REDIRECT",

"portalName" : "Self-Registered Guest Portal (default)",

"displayCertificatesRenewalMessages" : false

}

-- response --

201 Created

Set-Cookie: APPSESSIONID=4D3C3B00EEF11FA511C91CC92A68F08D; Path=/ers; Secure; HttpOnly JSESSIONIDSSO=124A4C5EA0895B9617DD3818FE6B8573; Path=/; Secure; HttpOnly

Cache-Control: no-cache, no-store, must-revalidate

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Location: https://myISE:9060/ers/config/authorizationprofile/a3180680-7c53-11e7-8d8a-005056ab51e1

Date: Tue, 08 Aug 2017 16:07:12 GMT

Content-Type: application/json;charset=utf-8

Content-Length: 0

Server:

Re: Problems with ISE 2.3 REST API for creating authorization profiles

jan.nielsen — Wed, 09 Aug 2017 08:07:51 GMT

Your example works and also in xml format, but the second you remove the webauth part, it fails. That must be a bug, you wouldn't always have a webauth redirect in your authz profile.

Re: Problems with ISE 2.3 REST API for creating authorization profiles

hslai — Thu, 10 Aug 2017 19:04:31 GMT

This one works for me, as well.

POST https://myISE:9060/ers/config/authorizationprofile

Accept: application/json

Content-Type: application/json

{

"AuthorizationProfile" : {

"id" : "",

"name" : "demoTest2",

"accessType" : "ACCESS_ACCEPT"

}

-- response --

201 Created

Set-Cookie: JSESSIONIDSSO=A5D7338F5B6E803E0C0EFC3CD162FEB5; Path=/; Secure; HttpOnly APPSESSIONID=B99CC6430612A3824F3A9DD54556FBF9; Path=/ers; Secure; HttpOnly

Cache-Control: no-cache, no-store, must-revalidate

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT

Location: https://myISE:9060/ers/config/authorizationprofile/d82ecb30-7c51-11e7-8d8a-005056ab51e1

Date: Tue, 08 Aug 2017 15:54:22 GMT

Content-Type: application/json;charset=utf-8

Content-Length: 0

Server:

Re: Problems with ISE 2.3 REST API for creating authorization profiles

jan.nielsen — Thu, 10 Aug 2017 19:29:07 GMT

Thanks, that actually works, i also am able to assign a vlan name using json. I think what i found is that the json model is working as expected, However the xml is not. If i add the same settings but in xml it fails.

POST https://myISE:9060/ers/config/authorizationprofile

Accept: application/xml

Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>

<ns0:authorizationprofile xmlns:ns0="policy.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="testauthz001">

<accessType>ACCESS_ACCEPT</accessType>

<authzProfileType>SWITCH</authzProfileType>

<vlan>

<nameID>vlanName</nameID>

</vlan>

</ns0:authorizationprofile>

Response from ISE :

<?xml version="1.0" encoding="utf-8" standalone="yes"?>

<ns3:ersResponse operation="POST-create-authorizationprofile" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">

<title>XML Schema Validation Failed :: at line 1, column 356 : cvc-complex-type.2.4.a: Invalid content was found starting with element 'vlan'. One of '{autoSmartPort, avcProfile, daclName, easywiredSessionCandidate}' is expected.</title>

</message>

</messages>

</ns3:ersResponse>

Jan

Re: Problems with ISE 2.3 REST API for creating authorization profiles

hslai — Mon, 14 Aug 2017 21:48:26 GMT

CSCvf61114 logged to track this issue.

As it's a new bug, it might not be visible externally in next 24 hours.

Re: Problems with ISE 2.3 REST API for creating authorization profiles

matthew.shelley — Thu, 30 Jul 2020 06:49:19 GMT

Just a FYI for all, this bug is still current in ISE 2.6 and 2.7 even though it is not in the Open Caveats of the release notes of either version.

Re: Problems with ISE 2.3 REST API for creating authorization profiles

matthew.shelley — Thu, 20 Aug 2020 03:50:11 GMT

Cisco TAC have reopened this case, which is great.