ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API

ajc — Thu, 11 Apr 2019 18:33:15 GMT

I am giving a try to the instructions from the following link for the: Create the Guest user using the guest API query.

https://community.cisco.com/t5/security-documents/ise-guest-sponsor-api-tips-amp-tricks/ta-p/3636773

But I got the following error. Does anyone have a suggestion?, thanks in advance.

Re: ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API

hslai — Sun, 14 Apr 2019 17:47:10 GMT

Please check and ensure that the user invoking the ISE Guest ERS API is a valid sponsor user and that the sponsor user is a member of an ISE Sponsor User group entitled to use the ISE Guest ERS API.

Requisites to Create an ISE Guest User via ISE ERS API

To create a guest user via the ISE Guest ERS API, we need:

A valid ISE Sponsor Portal ID
A valid ISE Sponsor user
- an active ISE internal or external user with valid username and password
- belonging to an ISE Sponsor group that can access ISE Guest ERS API
A valid ISE Guest Type name
(Optional) A valid location name -- created under ISE Admin web UI > Work Centers > Guest Access > Settings >Guest Locations and SSIDs > Guest Locations

Details with Examples

GET Sponsor Portal ID (via ERS)

## Auth: ERS-Admin User credentials
## The value of the ID attribute is used as that for portalId to create an ISE guest user.

curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorportal'

Permit Sponsor Group Access to ERS API

### [ The option at ISE Admin Web UI ]
[ ] Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)
### To enable it via ERS, first we get the ISE Sponsor Group ID
## Auth: ERS-Admin User credentials

curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorgroup'

### Once we have ISE Sponsor Group ID and if this sponsor group has no API access yet, we may enable it via ISE ERS API
## Auth: ERS-Admin User credentials
## id for SponsorGroup obtained from the output of the previous request.

curl -X PUT -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorgroup/9f1eca71-8c01-11e6-996c-525400b48521' \
--data '{
  "SponsorGroup" : {
    "id" : "9f1eca71-8c01-11e6-996c-525400b48521",
    "otherPermissions" : {
      "canAccessViaRest" : true
    }
  }
}'

Get Internal User Group ALL_ACCOUNTS ID

In case we need to create an ISE internal user to act as the sponsor user with access to ISE Guest ERS API
## Auth: ERS-Admin User credentials
## NB: This ISE internal user group ID differs from that of the sponsor group ID
## Below shows to get the info on ISE internal group with a name starts with ALL_ACCOUNTS

curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/identitygroup?filter=name.STARTSW.ALL_ACCOUNTS'

Create an Internal User with a group membership of ‘ALL_ACCOUNTS (default)’

## a176c430-8c01-11e6-996c-525400b48521 below obtained from the output of the previous request

curl -X POST -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/internaluser' \
--data '{
  "InternalUser" : {
    "name" : "mySponsor",
    "enabled" : true,
    "password" : "mySponsorPass",
    "changePassword" : false,
    "identityGroups" : "a176c430-8c01-11e6-996c-525400b48521",
    "expiryDateEnabled" : false,
    "customAttributes" : {
    },
    "passwordIDStore" : "Internal Users"
  }
}'

Create a Guest User

## NB: CSCvi42404 validDays does not match span of fromDate to toDate for ERS created guests
## Auth: ISE Sponsor User credentials with a sponsor group membership that allows to use REST (aka ERS) API

curl -X POST -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://mySponsor:mySponsorPass@myISE24FCS:9060/ers/config/guestuser' \
--data '{
  "GuestUser" : {
    "guestType" : "Weekly (default)",
    "guestInfo" : {
      "userName" : "testGST01",
      "firstName" : "John",
      "lastName" : "Smith",
      "password" : "9048"
    },
    "guestAccessInfo" : {
      "validDays" : 6,
      "fromDate" : "04/14/2019 16:49",
      "toDate" : "04/19/2019 23:59",
      "location" : "UTC"
    },
    "portalId" : "40963c00-2e02-11e8-ba71-005056872c7f"
  }
}'

Re: ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API

ajc — Thu, 18 Apr 2019 18:51:16 GMT

Hi Hslai,

I am using Postman and just copying the curl commands and data into the body worked. However, I still have one question:

Is the data/guides/instructions of MY https://PRIMARY_PAN_ISE.DOMAIN:9060/ers/sdk# , running ISE 2.4 patch 5 still valid/updated? I will give a try and post a comment before closing as "ANSWERED" this post.

thanks

Re: ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API

hslai — Fri, 19 Apr 2019 13:51:19 GMT

The on-box SDK guide is our main source of documentation on ISE ERS API. Please let us know if you find an error or any suggestion for improvements.

topic Re: ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API in Network Access Control

ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API

Re: ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API

Requisites to Create an ISE Guest User via ISE ERS API

Details with Examples

GET Sponsor Portal ID (via ERS)

Permit Sponsor Group Access to ERS API

Get Internal User Group ALL_ACCOUNTS ID

Create an Internal User with a group membership of ‘ALL_ACCOUNTS (default)’

Create a Guest User

Re: ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API

Re: ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API