topic Re: Cisco ISE API - Sponsor portal account creation in Network Access Control

Cisco ISE API - Sponsor portal account creation

Riccardo Atzeni — Wed, 18 Jan 2023 20:35:17 GMT

Hello Everyone.
I'm working with ISE's API and I'm facing a strange error creating an account.
Basically, I'm using Python with the requests module to:
- obtain the sponsor portal ID (GET);
- obtain the sponsor ID (GET);
- create the guest user on the sponsor portal (POST);

This is the Java error with HTTP status code 500:

{ "ERSResponse" : { "operation" : "POST-create-guestuser", "messages" : [ { "title" : "Creating GuestUser failed due to com.cisco.cpm.guestaccess.exception.GuestAccessSystemException: java.util.concurrent.TimeoutException", "type" : "ERROR", "code" : "CRUD operation exception" } ], "link" : { "rel" : "related", "href" : "https://<IPADDRESS>:<PORT>/ers/config/guestuser", "type" : "application/xml" } } }

Anyway, the user is created on the ISE but I cannot be sure because I'm expecting an HTTP status code 201.

Can someone help me, please?

Re: Cisco ISE API - Sponsor portal account creation

balaji.bandi — Wed, 18 Jan 2023 21:06:26 GMT

500(Internal Server Error): Indicates an issue on the server side. Logs on ISE may help understand the cause.

As you mentioned 200 and 201 expected success and accounts created.

check below example :

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215476-configure-ise-guest-accounts-with-rest-a.html

https://community.cisco.com/t5/security-knowledge-base/ise-guest-sponsor-api-tips-amp-tricks/ta-p/3636773

Re: Cisco ISE API - Sponsor portal account creation

Riccardo Atzeni — Fri, 20 Jan 2023 09:58:50 GMT

Hello BB,

thanks for answering.

There aren't relevant logs on "Reports" --> "Sponsor Login and Audit" only authentications by the ERS user.

Anyway, the Guest User is created, what is wrong?

This is the payload that I'm using:

payload = { "GuestUser": { "guestType": "Weekly (default)", "personBeingVisited": "internal.usern@compa.ny", "portalId": sponsorPortalID, "sponsorUserName": usernameERS, "sponsorUserId": sponsorID, "guestInfo": { "enabled": True, "firstName": "GuestFirstName", "lastName": "GuestLastName", "emailAddress": "guest@gue.st", "company": "Guest Company", "phoneNumber": "+1234567890" }, "guestAccessInfo": { "validDays": validDays, "location": location, "fromDate": fromDate, "toDate": toDate }, "customFields": {}, "link": {} } }

Re: Cisco ISE API - Sponsor portal account creation

Riccardo Atzeni — Fri, 20 Jan 2023 17:52:23 GMT

This is the python script that I made:

#!/usr/bin/env python3 import base64, json, requests, urllib3 from datetime import datetime as dt, timedelta as td urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) ip = "10.10.10.10" port = "443" usernameADM = "********" passwordADM = "********" usernameERS = "********" passwordERS = "********" authB64ADM = bytes.decode(base64.b64encode(str.encode(f"{usernameADM}:{passwordADM}"))) authB64ERS = bytes.decode(base64.b64encode(str.encode(f"{usernameERS}:{passwordERS}"))) uris = { "guestuser": "/ers/config/guestuser", "guestuserinfo": "/ers/config/guestuser/versioninfo", "sponsorportal": "/ers/config/sponsorportal", "sponsor": "/ers/config/internaluser" } def httpHeader(auth): headers = { "Content-Type": "application/json", "Accept": "application/json", "Authorization": f"Basic {auth}", "Cache-Control": "no-cache" } return headers def getSponsorPortalId(): url = f"https://{ip}:{port}{uris['sponsorportal']}" headers = httpHeader(authB64ADM) r = requests.get(url, headers=headers, verify=False) if r.status_code == 200: jsonResponse = r.json() sponsorPortlalId = json.dumps(jsonResponse['SearchResult']['resources'][1]['id'], indent=4).strip('"') return sponsorPortlalId def getSponsorId(): url = f"https://{ip}:{port}{uris['sponsor']}" headers = httpHeader(authB64ADM) parameters = { "size": 100 } r = requests.get(url, headers=headers, params=parameters, verify=False) if r.status_code == 200: jsonResponse = r.json() for index in jsonResponse['SearchResult']['resources']: if usernameERS in index['name']: return index['id'].strip('"') def createGuestUser(numOfDays): fromDate = ( dt.now() ).strftime( "%m/%d/%Y %H:%M" ) toDate = ( dt.now() + td( days=numOfDays ) ).strftime( "%m/%d/%Y %H:%M" ) validDays = numOfDays payload = { "GuestUser": { "guestType": "ERS_GuestType", "personBeingVisited": "internal.user@mycompa.ny", "reasonForVisit": "Visit", "portalId": sponsorPortalID, "sponsorUserName": usernameERS, "sponsorUserId": sponsorID, "guestInfo": { "firstName": "Guest", "lastName": "Guest", "emailAddress": "guest@gue.st", "company": "Guest Company", "phoneNumber": "+1234567890", }, "guestAccessInfo": { "validDays": validDays, "location": "(UTC+01:00)", "fromDate": fromDate, "toDate": toDate }, "customFields": {} } } jsonPayload = json.dumps(payload, indent=4) url = f"https://{ip}:{port}{uris['guestuser']}" headers = httpHeader(authB64ERS) r = requests.post(url, headers=headers, data=jsonPayload, verify=False) print(r.status_code) print("") print(r.text) sponsorPortalID = getSponsorPortalId() sponsorID = getSponsorId() createGuestUser(3)

Re: Cisco ISE API - Sponsor portal account creation

Rodrigo Diaz — Mon, 23 Jan 2023 20:11:37 GMT

hello @Riccardo Atzeni , it would appear as per the script that you are not using the port used for ERS which is 9060 , please follow the next guidelines to configure API calls with guest users.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215476-configure-ise-guest-accounts-with-rest-a.html

Let me know if that helped you.

Re: Cisco ISE API - Sponsor portal account creation

Riccardo Atzeni — Wed, 25 Jan 2023 11:51:03 GMT

Hello Rodrigo,

thanks for answering.

Both ports (443 or 9060) should work as expected:
https://developer.cisco.com/docs/identity-services-engine/latest/#!cisco-ise-api-framework/cisco-ise-api-service

"ERS APIs are REST APIs that are based on the HTTPS protocol and operate over the standard HTTPS port 443 (port 9060 can also be used)."

Anyway, also using port 9060 I still have the same error.

The user is created but java returns a timeout error, it is something else.

=================================== vvv UPDATE 1 vvv ===================================
I tested the same script on my old infrastructure (ISE 2.4) and everything is working as expected
On the new one (ISE 3.1), with the same request, I still receiving HTTP 500
=================================== ^^^ UPDATE 1 ^^^ ===================================