topic Re: REST API for DACLs Not Accurate in Network Access Control

REST API for DACLs Not Accurate

paul — Fri, 05 Apr 2019 17:10:59 GMT

I don't open TAC cases for REST API issues because I don't have the time. I am just posting to see if this is a known issue on 2.4 patch 6.

The current policy export XML file doesn't contain the contents of the DACLs (another issue that should get fixed) so I am trying to use the REST APIs to pull authorization profiles, tie them to DACL names and get the DACL contents.

I can make the REST call to get all the authorization profiles:

https://<Admin_Node>:9060/ers/config/authorizationprofile

I can then parse through that to get the IDs for each authorization profile and make calls to get the authorization profile contents:

https://<Admin_Node>:9060/ers/config/authorizationprofile/00ec24a0-f2ad-11e8-8505-005056830148

In the results it will have the DACL name;

"daclName": "Vendor_DACL",

The DACL name is useless because you can't do a filter by name when you make a DACL REST query (another problem that should be fixed):

https://<Admin_Node>:9060/ers/config/downloadableacl?filter=name.EQ.Vendor_DAC

So now I am forced to do a Get-All on the DACLs and parse my way through the result. Not a problem except the Get-All is busted and doesn't return all the DACLs. The first indicator of the problem is:

{
"SearchResult": {
"total": 0,

Even though the query returned 20 DACLs to me. Okay so it returned 20 DACLs out of my 110 DACLs maybe it is a paging issue. If that were true there should be an HREF at the bottom of the output to the next page. There is nothing for that.

Is this a known issue?

Re: REST API for DACLs Not Accurate

anthonylofreso — Fri, 05 Apr 2019 17:16:43 GMT

This, sounds painful... And it's unfortunate to hear as I plan to use the API to present things like dacls to other teams since the RBAC controls in ISE GUI are so poor.

Re: REST API for DACLs Not Accurate

paul — Fri, 05 Apr 2019 18:32:33 GMT

Okay, I got a little father. Even though the HREF to next page wasn't there in the general call I was able to work my way through the list by doing:

https://:9060/ers/config/downloadableacl?page=1<>

https:// :9060/ers/config/downloadableacl?page=2<>

etc.

Because there is no count reported the only way you know you are finished is if you do a search of the result for "id:". If that doesn't exist then no DACLs were in the output. So at 110 DACLS and 20 a page I stopped seeing results on page 7.

Not great but something I can work with.

Re: REST API for DACLs Not Accurate

anthonylofreso — Fri, 05 Apr 2019 18:59:52 GMT

Is there any way to change the default pagination value?

Re: REST API for DACLs Not Accurate

Jeffrey Ness — Thu, 01 Jun 2023 22:21:44 GMT

Yes use ?size=pageSize

Re: REST API for DACLs Not Accurate

thomas — Fri, 16 Jun 2023 21:29:23 GMT

The default ISE ERS REST page size is 20 with a max of 100. See Pagination

You will need to page through all of the pages to get all of the dACL id attributes (UUIDs).

The GET /ers/config/downloadableacl only returns the id, name, and description attributes. To get the dacl attribute (contents), you will need to perform an additional GET /ers/config/downloadableacl/{id} on each and every ACL as listed in the link.href attributes below.

curl --include --insecure --location \ --header 'Accept: application/json' \ --header 'Content-Type: application/json' \ --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \ --request GET https://$ISE_HOSTNAME/ers/config/downloadableacl HTTP/1.1 200 { "SearchResult" : { "total" : 4, "resources" : [ { "id" : "9825aa40-8c01-11e6-996c-525400b48521", "name" : "DENY_ALL_IPV4_TRAFFIC", "description" : "Deny all ipv4 traffic", "link" : { "rel" : "self", "href" : "https://ise.trust0.net/ers/config/downloadableacl/9825aa40-8c01-11e6-996c-525400b48521", "type" : "application/json" } }, { "id" : "380c6620-f532-11ed-8ed8-0050568fa0ed", "name" : "DENY_ALL_IPV6_TRAFFIC", "description" : "Deny all ipv6 traffic", "link" : { "rel" : "self", "href" : "https://ise.trust0.net/ers/config/downloadableacl/380c6620-f532-11ed-8ed8-0050568fa0ed", "type" : "application/json" } }, { "id" : "982498d0-8c01-11e6-996c-525400b48521", "name" : "PERMIT_ALL_IPV4_TRAFFIC", "description" : "Allow all ipv4 Traffic", "link" : { "rel" : "self", "href" : "https://ise.trust0.net/ers/config/downloadableacl/982498d0-8c01-11e6-996c-525400b48521", "type" : "application/json" } }, { "id" : "380a4340-f532-11ed-8ed8-0050568fa0ed", "name" : "PERMIT_ALL_IPV6_TRAFFIC", "description" : "Allow all ipv6 Traffic", "link" : { "rel" : "self", "href" : "https://ise.trust0.net/ers/config/downloadableacl/380a4340-f532-11ed-8ed8-0050568fa0ed", "type" : "application/json" } } ] } }

If it helps, I've written an ise_get.py Python script to make this fast and easy for you:

❱ ise_get.py downloadableacl --details { "downloadableacl": [ { "id": "9825aa40-8c01-11e6-996c-525400b48521", "name": "DENY_ALL_IPV4_TRAFFIC", "description": "Deny all ipv4 traffic", "dacl": "deny ip any any", "daclType": "IPV4" }, { "id": "380c6620-f532-11ed-8ed8-0050568fa0ed", "name": "DENY_ALL_IPV6_TRAFFIC", "description": "Deny all ipv6 traffic", "dacl": "deny ipv6 any any", "daclType": "IPV6" }, { "id": "982498d0-8c01-11e6-996c-525400b48521", "name": "PERMIT_ALL_IPV4_TRAFFIC", "description": "Allow all ipv4 Traffic", "dacl": "permit ip any any", "daclType": "IPV4" }, { "id": "380a4340-f532-11ed-8ed8-0050568fa0ed", "name": "PERMIT_ALL_IPV6_TRAFFIC", "description": "Allow all ipv6 Traffic", "dacl": "permit ipv6 any any", "daclType": "IPV6" } ] }

Re: REST API for DACLs Not Accurate

Daniel G. — Fri, 11 Aug 2023 07:49:24 GMT

Hello Thomas,

thank you for your script, it seams very useful, but i have question.

I am trying to use your python script "ise_get.py downloadableacl" or "ise_get_ers_resource.py downloadableacl" and it seems it give me 100 of records (we have approx 260 dACLs). How can get all dACLs or page through all pages with these scripts?