topic Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working in Network Access Control

AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

8uck5nort — Mon, 01 Apr 2024 21:43:52 GMT

I am very new to both Ansible and ISE APIs. I have read through the Cisco Dev site and utilized the playbooks to view and list the groups. However, I am getting an "Unexpected failure during module execution: Unknown API version, known versions are 3.1.0, 3.1.1, 3.1.Patch.1 and 3.2_beta.",

The playbook is relatively simple so not sure why it is not working. Is this an error due to the fact our ISE PAN runs patch 7? I tried the ise_version set to 3.1.Patch1 but that did not work. Does the account I am using require authorization of some kind to create via API?

---

- hosts: My PAN server name
gather_facts: false

tasks:

- name: Create Site Group Under "Location#All Locations"
cisco.ise.network_device_group:
ise_hostname: "{{ise_hostname}}"
ise_username: "{{ise_username}}"
ise_password: "{{ise_password}}"
ise_verify: "{{ise_verify}}"
state: present
description: GroupDesc
name: "Location#All Locations#GroupDesc"
ndgtype: Location

I admit this may be a simple problem as I am still ramping up skills. But I have not had any luck finding an answer or a path to research.

Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

8uck5nort — Tue, 02 Apr 2024 11:32:56 GMT

I believe this is the issue. It appears to be related to this https://github.com/CiscoISE/ansible-ise/issues/56

Has anyone found a work around?

Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

Greg Gibbs — Tue, 02 Apr 2024 22:09:49 GMT

Those Ansible modules are only community supported and there is currently no development being done on that code.

The only workaround would be using Ansible to call the APIs themselves similar to this example:
https://opensource.com/article/21/9/ansible-rest-apis

You can find all of the relevant ISE API documentation to use in your Ansible code at https://cs.co/ise-api

Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

thomas — Tue, 02 Apr 2024 22:31:57 GMT

Correct - the problem is the breaking ISE change introduced by renaming the othername attribute to ndgtype.

According to my ise_network_device_groups role:

# 🐞 ISE 3.1 Patch 4 and 3.2 `networkdevicegroup` create fails.
# 🐞 It expects an `ndgtype` attribute instead of `othername`.
# 🐞 This should be fixed in ISE 3.1 Patch 5 and ISE 3.2 Patch 1

You best option is to upgrade to the latest patch and just use the othername attribute.

Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

Greg Gibbs — Wed, 03 Apr 2024 00:26:39 GMT

Here is an example of using Ansible to create the Network Device Group by calling the API directly using the ansible.builtin.uri module.
I tested this against my ISE 3.1 patch 7 instance.

---
- name: Create NDG using API calls 
  hosts: localhost
  gather_facts: no
  vars_files:
  - variables.yaml

  tasks:
  - name: Create NDG -- GroupDesc
    ansible.builtin.uri:
      url: https://{{ ise_hostname }}:9060/ers/config/networkdevicegroup
      return_content: true
      method: POST
      validate_certs: false
      headers:
        Content-Type: application/json
        Accept: application/json
        Authorization: Basic {{ ers_username_password | b64encode }}
      body_format: json
      status_code: 201
      body:
        NetworkDeviceGroup:
          name: Location#All Locations#GroupDesc
          description: GroupDesc
          othername: Location

Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

8uck5nort — Thu, 04 Apr 2024 18:01:11 GMT

Thank You will give this a try.

Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

8uck5nort — Thu, 04 Apr 2024 18:18:52 GMT

Thank you for the reply.

The ISE instance is on patch 3.1 patch 7 and I have tried othername as suggested, but the play still fails, it is saying othername is not a valid parameter.

The full traceback is:
NoneType: None
fatal: [localhost]: FAILED! => {
"changed": false,
"msg": ["othername. Supported parameters include: description, id, ise_debug, ise_hostname, ise_password, ise_single_request_timeout, ise_username, ise_uses_api_gateway, ise_uses_csrf_token, ise_verify, ise_version, ise_wait_on_rate_limit, name, ndgtype, state."]}
When I try using ndgtype it fails, but then tells me that othername is required.

"msg": "An error occurred when executing operation. The error was: [400] - Validation Error - Mandatory fields missing: [othername]

Now I am definitely no expert and it is very possible I could have something else incorrectly configured or missed a pre-req. I am continuing to develop, test and troubleshoot ISE playbooks.

I can manually create the Device Group in ISE and create a network group device with all the appropriate settings with out issue.

Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

Greg Gibbs — Thu, 04 Apr 2024 21:05:51 GMT

Correct. I get the same behaviour when using the Ansible ISE module. This is due to the breaking changes in the API that where later reversed. The Ansible module developers updated the module to resolve the initial breaking change, but there was no more development done on the module after the API change was reversed.

You might be able to use an older version of the API (check the changelog and closed issues) before this change was made in the module, but there could be other issues in that version.
I would suggest either using the ansible.builtin.uri module option I provided an example for or look into using Terraform as per this example.

Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

8uck5nort — Mon, 29 Apr 2024 12:15:12 GMT

Thank you to all who replied.

I just now was able to get back to this project. Using the ansible.builtin.uri module worked.