topic ISE 3.3 change custom name Policy Element via API in Network Access Control

ISE 3.3 change custom name Policy Element via API

JPavonM — Mon, 14 Oct 2024 14:40:55 GMT

Hi colleagues,

This question is part of a M&A integration were their Identity Store for authentication and authorization is Entra ID, but we don't have Advanced licenses to connect with InTune so need a manual workaround to deny machines with revoked certificates. (Allowed machines' authorization is done via a policy to match hostnames pattern. (Not secure but enough during the merge)

I am using a custom Policy element named "Deny Machine Names" where I'm placing all machine names that I don't want to connect to the wireless. (We are using EAP-TLS so need to look for revoked certs), as ISE cannot consult their private CRL/OCSP URL on the on-premises CA, so the only way that I have found is to manually exclude the hostnames of the machines with revoked certificates.

This element is then used in an Authorization Policy - Global Exceptions:

Now the problem that I have found is that I cannot find how to edit that custom Policy Element via API.

Is there any way to do that?

Re: ISE 3.3 change custom name Policy Element via API

Greg Gibbs — Mon, 14 Oct 2024 21:02:30 GMT

You should be able to use the Policy (OpenAPI) calls to create and update conditions as documented here:
https://developer.cisco.com/docs/identity-services-engine/latest/policy-openapi/

The following PUT API call should allow you to update that custom condition:

/api/v1/policy/network-access/condition/condition-by-name/{conditionName}

Re: ISE 3.3 change custom name Policy Element via API

JPavonM — Tue, 15 Oct 2024 06:05:19 GMT

Thanks for that, I was only looking into ERS APIs

Re: ISE 3.3 change custom name Policy Element via API

JPavonM — Tue, 15 Oct 2024 07:55:07 GMT

But how can I import the Open API schemas to be used in Postman?
https://<ise>/api/swagger-ui/index.html