topic Help with ISE 3.2 API powershell scripting in Network Access Control

Help with ISE 3.2 API powershell scripting

James Vale — Tue, 04 Feb 2025 16:29:49 GMT

Hi guys.

New to this API call scripting malarky and need some assistance.. Basically im trying to change the access code on an ISE 3.2 guest portal. I can pull the necesary varibles with the script below, look at them, convernt them to json etc, but as soon as I go to change them back I get a 400 error..

Im sure its something insanely basic so if someone can tell me where I am going wrong I would be greatful 🙂
Script below:

$ISEServer = "https://fqdn.of.server"
$Username = "ERSUser"
$Password = "XXXXXX"
$PortalID = "04f0e934-8d39-471d-bbb0-d24505e995e9"
$NewAccessCode = "NewPassword"

# Encode Credentials for Basic Authentication
$AuthHeader = @{
Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$Username`:$Password"))
"Content-Type" = "application/json"
Accept = "application/json"
}

# Get the existing portal configuration
$GetPortalUrl = "$ISEServer/ers/config/portal/$PortalID"
$CurrentPortal = Invoke-RestMethod -Uri $GetPortalUrl -Headers $AuthHeader -Method Get

$CurrentPortal.ERSPortal.aupPageAccessCode | Write-Output
$CurrentPortal.ERSPortal.aupPageAccessCode = $NewAccessCode
$CurrentPortal.ERSPortal.aupPageAccessCode | Write-Output

$CurrentPortal | Convertto-Json

$UpdatedPortalJson = $CurrentPortal | Convertto-Json

$Response = Invoke-RestMethod -Uri $GetPortalUrl -Headers $AuthHeader -Method Put -Body $UpdatedPortalJson

Re: Help with ISE 3.2 API powershell scripting

Arne Bier — Wed, 05 Feb 2025 21:08:09 GMT

I'm not a Powershell coder myself, but I have dabbled a bit with Postman, curl and some python libraries. I would look for things like:

Does your python request enforce a certificate check when speaking with the ISE server? Ideally, you should provide the CA chain to your script to validate/establish that trust. Failing that, enable a switch/parameter to force the security check off.
Are you pointing the URL to the PAN on port 443?
Test the concept in curl first (the python script has too many moving parts) - some calls must be made to the MNT, and not the PAN

e.g. when using curl, I can cheat by using the '--insecure' parameter to ignore cert checks

curl --insecure --netrc-file ~/.secrets/.netrc -X 'GET' 'https://rnolabise01.rnlab.local:443/ers/config/portala486c6ef-6c77-4bc1-bf6d-4e479b3aeae88' -H 'accept: application/json' { "ERSPortal" : { "id" : "a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8", "name" : "ISE Portal (default)", "description" : "Ise Portal for saml based feature purpose", "portalType" : "GUEST", "link" : { "rel" : "self", "href" : "https://rnolabise01.rnlab.local/ers/config/portal/a486c6ef-6c77-4bc1-bf6d-4e479b3aeae8", "type" : "application/json" } } }

Re: Help with ISE 3.2 API powershell scripting

James Vale — Wed, 05 Feb 2025 21:13:32 GMT

Thanks.

I found the problem in the end.. Slight script modifications converting BASH to Powershell via ChatGPT but the main cause was the fact that /ers/config/portal does not permit PUT or PATCH. I had to use /ers/config/hotspotportal instead.

Code below for anyone else looking to achieve the same using Powershell

# Variables $NewAccessCode = "XXXX" #Guest Portal Access Password Change this Weekly $ISEServer = "XXXX" #ISE Server URL $Username = "ERSAdmin" #ERS User $Password = "XXXXXXXXXXX" #ERS User Password $PortalID = "XXXXXXXXDXXXXXXXXXXXXXXXXXXXXXXX" #ISE Portal ID # Encode Credentials for Basic Authentication $AuthHeader = @{ Authorization = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$Username`:$Password")) "Content-Type" = "application/json" Accept = "application/json" } $url = "https://$ISEServer/ers/config/hotspotportal/$PortalID" #ISE API Portal URL $body = @{ "HotspotPortal" = @{ "settings" = @{ "aupSettings" = @{ "accessCode" = "NewPassword" } } } } | ConvertTo-Json -Depth 10 try { Invoke-RestMethod -Uri $url -Method Patch -Headers $AuthHeader -Body $body Write-Output "Hotspot portal access code updated successfully." } catch { Write-Output "Error Response (PUT Request):" Write-Output $_.Exception.Message Write-Output "Press Enter to exit..." Read-Host break }

Re: Help with ISE 3.2 API powershell scripting

Greg Gibbs — Wed, 05 Feb 2025 21:43:13 GMT

The API endpoint you are using '/ers/config/portal' only supports GET methods as per the documentation. You cannot use this API endpoint to make changes.
https://developer.cisco.com/docs/identity-services-engine/latest/portal/

To make updates to an existing portal, try using the PUT method with the '/ers/config/sponsoredguestportal/{portal-id}' API endpoint.
https://developer.cisco.com/docs/identity-services-engine/latest/sponsoredguestportal/