
ISE2.4: REST API : Change password : enable password filled with asterisks even if blank

gillessapene
Level 1

I am working on a Python script to change a TACACS password based on a TACACS account as an input.

The script runs REST API commands.

The first one is to get the TACACS account "id", using the identity as an input parameter.

The second one is to get the details of the identity, using the above "id" as an input parameter.

I want to change the password, so I need to know if I have to change the enable password or not.

I am surprised because the output JSON contains "enablePassword": "*******", even if there is no enable password. I have run an identity list export to confirm.

Is there a way to know if the identity has an enable password or not, so that I know whether I have to change the password + the enable password, or the password only?

Here is the output of the API query:

{
    "InternalUser": {
        "id": "11d2fbff-fa22-4a67-b13f-ed7f033245c2",
        "name": "noenable",
        "enabled": true,
        "password": "*******",
        "firstName": "zzz",
        "lastName": "yyy",
        "changePassword": false,
        "identityGroups": "4844b750-1421-11e9-ac18-de49dabd0b44",
        "expiryDateEnabled": false,
        "enablePassword": "*******",
        "customAttributes": {
            "Address": "",
            "Phone_number": "",
            "Real_Name": "",
            "cmd-set": "",
            "priv_lvl": "",
            "max_priv_lvl": ""
        },
        "passwordIDStore": "Internal Users",
        "link": {
            "rel": "self",
            "href": "https://x.x.x.x:9060/ers/config/internaluser/11d2fbff-fa22-4a67-b13f-ed7f033245c2",
            "type": "application/xml"
        }
    }
}

Thanks

2 Accepted Solutions

hslai
Cisco Employee

This seems to be a current limitation, so I opened a bug: CSCvq68524

Perhaps, you may use a group or the description field to indicate whether a user has the enable password set.

It's a good idea for a workaround.

It must be possible to export all the identities in a CSV file, then to look at the ones which don't have an enable password and to add a comment in the description field before reimporting the CSV file.

To be honest I don't like to do a mass update on a production server :)

Thanks anyway.

Gilles
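
The description-field workaround discussed in this thread, sketched as an added example that is not code from the original posts or from Cisco: the script decides whether to send `enablePassword` from a marker in the description, never from the masked value, and builds the update body from scratch so the `*******` placeholder is never written back. Assumptions: the marker string `[enable-pw-set]` is a hypothetical convention, the user object carries a `description` field, and the update call accepts a body holding only `id`, `name` and the changed fields.

```python
# Added example: sample responses below are constructed for illustration.
ENABLE_MARKER = "[enable-pw-set]"  # hypothetical convention kept in "description"

def is_masked(value):
    """True for the asterisk placeholder returned in place of a secret."""
    return isinstance(value, str) and value != "" and set(value) == {"*"}

def has_enable_password(user):
    """Decide from the description marker; the masked field says nothing."""
    return ENABLE_MARKER in (user.get("description") or "")

def build_password_update(get_response, new_password, new_enable_password=None):
    """Return the update body for the user described by a GET response.

    Only id, name and the new secrets are copied, so a masked placeholder
    from the GET output can never be written back as a real password.
    """
    user = get_response["InternalUser"]
    body = {"id": user["id"], "name": user["name"], "password": new_password}
    if has_enable_password(user):
        if new_enable_password is None:
            raise ValueError(f"{user['name']}: marker set, enable password required")
        body["enablePassword"] = new_enable_password
    for field in ("password", "enablePassword"):
        if is_masked(body.get(field)):
            raise ValueError(f"{field}: refusing to send a masked placeholder")
    return {"InternalUser": body}

# Constructed GET outputs: both mask enablePassword, only the marker differs.
NO_ENABLE = {"InternalUser": {
    "id": "11d2fbff-fa22-4a67-b13f-ed7f033245c2", "name": "noenable",
    "password": "*******", "enablePassword": "*******", "description": ""}}
WITH_ENABLE = {"InternalUser": {
    "id": "00000000-0000-0000-0000-000000000000", "name": "withenable",
    "password": "*******", "enablePassword": "*******",
    "description": "NOC operator " + ENABLE_MARKER}}

if __name__ == "__main__":
    print(build_password_update(NO_ENABLE, "New-Passw0rd"))
    print(build_password_update(WITH_ENABLE, "New-Passw0rd", "New-Enabl3"))
```
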
