Re: REST API Basics

SamuelFullman6827 · ‎02-14-2019

I am working with ISE version 2.4.x

I am successfully using ISE API calls to get endpoint data as JSON, however I'm having very poor results with any of the query string parameters.

?filter=groupId.EQ.xxxxxx - this works.

But, how do I do multiple filters? What name/fields (groupId etc.) and what comparators (EQ, maybe LT/GT?) are available? I've looked for the reference to this so far and haven't found it.

page= and size= - I can only get size to work, page doesn't give me page 2 or 3 etc.

A resource or an overview of query string options, plus why page is not working, would be appreciated.

Also, this SDK reference, https://10.1.1.1:9060/ers/sdk#_, is good but I'm wondering if I could assist contributing to it. Perhaps adding the items I have in question if not there, as well as many of the examples are postman screenshots, and some of those are truncated. Translating those into copy-able styled HTML with code highlighting would be a big help!

anthonylofreso · ‎02-14-2019

Here is the reference I've been using: https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623

I'm not sure how to get what your asking though. May run some tests in our environment. I've been using the API more lately, as it's much better than managing ISE via the gui.

Also, how did you get JSON data back instead of XML?? This would be very helpful. What call are you using for endpoint data? I'm currently using this one:

https://<iseserver>/admin/API/mnt/AuthStatus/MACAddress/<macaddress>/0/100/All

thomas · ‎02-14-2019

Anthony,

I show very typical examples in How to Invoke the REST APIs > cURL

that show the Headers needed to communicate the output data you will Accept (GET)

Accept-Type: application/json

and the data you will submit (Update/Create)

Content-Type: application/json

The problem is you are referring to the MNT APIs which are different than the ERS APIs.

MNT APIs only do XML today. 8-(

anthonylofreso · ‎02-14-2019

Ahh, I see! Is there a way to get the level of endpoint detail the MNT API provides via ERS?:

NAS IP address
Identity Group
Network Device Name
Network Port IT
IP Address
ACS Server
Location

hslai · ‎02-14-2019

Nope.

Most of scripting languages have libraries/modules to convert between JSON and XML. I would suggest you to look into such instead.

paul · ‎03-18-2019

I don't believe you can get that level of detail from the M&T and query the M&T on anything but a lab or small deployment is painfully slow. Here is all you can get from the M&T that I know of:

"A session list includes the MAC address, network access device (NAD) IP address, username, and session ID information associated with a session."

hslai · ‎02-14-2019

Here is an example of multiple filters:

curl -k -v -H 'Content-Type: application/json' -H 'Accept: application/json'  'https://<myERSoperator>:<myERSpass>@<myISE>:9060/ers/config/sgt?filter=name.CONTAINS.Servers&filter=description.CONTAINS.Test'

On paging, please give a specific not-working example.

The quick reference of the on-box SDK doc has a section on searching a resource. If you have a specific issue, please provide the detail so this community may provide some help.

Yes, you are welcome to contribute.

Mikkel Troest · ‎03-17-2019

@hslai did you test that with more than two filters?

I'm on an ISE 2.4p5, and single filter works, two filters work, but with three or more filters, only the first two in the querystring are interpreted by ISE, numbers three and further are completely ignored.

Examples below with order of parameters:

page=1

filtertype=or

fiilter=name.STARTSW.Sony

filter=name.EQ.Cisco-Meraki-Device

filter=name.STARTSW.Apple

- only Sony and Cisco-Meraki matched:

https://ise24p5.example.com:9060/ers/config/endpointgroup?page=1&filtertype=or&filter=name.STARTSW.Sony&filter=name.EQ.Cisco-Meraki-Device&filter=name.STARTSW.Apple
result:
{
    "SearchResult": {
        "total": 1,
        "resources": [
            {
                "id": "38a73670-8c00-11e6-996c-525400b48521",
                "name": "Sony-Device",
                "description": "Identity Group for Profile: Sony-Device",
                "link": {
                    "rel": "self",
                    "href": "https://ise24p5.example.com:9060/ers/config/endpointgroup/38a73670-8c00-11e6-996c-525400b48521",
                    "type": "application/xml"
                }
            },
            {
                "id": "1e2700a0-8c00-11e6-996c-525400b48521",
                "name": "Cisco-Meraki-Device",
                "description": "Identity Group for Profile: Cisco-Meraki-Device",
                "link": {
                    "rel": "self",
                    "href": "https://ise24p5.example.com:9060/ers/config/endpointgroup/1e2700a0-8c00-11e6-996c-525400b48521",
                    "type": "application/xml"
                }
            }
        ]
    }
}

page=1

filtertype=or

filter=name.STARTSW.Apple

fiilter=name.STARTSW.Sony

filter=name.EQ.Cisco-Meraki-Device

- only Apple and Sony is matched:

https://ise24p5.example.com:9060/ers/config/endpointgroup?page=1&filtertype=or&filter=name.STARTSW.Apple&filter=name.STARTSW.Sony&filter=name.EQ.Cisco-Meraki-Device
result:
{
    "SearchResult": {
        "total": 1,
        "resources": [
            {
                "id": "38a73670-8c00-11e6-996c-525400b48521",
                "name": "Sony-Device",
                "description": "Identity Group for Profile: Sony-Device",
                "link": {
                    "rel": "self",
                    "href": "https://ise24p5.example.com:9060/ers/config/endpointgroup/38a73670-8c00-11e6-996c-525400b48521",
                    "type": "application/xml"
                }
            },
            {
                "id": "0a4a50f0-8c00-11e6-996c-525400b48521",
                "name": "Apple-iDevice",
                "description": "Identity Group for Profile: Apple-iDevice",
                "link": {
                    "rel": "self",
                    "href": "https://ise24p5.example.com:9060/ers/config/endpointgroup/0a4a50f0-8c00-11e6-996c-525400b48521",
                    "type": "application/xml"
                }
            }
        ]
    }
}

page=1

filtertype=or

filter=name.EQ.Cisco-Meraki-Device

filter=name.STARTSW.Apple

fiilter=name.STARTSW.Sony

- only Cisco-Meraki and Apple is matched

https://ise24p5.example.com:9060/ers/config/endpointgroup?page=1&filtertype=or&filter=name.EQ.Cisco-Meraki-Device&filter=name.STARTSW.Apple&filter=name.STARTSW.Sony
result:
{
    "SearchResult": {
        "total": 1,
        "resources": [
            {
                "id": "1e2700a0-8c00-11e6-996c-525400b48521",
                "name": "Cisco-Meraki-Device",
                "description": "Identity Group for Profile: Cisco-Meraki-Device",
                "link": {
                    "rel": "self",
                    "href": "https://ise24p5.example.com:9060/ers/config/endpointgroup/1e2700a0-8c00-11e6-996c-525400b48521",
                    "type": "application/xml"
                }
            },
            {
                "id": "0a4a50f0-8c00-11e6-996c-525400b48521",
                "name": "Apple-iDevice",
                "description": "Identity Group for Profile: Apple-iDevice",
                "link": {
                    "rel": "self",
                    "href": "https://ise24p5.example.com:9060/ers/config/endpointgroup/0a4a50f0-8c00-11e6-996c-525400b48521",
                    "type": "application/xml"
                }
            }
        ]
    }
}

If that's by design, please update the documentation. Currently it just says "More than one filter can be sent".

While you're there, you could have someone look at the SearchResult.Total which seems to to blindly represent (maybe) a total returned from one of the filters - not the complete chain.