No need to handle the other cookies. Last I tried this option, I was only able to use the same token for one or two requests.

Here's my python code:

#!/usr/local/bin/python3

###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API  by executing a Python script.                                      #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.                #
#                                                                         #
# Usage: create-endpoint.py <ise-ip-address> <username> <password>        #
#      <description> <Endpoint MAC Address> <group>'                      #
###########################################################################

import http.client
import base64
import ssl
import sys
import json

# host and authentication credentials
host = sys.argv[1] # "10.20.30.40"
user = sys.argv[2] # "ersad"
password = sys.argv[3] # "Password1"

#parameters
description = sys.argv[4] 
mac = sys.argv[5]
groupName = sys.argv[6]

# create BASE64 encoded auth from CLI creds
creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))

# Lookup the group ID by its name

headers1 = {
    'accept': "application/json",
    'content-type': "application/json",
    'authorization': " ".join(("Basic",encodedAuth)),
    'cache-control': "no-cache",
    'X-CSRF-TOKEN': "fetch"
    }

# This is run through a local proxy on 8080 for testing purposes
conn = http.client.HTTPSConnection("localhost",8080, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))
conn.set_tunnel(host, port=9060)
#conn.debuglevel = 2
conn.request("GET", "/ers/config/endpointgroup/name/{}".format(groupName), headers=headers1)

res1 = conn.getresponse()
data1 = res1.read()
csrfToken = res1.getheader('X-CSRF-Token')
groupJSON = json.loads(data1.decode("utf-8"))
groupID = groupJSON['EndPointGroup']['id']
print("=== Group Lookup ===\nStatus: {}".format(res1.status))
print("Header:\n{}".format(res1.headers))
print("CSRF Token: {}".format(csrfToken))
print("Group: {} ➤ {}".format(groupName,groupID))

cookies = res1.getheader('Set-Cookie')
print("Cookie\n{}".format(cookies))


# Add endpoint to group
headers2 = {
    'X-CSRF-Token': csrfToken,
    'accept': "application/json",
    'content-type': "application/json",
    'authorization': " ".join(("Basic",encodedAuth)),
    'cache-control': "no-cache",
    }
print("\nHeaders: {}\n\n".format(headers2))

req_body_json = """  {{
  "ERSEndPoint" : {{
    "description" : "{}",
    "mac" : "{}",
    "groupId" : "{}",
    "staticGroupAssignment" : true
  }}
}}
""".format(description,mac,groupID)

conn.request("POST", "/ers/config/endpoint", headers=headers2, body=req_body_json)

res2 = conn.getresponse()
data2 = res2.read()

print("\n=== Endpoint Create ===\nStatus: {}".format(res2.status))
print("Header:\n{}".format(res2.headers))
print("Body:\n{}".format(data2.decode("utf-8")))

And the output:

$ ./create-endpoint-csrf.py 10.1.1.1 apiuser ******** csrf-test 00:01:02:03:04:05 groupGreen
=== Group Lookup ===
Status: 200
Header:
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONIDSSO=005413EF42E504EFA5BEB4C9023C9CB5; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=EE1CA8DC3F1B1831EAE1E6A714D55619; Path=/ers; Secure; HttpOnly
X-CSRF-Token: 87B6304D78217E1620DA519BF1454786
Pragma: no-cache
ETag: "D5755A00DC6F46C650D6B5D8E550DBE0"
Date: Thu, 07 Feb 2019 09:50:30 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 322
Connection: close
Server: 


CSRF Token: 87B6304D78217E1620DA519BF1454786
Group: groupGreen ➤ bb6b38b0-298b-11e9-9d19-005056a47a4e
Cookie
JSESSIONIDSSO=005413EF42E504EFA5BEB4C9023C9CB5; Path=/; Secure; HttpOnly, APPSESSIONID=EE1CA8DC3F1B1831EAE1E6A714D55619; Path=/ers; Secure; HttpOnly

Headers: {'X-CSRF-Token': '87B6304D78217E1620DA519BF1454786', 'accept': 'application/json', 'content-type': 'application/json', 'authorization': 'Basic bGVldDoxMzM3aDRYMHI=', 'cache-control': 'no-cache'}



=== Endpoint Create ===
Status: 404
Header:
Set-Cookie: JSESSIONIDSSO=DF4C74D1F4AC909D9DE41BA41DDE883A; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=3528AA65F48759B3FA9260DC87707D66; Path=/ers; Secure; HttpOnly
X-CSRF-Token: Required
Content-Length: 0
Date: Thu, 07 Feb 2019 09:50:31 GMT
Connection: close
Server: 


Body:

I am also unable to get this to work. Please disable the CSRF validation for now. I will check with our engineering team.

Hi,

any update on this? I guess this issue is still there in ISE 2.4 Patch 6 - correct?

Correct.

According to the release notes this bug is fixed with 2.4 Patch 8

(https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_105872)

However, I haven't tested it yet.

Patch 8 includes the fix for CSCvi80094 but that is a different issue and does not fix the CSRF issue which is being tracked as CSCvp22075.

Good to know with the cookie.... however, it's still not working as expected, right? The ERS API documentation doesn't say anything about cookies.

---

@Johannes Luther wrote:

... however, it's still not working as expected, right? The ERS API documentation doesn't say anything about cookies.

---

This is how this feature working in ISE. CSCvp22075 is now used to update the on-box documentation.