04-01-2024 02:42 PM - edited 04-01-2024 02:43 PM
I am very new to both Ansible and ISE APIs. I have read through the Cisco Dev site and utilized the playbooks to view and list the groups. However, I am getting an "Unexpected failure during module execution: Unknown API version, known versions are 3.1.0, 3.1.1, 3.1.Patch.1 and 3.2_beta."
The playbook is relatively simple so not sure why it is not working. Is this an error due to the fact our ISE PAN runs patch 7? I tried the ise_version set to 3.1.Patch1 but that did not work. Does the account I am using require authorization of some kind to create via API?
---
- hosts: My PAN server name
  gather_facts: false
  tasks:
    - name: Create Site Group Under "Location#All Locations"
      cisco.ise.network_device_group:
        ise_hostname: "{{ise_hostname}}"
        ise_username: "{{ise_username}}"
        ise_password: "{{ise_password}}"
        ise_verify: "{{ise_verify}}"
        state: present
        description: GroupDesc
        name: "Location#All Locations#GroupDesc"
        ndgtype: Location
I admit this may be a simple problem as I am still ramping up skills. But I have not had any luck finding an answer or a path to research.
04-02-2024 05:26 PM
Here is an example of using Ansible to create the Network Device Group by calling the API directly using the ansible.builtin.uri module.
I tested this against my ISE 3.1 patch 7 instance.
---
- name: Create NDG using API calls
  hosts: localhost
  gather_facts: no
  vars_files:
    - variables.yaml
  tasks:
    - name: Create NDG -- GroupDesc
      ansible.builtin.uri:
        url: https://{{ ise_hostname }}:9060/ers/config/networkdevicegroup
        return_content: true
        method: POST
        # TLS certificate verification is disabled for this request
        validate_certs: false
        headers:
          Content-Type: application/json
          Accept: application/json
          # Basic auth header built from the ers_username_password variable
          Authorization: Basic {{ ers_username_password | b64encode }}
        body_format: json
        # Expect 201 Created; any other status fails the task
        status_code: 201
        body:
          NetworkDeviceGroup:
            name: Location#All Locations#GroupDesc
            description: GroupDesc
            # The ERS API takes the group type as othername, not ndgtype
            othername: Location
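A hardened variant of the playbook above, as an added example that is not part of the original post: it sends the same ERS request and body, but verifies the ISE certificate, lets the uri module build the Basic auth header, and keeps the credentials out of task output. The variable names `ers_username`, `ers_password` and `ise_ca_bundle` are assumptions, as is the idea that `variables.yaml` is encrypted with ansible-vault.

```yaml
---
- name: Create NDG using API calls (TLS verified, credentials not logged)
  hosts: localhost
  gather_facts: false
  vars_files:
    # Assumed to define ise_hostname, ers_username, ers_password and
    # ise_ca_bundle; encrypt it with ansible-vault rather than storing
    # the ERS password in clear text.
    - variables.yaml
  tasks:
    - name: Create NDG -- GroupDesc
      ansible.builtin.uri:
        url: "https://{{ ise_hostname }}:9060/ers/config/networkdevicegroup"
        method: POST
        # Verify the ISE certificate against the CA that issued it
        # (ise_ca_bundle is a hypothetical path to that CA file).
        validate_certs: true
        ca_path: "{{ ise_ca_bundle }}"
        # Let the module build the Authorization header instead of
        # templating a base64 string into the task.
        url_username: "{{ ers_username }}"
        url_password: "{{ ers_password }}"
        force_basic_auth: true
        headers:
          Accept: application/json
        # body_format: json also sets Content-Type: application/json
        body_format: json
        body:
          NetworkDeviceGroup:
            name: "Location#All Locations#GroupDesc"
            description: GroupDesc
            othername: Location
        status_code: 201
      register: ndg_create
      # Keeps the request, including credentials, out of console output
      # and logs. Failure details are hidden too, so set this to false
      # temporarily while troubleshooting.
      no_log: true

    - name: Show where ISE created the group
      ansible.builtin.debug:
        msg: "Created: {{ ndg_create.location | default('no Location header returned') }}"
```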
04-02-2024 04:32 AM
I believe this is the issue. It appears to be related to this https://github.com/CiscoISE/ansible-ise/issues/56
Has anyone found a work around?
04-02-2024 03:09 PM
Those Ansible modules are only community supported and there is currently no development being done on that code.
The only workaround would be using Ansible to call the APIs themselves similar to this example:
https://opensource.com/article/21/9/ansible-rest-apis
You can find all of the relevant ISE API documentation to use in your Ansible code at https://cs.co/ise-api
04-04-2024 11:01 AM
Thank you, will give this a try.
04-02-2024 03:31 PM
Correct - the problem is the breaking ISE change introduced by renaming the othername attribute to ndgtype.
According to my ise_network_device_groups role:
#ISE 3.1 Patch 4 and 3.2 `networkdevicegroup` create fails.
#It expects an `ndgtype` attribute instead of `othername`.
#This should be fixed in ISE 3.1 Patch 5 and ISE 3.2 Patch 1
Your best option is to upgrade to the latest patch and just use the othername attribute.
04-04-2024 11:17 AM - edited 04-04-2024 11:18 AM
Thank you for the reply.
The ISE instance is on patch 3.1 patch 7 and I have tried othername as suggested, but the play still fails, it is saying othername is not a valid parameter.
The full traceback is:
NoneType: None
fatal: [localhost]: FAILED! => {
"changed": false,
"msg": ["othername. Supported parameters include: description, id, ise_debug, ise_hostname, ise_password, ise_single_request_timeout, ise_username, ise_uses_api_gateway, ise_uses_csrf_token, ise_verify, ise_version, ise_wait_on_rate_limit, name, ndgtype, state."]}
When I try using ndgtype it fails, but then tells me that othername is required.
"msg": "An error occurred when executing operation. The error was: [400] - Validation Error - Mandatory fields missing: [othername]
Now I am definitely no expert and it is very possible I could have something else incorrectly configured or missed a pre-req. I am continuing to develop, test and troubleshoot ISE playbooks.
I can manually create the Device Group in ISE and create a network group device with all the appropriate settings without issue.
04-04-2024 02:05 PM
Correct. I get the same behaviour when using the Ansible ISE module. This is due to the breaking changes in the API that were later reversed. The Ansible module developers updated the module to resolve the initial breaking change, but there was no more development done on the module after the API change was reversed.
You might be able to use an older version of the API (check the changelog and closed issues) before this change was made in the module, but there could be other issues in that version.
I would suggest either using the ansible.builtin.uri module option I provided an example for or look into using Terraform as per this example.
04-29-2024 05:15 AM
Thank you to all who replied.
I just now was able to get back to this project. Using the ansible.builtin.uri module worked.