Contributor

Accessing local users via API based on email address

Interesting dilemma.

This particular use case is a web-based form that takes input from a guest, including the email address of their sponsor. It will look up that email address against the internal users in ISE, and if it finds a match, it will generate the guest account and assign it to the sponsor based on the email match.

I need to create a local user in ISE, and that user's internal email address is internal only (in this case, "employee@demo.local").  Since this is not a valid TLD, during the creation of the local account, it complains, and does not allow me to enter this email account.

In order to bypass this, I created a custom attribute, InternalEmail, and entered the "employee@demo.local" string there, hoping to use that as a condition to search for, instead of the email address field (which is now invalid, since it will not allow the .local TLD).  Unfortunately, I am getting messages from ISE that custom attributes cannot be used as filter conditions in API calls.

{
    "ERSResponse": {
        "operation": "GET-getAll-internaluser",
        "messages": [
            {
                "title": "The filter field 'customAttributes' is not supported",
                "type": "ERROR",
                "code": "Query string validation exception"
            }
        ],
        "link": {
            "rel": "related",
            "href": "https://[REDACTED]/ers/config/internaluser?filter=customAttributes.InternalEmail.CONTAINS.em",
            "type": "application/xml"
        }
    }
}

Based on what I need to do, any particular recommendations on how to get around this?

Thanks!

Bob

Accepted Solutions
Cisco Employee

Re: Accessing local users via API based on email address

That is expected. For Get-All of Internal User, only these fields can be filtered:

[firstName, lastName, identityGroup, name, description, email, enabled]

I suppose demo.local is what you are using in the lab, but you should be able to set up your mail server to accept emails from some non-local domains.

View solution in original post
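
An added example, not part of the original thread and not Cisco code: since `customAttributes` is not in the filterable list above, a client can reject unsupported filter fields before calling ISE and match the custom attribute itself from each user's detail record (the record shape shown later in the thread). The `fetch` hook, the `SearchResult`/`resources` listing shape, the single-page listing and the sample data are assumptions made for illustration.

```python
from urllib.parse import quote

# Filterable fields for Get-All internaluser, as listed in the accepted answer.
FILTERABLE = {"firstName", "lastName", "identityGroup", "name",
              "description", "email", "enabled"}

def build_filter_path(field, op, value):
    """Build the Get-All path, rejecting fields ISE would refuse anyway."""
    if field not in FILTERABLE:
        raise ValueError(f"filter field {field!r} is not supported")
    # Percent-encode the guest-supplied value so it cannot alter the query string.
    return f"/ers/config/internaluser?filter={field}.{op}.{quote(value, safe='')}"

def find_sponsor(fetch, attr, wanted):
    """Match a custom attribute client-side.

    fetch(path) -> parsed JSON dict; a hypothetical transport hook.
    Returns the one matching user name, or None if zero or several match.
    """
    # Assumed listing shape: {"SearchResult": {"resources": [{"id": ...}, ...]}}
    listing = fetch("/ers/config/internaluser")
    matches = []
    for res in listing["SearchResult"]["resources"]:
        user = fetch(f"/ers/config/internaluser/{res['id']}")["InternalUser"]
        stored = user.get("customAttributes", {}).get(attr, "")
        # Exact, case-insensitive comparison: a substring match on
        # guest-supplied input could bind the guest to the wrong sponsor.
        if stored.strip().lower() == wanted.strip().lower():
            matches.append(user["name"])
    return matches[0] if len(matches) == 1 else None

# Constructed sample responses (not real ISE output).
SAMPLE = {
    "/ers/config/internaluser": {"SearchResult": {"total": 2, "resources": [
        {"id": "id-1", "name": "employee"},
        {"id": "id-2", "name": "contractor"}]}},
    "/ers/config/internaluser/id-1": {"InternalUser": {
        "name": "employee",
        "customAttributes": {"InternalEmail": "employee@demo.local"}}},
    "/ers/config/internaluser/id-2": {"InternalUser": {
        "name": "contractor",
        "customAttributes": {"InternalEmail": "other@demo.local"}}},
}

def sample_fetch(path):
    """Stand-in for an authenticated HTTPS GET against the ERS endpoint."""
    return SAMPLE[path]
```

Each lookup costs one request per internal user, so caching the attribute-to-user map is worth considering on larger deployments.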

6 REPLIES 6
Cisco Employee

Re: Accessing local users via API based on email address

Checking with SME jakunst

Cisco Employee

Re: Accessing local users via API based on email address

Bob, please share the API call.

Likely this is not going to work with a custom attribute, but will check with developers.

Also have you checked using a different email address? Perhaps you can check with a dCloud demo spun up and use its services?

Contributor

Re: Accessing local users via API based on email address

Jason,

The API call is:

https://[REDACTED]/ers/config/internaluser?filter=customAttributes.InternalEmail.CONTAINS.em

(the InternalEmail field is where I put "employee@demo.local" email address)


The issue lies in the fact that the input field of the Internal User email field validates the email, and limits the extensions. Since I need to use a different domain extension, I need to store that information somewhere, and it appears as though customAttributes cannot be used in searches.


Here is the actual user information:


{
    "InternalUser": {
        "id": "5e83a381-d727-4d0d-babe-8e41a2595cf4",
        "name": "employee",
        "enabled": true,
        "email": "employee@demo.com",
        "password": "*******",
        "changePassword": false,
        "identityGroups": "a1740510-8c01-11e6-996c-525400b48521",
        "expiryDateEnabled": false,
        "enablePassword": "*******",
        "customAttributes": {
            "InternalEmail": "emplyee@demo.local"
        },
        "passwordIDStore": "DEMO_AD_DOMAIN",
        "link": {
            "rel": "self",
            "href": "https://[REDACTED]:9060/ers/config/internaluser/5e83a381-d727-4d0d-babe-8e41a2595cf4",
            "type": "application/xml"
        }
    }
}


Any help is appreciated!


Thanks,


Bob


Contributor

Re: Accessing local users via API based on email address

Is there a different call I can use that will give me access to customAttributes as well? Also, is it possible to get all guest user details, including password, for printing?

Thanks!

Cisco Employee

Re: Accessing local users via API based on email address

When you create the account, you should be able to grab this.

Check out the tips here

https://communities.cisco.com/docs/DOC-71891