Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1445
Views
15
Helpful
6
Replies

API delete endpoint from Identity Group without deleting endpoint itself

Go to solution
SamuelFullman6827
Level 1
Level 1

‎07-30-2019 10:29 AM

I've successfully implemented a `delete` method already for endpoints via their unique id.

 

What I want to do is remove a specific MAC address from an identity group, without deleting the MAC itself from ISE.  How do I do this?

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to SamuelFullman6827

‎07-31-2019 11:34 AM

I recommend trying something along these lines:
API_OLD_DEVICE2 = "https://ABCDEFGH:9060/ers/config/endpoint/"+ temp (or your endpoint ID string; all depends on your code)
API_ERS_USER = "ERS_USER","PASSWORD"
API_DATA = {
"ERSEndPoint" : {
"staticGroupAssignment" : "true",
"description" : "test",
"groupId" : "",
}
}

r = requests.put(url=API_OLD_DEVICE2, auth=API_ERS_USER, verify=True, json=API_DATA)
print "**********************"
print "ISE Request", r.reason
print "**********************"
See what happens when leaving groupID with "" instead of specifying a specific group.

View solution in original post

Go to solution
eneskayahan
Level 1
Level 1

‎12-16-2022 04:07 AM

 

Note: To remove an endpoint from an ID group, simply change staticGroupAssignment to false.

I tried this and it worked

Source:

https://community.cisco.com/t5/security-knowledge-base/ise-ers-api-examples/ta-p/3622623#toc-hId--843015986

View solution in original post

6 Replies 6

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎07-30-2019 10:59 AM

You should be able to accomplish this via a PUT call. Are you trying to move the endpoint from identity group to another? Or simply not have it assigned to a group at all and still keep in ISE db?
0 Helpful

Go to solution
SamuelFullman6827
Level 1
Level 1
In response to Mike.Cifelli

‎07-31-2019 10:27 AM

I am wanting to unassign it to THAT group, without regard to changing any other group. Which means, if it's not in any other group then yes it's just in the ISE db as you said. How is a `PUT` with a reference to the identity groupId I _DON'T_ want the endpoint to be in serve to remove the endpoint from that identity group?
0 Helpful

Go to solution
Johannes Luther
Level 4
Level 4

‎07-30-2019 10:39 PM

It's the "Update" operation of the endpoint API (like Mike said it's an HTTP PUT).

Do you know, that the API documentation in the ISE live system is pretty good for this?

https://{FQDN-YOUR-ISE}:9060/ers/sdk

 

For your specific question:

API URL: https://{FQDN-YOUR-ISE}:9060/ers/config/endpoint/{id}

Method: PUT

Content (json):

{
  "ERSEndPoint" : {
    "groupId" : "groupId"
  }
}

 

Go to solution
SamuelFullman6827
Level 1
Level 1
In response to Johannes Luther

‎07-31-2019 10:23 AM

OK, but how is a `PUT` with a reference to the identity groupId I _DON'T_ want the endpoint to be in serve to remove the endpoint from that identity group?
0 Helpful

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni
In response to SamuelFullman6827

‎07-31-2019 11:34 AM

I recommend trying something along these lines:
API_OLD_DEVICE2 = "https://ABCDEFGH:9060/ers/config/endpoint/"+ temp (or your endpoint ID string; all depends on your code)
API_ERS_USER = "ERS_USER","PASSWORD"
API_DATA = {
"ERSEndPoint" : {
"staticGroupAssignment" : "true",
"description" : "test",
"groupId" : "",
}
}

r = requests.put(url=API_OLD_DEVICE2, auth=API_ERS_USER, verify=True, json=API_DATA)
print "**********************"
print "ISE Request", r.reason
print "**********************"
See what happens when leaving groupID with "" instead of specifying a specific group.

Go to solution
eneskayahan
Level 1
Level 1

‎12-16-2022 04:07 AM

 

Note: To remove an endpoint from an ID group, simply change staticGroupAssignment to false.

I tried this and it worked

Source:

https://community.cisco.com/t5/security-knowledge-base/ise-ers-api-examples/ta-p/3622623#toc-hId--843015986

Customers Also Viewed These Support Documents