Best Practices to enable API access to the Cisco ISE.

Folks,
Are there any best practices/suggestions when enabling API access to the Cisco ISE? A few questions that I have:

1. Should the API access be enabled directly for the PAN node, or is there some proxy configuration that we can also use?
i.e. a dedicated node in the cluster which will listen only to APIs? Or can we configure the Secondary Admin node for this?

2. I understand we can create a username/password locally and assign that to the ERS Admin group. However, can we ensure that this username/password has restricted API calls? e.g. do a PUT operation to a single Identity Group, do a CoA operation only.

3. Once APIs are enabled, can we initiate some tests from Postman? I am sure this should be possible.

4. I am going through this API documentation:
https://developer.cisco.com/docs/identity-services-engine/latest/#!endpointgroup
This does mention that we can do the API for this group, but we can add MAC IDs also. Right?

Some of the questions may sound novice, but that is where we are with the APIs.

Regards,
N!!

Accepted Solution

Charlie Moreton
Cisco Employee

1. Should the API access be enabled directly for the PAN node, or is there some proxy configuration that we can also use?
i.e. a dedicated node in the cluster which will listen only to APIs? Or can we configure the Secondary Admin node for this?

From Cisco ISE Release 3.1 onwards, the MnT (Monitoring) APIs, the ERS APIs and the Open APIs are all routed through the API Gateway. The following ports need to be opened between the API gateway node and all other nodes in the deployment for the respective APIs.

MnT APIs: 9443
Open APIs: 9070
ERS APIs: standard HTTPS port 443 (port 9060 can also be used)

2. I understand we can create a username/password locally and assign that to the ERS Admin group. However, can we ensure that this username/password has restricted API calls? e.g. do a PUT operation to a single Identity Group, do a CoA operation only.

The ERS Admin, ERS Operator, and ERS TrustSec RBAC policies all default to Super Admin Data Access. It's all or nothing.

3. Once APIs are enabled, can we initiate some tests from Postman? I am sure this should be possible.

Absolutely! GET requests are the safest.

4. I am going through this API documentation:
https://developer.cisco.com/docs/identity-services-engine/latest/#!endpointgroup
This does mention that we can do the API for this group, but we can add MAC IDs also. Right?

You can use the PUT request to update the Endpoint Identity Group:

PUT https://$ise_address/ers/config/endpointgroup/{id}

Remember to perform a GET request first to get the id of the Endpoint Identity Group you wish to update.

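The GET-then-PUT sequence from the accepted answer, followed by the step that actually puts a MAC into the group, as an added Python example (not code from the thread or from Cisco). It assumes the ERS resource paths and JSON field names from the public ERS reference (/ers/config/endpointgroup for the group, /ers/config/endpoint with groupId and staticGroupAssignment for membership, since the group resource itself carries no MAC list); the hostname, account, password, group name, MAC and the canned responses are all placeholders constructed so the workflow runs offline. Basic auth, the JSON Accept/Content-Type headers and port 9060 are the ERS conventions the answer refers to.

```python
"""Cisco ISE ERS workflow: resolve an Endpoint Identity Group id by name (GET),
update the group (PUT), then add a MAC to it by creating an endpoint (POST).
Added example; paths/field names follow the public ERS reference, everything
else (host, credentials, names, canned responses) is a placeholder."""
import base64
import json
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

ERS_PORT = 9060  # ERS also answers on 443; 9060 is the port the ERS docs use
# transport(method, url, headers, body) -> (http_status, response_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def https_transport(cafile: Optional[str] = None) -> Transport:
    """Real transport. Keep TLS verification on: point `cafile` at the CA that
    signed the ISE admin certificate instead of disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


def recording_transport(responses: Dict[Tuple[str, str], Tuple[int, bytes]],
                        calls: List[dict]) -> Transport:
    """Offline stand-in: canned responses keyed by (method, path); each request
    is appended to `calls` so the sequence can be inspected."""
    def send(method, url, headers, body):
        calls.append({"method": method, "url": url, "headers": dict(headers), "body": body})
        return responses[(method, urllib.parse.urlsplit(url).path)]
    return send


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or bare hex and
    return the upper-case colon form ISE displays; reject anything else."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


class ErsClient:
    def __init__(self, host: str, username: str, password: str,
                 transport: Transport, port: int = ERS_PORT):
        self.base = f"https://{host}:{port}/ers/config"
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Accept": "application/json", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, payload: Optional[dict] = None) -> dict:
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self.transport(method, self.base + path, self.headers, body)
        if status >= 400:  # 401 here usually means bad creds or no ERS admin group
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def find_endpoint_group_id(self, name: str) -> str:
        """GET with an ERS filter; the returned id is what PUT/POST need."""
        query = urllib.parse.urlencode({"filter": f"name.EQ.{name}"})
        found = self._call("GET", f"/endpointgroup?{query}") \
            .get("SearchResult", {}).get("resources", [])
        if len(found) != 1:
            raise LookupError(f"expected one group named {name!r}, found {len(found)}")
        return found[0]["id"]

    def update_endpoint_group(self, group_id: str, name: str, description: str) -> str:
        self._call("PUT", f"/endpointgroup/{group_id}",
                   {"EndPointGroup": {"id": group_id, "name": name, "description": description}})
        return group_id

    def add_mac_to_group(self, mac: str, group_id: str) -> str:
        """Membership lives on the endpoint resource, not on the group."""
        mac = normalize_mac(mac)
        self._call("POST", "/endpoint", {"ERSEndPoint": {
            "mac": mac, "groupId": group_id, "staticGroupAssignment": True}})
        return mac


def demo() -> Tuple[str, str, List[dict]]:
    """Run the three-step workflow against constructed canned responses."""
    calls: List[dict] = []
    gid = "aa0e3e80-1111-2222-3333-444455556666"  # placeholder group id
    canned = {
        ("GET", "/ers/config/endpointgroup"): (200, json.dumps({"SearchResult": {
            "total": 1, "resources": [{"id": gid, "name": "Printers"}]}}).encode()),
        ("PUT", f"/ers/config/endpointgroup/{gid}"): (200, b""),
        ("POST", "/ers/config/endpoint"): (201, b""),
    }
    ise = ErsClient("ise-pan.example.net", "ers-api", "placeholder",
                    recording_transport(canned, calls))
    found = ise.find_endpoint_group_id("Printers")
    ise.update_endpoint_group(found, "Printers", "managed via ERS")
    mac = ise.add_mac_to_group("00-11-22-aa-bb-cc", found)
    return found, mac, calls


if __name__ == "__main__":
    print(demo()[:2])
```

Against a real deployment, swap `recording_transport(...)` for `https_transport(cafile=...)`, with ERS enabled under API Settings and the account in an ERS admin group as the thread describes; a 401 from `_call` is the quickest way to tell those two prerequisites are missing. The lookup refuses to proceed unless exactly one group matches the name, so a typo never silently updates or populates the wrong group.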
4 Replies
Charlie, is there a feature request for more granular, user-level API access? I would like to add my company to that feature request. We have teams I would like to give tight access to specific (read-only in some cases) API resources, but which cross ERS and MnT APIs on v2.7, so they only work with full admin read/write ERS accounts. Having the ability to select an Open API path and the GET/PUT/POST/etc. types allowed (i.e. select read/write levels, basically) would allow me to give them direct controls to run the Postman workspace Runner I designed (with JavaScript to chain it, of course). I cannot now because I would have to give them a full-access ERS Admin level read/write account, which I am not willing to do. If this does not exist as a feature request, how can I (or get my reps to) add a feature request for, say, versions 3.1 and onward, as we hope to upgrade to 3.1 or 3.2 in FY2023.

Hi Charlie, this helps me a ton. The API journey is starting for me, with me still in kindergarten.
I will work on the communities as I have questions.

Thanks a ton.

thomas
Cisco Employee

Watch our past ISE webinars on this topic:
ISE 3.1 APIs, Ansible, and Automation 2021/07/06
ISE REST APIs 2021/04/06
or consider registering for our upcoming webinars @ https://cs.co/ise-webinars where we will cover some of these topics and a lot more.
