
Cisco ISE API's for CoA

Folks, we are trying to search for the correct API's to trigger a CoA with Port Bounce.

Here is what we had:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/api_ref_guide/api_ref_book/ise_api_ref_ch4.html

However, we are having some trouble identifying the API call which corresponds to the CoA port bounce feature available via the web UI.

We use ISE 3.0

Any suggestions?

Regards,

N!

2 Accepted Solutions

Charlie Moreton
Cisco Employee

You can see it at the https://cs.co/ise-api Devnet site, specifically HERE.  Search for Session Disconnect.  Also detailed HERE.  Looks like PORT_BOUNCE was not supported in 2.7.

Coincidentally, Thomas Howard is giving a webinar on ISE APIs on October 4th, and he covers a great deal of information.  Register at https://cs.co/ise-webinars 


davidgfriedman
Level 1

While I made a postman runner for this, including custom javascript, work won't let me share it.  However, I can give you the two generic calls to help your research:

1. Get session info with: 
GET https://{{ISE_SERVER}}/admin/API/mnt/Session/MACAddress/{{MACAddress}}
Replace ISE_SERVER with https://1.2.3.4:9060
Replace MACAddress with the MAC address in colon-separated, upper-case format.

2. Send disconnect with port bounce: 
GET https://{{ISE_SERVER}}/admin/API/mnt/CoA/Disconnect/:MntNode/:MACAddress/1/:Switch/:PSN
replace ISE_SERVER with https://1.2.3.4:9060
replace :Switch with device_ip_address field from step 1
replace :PSN with destination_ip_address field from step 1
replace :MntNode with acs_server field from step 1

Enjoy! 
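The two steps above, as an added Python example that is not David's Postman runner or Cisco's code: it normalizes the MAC into the upper-case colon-separated form the path expects, builds the step 1 session URL, pulls the three fields from a constructed session reply, and assembles the step 2 port-bounce disconnect URL from them. The base URL, the element names' enclosing XML layout and the sample values are assumptions; the three field names and the literal 1 in the disconnect path come from David's post.

```python
import re
import xml.etree.ElementTree as ET

# Assumed admin-node base URL; David's post uses https://1.2.3.4:9060 as its placeholder.
ISE_SERVER = "https://1.2.3.4:9060"

# Disconnect type in David's path: the literal 1 is what his port-bounce call sends.
PORT_BOUNCE = "1"

# Constructed sample of the step 1 reply. The element names are the three fields David's
# step 2 reads; the enclosing layout is an assumption, not captured ISE output.
SAMPLE_SESSION_XML = """<sessionParameters>
  <acs_server>ise-mnt-1</acs_server>
  <calling_station_id>AA:BB:CC:DD:EE:FF</calling_station_id>
  <device_ip_address>10.0.0.5</device_ip_address>
  <destination_ip_address>10.0.0.20</destination_ip_address>
</sessionParameters>"""

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Return the upper-case, colon-separated MAC that the MnT path expects.

    Accepts aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff; anything that does not
    contain exactly twelve hex digits is rejected here rather than sent to ISE.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    assert MAC_RE.match(mac)
    return mac


def session_url(server: str, mac: str) -> str:
    """Step 1: look the active session up by MAC."""
    return f"{server}/admin/API/mnt/Session/MACAddress/{normalize_mac(mac)}"


def parse_session(xml_text: str) -> dict:
    """Pull acs_server, device_ip_address and destination_ip_address out of the step 1 reply.

    A missing or empty field raises instead of producing a malformed CoA path.
    """
    root = ET.fromstring(xml_text)
    fields = {}
    for name in ("acs_server", "device_ip_address", "destination_ip_address"):
        node = root.find(f".//{name}")
        if node is None or not (node.text or "").strip():
            raise KeyError(f"session record lacks {name}")
        fields[name] = node.text.strip()
    return fields


def disconnect_url(server: str, mac: str, session: dict) -> str:
    """Step 2: build the CoA disconnect path (port-bounce type) from the step 1 fields."""
    return (f"{server}/admin/API/mnt/CoA/Disconnect/{session['acs_server']}/"
            f"{normalize_mac(mac)}/{PORT_BOUNCE}/"
            f"{session['device_ip_address']}/{session['destination_ip_address']}")


def plan_port_bounce(server: str, mac: str, session_xml: str) -> dict:
    """Run both steps against an already-fetched session record and return the two URLs."""
    return {
        "session_url": session_url(server, mac),
        "disconnect_url": disconnect_url(server, mac, parse_session(session_xml)),
    }


if __name__ == "__main__":
    for url in plan_port_bounce(ISE_SERVER, "aabb.ccdd.eeff", SAMPLE_SESSION_XML).values():
        print("GET", url)
```

Keeping the URL assembly separate from the HTTP call makes it easy to log exactly which node, MAC and switch a bounce was sent to, which is the record a security team will want when the quarantine workflow later described in this thread is audited.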



Hi David, Thanks a ton.
Again from an API novice standpoint, this Send Disconnect will be a POST call.
Right?


Regards!!

I have edited my post to show they are both GET statements in my postman runner, which I've tested on video for our security team using a wired MAB endpoint, a wired 802.1x endpoint and a wireless 802.1x endpoint. 

What I have not mentioned is the other calls and javascript code in my postman runner, which chain the commands together, and also get + set custom attributes.  The security team can set the "quarantine" custom attribute to one of 2 keywords (then update the endpoint in the runner instantly) so when the port disconnect + re-auth occurs, the 3 types of endpoints tested could be pushed into a blocked state, a state where the security team can scan it from a limited subnet (cidr in DACL), or even re-run without the quarantine custom attribute being set, to go back to normal (ex: cleared if suspected of having a virus or successfully cleaned if it had a virus [or more]).

-David

Hi David,
Our team was going through the below document:
https://developer.cisco.com/docs/identity-services-engine/latest/#!using-change-of-authorization-rest-apis/session-disconnect-api-call

Do you also need GUI access to send the CoA call?

We are confused as the document says GUI access in the "Invoking the Reauth API Call".
I guess this is only to get the URL and nothing else.

So what this is saying is that the login page gives you:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash

then replace "/admin/" with "/admin/API/mnt/CoA/<specific-api-call>/<macaddress>/<reauthtype>":


which will now make the API GET request as :
https://acme123/admin//API/mnt/CoA/<specific-api-call>/<macaddress>/<reauthtype>

or is it: 
https://acme123/admin//API/mnt/CoA/<specific-api-call>/<macaddress>/<reauthtype>/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash?


Thanks for the help.


Regards,

N!

{{baseUrl}}/admin/API/mnt/CoA/Reauth/{{psn_name}}/{{mac}}/{{reauth_type}} is simply the URL to send to ISE to get the response.  You still need your headers:

The full request (using cURL) will look like this:

curl --include --insecure --location \
--header 'Accept: application/json' \
--user {{ise_username}}:{{ise_password}} \
--request GET https://{{baseUrl}}/admin/API/mnt/CoA/Reauth/{{psn_name}}/{{mac}}/{{reauth_type}}

--include = Include protocol response headers in the output

--insecure = Allow insecure connections when using SSL (you don't have to present a certificate to authenticate)

--location = Follow redirects

You can write this all on the same line as shown here: 

curl --include --insecure --location --header 'Accept: application/json' --user {{ise_username}}:{{ise_password}} --request GET https://{{baseUrl}}/admin/API/mnt/CoA/Reauth/{{psn_name}}/{{mac}}/{{reauth_type}}

but the use of the \ when using cURL allows for a line break and makes your API request infinitely more readable.

Once you install cURL into your terminal application, issue the curl --help command to explore all the options. 
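Charlie's cURL request, as an added Python equivalent that is not from the thread or from Cisco: it sends the same GET with the same Accept header and BASIC credentials, but verifies the admin node's TLS certificate instead of passing --insecure, and turns a 401/403 from ISE into a result rather than an exception. The hostname, PSN name, MAC, credentials and the ca_bundle parameter are assumptions; canned_opener is a constructed stand-in so the flow can be run with no ISE node reachable.

```python
import base64
import io
import ssl
import urllib.request
from typing import Optional
from urllib.error import HTTPError

# Assumed values standing in for {{baseUrl}}, {{psn_name}}, {{mac}} and {{reauth_type}}.
REAUTH_URL = "https://ise.example.net/admin/API/mnt/CoA/Reauth/ise-psn-1/AA:BB:CC:DD:EE:FF/0"


def build_request(url: str, username: str, password: str) -> urllib.request.Request:
    """The request cURL sends for --header 'Accept: application/json' --user u:p --request GET."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, method="GET", headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })


def tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the admin node's certificate instead of passing --insecure.

    ca_bundle (assumed parameter) is the PEM file for the CA that signed the ISE admin
    certificate; None uses the operating system's trust store.
    """
    return ssl.create_default_context(cafile=ca_bundle)


def send_coa(url, username, password, ca_bundle=None, opener=None) -> dict:
    """Send the CoA GET and report status and body; the opener hook exists only for offline use."""
    request = build_request(url, username, password)
    if opener is None:
        opener = lambda req: urllib.request.urlopen(req, context=tls_context(ca_bundle))
    try:
        with opener(request) as response:
            status, body = response.status, response.read().decode("utf-8", "replace")
    except HTTPError as err:  # 401/403/404 from ISE arrive here, not as a normal return
        return {"ok": False, "status": err.code, "body": err.read().decode("utf-8", "replace")}
    return {"ok": 200 <= status < 300, "status": status, "body": body}


class _CannedResponse:
    """Constructed stand-in for urllib's response object so the flow runs with no ISE node."""

    def __init__(self, status: int, body: str):
        self.status, self._body = status, body.encode()

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def canned_opener(status: int, body: str):
    """Return an opener that answers every request with the given canned status and body."""
    def _open(request):
        if 200 <= status < 300:
            return _CannedResponse(status, body)
        raise HTTPError(request.full_url, status, "canned", {}, io.BytesIO(body.encode()))
    return _open


if __name__ == "__main__":
    print(send_coa(REAUTH_URL, "admin", "example-password", opener=canned_opener(200, '{"result":"ok"}')))
    print(send_coa(REAUTH_URL, "admin", "wrong-password", opener=canned_opener(401, "unauthorized")))
```

With a real node, leave opener unset and point ca_bundle at the CA that issued the admin certificate; a certificate mismatch then fails the call before any credentials leave the client, which is the check --insecure skips.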

Hi Charlie, this should also work on Postman.
Correct?

I am able to do successful GET calls to "/ers" but not to "/admin".
Any suggestions?


Regards,

N!

My calls used BASIC auth and did not need any initial login, nor, to my knowledge, did it store cookies for sessions.  It just sends BASIC credentials for each request.