
Cisco ISE API - Sponsor portal account creation

Riccardo Atzeni
Level 1

Hello Everyone.
I'm working with ISE's API and I'm facing a strange error creating an account.
Basically, I'm using Python with the requests module to:
- obtain the sponsor portal ID (GET);
- obtain the sponsor ID (GET);
- create the guest user on the sponsor portal (POST);

This is the Java error with HTTP status code 500:

 

 

{
  "ERSResponse" : {
    "operation" : "POST-create-guestuser",
    "messages" : [ {
      "title" : "Creating GuestUser failed due to com.cisco.cpm.guestaccess.exception.GuestAccessSystemException: java.util.concurrent.TimeoutException",
      "type" : "ERROR",
      "code" : "CRUD operation exception"
    } ],
    "link" : {
      "rel" : "related",
      "href" : "https://<IPADDRESS>:<PORT>/ers/config/guestuser",
      "type" : "application/xml"
    }
  }
}

 

 

Anyway, the user is created on the ISE but I cannot be sure because I'm expecting an HTTP status code 201.

Can someone help me, please?


balaji.bandi
Hall of Fame

500(Internal Server Error): Indicates an issue on the server side. Logs on ISE may help understand the cause.

As you mentioned, 200 and 201 are expected for success, and accounts are created.

Check the examples below:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215476-configure-ise-guest-accounts-with-rest-a.html

https://community.cisco.com/t5/security-knowledge-base/ise-guest-sponsor-api-tips-amp-tricks/ta-p/3636773

 

BB


Hello BB,
thanks for answering.
There aren't relevant logs on "Reports" --> "Sponsor Login and Audit", only authentications by the ERS user.
Anyway, the Guest User is created. What is wrong?
This is the payload that I'm using:
payload = {
	"GuestUser": {
		"guestType": "Weekly (default)",
		"personBeingVisited": "internal.usern@compa.ny",
		"portalId": sponsorPortalID,
		"sponsorUserName": usernameERS,
		"sponsorUserId": sponsorID,
		"guestInfo": {
			"enabled": True,
			"firstName": "GuestFirstName",
			"lastName": "GuestLastName",
			"emailAddress": "guest@gue.st",
			"company": "Guest Company",
			"phoneNumber": "+1234567890"
		},
		"guestAccessInfo": {
			"validDays": validDays,
			"location": location,
			"fromDate": fromDate,
			"toDate": toDate
		},
		"customFields": {},
		"link": {}
	}
}

This is the Python script that I made:

#!/usr/bin/env python3

import base64, json, requests, urllib3
from datetime import datetime as dt, timedelta as td
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

ip   = "10.10.10.10"
port = "443"
usernameADM = "********"
passwordADM = "********"
usernameERS = "********"
passwordERS = "********"

authB64ADM = bytes.decode(base64.b64encode(str.encode(f"{usernameADM}:{passwordADM}")))
authB64ERS = bytes.decode(base64.b64encode(str.encode(f"{usernameERS}:{passwordERS}")))

uris = {
	"guestuser": "/ers/config/guestuser",
	"guestuserinfo": "/ers/config/guestuser/versioninfo",
	"sponsorportal": "/ers/config/sponsorportal",
	"sponsor": "/ers/config/internaluser"
}

def httpHeader(auth):
	headers = {
		"Content-Type": "application/json",
		"Accept": "application/json",
		"Authorization": f"Basic {auth}",
		"Cache-Control": "no-cache"
	}
	return headers

def getSponsorPortalId():
	url = f"https://{ip}:{port}{uris['sponsorportal']}"
	headers = httpHeader(authB64ADM)
	r = requests.get(url, headers=headers, verify=False)
	if r.status_code == 200:
		jsonResponse = r.json()
		sponsorPortalId = json.dumps(jsonResponse['SearchResult']['resources'][1]['id'], indent=4).strip('"')
		return sponsorPortalId

def getSponsorId():
	url = f"https://{ip}:{port}{uris['sponsor']}"
	headers = httpHeader(authB64ADM)
	parameters = {
		"size": 100
	}
	r = requests.get(url, headers=headers, params=parameters, verify=False)	
	if r.status_code == 200:
		jsonResponse = r.json()
		for index in jsonResponse['SearchResult']['resources']:
			if usernameERS in index['name']:
				return index['id'].strip('"')

def createGuestUser(numOfDays):
	fromDate  = ( dt.now() ).strftime( "%m/%d/%Y %H:%M" )
	toDate    = ( dt.now() + td( days=numOfDays ) ).strftime( "%m/%d/%Y %H:%M" )
	validDays = numOfDays
	payload = {
		"GuestUser": {
			"guestType": "ERS_GuestType",
			"personBeingVisited": "internal.user@mycompa.ny",
			"reasonForVisit": "Visit",
			"portalId": sponsorPortalID,
			"sponsorUserName": usernameERS,
			"sponsorUserId": sponsorID,
			"guestInfo": {
				"firstName": "Guest",
				"lastName": "Guest",
				"emailAddress": "guest@gue.st",
				"company": "Guest Company",
				"phoneNumber": "+1234567890",
			},
			"guestAccessInfo": {
				"validDays": validDays,
				"location":  "(UTC+01:00)",
				"fromDate":  fromDate,
				"toDate":    toDate
			},
			"customFields": {}
		}
	}
	jsonPayload = json.dumps(payload, indent=4)
	url = f"https://{ip}:{port}{uris['guestuser']}"
	headers = httpHeader(authB64ERS)
	r = requests.post(url, headers=headers, data=jsonPayload, verify=False)
	print(r.status_code)
	print("")
	print(r.text)

sponsorPortalID = getSponsorPortalId()
sponsorID = getSponsorId()
createGuestUser(3)

 

Hello @Riccardo Atzeni, it would appear from the script that you are not using the port used for ERS, which is 9060. Please follow the guidelines below to configure API calls with guest users.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215476-configure-ise-guest-accounts-with-rest-a.html

Let me know if that helped you. 

Hello Rodrigo,

thanks for answering.

Both ports (443 or 9060) should work as expected:
https://developer.cisco.com/docs/identity-services-engine/latest/#!cisco-ise-api-framework/cisco-ise-api-service

"ERS APIs are REST APIs that are based on the HTTPS protocol and operate over the standard HTTPS port 443 (port 9060 can also be used)."

Anyway, even using port 9060 I still have the same error.

The user is created but Java returns a timeout error, so it is something else.

=================================== vvv UPDATE 1 vvv ===================================
I tested the same script on my old infrastructure (ISE 2.4) and everything is working as expected.
On the new one (ISE 3.1), with the same request, I'm still receiving HTTP 500.
=================================== ^^^ UPDATE 1 ^^^ ===================================
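
Added example, not part of the original posts and not Cisco's code: one way for a client to handle the ambiguous HTTP 500 described in this thread is to look the account up by name after the failed POST instead of trusting the status code or retrying blindly. It assumes the payload sets `guestInfo.userName`, that the ERS get-by-name path `/ers/config/guestuser/name/{name}` answers 200 when the guest exists and 404 when it does not, and it uses hypothetical `post`/`get` callables plus a constructed `FakeIse` stand-in so it runs offline.

```python
import json
from urllib.parse import quote, unquote

GUEST_URI = "/ers/config/guestuser"  # same path as in the thread's script

def create_guest_checked(post, get, base_url, payload):
    """POST the guest; on HTTP 500, look the account up before deciding to retry.

    post(url, body) and get(url) are hypothetical caller-supplied callables
    returning (status_code, text), e.g. thin wrappers around requests.
    """
    # Assumption: the caller sets guestInfo.userName so the account can be found by name.
    name = payload["GuestUser"]["guestInfo"]["userName"]
    status, _ = post(f"{base_url}{GUEST_URI}", json.dumps(payload))
    if status == 201:
        return "created"
    if status != 500:
        return f"failed:{status}"
    # A 500 is ambiguous: the thread reports the account existing anyway.
    # Assumption: get-by-name answers 200 when present and 404 when absent.
    lookup, _ = get(f"{base_url}{GUEST_URI}/name/{quote(name, safe='')}")
    if lookup == 200:
        return "created-despite-500"
    if lookup == 404:
        return "not-created"
    return f"unknown:{lookup}"

class FakeIse:
    """Constructed stand-in that always answers POST with 500, as in the thread."""
    def __init__(self, commits_before_timeout):
        self.users = set()
        self.commits_before_timeout = commits_before_timeout

    def post(self, url, body):
        if self.commits_before_timeout:
            self.users.add(json.loads(body)["GuestUser"]["guestInfo"]["userName"])
        return 500, '{"ERSResponse": {"messages": [{"type": "ERROR"}]}}'

    def get(self, url):
        name = unquote(url.rsplit("/", 1)[-1])
        return (200, "{}") if name in self.users else (404, "{}")

# Constructed sample payload, reduced to the field the check depends on.
SAMPLE = {"GuestUser": {"guestInfo": {"userName": "guest.demo01"}}}

if __name__ == "__main__":
    for commits in (True, False):
        ise = FakeIse(commits)
        print(commits, create_guest_checked(ise.post, ise.get, "https://ise.example:9060", SAMPLE))
```

Only the `not-created` result is safe to retry; `created-despite-500` should be logged as a success so the same guest is not provisioned twice.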