
Cisco ISE Endpoint API Create with Authorization Policy

Hello!

 

I am trying to automate the importing of devices into ISE. The current workflow is to make a CSV with 3 fields from the Context Visibility => Endpoints => Import from file.

 

The 3 fields are 

MAC Address | Endpoint_Policy | Identity_Group

 

I can use the following payload, but cannot find a parameter to set the Authorization Policy. Is this something that is in the API?

 

{
    "ERSEndPoint" : {
        "mac" : "01:01:01:01:01:01",
        "groupId" : "111111-111111-1111-1111-11111111",
        "staticGroupAssignment" : true
    }
}
 
We are on ISE 2.4 at the moment.
 
Thank you!
1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee

Brandon, 

We cover this specific topic using 2 different methods: 1) static endpoint group and 2) custom attributes.

See ISE ERS API Examples:

Your Authorization Policy is totally separate from the endpoint profile and looks like this:

IdentityGroup-Name EQUALS Endpoint Identity Groups:MyGroupName

See Static Endpoint Group(s) for the details.

Also, tune into our ISE Webinar in April when I will discuss and demo ISE REST APIs!
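
Method 1 from the answer above (static endpoint group), as an added example that is not code from this thread or from Cisco: it turns the three-column import file into `ERSEndPoint` create payloads and rejects rows that would land outside the group the authorization rule matches on. The CSV rows and the name-to-id map `GROUP_IDS` are constructed assumptions, and the `Endpoint_Policy` column is deliberately not mapped.

```python
import csv
import io
import json
import re

# Constructed sample of the three-column import file from the question.
SAMPLE_CSV = """MAC Address,Endpoint_Policy,Identity_Group
01-01-01-AA-bb-01,Unknown,MyGroupName
0101.01aa.bb02,Unknown,MyGroupName
not-a-mac,Unknown,MyGroupName
01:01:01:AA:BB:03,Unknown,GroupNotInISE
"""
# Assumed name -> id map (constructed); the id is the placeholder from the question.
GROUP_IDS = {"MyGroupName": "111111-111111-1111-1111-11111111"}


def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is malformed."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", raw):
        return None
    digits = re.sub(r"[:.\-]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_payloads(csv_text, group_ids):
    """Return (payloads, rejected) for the ERS endpoint create call."""
    payloads, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["MAC Address"])
        group_id = group_ids.get(row["Identity_Group"])
        if mac is None or group_id is None:
            # Skip: without the intended group the authorization rule would not match.
            reason = "bad MAC" if mac is None else "unknown group"
            rejected.append((row["MAC Address"], reason))
            continue
        payloads.append({"ERSEndPoint": {
            "mac": mac, "groupId": group_id, "staticGroupAssignment": True}})
    return payloads, rejected


if __name__ == "__main__":
    ok, bad = build_payloads(SAMPLE_CSV, GROUP_IDS)
    for body in ok:
        print(json.dumps(body))
    for mac, reason in bad:
        print("skipped:", mac, reason)
```

Each printed body is what would be sent to the endpoint create call; the rejected list is worth logging, since those devices will not hit the `IdentityGroup-Name` rule.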


3 Replies

Mike.Cifelli
VIP Alumni

AFAIK that is not supported.  I would suggest taking a peek at the SDK via:  https://<pan ip>:9060/ers/sdk#

There you can find examples and supported payload syntax/content.  This is pulled directly from the SDK (ISE 2.7p3) for the creation of endpoints:

JSON
{
  "ERSEndPoint": {
    "name": "name",
    "description": "description",
    "mac": "00:01:02:03:04:05",
    "profileId": "profileId",
    "staticProfileAssignment": false,
    "groupId": "groupId",
    "staticGroupAssignment": true,
    "portalUser": "portalUser",
    "identityStore": "identityStore",
    "identityStoreId": "identityStoreId",
    "customAttributes": {
      "customAttributes": {
        "key1": "value1",
        "key2": "value2"
      }
    }
  }
}

Hi Mike,

 

Thanks, that looks similar to the API Create call for ise/ers/config/endpoint.

 

{
  "ERSEndPoint" : {
    "id" : "id",
    "name" : "name",
    "description" : "description",
    "mac" : "00:01:02:03:04:05",
    "profileId" : "profileId",
    "staticProfileAssignment" : false,
    "groupId" : "groupId",
    "staticGroupAssignment" : true,
    "portalUser" : "portalUser",
    "identityStore" : "identityStore",
    "identityStoreId" : "identityStoreId",
    "customAttributes" : {
      "customAttributes" : {
        "key1" : "value1",
        "key2" : "value2"
      }
    },
    "mdmAttributes" : {
      "mdmServerName" : "MdmServerName",
      "mdmReachable" : true,
      "mdmEnrolled" : false,
      "mdmComplianceStatus" : false,
      "mdmOS" : "iOS",
      "mdmManufacturer" : "Apple Inc.",
      "mdmModel" : "iPad",
      "mdmSerial" : "10000000001",
      "mdmEncrypted" : false,
      "mdmPinlock" : false,
      "mdmJailBroken" : false,
      "mdmIMEI" : "IMEI",
      "mdmPhoneNumber" : "Phone Number"
    }
  }
}

Still doesn't look like a way to apply an Authorization Policy programmatically. 
