03-05-2021 09:26 AM
Hello!
I am trying to automate the importing of devices into ISE. The current workflow is make a csv with 3 fields from the Context Visibility => Endpoints => Import from file.
The 3 fields are
MAC Address | Endpoint_Policy | Identity_Group
I can use the following payload, but cannot find a parameter to set the Authorization Policy. Is this something that is in the API?
Solved! Go to Solution.
03-13-2021 06:59 PM - edited 03-13-2021 06:59 PM
Brandon,
We cover this specific topic using 2 different methods : 1) static endpoint group and 2) custom attributes.
See ISE ERS API Examples :
Your Authorization Policy is totally separate from the endpoint profile and looks like this:
IdentityGroup-Name EQUALS Endpoint Identity Groups:MyGroupName
See Static Endpoint Group(s) for the details.
Also, tune into our ISE Webinar in April when I will discuss and demo ISE REST APIs !
03-05-2021 12:00 PM
AFAIK that is not supported. I would suggest taking a peek at the SDK via: https://<pan ip>:9060/ers/sdk#
There you can find examples and supported payload syntax/content. This is pulled directly from the SDK (ISE 2.7p3) for the creation of endpoints:
JSON { "ERSEndPoint": { "name": "name", "description": "description", "mac": "00:01:02:03:04:05", "profileId": "profileId", "staticProfileAssignment": false, "groupId": "groupId", "staticGroupAssignment": true, "portalUser": "portalUser", "identityStore": "identityStore", "identityStoreId": "identityStoreId", "customAttributes": { "customAttributes": { "key1": "value1", "key2": "value2" } }
03-05-2021 01:50 PM
Hi Mike,
Thanks, that looks similar to the API Create call for ise/ers/config/endpoint.
{ "ERSEndPoint" : { "id" : "id", "name" : "name", "description" : "description", "mac" : "00:01:02:03:04:05", "profileId" : "profileId", "staticProfileAssignment" : false, "groupId" : "groupId", "staticGroupAssignment" : true, "portalUser" : "portalUser", "identityStore" : "identityStore", "identityStoreId" : "identityStoreId", "customAttributes" : { "customAttributes" : { "key1" : "value1", "key2" : "value2" } }, "mdmAttributes" : { "mdmServerName" : "MdmServerName", "mdmReachable" : true, "mdmEnrolled" : false, "mdmComplianceStatus" : false, "mdmOS" : "iOS", "mdmManufacturer" : "Apple Inc.", "mdmModel" : "iPad", "mdmSerial" : "10000000001", "mdmEncrypted" : false, "mdmPinlock" : false, "mdmJailBroken" : false, "mdmIMEI" : "IMEI", "mdmPhoneNumber" : "Phone Number" } } }
Still doesn't look like a way to apply an Authorization Policy programmatically.
03-13-2021 06:59 PM - edited 03-13-2021 06:59 PM
Brandon,
We cover this specific topic using 2 different methods : 1) static endpoint group and 2) custom attributes.
See ISE ERS API Examples :
Your Authorization Policy is totally separate from the endpoint profile and looks like this:
IdentityGroup-Name EQUALS Endpoint Identity Groups:MyGroupName
See Static Endpoint Group(s) for the details.
Also, tune into our ISE Webinar in April when I will discuss and demo ISE REST APIs !
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide