
ERROR MESSAGE WHEN CREATING GUEST USER USING GUEST API

ajc
Level 7

I am trying the instructions at the following link for: Create the Guest user using the guest API query.

https://community.cisco.com/t5/security-documents/ise-guest-sponsor-api-tips-amp-tricks/ta-p/3636773

But I got the following error. Does anyone have a suggestion? Thanks in advance.

 

[Screenshot: ERROR API.png]

Accepted Solution

hslai
Cisco Employee

Please check and ensure that the user invoking the ISE Guest ERS API is a valid sponsor user and that the sponsor user is a member of an ISE Sponsor User group entitled to use the ISE Guest ERS API.

Requisites to Create an ISE Guest User via ISE ERS API

To create a guest user via the ISE Guest ERS API, we need:

  • A valid ISE Sponsor Portal ID
  • A valid ISE Sponsor user
    • an active ISE internal or external user with valid username and password
    • belonging to an ISE Sponsor group that can access ISE Guest ERS API
  • A valid ISE Guest Type name
  • (Optional) A valid location name -- created under ISE Admin web UI > Work Centers > Guest Access > Settings > Guest Locations and SSIDs > Guest Locations

 

Details with Examples

GET Sponsor Portal ID (via ERS)

## Auth: ERS-Admin User credentials
## The value of the ID attribute is used as that for portalId to create an ISE guest user.

curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorportal'

 

Permit Sponsor Group Access to ERS API

### [ The option at ISE Admin Web UI ]
[ ] Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)
### To enable it via ERS, first we get the ISE Sponsor Group ID
## Auth: ERS-Admin User credentials

curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorgroup'


### Once we have ISE Sponsor Group ID and if this sponsor group has no API access yet, we may enable it via ISE ERS API
## Auth: ERS-Admin User credentials
## id for SponsorGroup obtained from the output of the previous request.

curl -X PUT -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorgroup/9f1eca71-8c01-11e6-996c-525400b48521' \
--data '{
  "SponsorGroup" : {
    "id" : "9f1eca71-8c01-11e6-996c-525400b48521",
    "otherPermissions" : {
      "canAccessViaRest" : true
    }
  }
}'

 

Get Internal User Group ALL_ACCOUNTS ID

In case we need to create an ISE internal user to act as the sponsor user with access to ISE Guest ERS API
## Auth: ERS-Admin User credentials
## NB: This ISE internal user group ID differs from that of the sponsor group ID
## Below shows how to get the info on the ISE internal group whose name starts with ALL_ACCOUNTS

curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/identitygroup?filter=name.STARTSW.ALL_ACCOUNTS'

 

Create an Internal User with a group membership of ‘ALL_ACCOUNTS (default)’

## a176c430-8c01-11e6-996c-525400b48521 below obtained from the output of the previous request

curl -X POST -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/internaluser' \
--data '{ "InternalUser" : { "name" : "mySponsor", "enabled" : true, "password" : "mySponsorPass", "changePassword" : false, "identityGroups" : "a176c430-8c01-11e6-996c-525400b48521", "expiryDateEnabled" : false, "customAttributes" : { }, "passwordIDStore" : "Internal Users" } }'

 

Create a Guest User

## NB: CSCvi42404 validDays does not match span of fromDate to toDate for ERS created guests
## Auth: ISE Sponsor User credentials with a sponsor group membership that allows use of the REST (aka ERS) API

curl -X POST -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://mySponsor:mySponsorPass@myISE24FCS:9060/ers/config/guestuser' \
--data '{ "GuestUser" : { "guestType" : "Weekly (default)", "guestInfo" : { "userName" : "testGST01", "firstName" : "John", "lastName" : "Smith", "password" : "9048" }, "guestAccessInfo" : { "validDays" : 6, "fromDate" : "04/14/2019 16:49", "toDate" : "04/19/2019 23:59", "location" : "UTC" }, "portalId" : "40963c00-2e02-11e8-ba71-005056872c7f" } }'
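
A variant of the last two steps above, added here as an illustration and not part of hslai's post or Cisco's code: it checks the `canAccessViaRest` flag, derives `validDays` from the date window, sends the sponsor credentials in an `Authorization` header instead of the URL, and keeps certificate verification on where the curl commands use `-k`. The function names, the sample group document and the round-up rule for `validDays` are assumptions.

```python
import base64
import json
import math
import ssl
import urllib.request
from datetime import datetime

ISE_DATE = "%m/%d/%Y %H:%M"  # format of fromDate/toDate in the post
# Constructed sample; assumes a sponsor group GET mirrors the PUT body above.
SAMPLE_GROUP = ('{"SponsorGroup": {"id": "9f1eca71-8c01-11e6-996c-525400b48521",'
                ' "otherPermissions": {"canAccessViaRest": false}}}')


def sponsor_group_allows_rest(sponsor_group_json):
    """True only when otherPermissions.canAccessViaRest is JSON true."""
    group = json.loads(sponsor_group_json).get("SponsorGroup", {})
    return group.get("otherPermissions", {}).get("canAccessViaRest") is True


def build_guest_request(host, sponsor, password, portal_id, guest_type,
                        guest_info, from_date, to_date, location):
    """Build, without sending, the POST to /ers/config/guestuser."""
    start = datetime.strptime(from_date, ISE_DATE)
    end = datetime.strptime(to_date, ISE_DATE)
    if end <= start:
        raise ValueError("toDate must be later than fromDate")
    # Assumption: validDays is the window rounded up to whole days.
    valid_days = math.ceil((end - start).total_seconds() / 86400)
    body = {"GuestUser": {
        "guestType": guest_type,
        "guestInfo": guest_info,
        "guestAccessInfo": {"validDays": valid_days, "fromDate": from_date,
                            "toDate": to_date, "location": location},
        "portalId": portal_id}}
    # Basic auth goes in a header so the password never appears in the URL.
    token = base64.b64encode(f"{sponsor}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{host}:9060/ers/config/guestuser",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"})


def send(request, ca_file=None):
    """Send with certificate verification on (the opposite of curl -k)."""
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context) as response:
        return response.status
```

With the dates from the post's example the derived `validDays` is 6, the value used there; pass `ca_file` to `send` when the ISE node's certificate is issued by a private CA.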

 

 


Hi Hslai,

 

I am using Postman and just copying the curl commands and data into the body worked. However, I still have one question:

 

Are the data/guides/instructions of MY https://PRIMARY_PAN_ISE.DOMAIN:9060/ers/sdk# , running ISE 2.4 patch 5, still valid/updated? I will give it a try and post a comment before closing this post as "ANSWERED".

 

Thanks

hslai
Cisco Employee

The on-box SDK guide is our main source of documentation on the ISE ERS API. Please let us know if you find an error or have any suggestions for improvement.