04-11-2019 11:33 AM
I am trying the instructions from the following link to create the guest user using the guest API query.
https://community.cisco.com/t5/security-documents/ise-guest-sponsor-api-tips-amp-tricks/ta-p/3636773
But I got the following error. Does anyone have a suggestion? Thanks in advance.
04-14-2019 10:47 AM
Please check and ensure that the user invoking the ISE Guest ERS API is a valid sponsor user and that the sponsor user is a member of an ISE Sponsor User group entitled to use the ISE Guest ERS API.
To create a guest user via the ISE Guest ERS API, we need:
## Auth: ERS-Admin User credentials
## The value of the ID attribute is used as that for portalId to create an ISE guest user.
curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorportal'
### [ The option at ISE Admin Web UI ]
[ ] Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)
### To enable it via ERS, first we get the ISE Sponsor Group ID
## Auth: ERS-Admin User credentials
curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorgroup'
### Once we have ISE Sponsor Group ID and if this sponsor group has no API access yet, we may enable it via ISE ERS API
## Auth: ERS-Admin User credentials
## id for SponsorGroup obtained from the output of the previous request.
curl -X PUT -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/sponsorgroup/9f1eca71-8c01-11e6-996c-525400b48521' \
--data '{ "SponsorGroup" : { "id" : "9f1eca71-8c01-11e6-996c-525400b48521", "otherPermissions" : { "canAccessViaRest" : true } } }'
In case we need to create an ISE internal user to act as the sponsor user with access to ISE Guest ERS API
## Auth: ERS-Admin User credentials
## NB: This ISE internal user group ID differs from that of the sponsor group ID
## The request below gets the info on the ISE internal group whose name starts with ALL_ACCOUNTS
curl -X GET -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/identitygroup?filter=name.STARTSW.ALL_ACCOUNTS'
## a176c430-8c01-11e6-996c-525400b48521 below obtained from the output of the previous request
curl -X POST -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://myErsAdmin:myErsAdminPass@myISE24FCS:9060/ers/config/internaluser' \
--data '{ "InternalUser" : { "name" : "mySponsor", "enabled" : true, "password" : "mySponsorPass", "changePassword" : false, "identityGroups" : "a176c430-8c01-11e6-996c-525400b48521", "expiryDateEnabled" : false, "customAttributes" : { }, "passwordIDStore" : "Internal Users" } }'
## NB: CSCvi42404 validDays does not match span of fromDate to toDate for ERS created guests
## Auth: ISE Sponsor User credentials with a sponsor group membership that allows use of the REST (aka ERS) API
curl -X POST -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i \
'https://mySponsor:mySponsorPass@myISE24FCS:9060/ers/config/guestuser' \
--data '{ "GuestUser" : { "guestType" : "Weekly (default)", "guestInfo" : { "userName" : "testGST01", "firstName" : "John", "lastName" : "Smith", "password" : "9048" }, "guestAccessInfo" : { "validDays" : 6, "fromDate" : "04/14/2019 16:49", "toDate" : "04/19/2019 23:59", "location" : "UTC" }, "portalId" : "40963c00-2e02-11e8-ba71-005056872c7f" } }'
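An added example, not part of the original reply or of Cisco's documentation: the same guest-creation request built in Python, with the sponsor credentials carried in an Authorization header instead of the URL and a pre-check of the sponsor group's `canAccessViaRest` flag. The function names are hypothetical; it assumes a sponsor group read back over ERS has the same shape as the PUT body above, and that `validDays` should be the `fromDate` to `toDate` span rounded up to whole days (which gives the sample's value of 6).

```python
import base64
import json
import math
import urllib.request
from datetime import datetime

ERS_DATE = "%m/%d/%Y %H:%M"  # date format used in the guest payload above


def sponsor_group_allows_rest(group_doc: dict) -> bool:
    """True only if the sponsor group explicitly has canAccessViaRest set.

    Assumes a GET on one sponsor group returns the same shape as the PUT
    body in the post: {"SponsorGroup": {"otherPermissions": {...}}}.
    """
    perms = group_doc.get("SponsorGroup", {}).get("otherPermissions", {})
    return perms.get("canAccessViaRest") is True


def build_guest_request(host, sponsor, password, portal_id, guest, from_dt, to_dt):
    """Build (but do not send) the POST /ers/config/guestuser request."""
    if to_dt <= from_dt:
        raise ValueError("toDate must be after fromDate")
    # Assumption: validDays is the fromDate..toDate span rounded up to whole days
    valid_days = math.ceil((to_dt - from_dt).total_seconds() / 86400)
    body = {"GuestUser": {
        "guestType": "Weekly (default)",
        "guestInfo": guest,
        "guestAccessInfo": {
            "validDays": valid_days,
            "fromDate": from_dt.strftime(ERS_DATE),
            "toDate": to_dt.strftime(ERS_DATE),
            "location": "UTC",
        },
        "portalId": portal_id,
    }}
    token = base64.b64encode(f"{sponsor}:{password}".encode()).decode()
    # Credentials go in the Authorization header, not in the URL; urlopen()
    # verifies the server certificate by default (no equivalent of curl -k).
    return urllib.request.Request(
        f"https://{host}:9060/ers/config/guestuser",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {token}"},
    )
```

Pass the returned request to `urllib.request.urlopen()` to send it, after `sponsor_group_allows_rest()` has confirmed the sponsor's group is entitled to use the API.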
04-18-2019 11:51 AM
Hi Hslai,
I am using Postman and just copying the curl commands and data into the body worked. However, I still have one question:
Are the data/guides/instructions at my https://PRIMARY_PAN_ISE.DOMAIN:9060/ers/sdk# , running ISE 2.4 patch 5, still valid/updated? I will give it a try and post a comment before closing this post as "ANSWERED".
Thanks
04-19-2019 06:51 AM
The on-box SDK guide is our main source of documentation on ISE ERS API. Please let us know if you find an error or any suggestion for improvements.