How does ISE REST API encrypt data to and from the ISE server?

Tim Baum
Cisco Employee

I've read that ISE REST API uses TLS (https) over port 9060 with basic authentication. Is there any additional encryption being done for the username and/or password other than sending the data through the TLS tunnel? e.g. password encrypted with public key of ISE server or some hash?

Thanks

Accepted Solution

Charlie Moreton
Cisco Employee

The External RESTful Services APIs are based on the HTTPS protocol and REST methodology and use port 9060.

The External RESTful Services APIs support basic authentication. The authentication credentials are encrypted and are part of the request header.

The ISE administrator must assign special privileges to a user to perform operations using the External RESTful Services APIs.

To perform operations using the External RESTful Services APIs (except for the Guest API), the users must be assigned to one of the following Admin Groups and must be authenticated against the credentials stored in the Cisco ISE internal database (internal admin users):

  • External RESTful Services Admin—Full access to all ERS APIs (GET, POST, DELETE, PUT). This user can Create, Read, Update, and Delete ERS API requests.
  • External RESTful Services Operator—Read Only access (GET request only).

If you do not have the required permissions and still try to perform operations using the External RESTful Services APIs, you will receive an error response.

According to the Cisco Identity Services Engine API Reference Guide, Release 2.x, the authentication credentials ARE encrypted and not just sent through the tunnel.


3 Replies

gbekmezi-DD
Level 5

No. It’s no different than logging into your bank’s web site.

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

Tim Baum
Cisco Employee

I read that as well. It says they are encrypted but does not give details on HOW it is encrypted. That is a big deal for customers with IA audits. They need to know if it's a one-way hash, uses a shared encryption key, uses the server's public asymmetrical key or is just passed inside an encrypted TLS connection, i.e. not encrypted. I could not find any docs internally that clarify those details. And someone else is now saying it is not encrypted.

Thanks
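As an added example (not from any post in this thread), this is how the HTTP Basic `Authorization` header that the ERS API consumes is formed under RFC 7617, together with a helper that refuses to attach it to anything but an HTTPS URL on port 9060; the hostname, username and password are constructed placeholders.

```python
import base64
from typing import Dict, Tuple
from urllib.parse import urlsplit

ERS_PORT = 9060  # ERS listens on this port, as stated in the thread


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic 'Authorization' value (RFC 7617).

    The value is base64("user:password"). Base64 is an encoding, not
    encryption or a hash, so confidentiality of the credentials rests
    entirely on the TLS session that carries the request.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth_header(value: str) -> Tuple[str, str]:
    """Recover user and password from a Basic header.

    Anything that can read the header in clear (request logs, a TLS
    terminating proxy, a debug capture) recovers the password this way,
    which is why such logs need the same protection as the password.
    """
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def ers_request_headers(url: str, username: str, password: str) -> Dict[str, str]:
    """Headers for an ERS call; credentials are attached only when the
    URL is HTTPS on the ERS port, so the header is never sent in clear."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-TLS URL")
    if parts.port != ERS_PORT:
        raise ValueError(f"ERS is served on port {ERS_PORT}, got {parts.port}")
    return {
        "Accept": "application/json",
        "Authorization": basic_auth_header(username, password),
    }


if __name__ == "__main__":
    # Constructed placeholder host and credentials; no request is sent.
    hdrs = ers_request_headers("https://ise.example.com:9060/ers/config/endpoint",
                               "ers-user", "ers-pass")
    print(hdrs["Authorization"])
    print(decode_basic_auth_header(hdrs["Authorization"]))
```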
