
ISE 3.0 rest (ropc)

Martin Sopotnik
Level 1

Hello,

 

Has anyone done any testing with ISE 3.0 external ID source via Rest (ROPC)? I have it set up in testing with 2 Azure tenants. I have no problems authenticating with my testing tenant without much custom configuration, but when I set it up with our production tenant I cannot receive groups from Azure.

Might be interesting for the devs to look into before it becomes a feature on a golden version.

 

ISE log trace:

11:10:23.551 [http-nio-9601-exec-10] DEBUG c.c.i.r.u.HttpClientWrapper - Start building http client
11:10:23.552 [http-nio-9601-exec-10] DEBUG c.c.i.r.u.HttpClientWrapper - No proxy found, continue without proxy
11:10:23.556 [http-nio-9601-exec-10] DEBUG c.c.i.r.e.c.CertificateCache - Created SSLContext with TLSv1.2 algorithm
11:10:23.556 [http-nio-9601-exec-10] DEBUG c.c.i.r.e.c.CertificateCache - SSLContext initialized with trust managers
11:10:23.859 [http-nio-9601-exec-10] DEBUG c.c.i.r.u.HttpClientWrapper - Start building http client
11:10:23.859 [http-nio-9601-exec-10] DEBUG c.c.i.r.u.HttpClientWrapper - No proxy found, continue without proxy
11:10:23.860 [http-nio-9601-exec-10] DEBUG c.c.i.r.e.c.CertificateCache - Created SSLContext with TLSv1.2 algorithm
11:10:23.860 [http-nio-9601-exec-10] DEBUG c.c.i.r.e.c.CertificateCache - SSLContext initialized with trust managers
11:10:24.172 [http-nio-9601-exec-10] ERROR c.c.i.r.p.a.AzureIdentityProviderFacade - Couldn't fetch application groups, REST error
java.net.SocketException: Socket is closed
        at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1524)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:95)
        at org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137)
        at org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153)
        at org.apache.http.impl.io.SessionInputBufferImpl.read(SessionInputBufferImpl.java:206)
        at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:176)
        at org.apache.http.conn.EofSensorInputStream.read(EofSensorInputStream.java:135)
        at java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:238)
        at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
        at java.util.zip.GZIPInputStream.read(GZIPInputStream.java:117)
        at org.apache.http.client.entity.LazyDecompressingInputStream.read(LazyDecompressingInputStream.java:70)
        at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:284)
        at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:326)
        at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:178)
        at java.io.InputStreamReader.read(InputStreamReader.java:184)
        at java.io.Reader.read(Reader.java:140)
        at org.apache.http.util.EntityUtils.toString(EntityUtils.java:227)
        at org.apache.http.util.EntityUtils.toString(EntityUtils.java:270)
        at org.apache.http.util.EntityUtils.toString(EntityUtils.java:290)
        at com.cisco.ise.ropc.utilities.RestUtility.get(RestUtility.java:80)
        at com.cisco.ise.ropc.providers.azure.AzureIdentityProviderFacade.getGroups(AzureIdentityProviderFacade.java:220)
        at com.cisco.ise.ropc.providers.azure.AzureIdentityProviderFacade.fetchApplicationGroups(AzureIdentityProviderFacade.java:161)
        at com.cisco.ise.ropc.controllers.RopcController.getGroups(RopcController.java:110)
        at sun.reflect.GeneratedMethodAccessor53.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:189)
        at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:138)
        at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:102)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895)
        at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:800)
        at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1038)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:942)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1005)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:897)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:882)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:112)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:115)
        at org.springframework.boot.web.support.ErrorPageFilter.access$000(ErrorPageFilter.java:59)
        at org.springframework.boot.web.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:90)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.boot.web.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:108)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
11:10:24.179 [http-nio-9601-exec-10] ERROR c.c.i.r.u.JsonUtility - Cannot parse null as json
11:10:24.180 [http-nio-9601-exec-10] ERROR c.c.i.r.u.JsonUtility - Cannot verify keys for a null json

 

 

 


thomas
Cisco Employee

I suspect the problem is that you need to import the new DigiCert Global Root G2 cert.

You cannot retrieve the groups without it in my experience. 

I call this out in our What's New in ISE 3.0 Webinar @ 14:06

Microsoft updated their Graph API service cert just before ISE 3.0 FCS and we couldn't get this new cert into the ISE build in time.

 


Martin Sopotnik
Level 1

Thomas, thank you for your reply. I can confirm that is an issue when you first deploy the system, but I did import it and, as stated before, managed to have a working connection with an Azure tenant I use for testing (more or less default deployment). This issue happened when I connected ISE to our production Azure with quite a lot of customizations.

Since I opened this topic I was also in contact with the Azure team and they couldn't figure out what could be missing.
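
Added example (not part of the original posts and not Cisco code): a triage of the trace format posted above that extracts each ERROR event, its exception and the first `com.cisco.ise.` frame, and separates a certificate-trust failure from a dropped connection. The sample log is constructed from lines in the thread, and the classification rule is an assumption based on standard Java TLS exception names, not on ISE internals.

```python
import re

# Constructed sample: a shortened copy of the trace format shown in the thread.
SAMPLE = """\
11:10:23.556 [http-nio-9601-exec-10] DEBUG c.c.i.r.e.c.CertificateCache - SSLContext initialized with trust managers
11:10:24.172 [http-nio-9601-exec-10] ERROR c.c.i.r.p.a.AzureIdentityProviderFacade - Couldn't fetch application groups, REST error
java.net.SocketException: Socket is closed
        at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1524)
        at org.apache.http.util.EntityUtils.toString(EntityUtils.java:290)
        at com.cisco.ise.ropc.utilities.RestUtility.get(RestUtility.java:80)
        at com.cisco.ise.ropc.providers.azure.AzureIdentityProviderFacade.getGroups(AzureIdentityProviderFacade.java:220)
11:10:24.179 [http-nio-9601-exec-10] ERROR c.c.i.r.u.JsonUtility - Cannot parse null as json
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) \[([^\]]+)\] (\w+)\s+(\S+) - (.*)$")
EXC = re.compile(r"^([\w.$]+(?:Exception|Error))(?::\s*(.*))?$")
FRAME = re.compile(r"^\s+at ([\w.$<>]+)\(")

def classify(exc, detail):
    """Assumed triage rule, based on standard Java exception names."""
    if exc.endswith("SSLHandshakeException") or "PKIX path" in detail:
        return "tls-trust"          # server chain rejected: check imported root certs
    if exc.endswith(("SocketException", "SSLException", "EOFException")):
        return "connection-closed"  # connection dropped during I/O
    return "other"

def triage(text, app_prefix="com.cisco.ise."):
    """Return one dict per ERROR line, enriched from the stack trace that follows it."""
    events, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            cur = None  # a new log line ends any previous stack trace
            if m.group(3) == "ERROR":
                cur = {"time": m.group(1), "thread": m.group(2), "logger": m.group(4),
                       "message": m.group(5), "exception": None, "app_frame": None, "kind": None}
                events.append(cur)
            continue
        if cur is None:
            continue
        e, f = EXC.match(raw.strip()), FRAME.match(raw)
        if e and cur["exception"] is None:
            cur["exception"] = e.group(1)
            cur["kind"] = classify(e.group(1), e.group(2) or "")
        elif f and cur["app_frame"] is None and f.group(1).startswith(app_prefix):
            cur["app_frame"] = f.group(1)  # first frame inside the application's own code
    return events
```
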