Josh Morris
Participant

ISE API call to add user groups to Active Directory?

I am trying to write a script that will search AD for group membership then add that group as a usable group in ISE so I can put it into policy. I am following these logical steps so far:

1) Get ID of domain (https://{{URL}}/ers/config/activedirectory)

2) Get SID of vendor group based on search (https://{{URL}}/ers/config/activedirectory/{id}/getGroupsByDomain) with the OU name in the body

3) Search current applied user groups to see if group exists

4) ???

 

The only call I can see in the API is to use the 'addGroups' call, but I'm having issues adding a new group with the name/SID. Any suggestions on this?

1 ACCEPTED SOLUTION

Accepted Solutions
Josh Morris
Participant

I think I got it figured out. You can use the addGroups call in the following manner without all the additional values. I do get a 204 response here instead of 200, but the group shows up in ISE and can be used in policy. 

 

# addGroups request; {id} is the ID of the AD join point from step 1
curl --request PUT 'https://{{URL}}/ers/config/activedirectory/{id}/addGroups' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Basic XXX' \
--header 'Cookie: APPSESSIONID=XXX' \
--data-raw '{
  "ERSActiveDirectory" : {
    "id" : "{id}",
    "name" : "{domain_name}",
    "description" : "",
    "domain" : "{domain_name}",
    "enableDomainAllowedList" : true,
    "adgroups" : {
      "groups" : [ {
        "name" : "{full group path, can be seen in GUI under group name}",
        "sid" : "{path SID}",
        "type" : "GLOBAL"
      } ]
    }
  }
}'
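
An added example (not part of the original post and not Cisco's code) of steps 3 and 4 in Python: it checks whether a SID is already applied to the join point and, if not, builds the addGroups body in the shape shown in the answer above. The function names, the sample join point and the SID format check are assumptions, and sending the body to ISE is left out.

```python
import json
import re

# Assumption: a usable "sid" value ends in a well-formed SID string,
# optionally preceded by a domain path prefix.
SID_TAIL = re.compile(r"S-1-\d+(-\d+)+$")


def find_group(join_point, sid):
    """Step 3: return the group already applied with this SID, or None."""
    groups = join_point.get("adgroups", {}).get("groups", [])
    return next((g for g in groups if g["sid"].lower() == sid.lower()), None)


def build_add_groups_body(join_point, name, sid, group_type="GLOBAL"):
    """Step 4: return the addGroups body, or None if the group is already applied."""
    if not name.strip() or not SID_TAIL.search(sid):
        raise ValueError(f"refusing to submit malformed group: {name!r} / {sid!r}")
    if find_group(join_point, sid) is not None:
        return None  # already usable in policy, so skip the write
    return {
        "ERSActiveDirectory": {
            "id": join_point["id"],
            "name": join_point["name"],
            "description": join_point.get("description", ""),
            "domain": join_point["domain"],
            "enableDomainAllowedList": join_point.get("enableDomainAllowedList", True),
            "adgroups": {"groups": [{"name": name, "sid": sid, "type": group_type}]},
        }
    }


# Constructed sample in the shape of the ERSActiveDirectory object from the answer.
SAMPLE_JOIN_POINT = {
    "id": "00000000-0000-0000-0000-000000000000",
    "name": "example.test",
    "domain": "example.test",
    "adgroups": {"groups": [
        {"name": "example.test/Users/Domain Users",
         "sid": "S-1-5-21-1111111111-2222222222-3333333333-513",
         "type": "GLOBAL"},
    ]},
}

if __name__ == "__main__":
    body = build_add_groups_body(
        SAMPLE_JOIN_POINT, "example.test/Vendors/Vendor-A",
        "S-1-5-21-1111111111-2222222222-3333333333-1105")
    print(json.dumps(body, indent=2))
```
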

 


2 REPLIES 2
Mike.Cifelli
VIP Advocate

What version of ISE are you working with?

The only call I can see in the API is to use the 'addGroups' call, but I'm having issues adding a new group with the name/SID. Any suggestions on this?

-If possible, please share any related error output, code snippets, etc. that will allow the community to better assist.
