
ISE API call to add user groups to Active Directory?

Josh Morris
Level 3

I am trying to write a script that will search AD for group membership then add that group as a usable group in ISE so I can put it into policy. I am following these logical steps so far:

1) Get ID of domain (https://{{URL}}/ers/config/activedirectory)

2) Get SID of vendor group based on search (https://{{URL}}/ers/config/activedirectory/{id}/getGroupsByDomain) with the OU name in the body

3) Search current applied user groups to see if group exists

4) ???

The only call I can see in the API is to use the 'addGroups' call, but I'm having issues adding a new group with the name/SID. Any suggestions on this?

Accepted Solutions

Josh Morris
Level 3

I think I got it figured out. You can use the addGroups call in the following manner without all the additional values. I do get a 204 response here instead of 200, but the group shows up in ISE and can be used in policy. 

 

# The request line was missing from the post; PUT to addGroups on the join point id is assumed.
curl --request PUT 'https://{{URL}}/ers/config/activedirectory/{id}/addGroups' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Basic XXX' \
--header 'Cookie: APPSESSIONID=XXX' \
--data-raw '{
  "ERSActiveDirectory" : {
    "id" : "{id}",
    "name" : "{domain_name}",
    "description" : "",
    "domain" : "{domain_name}",
    "enableDomainAllowedList" : true,
    "adgroups" : {
      "groups" : [ {
        "name" : "{full group path, can be seen in GUI under group name}",
        "sid" : "{path SID}",
        "type" : "GLOBAL"
      } ]
    }
  }
}'
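
Steps 3 and 4 of the question as an added Python example (not code from the original post or from Cisco): it skips the call when the SID is already applied, builds the trimmed body shown above, and reads the ERS credentials from the environment instead of embedding a Basic header. The sample join point, the `ISE_ERS_USER`/`ISE_ERS_PASS` variable names, the PUT method and the idea that the join point reads back in the same `ERSActiveDirectory` shape are assumptions.

```python
import base64
import json
import os
import urllib.request

# Constructed sample of a join point as read back from ISE (step 3). Assumption:
# it has the same ERSActiveDirectory shape as the request body in the post.
SAMPLE_JOIN_POINT = {"ERSActiveDirectory": {
    "id": "jp-0001", "name": "example.local", "description": "",
    "domain": "example.local", "enableDomainAllowedList": True,
    "adgroups": {"groups": [
        {"name": "example.local/Users/Domain Users",
         "sid": "S-1-5-21-1111-2222-3333-513", "type": "GLOBAL"}]}}}

def applied_sids(join_point):
    """SIDs of the groups already applied to the join point."""
    ad = join_point["ERSActiveDirectory"]
    return {g["sid"].upper() for g in ad.get("adgroups", {}).get("groups", [])}

def build_add_groups_body(join_point, name, sid, group_type="GLOBAL"):
    """Body for addGroups, trimmed as in the post; None if the SID is already applied."""
    if not name or not sid:
        raise ValueError("group name and SID are both required")
    if sid.upper() in applied_sids(join_point):
        return None
    ad = join_point["ERSActiveDirectory"]
    return {"ERSActiveDirectory": {
        "id": ad["id"], "name": ad["name"],
        "description": ad.get("description", ""), "domain": ad["domain"],
        "enableDomainAllowedList": ad.get("enableDomainAllowedList", True),
        "adgroups": {"groups": [{"name": name, "sid": sid, "type": group_type}]}}}

def put_add_groups(base_url, body):
    """Send the body; credentials come from the environment, not the script."""
    # ISE_ERS_USER / ISE_ERS_PASS are hypothetical variable names.
    cred = f"{os.environ['ISE_ERS_USER']}:{os.environ['ISE_ERS_PASS']}".encode()
    ad_id = body["ERSActiveDirectory"]["id"]
    url = f"{base_url}/ers/config/activedirectory/{ad_id}/addGroups"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",  # PUT is assumed
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": "Basic " + base64.b64encode(cred).decode()})
    with urllib.request.urlopen(req) as resp:  # TLS certificate verified by default
        return resp.status in (200, 204)  # the post reports 204 on success
```
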

 


Mike.Cifelli
VIP Alumni

What version of ISE are you working with?

The only call I can see in the API is to use the 'addGroups' call, but I'm having issues adding a new group with the name/SID. Any suggestions on this?

-If possible, please share any related error output, code snippets, etc. that will allow the community to better assist.
