ISE ERS API - RBAC

rdediana
Cisco Employee

Hello Team. 

My customer is looking at consuming the ERS API for specific uses and has enquired whether it is possible to restrict access to a limited subset of the APIs. In reviewing the documentation, it seems that once an account is created for API access, it is granted full access to all ERS APIs.

 - External RESTful Services Admin - Full access to all ERS APIs (GET, POST, DELETE, PUT). This user can Create, Read, Update, and Delete ERS API requests

Secondly, is it possible to report/audit API calls; determine what account and APIs have been used/called and when?

Lastly, my current understanding is that the API uses Basic Authentication within the HTTP headers, which simply consists of a username and password base64 encoded. If this is correct, are there any best practices employed by other customers to avoid the credentials being compromised and used by an unauthorized app/user?

 

Header    Values    Description
ACCEPT    Application/XML or Application/JSON    Indicates to the server what media type(s) this client is willing to accept
AUTHORIZATION    "Basic " plus username and password (per RFC 2617)    Identifies the authorized user making this request
CONTENT-TYPE    Application/XML or Application/JSON    Describes the representation and syntax of the request message body.
ERS-Media-Type    Consists Of: resource-namespace.resource-name.resource-version    This Header is not mandatory. It describes ERS resource version. If not sent from client, the server will assume latest version.

https://tools.ietf.org/html/rfc2617#section-2

   the client sends the userid and password, separated by a single colon (":") character, within a base64 [7] encoded string in the credentials

Thanks, 

Regan

2 Accepted Solutions


hslai
Cisco Employee

The first item is not available at present. I would suggest checking with our PM team(s) for enhancements.

The second item has some in our existing audit reports. Please have a look at them.

The third item will be done the same as usual. Restrict access to the ERS API service port(s) by firewall, do not use common user credentials, etc. ERS API has an option to allow CSRF validation, but this is not working with DNAC integration.

The last item does not seem to be a question or comment.


Hi @hslai , @rdediana 

Here is the enhancement request already opened for this - CSCvr07394 (Create ERS users with specific privileges)

 

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
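
One way to approximate per-API restriction and call auditing while ERS accounts remain all-or-nothing, as an added example that is not part of the original thread and not Cisco code: the decision function of a hypothetical filtering proxy placed in front of the ERS port. The account names, the `/ers/config/...` paths and the policy table are assumptions; the proxy only reads the user-id from the Basic header, and ISE still validates the password itself.

```python
import base64
import posixpath
from datetime import datetime, timezone

# Constructed policy: account -> {allowed path prefix: allowed HTTP methods}.
# Account names and paths are illustrative assumptions, not values from the thread.
POLICY = {
    "svc-inventory": {"/ers/config/endpoint": {"GET"}},
    "svc-onboarding": {"/ers/config/endpoint": {"GET", "POST", "PUT"}},
}

def basic_username(header):
    """Return the user-id from an RFC 2617 Basic header, or None if malformed."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64, bad padding or non-UTF-8 bytes
        return None
    user, sep, _password = decoded.partition(":")  # password is never stored or logged
    return user if sep and user else None

def path_allowed(path, prefix):
    """Match on whole path segments so /endpoint does not also allow /endpointgroup."""
    return path == prefix or path.startswith(prefix + "/")

def authorize(method, path, auth_header, audit_log):
    """Decide whether to forward a request and append an audit record either way."""
    user = basic_username(auth_header)
    # Refuse paths that are not already canonical (dot segments, repeated inner
    # slashes, trailing slash) or that carry percent-encoding.
    canonical = "%" not in path and posixpath.normpath(path) == path
    rules = POLICY.get(user, {})
    allowed = canonical and any(
        method.upper() in methods and path_allowed(path, prefix)
        for prefix, methods in rules.items()
    )
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "account": user,
        "method": method.upper(),
        "path": path,
        "decision": "forward" if allowed else "deny",
    })
    return allowed
```

Because the Basic header is only base64 encoded, the proxy and the ERS service both need to be reachable over TLS only, and each integration should have its own account so the audit records stay attributable.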