
ISE ERS Network Device API / PUT (update) operation: How to remove RADIUS authentication?

Johannes Luther
Level 4

Hi board,

I'm having this network device in my ISE 2.4 patch 11 deployment:

{
  "NetworkDevice": {
    "id": "aa874f10-497f-11ea-8848-0050568b5bee",
    "name": "myDevice1",
    "description": "new description",
    "authenticationSettings": {
      "networkProtocol": "RADIUS",
      "radiusSharedSecret": "SuperSecret",
      "enableKeyWrap": false,
      "dtlsRequired": false,
      "keyEncryptionKey": "",
      "messageAuthenticatorCodeKey": "",
      "keyInputFormat": "ASCII",
      "enableMultiSecret": "false"
    },
    "profileName": "Cisco",
    "coaPort": 0,
    "NetworkDeviceIPList": [
      {
        "ipaddress": "192.0.2.1",
        "mask": 32
      }
    ],
    "NetworkDeviceGroupList": [
      "Location#All Locations",
      "Device Type#All Device Types",
      "IPSEC#Is IPSEC Device"
    ]
  }
}

 

 

So in this example, the network device is configured for RADIUS. In the ISE the "RADIUS authentication settings" are enabled.


How do I remove the "RADIUS authentication settings" from the network device using the API (so remove RADIUS support)?

I tried the following:

  • PUT body: Send the whole JSON data, excluding the "authenticationSettings" key (section).
    ==> HTTP 200: No values were updated ({'UpdatedFieldsList': {'updatedField': []}})
  • PUT body: Send the whole JSON data, and set the "enabled" attribute in the "authenticationSettings". The "enabled" attribute is outlined in the ERS API documentation, but I never saw it in real life :)
    "authenticationSettings": {"enabled": false}
    ==> HTTP 400: Invalid JSON: Unrecognized field \"enabled\"
  • PUT body: Empty authenticationSettings ("authenticationSettings": {})
    ==> HTTP 200: No values were updated ({'UpdatedFieldsList': {'updatedField': []}})

So does anybody know how to get rid of the "authenticationSettings" using the ERS API?

Accepted Solutions

Greg Gibbs
Cisco Employee

According to the Resource Definition documented in DevNet, the 'authenticationSettings' attribute is not a boolean value, therefore there does not appear to be an option for a true/false value.

Even when I create a new NAD via the API with the 'authenticationSettings' section removed, the output from a Get-by-id call still includes basic values for that section:

<authenticationSettings>
<dtlsRequired>false</dtlsRequired>
<enableKeyWrap>false</enableKeyWrap>
<enableMultiSecret>false</enableMultiSecret>
</authenticationSettings>

 

I suspect the only way to disable the RADIUS settings via API after they have been configured would be to Delete and re-create the NAD. For a definitive answer, you would likely have to open a TAC case to get confirmation from the development engineers.

 

Cheers,

Greg
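
A check for the silent no-op reported in this thread, added here as an example and not taken from the posts or from Cisco's code: it treats a PUT as effective only when UpdatedFieldsList is non-empty and a follow-up GET shows no RADIUS protocol or shared secret, and otherwise builds the body for the delete-and-re-create route. The function names, the shape of a non-empty updatedField entry, and the rule that the residual defaults alone mean "RADIUS not configured" are assumptions; the sample data is constructed from the JSON and XML quoted above.

```python
import copy

# Constructed sample data, modelled on the JSON and XML quoted in this thread.
DEVICE = {"NetworkDevice": {
    "id": "aa874f10-497f-11ea-8848-0050568b5bee",
    "name": "myDevice1",
    "authenticationSettings": {"networkProtocol": "RADIUS",
                               "radiusSharedSecret": "SuperSecret",
                               "enableKeyWrap": False, "dtlsRequired": False},
    "NetworkDeviceIPList": [{"ipaddress": "192.0.2.1", "mask": 32}],
}}
NOOP_PUT = {"UpdatedFieldsList": {"updatedField": []}}  # as reported in the question
# Assumed shape of a non-empty entry (constructed, not from the thread):
REAL_PUT = {"UpdatedFieldsList": {"updatedField": [
    {"field": "description", "oldValue": "old", "newValue": "new"}]}}
# Residual defaults a GET returns for a NAD created without the section.
RESIDUAL = {"dtlsRequired": False, "enableKeyWrap": False,
            "enableMultiSecret": False}


def put_changed_anything(status, body):
    """HTTP 200 alone is not proof: the update list must be non-empty."""
    updated = (body or {}).get("UpdatedFieldsList", {}).get("updatedField", [])
    return status == 200 and len(updated) > 0


def radius_still_configured(device):
    """Assumption: RADIUS counts as configured while a protocol or a
    shared secret is present; the residual defaults alone do not count."""
    auth = device["NetworkDevice"].get("authenticationSettings") or {}
    return (auth.get("networkProtocol") == "RADIUS"
            or bool(auth.get("radiusSharedSecret")))


def recreate_body(device):
    """Body for re-creating the NAD after deleting it: same device, without
    the server-assigned id and without authenticationSettings."""
    nad = copy.deepcopy(device["NetworkDevice"])
    nad.pop("id", None)
    nad.pop("authenticationSettings", None)
    return {"NetworkDevice": nad}


def next_step(put_status, put_body, device_after_put):
    """Decide from the PUT result and a follow-up GET what to do next."""
    if (put_changed_anything(put_status, put_body)
            and not radius_still_configured(device_after_put)):
        return "done"
    return "delete-and-recreate"
```

Run the same `radius_still_configured` check against a GET of the re-created device, so a shared secret is never left active on a NAD that is believed to have RADIUS removed.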

 
