03-10-2016 03:49 AM
hi,
Our customer has a 1.2 deployment with guest users and wants to migrate the guest accounts to their new 1.4 deployment.
I assume there is no automatic way to do this - with the exception of a backup/restore of the 1.2 config (which is not what we want as the 1.4 has some different policies).
I was thinking of the following approach:
- upgrade the secondary 1.2 PAN to 1.4
- use the REST API to get the guest accounts
- use the REST API to import these guest accounts into the new 1.4 deployment.
This requires a lot of scripting to make it doable for 2000 guest accounts.
Do you see any alternatives?
If REST is the way to go, any scripts available to make it easier?
Regards
Gert
03-10-2016 04:26 AM
Hi Jason,
This URL seems to indicate the password can be set when creating a guest.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-4/api_ref_guide/api_ref_book/ise_api_ref_ers2.html#pgfId-1159328
Did I misunderstand?
Regards
Gert
03-10-2016 04:40 AM
There is no way to do this, as you can't set the password via the API.
You would need to point ISE to itself as an external RADIUS token server.
Or recommend doing a backup/restore and then updating the policies on the 1.4 box.
You will see that in the POST example you cannot set the password when creating an account.
Also look at the guest passwords section of the doc:
Guest Passwords
ISE automatically generates a password when a guest is created. It is possible to reset a guest's password through the Guest REST API by calling the resetpassword operation.
You cannot change a guest's password to a specific string using the REST API.
Use the GET operation to retrieve a guest user's information and view their password. Cisco ISE guest passwords are visible in the response to a GET operation as long as the password was:
1. Automatically generated by ISE.
2. Reset through this API or via the Sponsor Portal.
In some guest flows, the guest has the ability to change their own password. Cisco ISE guest passwords that have been changed by the guest are not visible in the sponsor portal and are not visible via the REST API.