mstefanka
Beginner

ISE REST API - AuthZ Profile modification

Hello, I am using the API (XML/JSON) to change parameters of an authorization profile in ISE. All good (VLAN, dACL, ...), except the attribute "RADIUS_ACCEPT" or "RADIUS_REJECT". This object doesn't change, even though it is in the documentation as a supported value.

ISE 2.7 Patch3

Can you check/fix/advise...

Thanks, Marian

1 ACCEPTED SOLUTION

Accepted Solutions

Sorry for the late update: TAC confirmed the issue and will provide a fix. See info below:

I was chasing the development team, and they have fixed the defect we opened already.

The defect fix will be added to 2.7 patch 5, 3.0 patch 3, and 3.1. Patch 5 of ISE 2.7 is expected to be released in August and patch 3 of ISE 3.0 is expected to be ready in mid-July.

6 REPLIES 6
Greg Gibbs
Cisco Employee

As per the REST API SDK published at https://cs.co/ise-api the values for the accessType attribute are 'ACCESS_ACCEPT' or 'ACCESS_REJECT'.

If you are still having issues, please post your JSON code using the Preformatted font.

mstefanka
Beginner

Thanks Greg, sorry for my quick mistype. Sure, I am using the correct attribute as documented; however, it is not working. I cannot figure out why. See JSON or XML below. Thanks

JSON Style profile update: PUT

{
    "AuthorizationProfile": {
        "id": "213db950-9e8e-11eb-ba35-005056b09749",
        "name": "AuthZ-Profile-RESTAPI",
        "description": "updateted by JSON",
        "accessType": "ACCESS_ACCEPT",
        "authzProfileType": "SWITCH",
        "vlan": {
            "nameID": "10",
            "tagID": 1
        },
        "trackMovement": false,
        "serviceTemplate": false,
        "easywiredSessionCandidate": false,
        "profileName": "Cisco"
    }
}

XML Style update: PUT

<?xml version="1.0" encoding="UTF-8"?>
<ns0:authorizationprofile xmlns:ns0="policy.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="updateted by XML" id="213db950-9e8e-11eb-ba35-005056b09749" name="AuthZ-Profile-RESTAPI">
    <accessType>ACCESS_REJECT</accessType>
    <authzProfileType>SWITCH</authzProfileType>
    <easywiredSessionCandidate>false</easywiredSessionCandidate>
    <profileName>Cisco</profileName>
    <serviceTemplate>false</serviceTemplate>
    <trackMovement>false</trackMovement>
    <vlan>
        <nameID>111</nameID>
        <tagID>1</tagID>
    </vlan>
</ns0:authorizationprofile>

I tested the same in my lab trying to update the 'accessType' attribute using PUT with JSON and it also does not update. I can update the 'description' value, but not the 'accessType'. I can create a new AuthZ Profile using POST with the requested value for 'accessType', but not update an existing one.

If the AuthZ Profile is not currently used in an AuthZ Policy, you could delete it and re-create it as a workaround.

I tested with both ISE 2.7 p3 and ISE 3.0 p2 and found the same results. This may be a bug, so I would suggest opening a TAC case to confirm and determine if there is a workaround.

This policy is used, thus cannot be deleted.

Thanks for the confirmation about the attribute misfunction. I will open a TAC case.


Just FYI for anyone else interested, this is being tracked in the following bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy51073
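
The check used in the replies above (PUT the profile, then read it back and compare), written out as an added example that is not part of the original thread and not Cisco's code. `unapplied_fields`, `put_and_verify` and `SimulatedProfileStore` are hypothetical names; the store is a constructed stand-in that reproduces the reported behaviour instead of calling ISE, and the sample profile values are constructed apart from the id and name quoted in the thread.

```python
import copy

def unapplied_fields(requested, readback, path=""):
    """Return [(path, wanted, actual)] for each field of the PUT body that the
    read-back object does not carry with the same value. Extra fields the
    server adds to the read-back are ignored."""
    diffs = []
    for key, wanted in requested.items():
        here = f"{path}.{key}" if path else key
        actual = readback.get(key) if isinstance(readback, dict) else None
        if isinstance(wanted, dict) and isinstance(actual, dict):
            diffs += unapplied_fields(wanted, actual, here)
        elif wanted != actual:
            diffs.append((here, wanted, actual))
    return diffs

def put_and_verify(put, get, body):
    """put/get are caller-supplied callables (assumption) wrapping the API's
    PUT and GET-by-id; a successful PUT is not trusted until read back."""
    put(body)
    return unapplied_fields(body, get(body["AuthorizationProfile"]["id"]))

class SimulatedProfileStore:
    """Constructed stand-in, not ISE. With drop_access_type=True it behaves as
    reported in the thread: PUT succeeds but accessType keeps its old value."""
    def __init__(self, profile, drop_access_type):
        self.profile = copy.deepcopy(profile)
        self.drop_access_type = drop_access_type
    def put(self, body):
        new = copy.deepcopy(body["AuthorizationProfile"])
        if self.drop_access_type:
            new["accessType"] = self.profile["accessType"]
        self.profile = new
    def get(self, profile_id):
        return {"AuthorizationProfile": copy.deepcopy(self.profile)}

EXISTING = {"id": "213db950-9e8e-11eb-ba35-005056b09749",
            "name": "AuthZ-Profile-RESTAPI", "description": "sample",
            "accessType": "ACCESS_ACCEPT", "vlan": {"nameID": "10", "tagID": 1}}

def demo(drop_access_type):
    store = SimulatedProfileStore(EXISTING, drop_access_type)
    update = {"AuthorizationProfile": dict(
        EXISTING, description="updated by JSON", accessType="ACCESS_REJECT",
        vlan={"nameID": "111", "tagID": 1})}
    return put_and_verify(store.put, store.get, update)

if __name__ == "__main__":
    for path, wanted, actual in demo(True):
        print(f"NOT APPLIED {path}: wanted {wanted!r}, server has {actual!r}")
```

Running the same comparison after any scripted policy change catches the case that matters here: a profile intended to be ACCESS_REJECT that is still ACCESS_ACCEPT on the server.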

 
