
ISE REST API - AuthZ Profile modification

mstefanka
Level 1

Hello, I am using the API (XML/JSON) to change parameters of an authorization profile in ISE. All good (VLAN, dACL, ...), except the attribute "RADIUS_ACCEPT" or "RADIUS_REJECT". This object doesn't change, even though it is in the documentation as a supported value.

ISE 2.7 Patch3

 

Can you check/fix/advise...

 

Thanks, Marian

1 Accepted Solution


Sorry for the late update: TAC confirmed the issue and will provide a fix. See info below:

I was chasing the development team, and they have fixed the defect we opened already.

The defect fix will be added to 2.7 patch 5, 3.0 patch 3, and 3.1. Patch 5 of ISE 2.7 is expected to be released in August and patch 3 of ISE 3.0 is expected to be ready in mid-July.


Greg Gibbs
Cisco Employee

As per the REST API SDK published at https://cs.co/ise-api the values for the accessType attribute are 'ACCESS_ACCEPT' or 'ACCESS_REJECT'.

If you are still having issues, please post your JSON code using the Preformatted font.

mstefanka
Level 1

Thanks Greg, sorry for my quick mistype. Sure, I am using the correct attribute as documented; however, it is not working. I cannot figure out why. See JSON or XML below. Thanks

 

JSON Style profile update: PUT

{
    "AuthorizationProfile": {
        "id": "213db950-9e8e-11eb-ba35-005056b09749",
        "name": "AuthZ-Profile-RESTAPI",
        "description": "updateted by JSON",
        "accessType": "ACCESS_ACCEPT",
        "authzProfileType": "SWITCH",
        "vlan": {
            "nameID": "10",
            "tagID": 1
        },
        "trackMovement": false,
        "serviceTemplate": false,
        "easywiredSessionCandidate": false,
        "profileName": "Cisco"
    }
}

 

XML Style update: PUT

<?xml version="1.0" encoding="UTF-8"?>
<ns0:authorizationprofile xmlns:ns0="policy.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="updateted by XML" id="213db950-9e8e-11eb-ba35-005056b09749" name="AuthZ-Profile-RESTAPI">
    <accessType>ACCESS_REJECT</accessType>
    <authzProfileType>SWITCH</authzProfileType>
    <easywiredSessionCandidate>false</easywiredSessionCandidate>
    <profileName>Cisco</profileName>
    <serviceTemplate>false</serviceTemplate>
    <trackMovement>false</trackMovement>
    <vlan>
        <nameID>111</nameID>
        <tagID>1</tagID>
    </vlan>
</ns0:authorizationprofile>


I tested the same in my lab trying to update the 'accessType' attribute using PUT with JSON and it also does not update. I can update the 'description' value, but not the 'accessType'. I can create a new AuthZ Profile using POST with the requested value for 'accessType', but not update an existing one.

If the AuthZ Profile is not currently used in an AuthZ Policy, you could delete it and re-create it as a workaround.

I tested with both ISE 2.7 p3 and ISE 3.0 p2 and found the same results. This may be a bug, so I would suggest opening a TAC case to confirm and determine if there is a workaround.

This policy is used, thus cannot be deleted.

Thanks for the confirmation about the attribute malfunction. I will open a TAC case.

Just FYI for anyone else interested, this is being tracked in the following bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy51073
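
The behaviour reported in this thread (a PUT that updates `description` but leaves `accessType` unchanged) can be caught with a read-after-write check that compares what was requested with what the server now holds. This is an added example, not code from the posters or from Cisco; the `put`/`get` callables and the in-memory `FakeIse` class are hypothetical stand-ins for the caller's own API client, and the sample profile is constructed.

```python
import copy


def unapplied_fields(requested, readback, prefix=""):
    """Return dotted paths of requested fields whose read-back value differs."""
    missing = []
    for key, want in requested.items():
        have = readback.get(key) if isinstance(readback, dict) else None
        if isinstance(want, dict):
            missing += unapplied_fields(want, have, f"{prefix}{key}.")
        elif have != want:
            missing.append(f"{prefix}{key}")
    return missing


def put_and_verify(put, get, body):
    """Send the update, read the object back, list fields that did not change.
    `put`/`get` are caller-supplied callables (hypothetical); no network I/O here."""
    profile = body["AuthorizationProfile"]
    put(profile["id"], body)
    return unapplied_fields(profile, get(profile["id"])["AuthorizationProfile"])


class FakeIse:
    """Constructed in-memory stand-in mimicking the behaviour in this thread:
    PUT applies every field except accessType."""

    def __init__(self, stored):
        self.obj = copy.deepcopy(stored)

    def put(self, obj_id, body):
        new = copy.deepcopy(body["AuthorizationProfile"])
        new["accessType"] = self.obj["AuthorizationProfile"]["accessType"]  # not applied
        self.obj = {"AuthorizationProfile": new}

    def get(self, obj_id):
        return copy.deepcopy(self.obj)


def demo():
    # Constructed sample data using the field names from the posts above.
    existing = {"AuthorizationProfile": {
        "id": "example-id", "name": "AuthZ-Profile-RESTAPI", "description": "old",
        "accessType": "ACCESS_ACCEPT", "vlan": {"nameID": "10", "tagID": 1}}}
    update = copy.deepcopy(existing)
    update["AuthorizationProfile"].update(
        description="updated by JSON", accessType="ACCESS_REJECT")
    update["AuthorizationProfile"]["vlan"]["nameID"] = "111"
    ise = FakeIse(existing)
    return put_and_verify(ise.put, ise.get, update)
```

An empty list means every requested field was read back as sent; a profile that was meant to become `ACCESS_REJECT` but still reads `ACCESS_ACCEPT` shows up as `accessType` in the result.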
