05-06-2021 12:01 AM
Hello, I am using the API (XML/JSON) to change parameters of an authorization profile in ISE. All good (VLAN, dACL, ...), except the attribute "RADIUS_ACCEPT" or "RADIUS_REJECT". This object doesn't change, even though it is in the documentation as a supported value.
ISE 2.7 Patch3
Can you check/fix/advise...
Thanks, Marian
05-06-2021 08:01 PM
As per the REST API SDK published at https://cs.co/ise-api the values for the accessType attribute are 'ACCESS_ACCEPT' or 'ACCESS_REJECT'.
If you are still having issues, please post your JSON code using the Preformatted font.
05-07-2021 10:42 AM
Thanks Greg, sorry for my quick mistype. Sure, I am using the correct attribute as documented; however, it is not working. I cannot figure out why. See JSON or XML below. Thanks
JSON Style profile update: PUT
{
  "AuthorizationProfile": {
    "id": "213db950-9e8e-11eb-ba35-005056b09749",
    "name": "AuthZ-Profile-RESTAPI",
    "description": "updateted by JSON",
    "accessType": "ACCESS_ACCEPT",
    "authzProfileType": "SWITCH",
    "vlan": {
      "nameID": "10",
      "tagID": 1
    },
    "trackMovement": false,
    "serviceTemplate": false,
    "easywiredSessionCandidate": false,
    "profileName": "Cisco"
  }
}
XML Style update: PUT
<?xml version="1.0" encoding="UTF-8"?>
<ns0:authorizationprofile xmlns:ns0="policy.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="updateted by XML" id="213db950-9e8e-11eb-ba35-005056b09749" name="AuthZ-Profile-RESTAPI">
  <accessType>ACCESS_REJECT</accessType>
  <authzProfileType>SWITCH</authzProfileType>
  <easywiredSessionCandidate>false</easywiredSessionCandidate>
  <profileName>Cisco</profileName>
  <serviceTemplate>false</serviceTemplate>
  <trackMovement>false</trackMovement>
  <vlan>
    <nameID>111</nameID>
    <tagID>1</tagID>
  </vlan>
</ns0:authorizationprofile>
05-09-2021 04:58 PM
I tested the same in my lab trying to update the 'accessType' attribute using PUT with JSON and it also does not update. I can update the 'description' value, but not the 'accessType'. I can create a new AuthZ Profile using POST with the requested value for 'accessType', but not update an existing one.
If the AuthZ Profile is not currently used in an AuthZ Policy, you could delete it and re-create it as a workaround.
I tested with both ISE 2.7 p3 and ISE 3.0 p2 and found the same results. This may be a bug, so I would suggest opening a TAC case to confirm and determine if there is a workaround.
05-10-2021 12:40 AM
This policy is used, thus cannot be deleted.
Thanks for the confirmation about the attribute malfunction. I will open a TAC case.
07-23-2021 03:23 AM
Sorry for the late update: TAC confirmed the issue and will provide a fix. See info below:
I was chasing the development team, and they have fixed the defect we opened already.
The defect fix will be added to 2.7 patch 5, 3.0 patch 3, and 3.1. Patch 5 of ISE 2.7 is expected to be released in August, and patch 3 of ISE 3.0 is expected to be ready in mid-July.
07-25-2021 04:33 PM
Just FYI for anyone else interested, this is being tracked in the following bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvy51073
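Because the PUT discussed in this thread can apply some fields (such as description) while leaving accessType unchanged, automation that manages authorization profiles should read the profile back and compare it with what was sent. The following is an added example, not code from the thread or from Cisco; the function names are hypothetical and both payloads are constructed samples that mirror the reported behaviour. It does no network I/O: pass it the body that was sent and the JSON a later GET returned.

```python
import json

# Constructed sample data: the body sent with PUT and the profile as a later
# GET returns it, mirroring the behaviour reported in this thread.
SENT = {"AuthorizationProfile": {
    "id": "213db950-9e8e-11eb-ba35-005056b09749",
    "name": "AuthZ-Profile-RESTAPI",
    "description": "updated by JSON",
    "accessType": "ACCESS_REJECT",
    "vlan": {"nameID": "10", "tagID": 1},
}}
READ_BACK = json.loads("""{"AuthorizationProfile": {
    "id": "213db950-9e8e-11eb-ba35-005056b09749",
    "name": "AuthZ-Profile-RESTAPI",
    "description": "updated by JSON",
    "accessType": "ACCESS_ACCEPT",
    "authzProfileType": "SWITCH",
    "vlan": {"nameID": "10", "tagID": 1}
}}""")


def unapplied_fields(sent, read_back, prefix=""):
    """Return {dotted.path: (sent, actual)} for every field in `sent` whose
    value differs in `read_back`. Extra server-side fields are ignored."""
    diffs = {}
    for key, want in sent.items():
        path = f"{prefix}{key}"
        have = read_back.get(key) if isinstance(read_back, dict) else None
        if isinstance(want, dict):
            diffs.update(unapplied_fields(want, have or {}, path + "."))
        elif have != want:
            diffs[path] = (want, have)
    return diffs


def check_update(sent, read_back):
    """Raise if any requested change was silently dropped; a profile left on
    ACCESS_ACCEPT when ACCESS_REJECT was requested keeps granting access."""
    diffs = unapplied_fields(sent, read_back)
    if diffs:
        raise RuntimeError(f"update not applied: {diffs}")
    return True


if __name__ == "__main__":
    print(unapplied_fields(SENT, READ_BACK))
```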