Solved: Re: ISE REST API - how to apply an ANC policy

Cristian Ruta · ‎09-01-2016

Hello community,

I am testing out ISE 2.1 REST API.

I managed to create a new ANC policy and want to apply it to an endpoint.

When I PUT https://IP:9060/ers/config/ancendpoint/apply

I receive 400 bad request:

<title>No additional attribute has been defined</title>

Do you have an example of how to deploy a quarantine ANC policy for a specific IP via REST?

Thank you,

Cristian

PS: I want to do this without pxgrid.

jeppich · ‎09-15-2016

Hey Cristian,

Just to close the loop on this thread, i emailed you a screenshot using POSTMAN of assigning the endpoint to an ANC policy. If you have additiona questions, email me directly.

Thanks,

John

jeppich@cisco.com

View solution in original post

Charlie Moreton · ‎09-02-2016

Cristian,

I was able to find this, albeit from ISE 1.3, but I have not been able to find anything newer.

According to the chart, what you are looking to do is only available through pxGrid.

If there are any updates to this chart, I hope it is posted.

It's at the bottom of this document:

ISE Version 1.3 pxGrid Integration with IPS pxLog Application - Cisco

Charles Moreton

Cristian Ruta · ‎09-02-2016

Hello Charles,

Thank you for your time on this.

As per ISE2.1 API documentation[1], operations like applying a policy to a mac address are developed. Also the /ers/sdk page on ISE2.1 documents apply operation, but without details. I cannot figure it out how a successful PUT looks in this case, i am not sure what OperationAdditionalData means.

Operation	HTTP Method	URL
Get all	GET	https://<hostname>:9060/ers/config/ancendpoint
Get by ID	GET	https://<hostname>:9060/ers/config/ancendpoint/{id}
Get by MAC	PUT	https://<hostname>:9060/ers/config/ancendpoint with OperationAdditionalData MACAddress
Get by IP	PUT	https://<hostname>:9060/ers/config/ancendpoint with OperationAdditionalData IPAddress
Apply by MAC	PUT	https://<hostname>:9060/ers/config/ancendpoint with OperationAdditionalData MACAddress and PolicyName
Clear by MAC	PUT	https://<hostname>:9060/ers/config/ancendpoint with OperationAdditionalData MACAddress and PolicyName
Apply by IP	PUT	https://<hostname>:9060/ers/config/ancendpoint with OperationAdditionalData IPAddress and PolicyName
Clear by IP	PUT	https://<hostname>:9060/ers/config/ancendpoint with OperationAdditionalData IPAddress and PolicyName

Is there any chance to find the answer for this?

tha

[1]Cisco Identity Services Engine API Reference Guide, Release 2.1 - External RESTful Services Calls [Cisco Identity Servic…

jeppich · ‎09-02-2016

Hey Christian,

Are you using POSTMAN for issuing the REST API requests? You need to fill in the HTTP "Accept" header and HTTP "Content-Type" header information. You can see the values in ISE via https://{ip adderess:9060/ers/sdk.

Thanks,

John

jeppich@cisco.com

Cristian Ruta · ‎09-02-2016

Hello John,

I am so happy for the prompt answers, thank you!

Yes I am also using Postman for this and I send the Content-type and Accept header as specified in sdk page.

I am not sure how the body should be:

I have successfully POSTed ancpolicies. results are appearing in real time on ISE, but with ancendpoints POST method is not implemented, and i am a little bit confused of how can i update(PUT) an ancendpoint if no ancendpoint exists.

Thanks for your involvement,

Cristian

ruta.cristian@gmail.com

jeppich · ‎09-02-2016

Hey Christian,

You would either have to create an endpoint or use an existing endpoint. Let me work up some examples and email them out to you.

Thanks,

John

jeppich@cisco.com

Cristian Ruta · ‎09-08-2016

Hello John,

Thank you very much!

Have you had the time to test it out?

Best regards,

Cristian

jeppich · ‎09-08-2016

Hey Christian,

I will get this done today and email this out to you.

Thanks,

John

jeppich@cisco.com

Cristian Ruta · ‎09-11-2016

Thank you John,

Any news?

Sorry for keep asking,

Cristian

imbashir · ‎09-14-2016

Here's one example

https://172.23.91.103:9060/ers/sdk#_

Cristian Ruta · ‎09-14-2016

Hello imbashir,

Have you tried this with postman ?

Thanks,

Cristian

jeppich · ‎09-15-2016

Hey Cristian,

I will work on this today and directly email you the procedure using POSTMAN.

Thanks

John

jeppich@cisco.com

jeppich · ‎09-15-2016

Hey Cristian,

Just to close the loop on this thread, i emailed you a screenshot using POSTMAN of assigning the endpoint to an ANC policy. If you have additiona questions, email me directly.

Thanks,

John

jeppich@cisco.com

Cristian Ruta · ‎11-10-2016

problem solved, thanks John