05-26-2022 01:33 AM
Dear all
Does anyone face an issue with calling the API to create Guest wireless accounts with Cisco ISE (we are running version 2.6 with the latest patch#9)?
There are brilliant articles and pretty straightforward from Cisco and even here on community:
https://community.cisco.com/t5/security-documents/ise-guest-sponsor-api-tips-amp-tricks/ta-p/3636773
However whatever we do we always get an error when trying to create guest user or reset password or delete guest:
"HTTP Status 401 – Unauthorized"
"The request has not been applied because it lacks valid authentication credentials for the target resource."
It works fine for obtaining the portal ID, getting guest user information, etc. However, once we try to create, delete or reset a password, then it doesn't work.
Based on the articles, we have a local account configured with ERS Admin permissions which is being used (we also tried an AD account from Network users). It has been given our own custom sponsor group (NOT the always-referred one, "ALL_ACCOUNTS"), but there we have enabled the option "Access Cisco ISE guest accounts with the use of the programmatic interface...". Based on the guides it looks like all is set correctly, and we can use some API calls (like to get guest user info or portal ID), but all other operations we are not able to do.
Any idea or recommendation what should we look into?
Thanks in advance for any lead or hint
(hope we don't face any bug)
Martin
05-26-2022 09:36 PM
I don't have an active 2.6 instance, but using the procedure in the following guide works perfectly for me in ISE 3.0 p5.
Configure ISE Guest Accounts with REST API
It's unclear what user account you are using for the API call, but it's important to understand that manipulating Guest accounts requires using a valid Sponsor account in the relevant Sponsor Group; not an ERS Admin account.
If you are using an AD user account, you need to ensure that relevant AD Group is added as a Member in your Sponsor Group. If you are using a local Network Access User configured in ISE, that user must be a member of a group that is added as a Member in your Sponsor Group.
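The credential split described in this reply, as an added example that is not part of the original post or of Cisco's code: it builds (but does not send) the ERS requests with the account each operation needs. The host, account names, passwords and guest body are constructed placeholders, and the ERS paths and JSON field names are assumptions to verify against the ERS SDK of your ISE version.

```python
import base64
import json
import urllib.request

ERS_BASE = "https://ise.example.test:9060/ers/config"  # placeholder host (assumption)
# Constructed placeholder credentials; load real ones from a secrets store.
CREDS = {
    "ers_admin": ("ers-admin", "example-admin-pw"),
    "sponsor": ("sponsor-api", "example-sponsor-pw"),
}
# Operation -> (HTTP method, ERS path, account role it must be called with).
OPERATIONS = {
    "list_sponsor_portals": ("GET", "/sponsorportal", "ers_admin"),
    "create_guest": ("POST", "/guestuser", "sponsor"),
    "reset_password": ("PUT", "/guestuser/resetpassword/{id}", "sponsor"),
    "delete_guest": ("DELETE", "/guestuser/{id}", "sponsor"),
}
# Constructed sample body; portalId is a placeholder for the looked-up portal ID.
SAMPLE_GUEST = {"GuestUser": {
    "guestType": "Contractor (default)",
    "portalId": "<sponsor-portal-id>",
    "guestInfo": {"userName": "guest-demo", "password": "example-guest-pw"},
    "guestAccessInfo": {"validDays": 1, "location": "San Jose"},
}}

def build_request(op, guest_id="", body=None):
    """Return an unsent urllib Request carrying the credentials this operation needs."""
    method, path, role = OPERATIONS[op]
    user, password = CREDS[role]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ERS_BASE + path.format(id=guest_id),
                                 data=data, method=method)
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req

def triage_401(op, role_used):
    """First thing to check after a 401, limited to what this thread established."""
    needed = OPERATIONS[op][2]
    if role_used != needed:
        return f"{op} needs the {needed} account, not {role_used}"
    if needed == "sponsor":
        return ("check Sponsor Group membership and API access, "
                "retest with ALL_ACCOUNTS, then check the patch level")
    return "check the account's ERS Admin permission"
```

Pass the returned request to `urllib.request.urlopen` with a TLS context that trusts the ISE certificate once the placeholders are replaced.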
05-26-2022 10:16 PM
Hi Greg,
Thanks for your answer.
I believe all setup is based on guides above. So I do have one local account defined as ERS Admin (given privileges). This one I used to get sponsor portal ID etc.
And for creation of wireless guest account I do have one AD account with membership in respective Sponsor Group we have (it is not default one as ALL_Accounts etc., it is as custom one), also tried with local account as well but basically results are always the same.
I have seen Cisco has released ISE 2.6 Patch#11 just a couple of days ago, we will try to deploy it to see if that would help. Otherwise not sure what else. Potentially I can raise TAC obviously but thought to ask here first.
Thank you
Martin
05-26-2022 11:42 PM
I spun up my 2.6 p10 instance and tested the same API call and it also worked. You might try creating a user/group in the default ALL_ACCOUNTS Sponsor Group to see if that makes any difference.
05-27-2022 12:56 AM
Hi Greg,
Thanks for testing ISE 2.6P#10, I will give a try with default group ALL_ACCOUNTS, just documentation refers that other custom groups can be used as well. Will give a try with ALL_ACCOUNTS since we still have Patch#9.
Let me test.
Thanks!
05-27-2022 02:01 AM
Hi Greg,
Confirmed, when I switch to use ALL_ACCOUNTS (the default group) then all works just fine, easy and simple. However it should be possible to also use a custom sponsor group and NOT only ALL_ACCOUNTS and that seems to be not working at least in ISE 2.6P#9.
I will give a try if update to Patch#11 can fix it or not in our LAB environment.
So you are right, with default sponsor groups it works like a charm, however not with custom sponsor group.
/Martin
05-29-2022 04:17 PM
Hi Martin,
I tested using a new Sponsor Group with both a local user as well as an AD user group membership and it still works for me, so I'm not able to replicate the issue. There may be some other factor that is causing the error.
Could there be an overlapping user group membership with another Sponsor Group that is conflicting?
Have you tried logging into the Sponsor Portal GUI to see if you can create a guest account with the same Sponsor user?
If all else fails, you may need to open a TAC case to investigate further.
05-30-2022 12:21 AM
Hi Greg,
Most likely will give a try first with recent cumulative patch#11 to retest.
I can easily use AD account to log into GUI, create guest accounts etc. So should work just fine with API calls. As noted before it also works just fine with ALL_ACCOUNTS, but we need to use custom Sponsor group ideally. And that is something I have a problem with even with local account (where there is no issue with group membership conflicts with another Sponsor Group) and same for AD account one...
So at the moment I bet on the patch we run and that patch#10+ has it fixed. If not, then will move on with TAC to check with me.
Thanks a lot!
06-03-2022 04:14 AM
Hi Greg,
Just worth mentioning, it really was a bug in ISE 2.6P#9, it simply wasn't working, though I have neither searched nor explored existing bugs.
We did update to Patch11 (ISE2.6P#11) and all works like a charm with custom sponsor group etc. No need to use ALL_ACCOUNTS anymore.
So it was really a version specific issue!
Glad it is fixed in Patch#11 and hope will work just fine from now on even in next releases like 3.+.
Martin