
ISE Sponsor Guest account creation API (ERS) with 401 – Unauthorized

Martin Jelinek
Level 1

Dear all

 

Does anyone face an issue with calling the API to create Guest wireless accounts with Cisco ISE (we are running version 2.6 with latest patch#9)?

There are brilliant and pretty straightforward articles from Cisco and even here on the community:

https://community.cisco.com/t5/security-documents/ise-guest-sponsor-api-tips-amp-tricks/ta-p/3636773

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215476-configure-ise-guest-accounts-with-rest-a.html

 

However, whatever we do, we always get an error when trying to create a guest user, reset a password or delete a guest:

"HTTP Status 401 – Unauthorized"

"The request has not been applied because it lacks valid authentication credentials for the target resource."

 

It works fine for obtaining the portal ID, getting guest user information etc. However, once we try to create, delete or password reset, then it doesn't work.

 

Based on the articles we have a local account configured with ERS Admin permissions which is being used (we also tried an AD account from Network users). It has been given our own custom sponsor group (NOT the always referred one "ALL_ACCOUNTS"), but there we have enabled the option "Access Cisco ISE guest accounts with the use of the programmatic interface...". Based on the guides it looks like all is set correctly, and we can use some API calls (like to get guest user info or portal ID), but all other operations we are not able to do.

 

Any idea or recommendation what we should look into?

 

Thanks in advance for any lead or hint

(hope we don't face any bug)

Martin


Greg Gibbs
Cisco Employee

I don't have an active 2.6 instance, but using the procedure in the following guide works perfectly for me in ISE 3.0 p5.
Configure ISE Guest Accounts with REST API 
It's unclear what user account you are using for the API call, but it's important to understand that manipulating Guest accounts requires using a valid Sponsor account in the relevant Sponsor Group; not an ERS Admin account.
If you are using an AD user account, you need to ensure that relevant AD Group is added as a Member in your Sponsor Group. If you are using a local Network Access User configured in ISE, that user must be a member of a group that is added as a Member in your Sponsor Group.
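
The credential split described in the reply above, as an added example that is not part of the original thread or Cisco's code: it builds (without sending) ERS requests with the account each operation needs and maps a 401 to the checks raised in this discussion. The host name, sample credentials, and the `build_request` and `triage` helpers are assumptions made for illustration.

```python
import base64
import json
import urllib.request

ISE_BASE = "https://ise.example.test:9060"  # placeholder host (assumption)

# operation -> (HTTP method, ERS path, which account must authenticate)
OPERATIONS = {
    "list_sponsor_portals": ("GET", "/ers/config/sponsorportal", "ers_admin"),
    "create_guest": ("POST", "/ers/config/guestuser", "sponsor"),
    "delete_guest": ("DELETE", "/ers/config/guestuser/{guest_id}", "sponsor"),
}

def build_request(op, creds, body=None, guest_id=""):
    """Build (but do not send) the request, signed with the correct account."""
    method, path, role = OPERATIONS[op]
    user, password = creds[role]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Accept": "application/json",
               "Content-Type": "application/json"}
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(ISE_BASE + path.format(guest_id=guest_id),
                                  data=data, headers=headers, method=method)

def triage(op, status):
    """Checks from this thread for a failed call; empty list means no hint."""
    role = OPERATIONS[op][2]
    if status != 401:
        return []
    if role == "sponsor":
        return ["authenticate as a Sponsor user, not the ERS Admin",
                "user's group (local or AD) must be a Member of the Sponsor Group",
                "Sponsor Group must allow the programmatic interface",
                "thread report: custom group failed on 2.6 patch 9, retest on patch 11"]
    return ["verify the ERS Admin username and password"]

# Constructed sample credentials, for illustration only.
SAMPLE_CREDS = {"ers_admin": ("ers-admin", "ers-pass"),
                "sponsor": ("sponsor-api", "sponsor-pass")}

if __name__ == "__main__":
    req = build_request("create_guest", SAMPLE_CREDS, body={"GuestUser": {}})
    print(req.get_method(), req.full_url)
    print(triage("create_guest", 401))
```
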

Hi Greg,

 

Thanks for your answer.

I believe all setup is based on the guides above. So I do have one local account defined as ERS Admin (given privileges). This one I used to get the sponsor portal ID etc.

And for creation of the wireless guest account I do have one AD account with membership in the respective Sponsor Group we have (it is not a default one such as ALL_Accounts etc., it is a custom one), also tried with a local account as well but basically the results are always the same.

 

I have seen Cisco has released ISE 2.6 Patch#11 just a couple of days ago, we will try to deploy it to see if that would help. Otherwise not sure what else. Potentially I can raise TAC obviously but thought to ask here first.

 

Thank you

Martin

I spun up my 2.6 p10 instance and tested the same API call and it also worked. You might try creating a user/group in the default ALL_ACCOUNTS Sponsor Group to see if that makes any difference.

Hi Greg,

Thanks for testing ISE 2.6P#10, I will give a try with default group ALL_ACCOUNTS, just documentation refers that other custom groups can be used as well. Will give a try with ALL_ACCOUNTS since we still have Patch#9.

 

Let me test.

Thanks!

Hi Greg,

 

Confirmed, when I switch to use ALL_ACCOUNTS (the default group) then all works just fine, easy and simple. However it should be possible to also use a custom sponsor group and NOT only ALL_ACCOUNTS and that seems to be not working at least in ISE 2.6P#9.

 

I will give a try if update to Patch#11 can fix it or not in our LAB environment.

 

So you are right, with default sponsor groups it works like a charm, however not with custom sponsor group. That's an issue.

 

/Martin

Hi Martin,

I tested using a new Sponsor Group with both a local user as well as an AD user group membership and it still works for me, so I'm not able to replicate the issue. There may be some other factor that is causing the error.

Could there be an overlapping user group membership with another Sponsor Group that is conflicting?

Have you tried logging into the Sponsor Portal GUI to see if you can create a guest account with the same Sponsor user?

If all else fails, you may need to open a TAC case to investigate further.

Hi Greg,

 

Most likely will give a try first with recent cumulative patch#11 to retest.

I can easily use the AD account to log into the GUI, create guest accounts etc. So it should work just fine with API calls. As noted before it also works just fine with ALL_ACCOUNTS, but we need to use a custom Sponsor group ideally. And that is something I have a problem with even with a local account (where there is no issue with group membership conflicts with another Sponsor Group) and same for the AD account one...

 

So at the moment I bet on the patch we run and that patch#10+ has it fixed. If not, then will move on with TAC to check with me.

 

Thanks a lot!

 

 

Hi Greg,

 

Just worth mentioning, it really was a bug in ISE 2.6P#9, it simply wasn't working, though I have neither searched nor explored existing bugs.

We did update to Patch11 (ISE2.6P#11) and all works like a charm with custom sponsor group etc. No need to use ALL_ACCOUNTS anymore.

 

So it was really a version specific issue!

 

Glad it is fixed in Patch#11 and hope it will work just fine from now on even in next releases like 3.+.

 

Martin