jan.nielsen
Rising star

Problems with ISE 2.3 REST API for creating authorization profiles

I have been trying to use the new API calls introduced in ISE 2.3 for authorization profile listing, modification, creation and deletion of profiles, with not much luck. The SDK documentation specifies which fields need to be included in the XML for a create call; however, that does not match the errors I get when I attempt to create a basic authorization profile that just sends access-accept and a VLAN name. The XML example from the docs includes MACsec, ASA VPN group, Airespace ACL name and other things, but these are not required according to the documentation, and I also don't want to use these parameters. If I remove any of those settings from the XML my request fails, referencing that the field is missing; if I include the field but don't put anything in the content, it fails. Anyone tried this yet?

Jan

Accepted Solution
hslai
Cisco Employee

Below works for me. However, I did get an error while trying asaVpn.

POST https://myISE:9060/ers/config/authorizationprofile
Accept: application/json
Content-Type: application/json

{
  "AuthorizationProfile" : {
    "id" : "",
    "name" : "demoTest3",
    "accessType" : "ACCESS_ACCEPT",
    "webRedirection" : {
      "WebRedirectionType" : "CentralizedWebAuth",
      "acl" : "ACL_WEBAUTH_REDIRECT",
      "portalName" : "Self-Registered Guest Portal (default)",
      "displayCertificatesRenewalMessages" : false
    }
  }
}

-- response --

201 Created
Set-Cookie:  APPSESSIONID=4D3C3B00EEF11FA511C91CC92A68F08D; Path=/ers; Secure; HttpOnly JSESSIONIDSSO=124A4C5EA0895B9617DD3818FE6B8573; Path=/; Secure; HttpOnly
Cache-Control:  no-cache, no-store, must-revalidate
Pragma:  no-cache
Expires:  Thu, 01 Jan 1970 00:00:00 GMT
Location:  https://myISE:9060/ers/config/authorizationprofile/a3180680-7c53-11e7-8d8a-005056ab51e1
Date:  Tue, 08 Aug 2017 16:07:12 GMT
Content-Type:  application/json;charset=utf-8
Content-Length:  0
Server:

7 REPLIES
jan.nielsen
Rising star

Your example works and also in xml format, but the second you remove the webauth part, it fails. That must be a bug, you wouldn't always have a webauth redirect in your authz profile.

This one works for me, as well.

POST https://myISE:9060/ers/config/authorizationprofile
Accept: application/json
Content-Type: application/json

{
  "AuthorizationProfile" : {
    "id" : "",
    "name" : "demoTest2",
    "accessType" : "ACCESS_ACCEPT"
  }
}

-- response --

201 Created
Set-Cookie:  JSESSIONIDSSO=A5D7338F5B6E803E0C0EFC3CD162FEB5; Path=/; Secure; HttpOnly APPSESSIONID=B99CC6430612A3824F3A9DD54556FBF9; Path=/ers; Secure; HttpOnly
Cache-Control:  no-cache, no-store, must-revalidate
Pragma:  no-cache
Expires:  Thu, 01 Jan 1970 00:00:00 GMT
Location:  https://myISE:9060/ers/config/authorizationprofile/d82ecb30-7c51-11e7-8d8a-005056ab51e1
Date:  Tue, 08 Aug 2017 15:54:22 GMT
Content-Type:  application/json;charset=utf-8
Content-Length:  0
Server:

jan.nielsen
Rising star

Thanks, that actually works; I am also able to assign a VLAN name using JSON. I think what I found is that the JSON model is working as expected; however, the XML is not. If I add the same settings but in XML, it fails.

POST https://myISE:9060/ers/config/authorizationprofile
Accept: application/xml
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>
<ns0:authorizationprofile xmlns:ns0="policy.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="testauthz001">
   <accessType>ACCESS_ACCEPT</accessType>
   <authzProfileType>SWITCH</authzProfileType>
   <vlan>
      <nameID>vlanName</nameID>
      <tagID>1</tagID>
   </vlan>
</ns0:authorizationprofile>

Response from ISE:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:ersResponse operation="POST-create-authorizationprofile" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">
<link rel="related" href="https://10.121.161.18:9060/ers/config/authorizationprofile" type="application/xml"/>
<messages>
<message type="ERROR" code="Schema validation exception">
<title>XML Schema Validation Failed :: at line 1, column 356 : cvc-complex-type.2.4.a: Invalid content was found starting with element 'vlan'. One of '{autoSmartPort, avcProfile, daclName, easywiredSessionCandidate}' is expected.</title>
</message>
</messages>
</ns3:ersResponse>

Jan
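The exchange above shows the JSON model creating profiles while the XML model is rejected with a schema-validation error. As an added example that is not code from the thread or from Cisco, the script below drives the ERS authorization-profile endpoint with the minimal JSON body shown working here (id, name, accessType, optional VLAN), pulls the new profile id out of the 201 Location header, and unpacks the ersResponse error envelope so a rejected request is logged with its code and title rather than as a bare status. Assumptions: the host "myISE", the credentials and the CA bundle path are placeholders; the "vlan" object's nameID/tagID key names are borrowed from the thread's XML and are assumed to be the same in the JSON model; ERS basic auth over TLS on port 9060 is as used in the thread.

```python
"""Added example, not code from the thread or from Cisco: create an ISE ERS
authorization profile with the JSON model the thread shows working, and unpack
the ersResponse error envelope when ISE rejects a request.
Host, credentials and CA bundle path are placeholders."""
import base64
import json
import ssl
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# ERS listens on 9060 and uses HTTP basic auth; "myISE" is the thread's placeholder host.
ERS_BASE = "https://myISE:9060/ers/config"


def build_authz_profile(name, vlan_name=None, vlan_tag=1, access_type="ACCESS_ACCEPT"):
    """Minimal JSON body the thread shows ISE 2.3 accepting (id, name, accessType).
    The optional vlan object reuses the nameID/tagID keys from the thread's XML;
    that the JSON model uses the same key names is an assumption."""
    profile = {"id": "", "name": name, "accessType": access_type}
    if vlan_name is not None:
        profile["vlan"] = {"nameID": vlan_name, "tagID": vlan_tag}
    return {"AuthorizationProfile": profile}


def profile_id_from_location(location):
    """A 201 Created carries the new object's URL in Location; the last path
    segment is the id used for later GET/PUT/DELETE calls on that profile."""
    return urlparse(location).path.rstrip("/").rsplit("/", 1)[-1]


def parse_ers_error(xml_bytes):
    """Return (type, code, title) for every <message> in an ersResponse error
    envelope. The root element carries the ers.ise.cisco.com namespace, but
    <messages>/<message>/<title> are unprefixed, so no namespace map is needed."""
    root = ET.fromstring(xml_bytes)
    return [(m.get("type"), m.get("code"), (m.findtext("title") or "").strip())
            for m in root.iter("message")]


def ers_request(method, path, body=None, username="PLACEHOLDER_USER",
                password="PLACEHOLDER_PASS", ca_bundle=None):
    """One ERS call. The TLS context verifies the ISE certificate against the
    given CA bundle (or the system store); leaving verification on is what keeps
    the basic-auth header from being readable by an on-path host."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(ERS_BASE + path, data=data, method=method)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def create_authz_profile(name, **kwargs):
    """POST the profile; on 201 return the new id, otherwise raise with the
    ERS messages. The error body is tried as an ersResponse XML envelope first
    (the shape quoted in the thread) and falls back to the raw text."""
    status, headers, raw = ers_request("POST", "/authorizationprofile",
                                       build_authz_profile(name, **kwargs))
    if status == 201:
        return profile_id_from_location(headers["Location"])
    try:
        detail = parse_ers_error(raw)
    except ET.ParseError:
        detail = raw.decode(errors="replace")
    raise RuntimeError(f"ERS returned {status}: {detail}")


# Error envelope quoted in the thread (host replaced by the placeholder),
# embedded here so the parser can be exercised offline.
SAMPLE_ERROR = b"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:ersResponse operation="POST-create-authorizationprofile" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">
<link rel="related" href="https://myISE:9060/ers/config/authorizationprofile" type="application/xml"/><messages>
<message type="ERROR" code="Schema validation exception">
<title>XML Schema Validation Failed :: at line 1, column 356 : cvc-complex-type.2.4.a: Invalid content was found starting with element 'vlan'. One of '{autoSmartPort, avcProfile, daclName, easywiredSessionCandidate}' is expected.</title>
</message>
</messages>
</ns3:ersResponse>"""

if __name__ == "__main__":
    print(json.dumps(build_authz_profile("testauthz001", vlan_name="vlanName"), indent=2))
    for kind, code, title in parse_ers_error(SAMPLE_ERROR):
        print(f"{kind} [{code}]: {title}")
```

Running the module prints the JSON body and the parsed error from the embedded sample; `create_authz_profile("demoTest2")` performs the live POST once the placeholders are replaced. Keeping certificate verification on and the ERS credentials out of the source (pass them in from a secret store rather than the defaults shown) is the part worth not skipping: the endpoint writes authorization policy, so its credentials are as sensitive as admin access.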

CSCvf61114 logged to track this issue.

As it's a new bug, it might not be visible externally in the next 24 hours.

Just a FYI for all, this bug is still current in ISE 2.6 and 2.7 even though it is not in the Open Caveats of the release notes of either version.

Cisco TAC have reopened this case, which is great.
