Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2604
Views
0
Helpful
7
Replies

Problems with ISE 2.3 REST API for creating authorization profiles

Go to solution
jan.nielsen
Level 7
Level 7

‎08-08-2017 06:44 AM

I have been trying to use the new api calls introduced in ISE 2.3, for authorization profile listing, modification, creation and deletion of profiles with not much luck. The SDK documentation specifies which fields need to be included in the XML for a create call, however that does not match with what errors i get when i attempt to create a basic authorization profile that just sends access-accept and a vlan name. The XML example from the docs, includes both macsec, asavpn group, airespace acl name and other things, but these are not required according to the documentation, and i also don't want to use these parameters. If i remove any of those settings from the xml my request fails, referencing that the field is missing, if include the field, but don't put anything in the content it fails. Anyone tried this yet?

Jan

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-08-2017 09:11 AM

Below works for me. However, I did get an error while trying asaVpn.

POST https://myISE:9060/ers/config/authorizationprofile

Accept: application/json

Content-Type: application/json

{

  "AuthorizationProfile" : {

    "id" : "",

    "name" : "demoTest3",

    "accessType" : "ACCESS_ACCEPT",

    "webRedirection" : {

      "WebRedirectionType" : "CentralizedWebAuth",

      "acl" : "ACL_WEBAUTH_REDIRECT",

      "portalName" : "Self-Registered Guest Portal (default)",

      "displayCertificatesRenewalMessages" : false

    }

  }

}

-- response --

201 Created

Set-Cookie:  APPSESSIONID=4D3C3B00EEF11FA511C91CC92A68F08D; Path=/ers; Secure; HttpOnly JSESSIONIDSSO=124A4C5EA0895B9617DD3818FE6B8573; Path=/; Secure; HttpOnly

Cache-Control:  no-cache, no-store, must-revalidate

Pragma:  no-cache

Expires:  Thu, 01 Jan 1970 00:00:00 GMT

Location:  https://myISE:9060/ers/config/authorizationprofile/a3180680-7c53-11e7-8d8a-005056ab51e1

Date:  Tue, 08 Aug 2017 16:07:12 GMT

Content-Type:  application/json;charset=utf-8

Content-Length:  0

Server: 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-08-2017 09:11 AM

Below works for me. However, I did get an error while trying asaVpn.

POST https://myISE:9060/ers/config/authorizationprofile

Accept: application/json

Content-Type: application/json

{

  "AuthorizationProfile" : {

    "id" : "",

    "name" : "demoTest3",

    "accessType" : "ACCESS_ACCEPT",

    "webRedirection" : {

      "WebRedirectionType" : "CentralizedWebAuth",

      "acl" : "ACL_WEBAUTH_REDIRECT",

      "portalName" : "Self-Registered Guest Portal (default)",

      "displayCertificatesRenewalMessages" : false

    }

  }

}

-- response --

201 Created

Set-Cookie:  APPSESSIONID=4D3C3B00EEF11FA511C91CC92A68F08D; Path=/ers; Secure; HttpOnly JSESSIONIDSSO=124A4C5EA0895B9617DD3818FE6B8573; Path=/; Secure; HttpOnly

Cache-Control:  no-cache, no-store, must-revalidate

Pragma:  no-cache

Expires:  Thu, 01 Jan 1970 00:00:00 GMT

Location:  https://myISE:9060/ers/config/authorizationprofile/a3180680-7c53-11e7-8d8a-005056ab51e1

Date:  Tue, 08 Aug 2017 16:07:12 GMT

Content-Type:  application/json;charset=utf-8

Content-Length:  0

Server: 

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7

‎08-09-2017 01:07 AM

Your example works and also in xml format, but the second you remove the webauth part, it fails. That must be a bug, you wouldn't always have a webauth redirect in your authz profile.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to jan.nielsen

‎08-10-2017 12:04 PM

This one works for me, as well.

POST https://myISE:9060/ers/config/authorizationprofile

Accept: application/json

Content-Type: application/json

{

  "AuthorizationProfile" : {

    "id" : "",

    "name" : "demoTest2",

    "accessType" : "ACCESS_ACCEPT"

  }

}

-- response --

201 Created

Set-Cookie:  JSESSIONIDSSO=A5D7338F5B6E803E0C0EFC3CD162FEB5; Path=/; Secure; HttpOnly APPSESSIONID=B99CC6430612A3824F3A9DD54556FBF9; Path=/ers; Secure; HttpOnly

Cache-Control:  no-cache, no-store, must-revalidate

Pragma:  no-cache

Expires:  Thu, 01 Jan 1970 00:00:00 GMT

Location:  https://myISE:9060/ers/config/authorizationprofile/d82ecb30-7c51-11e7-8d8a-005056ab51e1

Date:  Tue, 08 Aug 2017 15:54:22 GMT

Content-Type:  application/json;charset=utf-8

Content-Length:  0

Server: 

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7

‎08-10-2017 12:29 PM

Thanks, that actually works, i also am able to assign a vlan name using json. I think what i found is that the json model is working as expected, However the xml is not. If i add the same settings but in xml it fails.

POST https://myISE:9060/ers/config/authorizationprofile

Accept: application/xml

Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?>

<ns0:authorizationprofile xmlns:ns0="policy.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="testauthz001">

   <accessType>ACCESS_ACCEPT</accessType>

   <authzProfileType>SWITCH</authzProfileType>

   <vlan>

      <nameID>vlanName</nameID>

      <tagID>1</tagID>

   </vlan>

</ns0:authorizationprofile>

Response from ISE :

<?xml version="1.0" encoding="utf-8" standalone="yes"?>

<ns3:ersResponse operation="POST-create-authorizationprofile" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">

<link rel="related" href="https://10.121.161.18:9060/ers/config/authorizationprofile" type="application/xml"/><messages>

<message type="ERROR" code="Schema validation exception">

<title>XML Schema Validation Failed :: at line 1, column 356 : cvc-complex-type.2.4.a: Invalid content was found starting with element 'vlan'. One of '{autoSmartPort, avcProfile, daclName, easywiredSessionCandidate}' is expected.</title>

</message>

</messages>

</ns3:ersResponse>

Jan

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to jan.nielsen

‎08-14-2017 02:48 PM

CSCvf61114 logged to track this issue.

As it's a new bug, it might not be visible externally in next 24 hours.

0 Helpful

Go to solution
matthew.shelley
Level 1
Level 1
In response to hslai

‎07-29-2020 11:49 PM

Just a FYI for all, this bug is still current in ISE 2.6 and 2.7 even though it is not in the Open Caveats of the release notes of either version.

0 Helpful

Go to solution
matthew.shelley
Level 1
Level 1
In response to matthew.shelley

‎08-19-2020 08:50 PM

Cisco TAC have reopened this case, which is great.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents