08-08-2017 06:44 AM
I have been trying to use the new API calls introduced in ISE 2.3, for authorization profile listing, modification, creation and deletion of profiles with not much luck. The SDK documentation specifies which fields need to be included in the XML for a create call, however that does not match with what errors I get when I attempt to create a basic authorization profile that just sends access-accept and a vlan name. The XML example from the docs includes both macsec, asavpn group, airespace acl name and other things, but these are not required according to the documentation, and I also don't want to use these parameters. If I remove any of those settings from the XML my request fails, referencing that the field is missing; if I include the field, but don't put anything in the content, it fails. Anyone tried this yet?
Jan
08-08-2017 09:11 AM
Below works for me. However, I did get an error while trying asaVpn.
POST https://myISE:9060/ers/config/authorizationprofile
Accept: application/json
Content-Type: application/json
{
"AuthorizationProfile" : {
"id" : "",
"name" : "demoTest3",
"accessType" : "ACCESS_ACCEPT",
"webRedirection" : {
"WebRedirectionType" : "CentralizedWebAuth",
"acl" : "ACL_WEBAUTH_REDIRECT",
"portalName" : "Self-Registered Guest Portal (default)",
"displayCertificatesRenewalMessages" : false
}
}
}
-- response --
201 Created
Set-Cookie: APPSESSIONID=4D3C3B00EEF11FA511C91CC92A68F08D; Path=/ers; Secure; HttpOnly
Set-Cookie: JSESSIONIDSSO=124A4C5EA0895B9617DD3818FE6B8573; Path=/; Secure; HttpOnly
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://myISE:9060/ers/config/authorizationprofile/a3180680-7c53-11e7-8d8a-005056ab51e1
Date: Tue, 08 Aug 2017 16:07:12 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 0
Server:
08-09-2017 01:07 AM
Your example works and also in xml format, but the second you remove the webauth part, it fails. That must be a bug, you wouldn't always have a webauth redirect in your authz profile.
08-10-2017 12:04 PM
This one works for me, as well.
POST https://myISE:9060/ers/config/authorizationprofile
Accept: application/json
Content-Type: application/json
{
"AuthorizationProfile" : {
"id" : "",
"name" : "demoTest2",
"accessType" : "ACCESS_ACCEPT"
}
}
-- response --
201 Created
Set-Cookie: JSESSIONIDSSO=A5D7338F5B6E803E0C0EFC3CD162FEB5; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=B99CC6430612A3824F3A9DD54556FBF9; Path=/ers; Secure; HttpOnly
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://myISE:9060/ers/config/authorizationprofile/d82ecb30-7c51-11e7-8d8a-005056ab51e1
Date: Tue, 08 Aug 2017 15:54:22 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 0
Server:
08-10-2017 12:29 PM
Thanks, that actually works; I also am able to assign a vlan name using JSON. I think what I found is that the JSON model is working as expected, however the XML is not. If I add the same settings but in XML it fails.
POST https://myISE:9060/ers/config/authorizationprofile
Accept: application/xml
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<ns0:authorizationprofile xmlns:ns0="policy.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="testauthz001">
<accessType>ACCESS_ACCEPT</accessType>
<authzProfileType>SWITCH</authzProfileType>
<vlan>
<nameID>vlanName</nameID>
<tagID>1</tagID>
</vlan>
</ns0:authorizationprofile>
Response from ISE:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:ersResponse operation="POST-create-authorizationprofile" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">
<link rel="related" href="https://10.121.161.18:9060/ers/config/authorizationprofile" type="application/xml"/><messages>
<message type="ERROR" code="Schema validation exception">
<title>XML Schema Validation Failed :: at line 1, column 356 : cvc-complex-type.2.4.a: Invalid content was found starting with element 'vlan'. One of '{autoSmartPort, avcProfile, daclName, easywiredSessionCandidate}' is expected.</title>
</message>
</messages>
</ns3:ersResponse>
Jan
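To script the working JSON form of the create call from the two posts above (the minimal ACCESS_ACCEPT body, plus the vlan that is reported to work in JSON but not XML), here is an added example; it is not Cisco's code or from this thread. The hostname, credentials, CA bundle, and the vlan JSON keys (assumed to mirror the nameID/tagID elements of the XML attempt) are assumptions; the new profile's id is read from the Location header because ERS returns an empty body on 201.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Added example, not Cisco's code. Hostname, credentials, CA file and the
# JSON layout of "vlan" (assumed from the nameID/tagID XML elements) are
# assumptions; adjust them for your deployment.

def build_authz_profile(name, vlan_name=None, tag_id=1):
    """Build the ERS AuthorizationProfile body. In the JSON model only the
    name and accessType are needed; vlan is attached only when requested."""
    profile = {"id": "", "name": name, "accessType": "ACCESS_ACCEPT"}
    if vlan_name:
        profile["vlan"] = {"nameID": vlan_name, "tagID": tag_id}
    return {"AuthorizationProfile": profile}

def profile_id_from_location(location):
    """ERS answers 201 with Content-Length: 0, so the object's id exists
    only as the last path segment of the Location header."""
    path = urlparse(location).path.rstrip("/")
    return path.rsplit("/", 1)[-1] if path else ""

def create_authz_profile(base_url, username, password, payload, cafile=None):
    """POST /ers/config/authorizationprofile over TLS with basic auth.
    Returns (http_status, profile_id_or_error_text). cafile pins the CA
    you trust for the ISE admin cert instead of disabling verification."""
    url = base_url.rstrip("/") + "/ers/config/authorizationprofile"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Accept": "application/json",
                 "Content-Type": "application/json",
                 "Authorization": "Basic " + token})
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, profile_id_from_location(resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:
        # ERS puts validation failures (e.g. schema errors) in the body.
        return err.code, err.read().decode(errors="replace")

if __name__ == "__main__":
    body = build_authz_profile("testauthz001", vlan_name="vlanName")
    print(json.dumps(body, indent=2))
    # status, result = create_authz_profile("https://myISE:9060", "ersadmin",
    #                                       "secret", body, cafile="ise-ca.pem")
```

The ERS user needs the ERS Admin role and the ERS service must be enabled on the node; a 401 from the call above is that, not a payload problem.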
08-14-2017 02:48 PM
CSCvf61114 logged to track this issue.
As it's a new bug, it might not be visible externally in next 24 hours.
07-29-2020 11:49 PM
Just a FYI for all, this bug is still current in ISE 2.6 and 2.7 even though it is not in the Open Caveats of the release notes of either version.
08-19-2020 08:50 PM
Cisco TAC have reopened this case, which is great.