04-05-2019 10:10 AM
I don't open TAC cases for REST API issues because I don't have the time. I am just posting to see if this is a known issue on 2.4 patch 6.
The current policy export XML file doesn't contain the contents of the DACLs (another issue that should get fixed) so I am trying to use the REST APIs to pull authorization profiles, tie them to DACL names and get the DACL contents.
I can make the REST call to get all the authorization profiles:
https://<Admin_Node>:9060/ers/config/authorizationprofile
I can then parse through that to get the IDs for each authorization profile and make calls to get the authorization profile contents:
https://<Admin_Node>:9060/ers/config/authorizationprofile/00ec24a0-f2ad-11e8-8505-005056830148
In the results it will have the DACL name:
"daclName": "Vendor_DACL",
The DACL name is useless because you can't do a filter by name when you make a DACL REST query (another problem that should be fixed):
https://<Admin_Node>:9060/ers/config/downloadableacl?filter=name.EQ.Vendor_DAC
So now I am forced to do a Get-All on the DACLs and parse my way through the result. Not a problem except the Get-All is busted and doesn't return all the DACLs. The first indicator of the problem is:
{
  "SearchResult": {
    "total": 0,
Even though the query returned 20 DACLs to me. Okay, so it returned 20 DACLs out of my 110 DACLs; maybe it is a paging issue. If that were true, there should be an HREF at the bottom of the output to the next page. There is nothing for that.
Is this a known issue?
04-05-2019 10:16 AM - edited 04-05-2019 10:16 AM
This sounds painful... And it's unfortunate to hear, as I plan to use the API to present things like dacls to other teams since the RBAC controls in ISE GUI are so poor.
04-05-2019 11:32 AM
04-05-2019 11:59 AM
Is there any way to change the default pagination value?
06-01-2023 03:21 PM
Yes, use ?size=pageSize
06-16-2023 02:29 PM
The default ISE ERS REST page size is 20 with a max of 100. See Pagination
You will need to page through all of the pages to get all of the dACL id attributes (UUIDs).
The GET /ers/config/downloadableacl only returns the id, name, and description attributes. To get the dacl attribute (contents), you will need to perform an additional GET /ers/config/downloadableacl/{id} on each and every ACL as listed in the link.href attributes below.
curl --include --insecure --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_HOSTNAME/ers/config/downloadableacl

HTTP/1.1 200
{
  "SearchResult" : {
    "total" : 4,
    "resources" : [ {
      "id" : "9825aa40-8c01-11e6-996c-525400b48521",
      "name" : "DENY_ALL_IPV4_TRAFFIC",
      "description" : "Deny all ipv4 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/9825aa40-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name" : "DENY_ALL_IPV6_TRAFFIC",
      "description" : "Deny all ipv6 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380c6620-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    }, {
      "id" : "982498d0-8c01-11e6-996c-525400b48521",
      "name" : "PERMIT_ALL_IPV4_TRAFFIC",
      "description" : "Allow all ipv4 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/982498d0-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name" : "PERMIT_ALL_IPV6_TRAFFIC",
      "description" : "Allow all ipv6 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380a4340-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    } ]
  }
}
If it helps, I've written an ise_get.py Python script to make this fast and easy for you:
❱ ise_get.py downloadableacl --details
{
  "downloadableacl": [
    {
      "id": "9825aa40-8c01-11e6-996c-525400b48521",
      "name": "DENY_ALL_IPV4_TRAFFIC",
      "description": "Deny all ipv4 traffic",
      "dacl": "deny ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name": "DENY_ALL_IPV6_TRAFFIC",
      "description": "Deny all ipv6 traffic",
      "dacl": "deny ipv6 any any",
      "daclType": "IPV6"
    },
    {
      "id": "982498d0-8c01-11e6-996c-525400b48521",
      "name": "PERMIT_ALL_IPV4_TRAFFIC",
      "description": "Allow all ipv4 Traffic",
      "dacl": "permit ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name": "PERMIT_ALL_IPV6_TRAFFIC",
      "description": "Allow all ipv6 Traffic",
      "dacl": "permit ipv6 any any",
      "daclType": "IPV6"
    }
  ]
}
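The paging procedure from the reply above, as an added example that is not part of the original post and is not the ise_get.py script: it walks every list page at the maximum size of 100, follows each link.href for the dACL contents, and flags a reported total that disagrees with what was actually listed. Assumptions: the `page` query parameter, the `DownloadableAcl` wrapper key on the per-id response, the injected `fetch` callable (any function that returns parsed JSON for a URL), and the constructed host `ise.example.test` with 250 fake dACLs so the block runs offline.

```python
from urllib.parse import urlsplit, parse_qs

def get_all_dacls(base_url, fetch, size=100):
    """Return ({name: dacl contents}, warnings) after walking every list page."""
    listed, warnings, page = {}, [], 1
    while True:
        url = f"{base_url}/ers/config/downloadableacl?size={size}&page={page}"
        result = fetch(url)["SearchResult"]
        resources = result.get("resources", [])
        for res in resources:
            listed[res["id"]] = res          # keyed by UUID, so repeats collapse
        if len(resources) < size:            # short or empty page ends the walk
            break
        page += 1
    # Cross-check the reported total without trusting it: the thread shows
    # "total": 0 returned alongside 20 resources.
    if result.get("total") != len(listed):
        warnings.append(f"total={result.get('total')} but {len(listed)} listed")
    dacls = {}
    for res in listed.values():
        detail = fetch(res["link"]["href"])["DownloadableAcl"]  # assumed wrapper key
        dacls[detail["name"]] = detail["dacl"]
    return dacls, warnings

# Constructed stand-in for an ISE node holding 250 dACLs, so this runs offline.
BASE = "https://ise.example.test"
FAKE = {f"id-{n:03d}": {"id": f"id-{n:03d}", "name": f"DACL_{n:03d}",
                        "dacl": "permit ip any any", "daclType": "IPV4"}
        for n in range(250)}

def fake_fetch(url):
    parts = urlsplit(url)
    if parts.query:                          # list request: slice out one page
        q = parse_qs(parts.query)
        size, page = int(q["size"][0]), int(q["page"][0])
        ids = sorted(FAKE)[(page - 1) * size: page * size]
        return {"SearchResult": {"total": 0, "resources": [  # total wrong on purpose
            {"id": i, "name": FAKE[i]["name"],
             "link": {"rel": "self", "href": f"{BASE}/ers/config/downloadableacl/{i}"}}
            for i in ids]}}
    return {"DownloadableAcl": FAKE[parts.path.rsplit("/", 1)[1]]}

if __name__ == "__main__":
    dacls, warnings = get_all_dacls(BASE, fake_fetch)
    print(len(dacls), warnings)
```

Against a live node, pass a `fetch` that sends the same Accept header and credentials as the curl call above and returns the decoded JSON body.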
08-11-2023 12:49 AM
Hello Thomas,
Thank you for your script, it seems very useful, but I have a question.
I am trying to use your python script "ise_get.py downloadableacl" or "ise_get_ers_resource.py downloadableacl" and it seems it gives me 100 records (we have approx 260 dACLs). How can I get all dACLs or page through all pages with these scripts?