
04-05-2019 10:10 AM
I don't open TAC cases for REST API issues because I don't have the time. I am just posting to see if this is a known issue on 2.4 patch 6.
The current policy export XML file doesn't contain the contents of the DACLs (another issue that should get fixed) so I am trying to use the REST APIs to pull authorization profiles, tie them to DACL names and get the DACL contents.
I can make the REST call to get all the authorization profiles:
https://<Admin_Node>:9060/ers/config/authorizationprofile
I can then parse through that to get the IDs for each authorization profile and make calls to get the authorization profile contents:
https://<Admin_Node>:9060/ers/config/authorizationprofile/00ec24a0-f2ad-11e8-8505-005056830148
In the results it will have the DACL name:
"daclName": "Vendor_DACL",
The DACL name is useless because you can't do a filter by name when you make a DACL REST query (another problem that should be fixed):
https://<Admin_Node>:9060/ers/config/downloadableacl?filter=name.EQ.Vendor_DAC
So now I am forced to do a Get-All on the DACLs and parse my way through the result. Not a problem except the Get-All is busted and doesn't return all the DACLs. The first indicator of the problem is:
{
  "SearchResult": {
    "total": 0,
Even though the query returned 20 DACLs to me. Okay, so it returned 20 DACLs out of my 110 DACLs; maybe it is a paging issue. If that were true, there should be an HREF at the bottom of the output to the next page. There is nothing for that.
Is this a known issue?
Accepted Solutions
06-01-2023 03:21 PM
Yes use ?size=pageSize

06-16-2023 02:29 PM
The default ISE ERS REST page size is 20 with a max of 100. See Pagination
You will need to page through all of the pages to get all of the dACL id attributes (UUIDs).
The GET /ers/config/downloadableacl only returns the id, name, and description attributes. To get the dacl attribute (contents), you will need to perform an additional GET /ers/config/downloadableacl/{id} on each and every ACL as listed in the link.href attributes below.
curl --include --insecure --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user "$ISE_REST_USERNAME:$ISE_REST_PASSWORD" \
  --request GET "https://$ISE_HOSTNAME/ers/config/downloadableacl"
HTTP/1.1 200
{
  "SearchResult" : {
    "total" : 4,
    "resources" : [ {
      "id" : "9825aa40-8c01-11e6-996c-525400b48521",
      "name" : "DENY_ALL_IPV4_TRAFFIC",
      "description" : "Deny all ipv4 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/9825aa40-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name" : "DENY_ALL_IPV6_TRAFFIC",
      "description" : "Deny all ipv6 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380c6620-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    }, {
      "id" : "982498d0-8c01-11e6-996c-525400b48521",
      "name" : "PERMIT_ALL_IPV4_TRAFFIC",
      "description" : "Allow all ipv4 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/982498d0-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name" : "PERMIT_ALL_IPV6_TRAFFIC",
      "description" : "Allow all ipv6 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380a4340-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    } ]
  }
}
If it helps, I've written an ise_get.py Python script to make this fast and easy for you:
❱ ise_get.py downloadableacl --details
{
  "downloadableacl": [
    {
      "id": "9825aa40-8c01-11e6-996c-525400b48521",
      "name": "DENY_ALL_IPV4_TRAFFIC",
      "description": "Deny all ipv4 traffic",
      "dacl": "deny ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name": "DENY_ALL_IPV6_TRAFFIC",
      "description": "Deny all ipv6 traffic",
      "dacl": "deny ipv6 any any",
      "daclType": "IPV6"
    },
    {
      "id": "982498d0-8c01-11e6-996c-525400b48521",
      "name": "PERMIT_ALL_IPV4_TRAFFIC",
      "description": "Allow all ipv4 Traffic",
      "dacl": "permit ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name": "PERMIT_ALL_IPV6_TRAFFIC",
      "description": "Allow all ipv6 Traffic",
      "dacl": "permit ipv6 any any",
      "daclType": "IPV6"
    }
  ]
}
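
Added example, not part of the thread and not taken from ise_get.py: paging a Get-All at the maximum page size, then fetching each dACL by id so an authorization profile's daclName can be resolved to ACL text. It stops when a page brings nothing new instead of trusting "total". The `fetch` hook, the `page` query parameter and the `DownloadableAcl` wrapper key are assumptions, and the stand-in node and its 110 dACLs are constructed.

```python
from urllib.parse import urlencode

ERS_MAX_PAGE_SIZE = 100  # the thread states: default page size 20, maximum 100

def list_all(fetch, base_url, resource, size=ERS_MAX_PAGE_SIZE, max_pages=1000):
    """Collect every summary entry (id, name, ...) of an ERS resource.

    fetch(url) -> dict is a hypothetical transport hook; wrap your HTTP
    client (with TLS certificate verification enabled) inside it.
    """
    size = max(1, min(size, ERS_MAX_PAGE_SIZE))  # clamp to the documented limit
    seen, items = set(), []
    for page in range(1, max_pages + 1):
        query = urlencode({"size": size, "page": page})  # "page" is an assumption
        body = fetch(f"{base_url}/ers/config/{resource}?{query}")
        resources = body.get("SearchResult", {}).get("resources", [])
        # "total" is ignored on purpose (reported as 0 in the thread).
        # An empty page, or a page repeating known ids, means we are done.
        new = [r for r in resources if r["id"] not in seen]
        if not new:
            return items
        seen.update(r["id"] for r in new)
        items.extend(new)
    raise RuntimeError(f"{resource}: still receiving data after {max_pages} pages")

def dacl_contents_by_name(fetch, base_url):
    """Map dACL name -> ACL text with one extra GET per dACL id."""
    out = {}
    for r in list_all(fetch, base_url, "downloadableacl"):
        detail = fetch(f"{base_url}/ers/config/downloadableacl/{r['id']}")
        out[r["name"]] = detail["DownloadableAcl"]["dacl"]  # wrapper key assumed
    return out

# Constructed stand-in for an ISE node: 110 dACLs, "total" always 0.
FAKE = {f"id-{i:03d}": {"id": f"id-{i:03d}", "name": f"DACL_{i:03d}",
                        "dacl": "permit ip any any", "daclType": "IPV4"}
        for i in range(110)}

def fake_fetch(url):
    path, _, query = url.partition("?")
    if not query:  # single-resource GET
        return {"DownloadableAcl": FAKE[path.rsplit("/", 1)[1]]}
    q = dict(p.split("=") for p in query.split("&"))
    size, page = int(q["size"]), int(q["page"])
    chunk = list(FAKE.values())[(page - 1) * size: page * size]
    return {"SearchResult": {"total": 0, "resources":
            [{"id": d["id"], "name": d["name"]} for d in chunk]}}

if __name__ == "__main__":
    print(len(dacl_contents_by_name(fake_fetch, "https://ise.example")))
```
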

04-05-2019 10:16 AM - edited 04-05-2019 10:16 AM
This sounds painful... And it's unfortunate to hear, as I plan to use the API to present things like dacls to other teams since the RBAC controls in ISE GUI are so poor.

04-05-2019 11:32 AM
https://
https://
etc.
Because there is no count reported, the only way you know you are finished is if you do a search of the result for "id:". If that doesn't exist then no DACLs were in the output. So at 110 DACLs and 20 a page I stopped seeing results on page 7.
Not great but something I can work with.

04-05-2019 11:59 AM
Is there any way to change the default pagination value?
08-11-2023 12:49 AM
Hello Thomas,
Thank you for your script, it seems very useful, but I have a question.
I am trying to use your Python script "ise_get.py downloadableacl" or "ise_get_ers_resource.py downloadableacl" and it seems it gives me 100 records (we have approx. 260 dACLs). How can I get all dACLs or page through all pages with these scripts?
