Solved: REST API for DACLs Not Accurate

paul · ‎04-05-2019

I don't open TAC cases for REST API issues because I don't have the time. I am just posting to see if this is a known issue on 2.4 patch 6.

The current policy export XML file doesn't contain the contents of the DACLs (another issue that should get fixed) so I am trying to use the REST APIs to pull authorization profiles, tie them to DACL names and get the DACL contents.

I can make the REST call to get all the authorization profiles:

https://<Admin_Node>:9060/ers/config/authorizationprofile

I can then parse through that to get the IDs for each authorization profile and make calls to get the authorization profile contents:

https://<Admin_Node>:9060/ers/config/authorizationprofile/00ec24a0-f2ad-11e8-8505-005056830148

In the results it will have the DACL name;

"daclName": "Vendor_DACL",

The DACL name is useless because you can't do a filter by name when you make a DACL REST query (another problem that should be fixed):

https://<Admin_Node>:9060/ers/config/downloadableacl?filter=name.EQ.Vendor_DAC

So now I am forced to do a Get-All on the DACLs and parse my way through the result. Not a problem except the Get-All is busted and doesn't return all the DACLs. The first indicator of the problem is:

{
"SearchResult": {
"total": 0,

Even though the query returned 20 DACLs to me. Okay so it returned 20 DACLs out of my 110 DACLs maybe it is a paging issue. If that were true there should be an HREF at the bottom of the output to the next page. There is nothing for that.

Is this a known issue?

Jeffrey Ness · ‎06-01-2023

Yes use ?size=pageSize

View solution in original post

thomas · ‎06-16-2023

The default ISE ERS REST page size is 20 with a max of 100. See Pagination

You will need to page through all of the pages to get all of the dACL id attributes (UUIDs).

The GET /ers/config/downloadableacl only returns the id, name, and description attributes. To get the dacl attribute (contents), you will need to perform an additional GET /ers/config/downloadableacl/{id} on each and every ACL as listed in the link.href attributes below.

curl  --include  --insecure  --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_HOSTNAME/ers/config/downloadableacl

HTTP/1.1 200

{
  "SearchResult" : {
    "total" : 4,
    "resources" : [ {
      "id" : "9825aa40-8c01-11e6-996c-525400b48521",
      "name" : "DENY_ALL_IPV4_TRAFFIC",
      "description" : "Deny all ipv4 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/9825aa40-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name" : "DENY_ALL_IPV6_TRAFFIC",
      "description" : "Deny all ipv6 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380c6620-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    }, {
      "id" : "982498d0-8c01-11e6-996c-525400b48521",
      "name" : "PERMIT_ALL_IPV4_TRAFFIC",
      "description" : "Allow all ipv4 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/982498d0-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name" : "PERMIT_ALL_IPV6_TRAFFIC",
      "description" : "Allow all ipv6 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380a4340-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    } ]
  }
}

If it helps, I've written an ise_get.py Python script to make this fast and easy for you:

❱ ise_get.py downloadableacl --details
{
  "downloadableacl": [
    {
      "id": "9825aa40-8c01-11e6-996c-525400b48521",
      "name": "DENY_ALL_IPV4_TRAFFIC",
      "description": "Deny all ipv4 traffic",
      "dacl": "deny ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name": "DENY_ALL_IPV6_TRAFFIC",
      "description": "Deny all ipv6 traffic",
      "dacl": "deny ipv6 any any",
      "daclType": "IPV6"
    },
    {
      "id": "982498d0-8c01-11e6-996c-525400b48521",
      "name": "PERMIT_ALL_IPV4_TRAFFIC",
      "description": "Allow all ipv4 Traffic",
      "dacl": "permit ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name": "PERMIT_ALL_IPV6_TRAFFIC",
      "description": "Allow all ipv6 Traffic",
      "dacl": "permit ipv6 any any",
      "daclType": "IPV6"
    }
  ]
}

View solution in original post

anthonylofreso · ‎04-05-2019

This, sounds painful... And it's unfortunate to hear as I plan to use the API to present things like dacls to other teams since the RBAC controls in ISE GUI are so poor.

paul · ‎04-05-2019

Okay, I got a little father. Even though the HREF to next page wasn't there in the general call I was able to work my way through the list by doing:

https://:9060/ers/config/downloadableacl?page=1<>

https:// :9060/ers/config/downloadableacl?page=2<>

etc.

Because there is no count reported the only way you know you are finished is if you do a search of the result for "id:". If that doesn't exist then no DACLs were in the output. So at 110 DACLS and 20 a page I stopped seeing results on page 7.

Not great but something I can work with.

anthonylofreso · ‎04-05-2019

Is there any way to change the default pagination value?

Jeffrey Ness · ‎06-01-2023

Yes use ?size=pageSize

thomas · ‎06-16-2023

The default ISE ERS REST page size is 20 with a max of 100. See Pagination

You will need to page through all of the pages to get all of the dACL id attributes (UUIDs).

The GET /ers/config/downloadableacl only returns the id, name, and description attributes. To get the dacl attribute (contents), you will need to perform an additional GET /ers/config/downloadableacl/{id} on each and every ACL as listed in the link.href attributes below.

curl  --include  --insecure  --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_HOSTNAME/ers/config/downloadableacl

HTTP/1.1 200

{
  "SearchResult" : {
    "total" : 4,
    "resources" : [ {
      "id" : "9825aa40-8c01-11e6-996c-525400b48521",
      "name" : "DENY_ALL_IPV4_TRAFFIC",
      "description" : "Deny all ipv4 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/9825aa40-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name" : "DENY_ALL_IPV6_TRAFFIC",
      "description" : "Deny all ipv6 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380c6620-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    }, {
      "id" : "982498d0-8c01-11e6-996c-525400b48521",
      "name" : "PERMIT_ALL_IPV4_TRAFFIC",
      "description" : "Allow all ipv4 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/982498d0-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name" : "PERMIT_ALL_IPV6_TRAFFIC",
      "description" : "Allow all ipv6 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380a4340-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    } ]
  }
}

If it helps, I've written an ise_get.py Python script to make this fast and easy for you:

❱ ise_get.py downloadableacl --details
{
  "downloadableacl": [
    {
      "id": "9825aa40-8c01-11e6-996c-525400b48521",
      "name": "DENY_ALL_IPV4_TRAFFIC",
      "description": "Deny all ipv4 traffic",
      "dacl": "deny ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name": "DENY_ALL_IPV6_TRAFFIC",
      "description": "Deny all ipv6 traffic",
      "dacl": "deny ipv6 any any",
      "daclType": "IPV6"
    },
    {
      "id": "982498d0-8c01-11e6-996c-525400b48521",
      "name": "PERMIT_ALL_IPV4_TRAFFIC",
      "description": "Allow all ipv4 Traffic",
      "dacl": "permit ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name": "PERMIT_ALL_IPV6_TRAFFIC",
      "description": "Allow all ipv6 Traffic",
      "dacl": "permit ipv6 any any",
      "daclType": "IPV6"
    }
  ]
}

Daniel G. · ‎08-11-2023

Hello Thomas,

thank you for your script, it seams very useful, but i have question.

I am trying to use your python script "ise_get.py downloadableacl" or "ise_get_ers_resource.py downloadableacl" and it seems it give me 100 of records (we have approx 260 dACLs). How can get all dACLs or page through all pages with these scripts?