Solved: REST API for DACLs Not Accurate

paul · ‎04-05-2019

I don't open TAC cases for REST API issues because I don't have the time. I am just posting to see if this is a known issue on 2.4 patch 6.

The current policy export XML file doesn't contain the contents of the DACLs (another issue that should get fixed) so I am trying to use the REST APIs to pull authorization profiles, tie them to DACL names and get the DACL contents.

I can make the REST call to get all the authorization profiles:

https://<Admin_Node>:9060/ers/config/authorizationprofile

I can then parse through that to get the IDs for each authorization profile and make calls to get the authorization profile contents:

https://<Admin_Node>:9060/ers/config/authorizationprofile/00ec24a0-f2ad-11e8-8505-005056830148

In the results it will have the DACL name;

"daclName": "Vendor_DACL",

The DACL name is useless because you can't do a filter by name when you make a DACL REST query (another problem that should be fixed):

https://<Admin_Node>:9060/ers/config/downloadableacl?filter=name.EQ.Vendor_DAC

So now I am forced to do a Get-All on the DACLs and parse my way through the result. Not a problem except the Get-All is busted and doesn't return all the DACLs. The first indicator of the problem is:

{
"SearchResult": {
"total": 0,

Even though the query returned 20 DACLs to me. Okay so it returned 20 DACLs out of my 110 DACLs maybe it is a paging issue. If that were true there should be an HREF at the bottom of the output to the next page. There is nothing for that.

Is this a known issue?

Jeffrey Ness · ‎06-01-2023

Yes use ?size=pageSize

View solution in original post

thomas · ‎06-16-2023

The default ISE ERS REST page size is 20 with a max of 100. See Pagination

You will need to page through all of the pages to get all of the dACL id attributes (UUIDs).

The GET /ers/config/downloadableacl only returns the id, name, and description attributes. To get the dacl attribute (contents), you will need to perform an additional GET /ers/config/downloadableacl/{id} on each and every ACL as listed in the link.href attributes below.

curl  --include  --insecure  --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_HOSTNAME/ers/config/downloadableacl

HTTP/1.1 200

{
  "SearchResult" : {
    "total" : 4,
    "resources" : [ {
      "id" : "9825aa40-8c01-11e6-996c-525400b48521",
      "name" : "DENY_ALL_IPV4_TRAFFIC",
      "description" : "Deny all ipv4 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/9825aa40-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name" : "DENY_ALL_IPV6_TRAFFIC",
      "description" : "Deny all ipv6 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380c6620-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    }, {
      "id" : "982498d0-8c01-11e6-996c-525400b48521",
      "name" : "PERMIT_ALL_IPV4_TRAFFIC",
      "description" : "Allow all ipv4 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/982498d0-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name" : "PERMIT_ALL_IPV6_TRAFFIC",
      "description" : "Allow all ipv6 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380a4340-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    } ]
  }
}

If it helps, I've written an ise_get.py Python script to make this fast and easy for you:

❱ ise_get.py downloadableacl --details
{
  "downloadableacl": [
    {
      "id": "9825aa40-8c01-11e6-996c-525400b48521",
      "name": "DENY_ALL_IPV4_TRAFFIC",
      "description": "Deny all ipv4 traffic",
      "dacl": "deny ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name": "DENY_ALL_IPV6_TRAFFIC",
      "description": "Deny all ipv6 traffic",
      "dacl": "deny ipv6 any any",
      "daclType": "IPV6"
    },
    {
      "id": "982498d0-8c01-11e6-996c-525400b48521",
      "name": "PERMIT_ALL_IPV4_TRAFFIC",
      "description": "Allow all ipv4 Traffic",
      "dacl": "permit ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name": "PERMIT_ALL_IPV6_TRAFFIC",
      "description": "Allow all ipv6 Traffic",
      "dacl": "permit ipv6 any any",
      "daclType": "IPV6"
    }
  ]
}

View solution in original post

anthonylofreso · ‎04-05-2019

This, sounds painful... And it's unfortunate to hear as I plan to use the API to present things like dacls to other teams since the RBAC controls in ISE GUI are so poor.

paul · ‎04-05-2019

Okay, I got a little father. Even though the HREF to next page wasn't there in the general call I was able to work my way through the list by doing:

https://:9060/ers/config/downloadableacl?page=1<>

https:// :9060/ers/config/downloadableacl?page=2<>

etc.

Because there is no count reported the only way you know you are finished is if you do a search of the result for "id:". If that doesn't exist then no DACLs were in the output. So at 110 DACLS and 20 a page I stopped seeing results on page 7.

Not great but something I can work with.

anthonylofreso · ‎04-05-2019

Is there any way to change the default pagination value?

Jeffrey Ness · ‎06-01-2023

Yes use ?size=pageSize

thomas · ‎06-16-2023

The default ISE ERS REST page size is 20 with a max of 100. See Pagination

You will need to page through all of the pages to get all of the dACL id attributes (UUIDs).

The GET /ers/config/downloadableacl only returns the id, name, and description attributes. To get the dacl attribute (contents), you will need to perform an additional GET /ers/config/downloadableacl/{id} on each and every ACL as listed in the link.href attributes below.

curl  --include  --insecure  --location \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_HOSTNAME/ers/config/downloadableacl

HTTP/1.1 200

{
  "SearchResult" : {
    "total" : 4,
    "resources" : [ {
      "id" : "9825aa40-8c01-11e6-996c-525400b48521",
      "name" : "DENY_ALL_IPV4_TRAFFIC",
      "description" : "Deny all ipv4 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/9825aa40-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name" : "DENY_ALL_IPV6_TRAFFIC",
      "description" : "Deny all ipv6 traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380c6620-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    }, {
      "id" : "982498d0-8c01-11e6-996c-525400b48521",
      "name" : "PERMIT_ALL_IPV4_TRAFFIC",
      "description" : "Allow all ipv4 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/982498d0-8c01-11e6-996c-525400b48521",
        "type" : "application/json"
      }
    }, {
      "id" : "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name" : "PERMIT_ALL_IPV6_TRAFFIC",
      "description" : "Allow all ipv6 Traffic",
      "link" : {
        "rel" : "self",
        "href" : "https://ise.trust0.net/ers/config/downloadableacl/380a4340-f532-11ed-8ed8-0050568fa0ed",
        "type" : "application/json"
      }
    } ]
  }
}

If it helps, I've written an ise_get.py Python script to make this fast and easy for you:

❱ ise_get.py downloadableacl --details
{
  "downloadableacl": [
    {
      "id": "9825aa40-8c01-11e6-996c-525400b48521",
      "name": "DENY_ALL_IPV4_TRAFFIC",
      "description": "Deny all ipv4 traffic",
      "dacl": "deny ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380c6620-f532-11ed-8ed8-0050568fa0ed",
      "name": "DENY_ALL_IPV6_TRAFFIC",
      "description": "Deny all ipv6 traffic",
      "dacl": "deny ipv6 any any",
      "daclType": "IPV6"
    },
    {
      "id": "982498d0-8c01-11e6-996c-525400b48521",
      "name": "PERMIT_ALL_IPV4_TRAFFIC",
      "description": "Allow all ipv4 Traffic",
      "dacl": "permit ip any any",
      "daclType": "IPV4"
    },
    {
      "id": "380a4340-f532-11ed-8ed8-0050568fa0ed",
      "name": "PERMIT_ALL_IPV6_TRAFFIC",
      "description": "Allow all ipv6 Traffic",
      "dacl": "permit ipv6 any any",
      "daclType": "IPV6"
    }
  ]
}

Daniel G. · ‎08-11-2023

Hello Thomas,

thank you for your script, it seams very useful, but i have question.

I am trying to use your python script "ise_get.py downloadableacl" or "ise_get_ers_resource.py downloadableacl" and it seems it give me 100 of records (we have approx 260 dACLs). How can get all dACLs or page through all pages with these scripts?

REST API for DACLs Not Accurate

REST API Basics

RESTful API Essential: Authentication

Webex Meetings REST APIの紹介

Guia REST API para ACI

【原创】ISE REST-API 配置案例