02-05-2019 03:11 PM
Hi,
Trying to create an endpoint using the API while CSRF Check is enabled; everything works if that check is disabled.
Using Python3, sending a GET request first to 'fetch' the token and then feeding that back into the headers for a POST request to /ers/config/endpoint.
Here's my initial GET request and response that works:
GET /ers/config/endpointgroup/name/groupGreen HTTP/1.1
Host: 10.81.127.170:9060
Accept-Encoding: identity
accept: application/json
content-type: application/json
authorization: Basic [redacted]
cache-control: no-cache
X-CSRF-TOKEN: fetch
---------------------
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONIDSSO=9E81D20C04095E5C0F82668222D54193; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=5AFA8F314D99A5921C61817BCF21997D; Path=/ers; Secure; HttpOnly
X-CSRF-Token: C883A27FBEA77E4BAAF85028FD0E229E
Pragma: no-cache
ETag: "D5755A00DC6F46C650D6B5D8E550DBE0"
Date: Tue, 05 Feb 2019 22:59:13 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 322
So I have my CSRF token to feed into the POST to add the endpoint:
POST /ers/config/endpoint HTTP/1.1
Host: 10.81.127.170:9060
Accept-Encoding: identity
Content-Length: 183
X-CSRF-Token: C883A27FBEA77E4BAAF85028FD0E229E
accept: application/json
content-type: application/json
authorization: Basic [redacted]
cache-control: no-cache
------------------
Status: 404
Set-Cookie: JSESSIONIDSSO=C4AF34E0D41D8D0CEBC9309A0F7777E6; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=E45F80818D77D32377B8F3F3C0351B97; Path=/ers; Secure; HttpOnly
X-CSRF-Token: Required
Content-Length: 0
Date: Tue, 05 Feb 2019 22:59:13 GMT
Why is my token not accepted?
Is this CSCvi80094? Not sure a 403 Forbidden would actually help me here.
Thanks,
Mike.
06-26-2019 04:12 PM
Now it seems requiring the same cookies returned from the fetch request. See the attached example using cURL wrapped in a bash shell script.
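The accepted answer above says the POST must carry the session cookies that the token-fetch response set, not just the token itself. As an added example (not the poster's script and not the attached cURL script), this Python reads the Set-Cookie values from the fetch response and sends them back together with the token on the POST; the host, credentials, group name and endpoint values are placeholders, and unlike the poster's test script it verifies the ISE certificate.

```python
import base64
import http.client
import json
import ssl

ERS_PORT = 9060


def cookie_header(set_cookie_values):
    """Build the request Cookie header from the Set-Cookie values of the fetch
    response: keep only name=value, drop Path/Secure/HttpOnly attributes."""
    pairs = [v.split(";", 1)[0].strip() for v in set_cookie_values if v.strip()]
    return "; ".join(pairs)


def ers_headers(encoded_auth, csrf_token, cookie=None):
    """ERS request headers; csrf_token 'fetch' asks ISE to issue a token."""
    headers = {
        "accept": "application/json",
        "content-type": "application/json",
        "authorization": "Basic " + encoded_auth,
        "X-CSRF-Token": csrf_token,
    }
    if cookie:
        headers["Cookie"] = cookie  # JSESSIONIDSSO / APPSESSIONID of the fetch session
    return headers


def create_endpoint(host, user, password, group_name, mac, description=""):
    """Fetch a token, then POST the endpoint with that token and its cookies."""
    encoded_auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPSConnection(host, ERS_PORT, context=ssl.create_default_context())
    # Step 1: fetch the token while looking up the group id (same GET as the poster's)
    conn.request("GET", f"/ers/config/endpointgroup/name/{group_name}",
                 headers=ers_headers(encoded_auth, "fetch"))
    res = conn.getresponse()
    group_id = json.loads(res.read().decode())["EndPointGroup"]["id"]
    token = res.getheader("X-CSRF-Token")
    cookie = cookie_header(res.headers.get_all("Set-Cookie") or [])
    # Step 2: same token AND the same session cookies on the POST
    body = json.dumps({"ERSEndPoint": {"description": description, "mac": mac,
                                       "groupId": group_id, "staticGroupAssignment": True}})
    conn.request("POST", "/ers/config/endpoint", body=body,
                 headers=ers_headers(encoded_auth, token, cookie))
    res = conn.getresponse()
    return res.status, res.read().decode()


if __name__ == "__main__":
    # placeholder values; replace with your ISE node and an ERS admin account
    print(create_endpoint("ise.example.net", "apiuser", "secret", "groupGreen",
                          "00:01:02:03:04:05", "csrf-test"))
```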
The token is per-session but only good for a few minutes. Thus, we would likely need a fresh token right before an ERS request.
No need to handle the other cookies. Last I tried this option, I was only able to use the same token for one or two requests.
02-07-2019 01:55 AM - edited 02-07-2019 03:30 AM
Here's my python code:
#!/usr/local/bin/python3
###########################################################################
#                                                                         #
# This script demonstrates how to use the ISE ERS internal users          #
# API by executing a Python script.                                       #
#                                                                         #
# SECURITY WARNING - DO NOT USE THIS SCRIPT IN PRODUCTION!                #
# The script allows connections to SSL sites without trusting             #
# the server certificates.                                                #
# For production, it is required to add certificate check.               #
#                                                                         #
# Usage: create-endpoint.py <ise-ip-address> <username> <password>        #
#        <description> <Endpoint MAC Address> <group>                     #
###########################################################################
import http.client
import base64
import ssl
import sys
import json

# host and authentication credentials
host = sys.argv[1]      # "10.20.30.40"
user = sys.argv[2]      # "ersad"
password = sys.argv[3]  # "Password1"

# parameters
description = sys.argv[4]
mac = sys.argv[5]
groupName = sys.argv[6]

# create BASE64 encoded auth from CLI creds
creds = str.encode(':'.join((user, password)))
encodedAuth = bytes.decode(base64.b64encode(creds))

# Lookup the group ID by its name
headers1 = {
    'accept': "application/json",
    'content-type': "application/json",
    'authorization': " ".join(("Basic", encodedAuth)),
    'cache-control': "no-cache",
    'X-CSRF-TOKEN': "fetch"
}

# This is run through a local proxy on 8080 for testing purposes
conn = http.client.HTTPSConnection("localhost", 8080, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1_2))
conn.set_tunnel(host, port=9060)
#conn.debuglevel = 2
conn.request("GET", "/ers/config/endpointgroup/name/{}".format(groupName), headers=headers1)
res1 = conn.getresponse()
data1 = res1.read()
csrfToken = res1.getheader('X-CSRF-Token')
groupJSON = json.loads(data1.decode("utf-8"))
groupID = groupJSON['EndPointGroup']['id']
print("=== Group Lookup ===\nStatus: {}".format(res1.status))
print("Header:\n{}".format(res1.headers))
print("CSRF Token: {}".format(csrfToken))
print("Group: {} ➤ {}".format(groupName, groupID))
# the Set-Cookie values are only printed here; they are not sent with the POST below
cookies = res1.getheader('Set-Cookie')
print("Cookie\n{}".format(cookies))

# Add endpoint to group
headers2 = {
    'X-CSRF-Token': csrfToken,
    'accept': "application/json",
    'content-type': "application/json",
    'authorization': " ".join(("Basic", encodedAuth)),
    'cache-control': "no-cache",
}
print("\nHeaders: {}\n\n".format(headers2))
req_body_json = """
{{
  "ERSEndPoint" : {{
    "description" : "{}",
    "mac" : "{}",
    "groupId" : "{}",
    "staticGroupAssignment" : true
  }}
}}
""".format(description, mac, groupID)
conn.request("POST", "/ers/config/endpoint", headers=headers2, body=req_body_json)
res2 = conn.getresponse()
data2 = res2.read()
print("\n=== Endpoint Create ===\nStatus: {}".format(res2.status))
print("Header:\n{}".format(res2.headers))
print("Body:\n{}".format(data2.decode("utf-8")))
And the output:
$ ./create-endpoint-csrf.py 10.1.1.1 apiuser ******** csrf-test 00:01:02:03:04:05 groupGreen
=== Group Lookup ===
Status: 200
Header:
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONIDSSO=005413EF42E504EFA5BEB4C9023C9CB5; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=EE1CA8DC3F1B1831EAE1E6A714D55619; Path=/ers; Secure; HttpOnly
X-CSRF-Token: 87B6304D78217E1620DA519BF1454786
Pragma: no-cache
ETag: "D5755A00DC6F46C650D6B5D8E550DBE0"
Date: Thu, 07 Feb 2019 09:50:30 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 322
Connection: close
Server:

CSRF Token: 87B6304D78217E1620DA519BF1454786
Group: groupGreen ➤ bb6b38b0-298b-11e9-9d19-005056a47a4e
Cookie
JSESSIONIDSSO=005413EF42E504EFA5BEB4C9023C9CB5; Path=/; Secure; HttpOnly, APPSESSIONID=EE1CA8DC3F1B1831EAE1E6A714D55619; Path=/ers; Secure; HttpOnly

Headers: {'X-CSRF-Token': '87B6304D78217E1620DA519BF1454786', 'accept': 'application/json', 'content-type': 'application/json', 'authorization': 'Basic bGVldDoxMzM3aDRYMHI=', 'cache-control': 'no-cache'}

=== Endpoint Create ===
Status: 404
Header:
Set-Cookie: JSESSIONIDSSO=DF4C74D1F4AC909D9DE41BA41DDE883A; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=3528AA65F48759B3FA9260DC87707D66; Path=/ers; Secure; HttpOnly
X-CSRF-Token: Required
Content-Length: 0
Date: Thu, 07 Feb 2019 09:50:31 GMT
Connection: close
Server:

Body:
02-13-2019 09:48 PM
I am also unable to get this to work. Please disable the CSRF validation for now. I will check with our engineering team.
03-27-2019 08:58 AM
Hi,
Any update on this? I guess this issue is still there in ISE 2.4 Patch 6, correct?
03-27-2019 09:49 AM
Correct.
04-24-2019 08:03 AM
According to the release notes, this bug is fixed with 2.4 Patch 8
(https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_105872)
However, I haven't tested it yet.
05-02-2019 04:26 AM
Patch 8 includes the fix for CSCvi80094 but that is a different issue and does not fix the CSRF issue which is being tracked as CSCvp22075.
07-02-2019 04:50 AM - edited 07-02-2019 04:51 AM
Good to know with the cookie.... however, it's still not working as expected, right? The ERS API documentation doesn't say anything about cookies.
07-02-2019 05:51 AM
@Johannes Luther wrote:
... however, it's still not working as expected, right? The ERS API documentation doesn't say anything about cookies.
This is how this feature works in ISE. CSCvp22075 is now used to update the on-box documentation.