Solved: ISE POST Policy Set failure "request has bad input format in the body"

johnpblack · ‎11-19-2024

I have an ISE deployment with a corrupted endpoint groups database that does not have any usable backups to restore from. After working with TAC we have determined that a new deployment will need to be created with my existing configurations. I have been able to move most everything over via API GETs and POSTs but I am unable to create any Policy Sets on the new deployment. I get | { "message": "request has bad input format in the body", "code": 400 }

The body of the request is below. I have tried with/without ID, rank, and condition.id

{
    "name": "Stealthwatch",
    "description": null,
    "hitCounts": 0,
    "state": "enabled",
    "condition": {
        "link": null,
        "conditionType": "ConditionReference",
        "isNegate": false,
        "name": "Stealthwatch",
        "id": "123",
        "description": null
    },
    "serviceName": "Default Device Admin",
    "isProxy": false
}

johnpblack · ‎11-20-2024

Thanks for the reply, I actually ended up figuring it out a few hours after I posted this. The problem was with the ID for the conditionReference. I had tried removing the ID but it rejected it saying that condition.id cannot be empty. The oldISE deployment had a library condition named Stealthwatch and a policy set named Stealthwatch. NewISE already had the conditions imported and has created a new ID for the Stealthwatch condition. So when copying over the Stealthwatch policy set from oldISE to newISE I removed the policyset ID but needed to replace the ID for the Stealthwatch condition with the newISE ID for that condition.

View solution in original post

bigevilbeard · ‎11-20-2024

Not an expert on this by any means, there was a thread on here a while back and saved the code

{
    "default": false,
    "name": "Stealthwatch",
    "description": "",
    "serviceName": "Default Device Admin",
    "state": "enabled",
    "condition": {
        "conditionType": "ConditionReference",
        "isNegate": false,
        "name": "Stealthwatch",
        "description": "",
        "dictionaryName": "ConditionReference",
        "dictionaryValue": null,
        "operator": "equals",
        "children": []
    }
}

A few things are different when i did a quick diff on this, i think you need the required "default" false parameter which is needed for your policy set creation, and also replace null values with empty strings for better compatibility here. The hitCounts is a read-only attribute, so this was removed. In other example i see other things add so this version includes some necessary condition fields for example the dictionaryName set to "ConditionReference", an operator set to "equals", and an empty children array. The idfield is removed, since ISE should handle ID assignment automatically (so i think) and the isProxy parameter since it's not typically needed for basic policy set creation either (again i think).

Might work, but this is sort of glued together by old examples etc.. Please test this!

Please mark this as helpful or solution accepted to help others
Connect with me https://bigevilbeard.github.io

johnpblack · ‎11-20-2024

Thanks for the reply, I actually ended up figuring it out a few hours after I posted this. The problem was with the ID for the conditionReference. I had tried removing the ID but it rejected it saying that condition.id cannot be empty. The oldISE deployment had a library condition named Stealthwatch and a policy set named Stealthwatch. NewISE already had the conditions imported and has created a new ID for the Stealthwatch condition. So when copying over the Stealthwatch policy set from oldISE to newISE I removed the policyset ID but needed to replace the ID for the Stealthwatch condition with the newISE ID for that condition.