ISE API change password

yongwli
Cisco Employee

Hi Experts,

Customer is doing a customized web page programming for changing ISE internal user passwords, but they cannot find an API to support checking the internal user's password before this user tries to change the password. Any suggestion to realize this code? Thank you in advance!

DL

Accepted Solution

Nidhi
Cisco Employee

You can use the Internal User API for this. You can do the following operations:

A sample output of the GET request is as below:

XML
<?xml version="1.0" encoding="UTF-8"?>
<ns0:internaluser xmlns:ns0="identity.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="name">
   <changePassword>true</changePassword>
   <customAttributes>
      <entry>
         <key>key1</key>
         <value>value1</value>
      </entry>
      <entry>
         <key>key2</key>
         <value>value3</value>
      </entry>
   </customAttributes>
   <email>email@domain.com</email>
   <enablePassword>enablePassword</enablePassword>
   <enabled>true</enabled>
   <expiryDate>2016-12-11</expiryDate>
   <expiryDateEnabled>false</expiryDateEnabled>
   <firstName>firstName</firstName>
   <identityGroups>identityGroups</identityGroups>
   <lastName>lastName</lastName>
   <password>password</password>
   <passwordIDStore>Internal Users</passwordIDStore>
</ns0:internaluser>

JSON
{
  "InternalUser" : {
    "id" : "id",
    "name" : "name",
    "description" : "description",
    "enabled" : true,
    "email" : "email@domain.com",
    "password" : "password",
    "firstName" : "firstName",
    "lastName" : "lastName",
    "changePassword" : true,
    "identityGroups" : "identityGroups",
    "expiryDateEnabled" : false,
    "expiryDate" : "2016-12-11",
    "enablePassword" : "enablePassword",
    "customAttributes" : {
      "key1" : "value1",
      "key2" : "value3"
    },
    "passwordIDStore" : "Internal Users"
  }
}

 


yongwli
Cisco Employee

Customer told us the password showed like this "*******" with GET, so it cannot be used for checking the password.

DL

-------------------------------------------------------------------------------
GC Security BOX folder:
https://cisco.box.com/s/j38g1c58jom2va76icsap17zr09w1l1c
-------------------------------------------------------------------------------


Hi,
I am trying to solve the same problem but with a Java Servlet.

Any idea how to authorize an internal user without creating an ERSClient object, which requires the admin user name and password?

// Get an instance of the REST client (needs ISE admin credentials)
ERSClient ersClient = new ERSClient("admin", "adminpassword", host);
// then

/**
 * Use this method to change the password
 * @param ersClient the ERS client authenticated as an ISE admin
 * @param userid    the internal user name to look up
 * @param password  the new password to set
 * @return true if the user was found and the password was set, false otherwise
 */
public boolean changeUserPassword(ERSClient ersClient, String userid, String password) {
    InternalUser user = null;
    try {
        user = searchUserByName(ersClient, userid);
        if (user == null) {
            System.out.println("User not found: " + userid);
            return false;
        }
        user.setPassword(password);
        // setPassword only changes the local object; the updated user still has
        // to be sent back to ISE (an ERS PUT) for the change to take effect.
        System.out.println("Password Changed Successfully");
        return true;
    } catch (Exception e) {
        System.out.println("Something went wrong changing the password " + e.getMessage());
        return false;
    }
}

Here I am missing something. I just need to verify the user's current password, to make sure the user who is changing the password is an authorized user.
Is there any API which can verify an internal user's password? Thanks

Well, I don't know of a way to do this through the REST API,

but thinking out of the box, you can still use a command-line utility, or maybe a PAM/RADIUS-enabled web server checking access to your password management web tool, which issues a RADIUS Access-Request against ISE for the given user.

This will check the password, provided you have a policy rule allowing all users for this request.
Depending on the scripting language you use, it may even have a plugin to support issuing RADIUS Access-Requests.

Regards.
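The check Michael describes, as an added example that is not part of the thread: the portal verifies the user's current password by sending a RADIUS Access-Request (PAP, RFC 2865) to ISE and only accepts an Access-Accept whose Response Authenticator validates under the shared secret. It assumes the portal is registered in ISE as a network device with that shared secret and that a policy rule permits PAP for these users; the host, secret and user values are placeholders, and the standard-library RADIUS packet code here is my own.

```python
# Added example, not from the thread: verify a user's current password with a
# RADIUS Access-Request (PAP, RFC 2865) to ISE, as Michael suggests above.
# Assumes (placeholder) ISE lists the portal as a network device with this shared
# secret and a policy rule permits PAP for the portal's users.
import hashlib, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def _attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(ident, username, password, secret, authenticator):
    """Client side: header + random Request Authenticator + User-Name/User-Password."""
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + Request Authenticator + attrs + secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request_authenticator + attrs + secret).digest() + attrs

def response_is_valid(reply, ident, request_authenticator, secret):
    """Recompute the Response Authenticator; a reply failing this is forged or uses the wrong secret."""
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[4:20] == expected

def verify_password(host, secret, username, password, port=1812, timeout=3.0):
    """True only for an authenticated Access-Accept; reject, forgery and timeout all give False."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, username, password, secret, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    return response_is_valid(reply, ident, auth, secret) and reply[0] == ACCESS_ACCEPT
```

Only after `verify_password()` returns True should the portal issue the ERS update for the new password; a failed check should be rate limited like any other login attempt.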

Thanks Michael for your response.
Seems like the Java lib isn't a great help for a self-service password reset portal.

Later, with the great help of our network security engineer, we used Python and a TACACS+ lib to create the web portal for users to change their password as self-service, and created reminders for users to reset their password before it expires.

hslai
Cisco Employee

This is expected. ISE admin users should not be allowed to read the user password, due to privacy concerns, I think. See CSCvk59290.

On the other hand, the ISE ERS API for internal users would allow changing user passwords without knowing the existing ones. Please note CSCvm01627 with the doc bug CSCvn22448.

CSCvk59290 is not public facing. 

While unrelated to the user accounts, I have noticed that the LDAP connector credentials are plain text; you can inspect the element in Chrome and get the configured password for the username.

That bug is junked as it is expected behavior. The other issue is under investigation.
