
Setting a profile to an endpoint using ERS API

orp
Level 1

Hi, I'm trying to use the ERS API to set a specific profile to a newly configured endpoint. Using the URI "/ers/config/endpoint/{id}" I'm able to create the endpoint. However, when I try to assign a profile to it, the field "Endpoint Policy" remains blank.

I'm using the attribute "profileId" to set the profile and I've set "staticProfileAssignment" to true.

I'm using ISE 2.4.

Does anyone have any experience with that?

In the future I'd like to update the profile of an existing endpoint but I guessed I should be able to perform what I've described above before.


thomas
Cisco Employee

If you query an existing endpoint using ERS, you'll notice the profileId and the groupId shown are the IDs and not the names:

$ curl  --insecure  --header 'Content-Type:application/json' --header 'Accept: application/json' --user admin:C1sco12345 --request GET https://198.18.133.27:9060/ers/config/endpoint/64bc07c0-4745-11e8-b11d-005056b84efe

{
  "ERSEndPoint" : {
    "id" : "64bc07c0-4745-11e8-b11d-005056b84efe",
    "name" : "D8:EB:97:A2:51:2C",
    "mac" : "D8:EB:97:A2:51:2C",
    "profileId" : "3ab41d70-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : true,
    "groupId" : "43ee0260-4744-11e8-b11d-005056b84efe",
    "staticGroupAssignment" : true,
    "portalUser" : "",
    "identityStore" : "",
    "identityStoreId" : "",
    "link" : {
      "rel" : "self",
      "href" : "https://198.18.133.27:9060/ers/config/endpoint/64bc07c0-4745-11e8-b11d-005056b84efe",
      "type" : "application/xml"
    }
  }
}

If you want to create a new endpoint with a profile or group, you will need to use these long, ugly IDs. 8-)

Let's assume you want to create a new endpoint that is a Cisco 7975 IP Phone ...

Find your Endpoint Group groupId:

$ curl -insecure --header 'Content-Type:application/json' --header 'Accept: application/json' --user admin:C1sco12345 --request GET https://198.18.133.27:9060/ers/config/endpointgroup?filter=name.CONTAINS.Phone

{
  "SearchResult" : {
    "total" : 1,
    "resources" : [ {
      "id" : "14f5cac0-8c00-11e6-996c-525400b48521",
      "name" : "Cisco-IP-Phone",
      "description" : "Identity Group for Profile: Cisco-IP-Phone",
      "link" : {
        "rel" : "self",
        "href" : "https://198.18.133.27:9060/ers/config/endpointgroup/14f5cac0-8c00-11e6-996c-525400b48521",
        "type" : "application/xml"
      }
    } ]
  }
}

Find your Profiler Profile 'Cisco-IP-Phone-7975' :

$ curl  --insecure --header 'Content-Type:applicatin/json' --header 'Accept: application/json' --user admin:C1sco12345 --request GET https://198.18.133.27:9060/ers/config/profilerprofile?filter=name.CONTAINS.7975

{
  "SearchResult" : {
    "total" : 1,
    "resources" : [ {
      "id" : "1abef670-8c00-11e6-996c-525400b48521",
      "name" : "Cisco-IP-Phone-7975",
      "description" : "Policy for Cisco IP Phone 7975",
      "link" : {
        "rel" : "self",
        "href" : "https://198.18.133.27:9060/ers/config/profilerprofile/1abef670-8c00-11e6-996c-525400b48521",
        "type" : "application/xml"
      }
    } ]
  }
}

Put it all together to create your new Endpoint :

$ curl --include --insecure  --header 'Content-Type:applicaton/json' --header 'Accept: application/json' --user admin:C1sco12345 --request POST https://198.18.133.27:9060/ers/config/endpoint  --data '

{
  "ERSEndPoint" : {
    "description" : "New 7975 IP Phone from ERS API",
    "mac" : "00:11:22:33:44:55",
    "profileId" : "1abef670-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : true,
    "groupId" : "14f5cac0-8c00-11e6-996c-525400b48521",
    "staticGroupAssignment" : true
  }
}'

HTTP/1.1 201 Created
Set-Cookie: JSESSIONIDSSO=4D57D1F5D5ECDD34C68B47ED00054D9A; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=7D66A263CF7A2E8D0A25C7EEE36406BD; Path=/ers; Secure; HttpOnly
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://198.18.133.27:9060/ers/config/endpoint/fe283830-474e-11e8-b11d-005056b84efe
Date: Mon, 23 Apr 2018 23:35:23 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 0
Server:

Verify it was created using the Location header above :

$ curl --insecure --header 'Content-Type:application/json' --header 'Accept: application/json' --user admin:C1sco12345 --request GET https://198.18.133.27:9060/ers/config/endpoint/fe283830-474e-11e8-b11d-005056b84efe

{
  "ERSEndPoint" : {
    "id" : "fe283830-474e-11e8-b11d-005056b84efe",
    "name" : "00:11:22:33:44:55",
    "description" : "New 7975 IP Phone from ERS API",
    "mac" : "00:11:22:33:44:55",
    "profileId" : "1abef670-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : true,
    "groupId" : "14f5cac0-8c00-11e6-996c-525400b48521",
    "staticGroupAssignment" : true,
    "portalUser" : "",
    "identityStore" : "",
    "identityStoreId" : "",
    "link" : {
      "rel" : "self",
      "href" : "https://198.18.133.27:9060/ers/config/endpoint/fe283830-474e-11e8-b11d-005056b84efe",
      "type" : "application/xml"
    }
  }
}

And if you look at it in ISE you should see it created :

Hi Thomas, thanks for answering. While I'm completely able to run your examples here and get the same results, I still can't see the EndPoint Profile in the Identity Management->Groups tab.

pxGrid_tests.png

I'm going to check now whether it actually matters for enforcing policy. But anyway, do you have an idea why that is?

And again, in the future I'd like to override a profile chosen by ISE for a specific device with one of my own profiles. Will it be possible?

(Just for reference for other people who might run these commands, notice that some have little typos and since cURL fails silently it's a bit hard to notice (like "applicaton/json").)

thomas
Cisco Employee

You need to explicitly show the command you submitted and the output in order for us to comment.

I don't know if your instance has a different profileId or if you did not send it in your create request at all.

You may create your own profiles in ISE at any time. You may duplicate an existing policy and extend or change it. Or you may create a completely new one. Please see How To Create an Endpoint Profile for how to do this.

orp
Level 1

Sure. I actually entered the exact same commands and got the same output but I'll post everything anyway:

Finding Endpoint Group groupId:

$ curl --insecure --header 'Content-Type:application/json' --header 'Accept: application/json' --user ers-admin:Password1! --request GET https://10.25.12.91:9060/ers/config/endpointgroup?filter=name.CONTAINS.Phone

{
  "SearchResult" : {
    "total" : 1,
    "resources" : [ {
      "id" : "14f5cac0-8c00-11e6-996c-525400b48521",
      "name" : "Cisco-IP-Phone",
      "description" : "Identity Group for Profile: Cisco-IP-Phone",
      "link" : {
        "rel" : "self",
        "href" : "https://10.25.12.91:9060/ers/config/endpointgroup/14f5cac0-8c00-11e6-996c-525400b48521",
        "type" : "application/xml"
      }
    } ]
  }
}

Finding profiler profile:

$ curl  --insecure --header 'Content-Type:application/json' --header 'Accept: application/json' --user ers-admin:Password1! --request GET https://10.25.12.91:9060/ers/config/profilerprofile?filter=name.CONTAINS.7975

{
  "SearchResult" : {
    "total" : 1,
    "resources" : [ {
      "id" : "1abef670-8c00-11e6-996c-525400b48521",
      "name" : "Cisco-IP-Phone-7975",
      "description" : "Policy for Cisco IP Phone 7975",
      "link" : {
        "rel" : "self",
        "href" : "https://10.25.12.91:9060/ers/config/profilerprofile/1abef670-8c00-11e6-996c-525400b48521",
        "type" : "application/xml"
      }
    } ]
  }
}

Creating the endpoint:

$ curl --include --insecure  --header 'Content-Type:application/json' --header 'Accept: application/json' --user ers-admin:Password1! --request POST https://10.25.12.91:9060/ers/config/endpoint  --data '
{
  "ERSEndPoint" : {
    "description" : "New 7975 IP Phone from ERS API",
    "mac" : "00:11:22:33:44:55",
    "profileId" : "1abef670-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : true,
    "groupId" : "14f5cac0-8c00-11e6-996c-525400b48521",
    "staticGroupAssignment" : true
  }
}'

HTTP/1.1 201 Created
Set-Cookie: JSESSIONIDSSO=30EEB9335B49346EB8FCCA87E909B439; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=6397C9320A65EE86A78C9C7213322103; Path=/ers; Secure; HttpOnly
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: https://10.25.12.91:9060/ers/config/endpoint/55162010-485a-11e8-bb06-ae475be17329
Date: Wed, 25 Apr 2018 07:29:04 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 0
Server:

Checking result:

$ curl --insecure --header 'Content-Type:application/json' --header 'Accept: application/json' --user ers-admin:Password1! --request GET https://10.25.12.91:9060/ers/config/endpoint/55162010-485a-11e8-bb06-ae475be17329

{
  "ERSEndPoint" : {
    "id" : "55162010-485a-11e8-bb06-ae475be17329",
    "name" : "00:11:22:33:44:55",
    "description" : "New 7975 IP Phone from ERS API",
    "mac" : "00:11:22:33:44:55",
    "profileId" : "1abef670-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : true,
    "groupId" : "14f5cac0-8c00-11e6-996c-525400b48521",
    "staticGroupAssignment" : true,
    "portalUser" : "",
    "identityStore" : "",
    "identityStoreId" : "",
    "link" : {
      "rel" : "self",
      "href" : "https://10.25.12.91:9060/ers/config/endpoint/55162010-485a-11e8-bb06-ae475be17329",
      "type" : "application/xml"
    }
  }
}

And still the profile is missing in the Endpoint Identity Group screen, as the picture in the previous comment shows.

Meanwhile I'm continuing assuming it's actually working and there's only some problem with the presentation in the UI.
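
An added example, not part of the thread and not Cisco's code: Python helpers for the lookup, create and verify steps shown in the posts above, working on the response bodies so the checks can be run offline. The function names, the exact-name re-check after a CONTAINS search and the id and MAC patterns are assumptions of this example.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: ERS ids always have the UUID-like shape seen in the thread's output.
ID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
MAC_RE = re.compile(r"([0-9A-F]{2}:){5}[0-9A-F]{2}")
# Spelled once here: the thread notes a mistyped Content-Type is easy to miss.
ERS_HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}


def id_for_name(search_body, name):
    """Return the id of the one resource whose name equals `name` exactly.
    A name.CONTAINS filter can match several objects, so re-check the name."""
    resources = json.loads(search_body)["SearchResult"]["resources"]
    ids = [r["id"] for r in resources if r["name"] == name]
    if len(ids) != 1:
        raise LookupError(f"expected one match for {name!r}, found {len(ids)}")
    return ids[0]


def endpoint_payload(mac, profile_id, group_id, description=""):
    """Build the ERSEndPoint body with static profile and group assignment."""
    mac = mac.upper().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC address: {mac}")
    for value in (profile_id, group_id):
        if not ID_RE.fullmatch(value):
            raise ValueError(f"not an ERS id: {value}")
    return {"ERSEndPoint": {
        "description": description, "mac": mac,
        "profileId": profile_id, "staticProfileAssignment": True,
        "groupId": group_id, "staticGroupAssignment": True}}


def id_from_location(location):
    """Extract the new endpoint id from the Location header of the 201 reply."""
    endpoint_id = urlparse(location).path.rsplit("/", 1)[-1]
    if not ID_RE.fullmatch(endpoint_id):
        raise ValueError(f"unexpected Location header: {location}")
    return endpoint_id


def mismatches(sent, fetched_body):
    """Names of fields whose value in the GET reply differs from what was sent."""
    got = json.loads(fetched_body)["ERSEndPoint"]
    return sorted(k for k, v in sent["ERSEndPoint"].items() if got.get(k) != v)
```

An empty list from `mismatches` means the stored endpoint carries the `profileId` and `groupId` that were sent, which is the check both posters perform by eye on the GET output.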