Note: we require you to have a working ISE setup to be able to look at the SDK. I have been working with the ISE product managers to get this exposed as an online or offline document. There is no ETA on this capability.
Which nodes are used for communication?
Port 9060 against the Primary Admin node, unless against the sponsor portal URL
Known Caveats with ISE Guest API
If you try to do any CRUD operations (Create, Read, Update, Delete) with the ISE REST APIs for guests, you will likely receive an HTTP Status 401 – Unauthorized error message. This is a known issue:
CSCvd48557 - Ability to set the sponsor user with the guest API
The only way to create, read, update or delete Guest users is with a Sponsor account. When you create a guest account, it sets the sponsor user to that of the sponsor calling the API. There is no way to override this. We will show you how to work around this problem below.
You will need 2 different types of accounts to fully work with the Guest APIs. One for sponsor actions and one for changes of portal settings (if needed). To simply look at the SDK you will need an admin account (this has nothing to do with the sponsor account used to query or work with guest accounts).
In order to work with guest accounts you need to set up a Sponsor that is able to use the API.
Sponsor accounts are needed to perform CRUD operations on guest accounts.
In ISE, go to Administration > Identity Management > Identities > Users
Click +Add to add a new sponsor-api user for ALL_ACCOUNTS:
This sponsor will have visibility of ALL Guests in the system. If you want to limit it, you can use a different group.
Click on Submit to save the new account
Give Sponsor group access to the API
Under the sponsor group (ALL_ACCOUNTS) add ERS API access permission
In ISE, go to Work Centers > Guest Access > Portals & Components > Sponsor Groups > ALL_ACCOUNTS
Under Sponsor Can Create, check the box for Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)
Scroll to the top and click Save
If you need to set up an admin account that is able to work with the guest portal actions (changing portal settings) or look at the SDK, then follow these steps:
To update a guest user, we need to use only updateById.
How do I move from suspended to active account?
Re-instantiate to move a suspended guest to an active account.
Is there a way we can always create a user with the maximum duration without changing the API call?
The maximum duration comes from the guest type and the self-registration portal being used. To set an account with the maximum duration, make sure the three fields (fromDate, toDate and validDays) are properly filled out. If the duration is longer than the “Maximum access duration”, the API will throw an error.
Create Guest User
Username and password are optional and can be dynamically generated.
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:searchResult total="4" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">
  <resources>
    <resource description="Default portal used by sponsors to create and manage accounts for authorized visitors to securely access the network" id="a6f50970-2230-11e6-99ab-005056bf55e0" name="sponsor">
      <link rel="self" href="https://<ise_admin_ip>:9060/ers/config/portal/a6f50970-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
    <resource description="Guests are allowed to create their own accounts and access the network using their assigned username and password" id="a692c530-2230-11e6-99ab-005056bf55e0" name="Self-Registered Guest Portal (default)">
      <link rel="self" href="https://10.0.0.121:9060/ers/config/portal/a692c530-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
    <resource description="Sponsors create guest accounts, and guests access the network using their assigned username and password" id="a65b8890-2230-11e6-99ab-005056bf55e0" name="Sponsored Guest Portal (default)">
      <link rel="self" href="https://<ise_admin_ip>:9060/ers/config/portal/a65b8890-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
  </resources>
</ns3:searchResult>
Create the Guest user using the guest API query. Obtain Guest ID from the POST response “Location”:
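The client-side pieces of this flow, as an added example (not code from the original page or from the ISE SDK): it picks the portal id out of a search result, builds fromDate, toDate and validDays that agree with each other and stay within the maximum duration, and checks the Location header before taking the Guest ID from it. The hostname, the date format, the `/ers/config/guestuser/` path and all function names are assumptions to confirm against the SDK on your own ISE node.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample shaped like the portal search result on this page
# (ids are the ones shown above; link elements omitted for brevity).
SAMPLE_SEARCH = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:searchResult total="2" xmlns:ns3="ers.ise.cisco.com">
  <resources>
    <resource id="a6f50970-2230-11e6-99ab-005056bf55e0" name="sponsor"/>
    <resource id="a65b8890-2230-11e6-99ab-005056bf55e0" name="Sponsored Guest Portal (default)"/>
  </resources>
</ns3:searchResult>"""

DATE_FMT = "%m/%d/%Y %H:%M"  # assumed date format, confirm against the SDK
GUEST_PREFIX = "/ers/config/guestuser/"  # assumed resource path


def portal_id_by_name(search_xml, name):
    """Return the id of the portal whose name matches exactly, else None."""
    root = ET.fromstring(search_xml.encode("utf-8"))
    for res in root.iter("resource"):  # <resource> carries no namespace
        if res.get("name") == name:
            return res.get("id")
    return None


def access_window(start, days, max_days):
    """Build fromDate/toDate/validDays that agree with each other."""
    if not 1 <= days <= max_days:
        # Mirror the server-side limit locally instead of waiting for the API error.
        raise ValueError(f"validDays {days} outside 1..{max_days}")
    end = start + timedelta(days=days)
    return {"fromDate": start.strftime(DATE_FMT),
            "toDate": end.strftime(DATE_FMT),
            "validDays": days}


def guest_id_from_location(location, expected_host):
    """Extract the Guest ID from the Location header of the create response."""
    url = urlparse(location)
    if url.scheme != "https" or url.hostname != expected_host:
        raise ValueError("Location points at an unexpected host")
    guest_id = url.path[len(GUEST_PREFIX):]
    if not url.path.startswith(GUEST_PREFIX) or not guest_id or "/" in guest_id:
        raise ValueError("Location is not a guest user resource")
    return guest_id
```

Pass the guest type's "Maximum access duration" (in days) as `max_days`, and the ISE admin node you actually called as `expected_host`.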