ISE Guest Sponsor API Tips & Tricks


 

This guide collects tips and tricks for using the ISE Guest REST API calls that work with sponsors and guest accounts.

 

ISE REST API Information

For other related API information, see 

To access the ERS SDK, browse to:

https://<ISE-ADMIN-NODE>:9060/ers/sdk

 

Note: we require you to have a working ISE setup to be able to look at the SDK. I have been working with the ISE product managers to get this exposed as an online or offline document. There is no ETA on this capability.

 

Known Caveats with ISE Guest API

If you try to do any CRUD operations (Create, Read, Update, Delete) with the ISE REST APIs for guests, you will likely receive an HTTP Status 401 – Unauthorized error message. This is a known issue:

CSCvd48557 - Ability to set the sponsor user with the guest API

The only way to create, read, update or delete guest users is with a Sponsor account. When you create a guest account, ISE sets the sponsor user to the sponsor calling the API; there is no way to override this. We will show you how to work around this problem below.

 

Enable ISE REST APIs

  1. In ISE, navigate to Administration > System > Settings > ERS Settings
  2. Check Enable ERS for Read/Write
  3. You may optionally check Enable ERS for Read if you will be doing REST API actions beyond the guest functions
  4. Disable CSRF
  5. Save the settings


  6. You should now be able to log in to the SDK using the link https://YOUR-PAN-NAME:9060/ers/sdk :


 

Access Permissions

You will need 2 different types of accounts to fully work with the Guest APIs. One for sponsor actions and one for changes of portal settings (if needed). To simply look at the SDK you will need an admin account (this has nothing to do with the sponsor account used to query or work with guest accounts).

 

In order to work with guest accounts you need to set up a Sponsor that is able to use the API.

Sponsor accounts are needed to perform CRUD operations on guest accounts.

  1. In ISE, go to Administration > Identity Management > Identities > Users
  2. Click +Add to add a new sponsor-api user in the ALL_ACCOUNTS group:

    This sponsor will have visibility of ALL guests in the system. If you want to limit that visibility, use a different sponsor group.
  3. Click on Submit to save the new account

 

Give Sponsor group access to the API

Under the sponsor group (ALL_ACCOUNTS), add the ERS API access permission:

  1. In ISE, go to Work Centers > Guest Access > Portals & Components > Sponsor Groups > ALL_ACCOUNTS
  2. Under Sponsor Can Create, check the box for Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)
  3. Scroll to the top and click Save

 

If you need to set up an admin account that is able to work with the guest portal actions (changing portal settings) or to look at the SDK, follow these steps:

  1. Cisco Identity Services Engine API Reference Guide, Release 2.x - Introduction to External RESTful Services API [Cisco I…
  2. Administration > System > Admin Access > Administrators > Admin Users
  3. Make sure you give the admin user ERS Admin and ERS Operator access

 

Guest types

It is recommended to create a new guest type for your API interactions. Also use FromFirstLogin-type accounts (unless you need accounts to activate at a specific date and time).

ISE Guest Types do i really need locations and timezones?

 

Misc Setup Details

Query ERS API for Portal ID

(A portalId is required to create a guest user.)

GET /ers/config/portal HTTP/1.1
Host: <ise_admin_ip>:9060
Authorization: Basic XXXXX
Content-Type: application/vnd.com.cisco.ise.identity.portal.2.0+xml
Accept: application/vnd.com.cisco.ise.identity.portal.2.0+xml

 

How can I validate that a sponsor is valid?

When setting up a system (for example visitor management) and configuring the sponsor account it will use, you will want to send a call to the ISE Guest API to validate that sponsor:

https://<ISE-ADMIN-NODE>:9060/ers/config/guestuser/versioninfo

Check the response status: a 401 Unauthorized means the sponsor cannot use the API (wrong credentials, or the sponsor group does not have Guest REST API access); a successful response means the sponsor is valid.

 

Common Operations

Finding a guest by email address

https://<ISE-ADMIN-NODE>:9060/ers/config/guestuser?filter=emailAddress.EQ.vpetla@cisco.com

How do I update guest user info?

To update a guest user, use only updateById.

How do I move from suspended to active account?

Use the reinstate operation to move a suspended guest back to an active account.

 

Is there a way we can always create a user with the maximum duration without changing the API call?

The maximum duration comes from the guest type and the self-registration portal being used. To create an account with the maximum duration, fill in all three fields (fromDate, toDate and validDays) consistently. If the requested span is longer than the guest type's “Maximum access duration”, the API returns an error.

Create Guest User

Username and password are optional and can be dynamically generated.

POST /ers/config/guestuser HTTP/1.1
Host: <ise_admin_ip>:9060
Authorization: Basic XXXXX
Content-Type: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml
Accept: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml

<?xml version="1.0" encoding="UTF-8"?>
<ns2:guestuser xmlns:ns2="identity.ers.ise.cisco.com">
  <guestAccessInfo>
    <fromDate>06/01/2016 00:01</fromDate>
    <toDate>06/02/2016 23:59</toDate>
    <validDays>1</validDays>
    <location>San Jose</location>
  </guestAccessInfo>
  <guestInfo>
    <firstName>John</firstName>
    <lastName>Jones</lastName>
    <userName>john</userName>
  </guestInfo>
  <guestType>Daily</guestType>
  <personBeingVisited>john@cisco.com</personBeingVisited>
  <portalId>76c18c50-2a34-11e5-82cb-005056bf2f0a</portalId>
</ns2:guestuser>

 

Creating a user without a username and password (JSON body)

{
   "GuestUser": {
       "guestType": "Contractor (default)",
       "portalId": "6b93b3f0-26dd-11e8-a836-005056872c7f",
       "guestAccessInfo": {
           "validDays": 91,
           "fromDate": "03/19/2018 17:47",
           "toDate": "06/17/2018 17:47",
           "location": "San Jose"
       },
       "customFields": {}
   }
}
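As an added example (not code from this page or from Cisco), the following Python builds the JSON create payload shown above from a start date, a validDays value and the guest type's maximum access duration, so that the three duration fields always agree and a request that would exceed the maximum is rejected client-side instead of failing at ISE. It assumes the MM/DD/YYYY HH:MM date format used in the page's examples and, as a simplification, sets toDate to fromDate plus validDays days; the page's own samples do not pin down how ISE rounds toDate, so compare with the value ISE echoes back. The maximum-days figure and portal ID are constructed inputs, not ISE defaults.

```python
"""Build a guest-creation JSON payload whose three duration fields agree.

Added example, not Cisco's code. Assumes the MM/DD/YYYY HH:MM format seen in
the page's examples and that toDate = fromDate + validDays days is an acceptable
way to keep fromDate, toDate and validDays consistent (how ISE itself rounds
toDate is not specified on the page).
"""
import json
from datetime import datetime, timedelta

ISE_DATE_FMT = "%m/%d/%Y %H:%M"


class DurationExceedsGuestType(ValueError):
    """Raised before any API call when validDays exceeds the guest type's maximum."""


def guest_access_info(from_date: str, valid_days: int, max_access_days: int, location: str) -> dict:
    """Return the guestAccessInfo object with fromDate/toDate/validDays consistent."""
    if valid_days < 1:
        raise ValueError("validDays must be at least 1")
    if valid_days > max_access_days:
        raise DurationExceedsGuestType(
            f"validDays={valid_days} exceeds the guest type maximum of {max_access_days} days"
        )
    start = datetime.strptime(from_date, ISE_DATE_FMT)
    end = start + timedelta(days=valid_days)  # assumption: ISE accepts this as toDate
    return {
        "validDays": valid_days,
        "fromDate": start.strftime(ISE_DATE_FMT),
        "toDate": end.strftime(ISE_DATE_FMT),
        "location": location,
    }


def max_duration_payload(guest_type: str, portal_id: str, from_date: str,
                         max_access_days: int, location: str = "San Jose") -> dict:
    """Always request the maximum the guest type allows, with no per-call tuning.

    max_access_days is the guest type's "Maximum access duration"; read it from
    the guest type configuration rather than hard-coding it.
    """
    return {
        "GuestUser": {
            "guestType": guest_type,
            "portalId": portal_id,
            "guestAccessInfo": guest_access_info(from_date, max_access_days, max_access_days, location),
            "customFields": {},
        }
    }


def to_json_body(payload: dict) -> str:
    """Serialize for a POST with Content-Type: application/json."""
    return json.dumps(payload, indent=2)


if __name__ == "__main__":
    # Constructed inputs: replace the portal ID with one from GET /ers/config/portal.
    print(to_json_body(max_duration_payload("Contractor (default)", "<PORTAL-ID>", "03/19/2018 17:47", 91)))
```

The client-side check only guards against the one error the page describes (span longer than the guest type allows); ISE remains the authority, so keep handling a non-2xx response from the POST.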

 

Bulk operations

At present, use XML instead of JSON for bulk operations, as JSON is not supported for bulk.

List bulk users

Create Bulk Users

https://psnip:9060/ers/config/guestuser/bulk/submit

 

Note: portalId needs to be replaced with one found on your ISE using ERS API for “portal”

Required: fromDate, location, toDate, validDays, and portalId

 

Submit the guest-user XML shown above (saved as add_guest_user.xml) using cURL:

 

curl -v --tlsv1 -d @add_guest_user.xml -k -H "Content-Type: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml; charset=utf-8" 'https://ers-admin:ers-password@ise-pan.domain.com:9060/ers/config/guestuser'

 

Delete bulk users

TBD

 

List Guest Users

Use this to retrieve the generated password (and the username, if ISE generated it). The filters are optional.

GET /ers/config/guestuser/?filter=firstName.EQ.Vish&filter=lastName.EQ.Jones HTTP/1.1
Host: <ise_admin_ip>:9060
Authorization: Basic XXXXX
Content-Type: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml
Accept: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml

 

 

Examples

Get Sponsor Portal ID using the portal API query

Use a non-sponsor admin account that has access to the ERS APIs.

Headers:

GET /ers/config/portal
Host: <ise_admin_ip>:9060
Accept: application/vnd.com.cisco.ise.identity.portal.2.0+xml
Authorization: Basic YXBpOkFwcGxlMTIz

 

Response:

Content-Type: application/vnd.com.cisco.ise.ers.searchresult.2.0+xml;charset=utf-8

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:searchResult total="4" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">
  <resources>
    <resource description="Default portal used by sponsors to create and manage accounts for authorized visitors to securely access the network" id="a6f50970-2230-11e6-99ab-005056bf55e0" name="sponsor">
      <link rel="self" href="https://<ise_admin_ip>:9060/ers/config/portal/a6f50970-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
    <resource description="Guests are allowed to create their own accounts and access the network using their assigned username and password" id="a692c530-2230-11e6-99ab-005056bf55e0" name="Self-Registered Guest Portal (default)">
      <link rel="self" href="https://10.0.0.121:9060/ers/config/portal/a692c530-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
    <resource description="Sponsors create guest accounts, and guests access the network using their assigned username and password" id="a65b8890-2230-11e6-99ab-005056bf55e0" name="Sponsored Guest Portal (default)">
      <link rel="self" href="https://<ise_admin_ip>:9060/ers/config/portal/a65b8890-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
  </resources>
</ns3:searchResult>

 

Create the Guest user using the guest API query. Obtain Guest ID from the POST response “Location”:

Headers:

POST /ers/config/guestuser
Host: <ise_admin_ip>:9060
Content-Type: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml
Accept: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml
Authorization: Basic YXBpOkFwcGxlMTIz

 

Payload - must follow this template, changing only the parameter values (sponsor label, dates, location, names, guest type and portal ID):

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:guestuser xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
  <customFields>
    <entry>
      <key>ui_sponsorname_text_label</key>
      <value>John Jones</value>
    </entry>
  </customFields>
  <guestAccessInfo>
    <fromDate>09/01/2016 09:49</fromDate>
    <location>San Jose</location>
    <toDate>09/01/2016 17:48</toDate>
    <validDays>1</validDays>
  </guestAccessInfo>
  <guestInfo>
    <enabled>true</enabled>
    <firstName>Susan</firstName>
    <lastName>Storm</lastName>
    <notificationLanguage>English</notificationLanguage>
  </guestInfo>
  <guestType>APIGuestType</guestType>
  <portalId>72317030-5a8d-11e6-87e1-000c292eb29b</portalId>
</ns4:guestuser>

 

Response:

Content-Type: application/xml;charset=utf-8
Location: https://10.0.0.121:9060/ers/config/guestuser/f4705ee2-748b-11e6-9e5e-000c2958a9f6

 

Obtain the Guest username and password using the Guest API query with the ID generated for the Guest account:

Headers:

GET /ers/config/guestuser/f4705ee2-748b-11e6-9e5e-000c2958a9f6
Host: <ise_admin_ip>:9060
Accept: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml
Authorization: Basic YXBpOkFwcGxlMTIz

 

Response:

Content-Type: application/vnd.com.cisco.ise.identity.guestuser.2.0+xml;charset=utf-8

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:guestuser id="f4705ee2-748b-11e6-9e5e-000c2958a9f6" name="gsharma377" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
  <link rel="self" href="https://10.0.0.121:9060/ers/config/guestuser/f4705ee2-748b-11e6-9e5e-000c2958a9f6" type="application/xml"/>
  <customFields>
    <entry>
      <key>ui_sponsorname_text_label</key>
      <value>Victor Value</value>
    </entry>
  </customFields>
  <guestAccessInfo>
    <fromDate>09/06/2016 16:23</fromDate>
    <location>San Jose</location>
    <toDate>09/07/2016 00:42</toDate>
    <validDays>1</validDays>
  </guestAccessInfo>
  <guestInfo>
    <creationTime>09/06/2016 23:45</creationTime>
    <enabled>false</enabled>
    <firstName>Gaurva</firstName>
    <lastName>Sharma</lastName>
    <notificationLanguage>English</notificationLanguage>
    <password>2063</password>
    <userName>vvalue123</userName>
  </guestInfo>
  <guestType>Daily (default)</guestType>
  <sponsorUserName>MasterSponsor</sponsorUserName>
  <status>AWAITING_INITIAL_LOGIN</status>
</ns4:guestuser>
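The three-step sequence above (look up the portal ID, POST the guest, read the new guest back) involves a fair amount of XML handling, so here is an added Python example, not code from the page or from Cisco, that does the non-network parts offline: it picks the portal ID out of a searchResult, builds the create payload with ElementTree so that names containing XML-special characters are escaped rather than concatenated into the template, extracts the guest ID from the Location header, and parses the GET response. The XML strings are constructed, trimmed copies of the responses shown above with the hostname replaced by the made-up ise-pan.example.test (so the href attributes are well-formed); the `ise` namespace prefix is an arbitrary choice and the HTTP calls themselves are left to your client library. Because the GET response returns the guest password in clear, a `redact` helper is included for anything that reaches a log.

```python
"""Parse the portal list, build the guestuser payload, and read the guest back.

Added example, not Cisco's or the page author's code. XML samples are
constructed, trimmed copies of the page's responses with a made-up hostname.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ERS_NS = "ers.ise.cisco.com"
IDENTITY_NS = "identity.ers.ise.cisco.com"

# Constructed sample: trimmed GET /ers/config/portal search result.
PORTAL_SEARCH_RESULT = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:searchResult total="2" xmlns:ns3="ers.ise.cisco.com">
  <resources>
    <resource id="a6f50970-2230-11e6-99ab-005056bf55e0" name="sponsor">
      <link rel="self" href="https://ise-pan.example.test:9060/ers/config/portal/a6f50970-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
    <resource id="a65b8890-2230-11e6-99ab-005056bf55e0" name="Sponsored Guest Portal (default)">
      <link rel="self" href="https://ise-pan.example.test:9060/ers/config/portal/a65b8890-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
  </resources>
</ns3:searchResult>"""

# Constructed sample: Location header from the POST /ers/config/guestuser response.
LOCATION_HEADER = "https://ise-pan.example.test:9060/ers/config/guestuser/f4705ee2-748b-11e6-9e5e-000c2958a9f6"

# Constructed sample: trimmed GET /ers/config/guestuser/{id} response.
GUEST_RESPONSE = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:guestuser id="f4705ee2-748b-11e6-9e5e-000c2958a9f6" name="vvalue123" xmlns:ns4="identity.ers.ise.cisco.com">
  <guestInfo>
    <enabled>false</enabled>
    <firstName>Susan</firstName>
    <lastName>Storm</lastName>
    <password>2063</password>
    <userName>vvalue123</userName>
  </guestInfo>
  <guestType>Daily (default)</guestType>
  <sponsorUserName>MasterSponsor</sponsorUserName>
  <status>AWAITING_INITIAL_LOGIN</status>
</ns4:guestuser>"""


def basic_auth_header(username: str, password: str) -> str:
    """ERS uses HTTP Basic; guest CRUD needs the sponsor's credentials, not an ERS admin's."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def find_portal_id(search_result_xml: str, portal_name: str) -> str:
    """Return the id of the portal whose name matches (resource elements carry no namespace)."""
    root = ET.fromstring(search_result_xml)
    if root.tag != f"{{{ERS_NS}}}searchResult":
        raise ValueError(f"unexpected root element {root.tag}")
    for resource in root.findall("resources/resource"):
        if resource.get("name") == portal_name:
            return resource.get("id")
    raise LookupError(f"no portal named {portal_name!r}")


def build_guestuser_xml(first, last, from_date, to_date, valid_days, location,
                        guest_type, portal_id, sponsor_label) -> str:
    """Same element layout as the page's template; values are escaped by ElementTree."""
    ET.register_namespace("ise", IDENTITY_NS)  # prefix is arbitrary; the URI is what matters
    root = ET.Element(f"{{{IDENTITY_NS}}}guestuser")
    entry = ET.SubElement(ET.SubElement(root, "customFields"), "entry")
    ET.SubElement(entry, "key").text = "ui_sponsorname_text_label"
    ET.SubElement(entry, "value").text = sponsor_label
    access = ET.SubElement(root, "guestAccessInfo")
    for tag, val in (("fromDate", from_date), ("location", location),
                     ("toDate", to_date), ("validDays", str(valid_days))):
        ET.SubElement(access, tag).text = val
    info = ET.SubElement(root, "guestInfo")
    for tag, val in (("enabled", "true"), ("firstName", first),
                     ("lastName", last), ("notificationLanguage", "English")):
        ET.SubElement(info, tag).text = val
    ET.SubElement(root, "guestType").text = guest_type
    ET.SubElement(root, "portalId").text = portal_id
    return ET.tostring(root, encoding="unicode")


def guest_id_from_location(location: str) -> str:
    """The new guest's ID is the last path segment of the POST response's Location header."""
    return urlsplit(location).path.rstrip("/").rsplit("/", 1)[-1]


def parse_guest(guest_xml: str) -> dict:
    """Pull the fields a sponsor integration usually needs out of the GET response."""
    root = ET.fromstring(guest_xml)
    info = root.find("guestInfo")
    return {
        "id": root.get("id"),
        "userName": info.findtext("userName"),
        "password": info.findtext("password"),
        "enabled": info.findtext("enabled") == "true",
        "status": root.findtext("status"),
        "sponsorUserName": root.findtext("sponsorUserName"),
    }


def redact(guest: dict) -> dict:
    """The GET response carries the guest password in clear; mask it before logging."""
    return {**guest, "password": "***"}


if __name__ == "__main__":
    portal_id = find_portal_id(PORTAL_SEARCH_RESULT, "sponsor")
    print(build_guestuser_xml("Susan", "Storm", "09/01/2016 09:49", "09/01/2016 17:48", 1,
                              "San Jose", "APIGuestType", portal_id, "John Jones"))
    print(guest_id_from_location(LOCATION_HEADER), redact(parse_guest(GUEST_RESPONSE)))
```

Note that `sponsorUserName` in the parsed result is whatever sponsor authenticated the POST, which is the caveat from the "Known Caveats" section: if several systems share one sponsor-api account, every guest they create will carry that single sponsor name.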

 

Send an Email to the Guest

This uses the sponsor portal.

curl -X PUT -k -H 'Content-Type: application/json' -H 'Accept: application/json' -i 'https://mySponsor:mySponsorPassword@myISE:9060/ers/config/guestuser/email/11c276c0-05b4-11e9-a436-005056abd9c7/portalId/40963c00-2e02-11e8-ba71-005056872c7f' --data '{
  "OperationAdditionalData" : {
    "additionalData" : [ {
      "name" : "senderEmail",
      "value" : "sponsor@demo.local"
    } ]
  }
}'

 

Comments

Anyone else getting 401 Unauthorized for guest user/sponsor API calls? I followed all the steps but when I run the following, I get a 401:

https://<ISE-ADMIN-NODE>:9060/ers/config/guestuser/versioninfo

 

ERSAdmin account works fine when getting portal ID. 

 

Here is a screenshot of postman:


Thanks,

Rey

Cisco Employee
Are you doing the calls as a sponsors account like the community page says?
Yes, I created "sponsor-api" and added him to the ALL_ACCOUNTS group (this group has the checkbox for allowing API). Doing sponsor calls using it. I tested my credentials by logging into the sponsor portal successfully. I'm still getting 401.
Beginner

Hi,

I need help with creating, via the REST API, a guest account that changes username/password daily and publishes it to the intranet.