Use the Primary Policy Administration Node (PAN) on port 9060 for ISE < 3.1 unless using the sponsor portal URL.
ISE 3.1 and later may use the ISE API Gateway feature and normally use HTTPS on port 443.
Known Caveats with ISE Guest API
If you try to do any CRUD operations (Create, Read, Update, Delete) with the ISE REST APIs for guests, you will likely receive an HTTP Status 401 – Unauthorized error message. This is a known issue:
CSCvd48557 - Ability to set the sponsor user with the guest API
The only way to create, read, update or delete Guest users is with a Sponsor account. When you create a guest account it sets the sponsor user to that of the sponsor calling the API. There is no way to override this. We will show you how to work around this problem below. See the related TechZone article How to create guest accounts with API.
Enable ISE REST APIs
In ISE, navigate to Administration > System > Settings > ERS Settings
Check Enable ERS for Read/Write
You may optionally check Enable ERS for Read if you will be doing REST API actions beyond the guest functions
You will need 2 different types of accounts to fully work with the Guest APIs. One for sponsor actions and one for changes of portal settings (if needed). To simply look at the SDK you will need an admin account (this has nothing to do with the sponsor account used to query or work with guest accounts).
In order to work with guest accounts you need to set up a Sponsor that is able to use the API.
Sponsor accounts are needed to perform CRUD operations on guest accounts.
In ISE, go to Administration > Identity Management > Identities > Users
Click +Add to add a new sponsor-api user for ALL_ACCOUNTS:
This sponsor will have visibility of ALL Guests in the system. If you wanted to limit it then you could use a different group.
Click on Submit to save the new account
Give Sponsor Group Access to the API
Under the sponsor group (ALL_ACCOUNTS) add ERS API access permission
In ISE, go to Work Centers > Guest Access > Portals & Components > Sponsor Groups > ALL_ACCOUNTS
Under Sponsor Can Create, check the box for Access Cisco ISE guest accounts using the programmatic interface (Guest REST API)
Scroll to the top and click Save
If you need to set up an admin account that is able to work with the guest portal actions (changing portal settings) or looking at the SDK then follow these steps:
To update a guest user, we need to use only updateById.
How do I move from suspended to active account?
Re-instantiate to move suspended guest to active account
Is there a way we can always create a user with the maximum duration without changing the API call?
The maximum duration comes from the guest type and the self-registration portal being used. The way to set an account with max duration is to make sure the three fields (fromDate, toDate and validDays) are properly filled. If the duration is longer than the “Maximum access duration”, the API will throw an error.
Create a Guest User
Username and password are optional and can be dynamically generated.
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:searchResult total="4" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com">
  <resources>
    <resource description="Default portal used by sponsors to create and manage accounts for authorized visitors to securely access the network"
              id="a6f50970-2230-11e6-99ab-005056bf55e0"
              name="sponsor">
      <link rel="self" href="https://<ise_admin_ip>:9060/ers/config/portal/a6f50970-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
    <resource description="Guests are allowed to create their own accounts and access the network using their assigned username and password"
              id="a692c530-2230-11e6-99ab-005056bf55e0"
              name="Self-Registered Guest Portal (default)">
      <link rel="self" href="https://10.0.0.121:9060/ers/config/portal/a692c530-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
    <resource description="Sponsors create guest accounts, and guests access the network using their assigned username and password"
              id="a65b8890-2230-11e6-99ab-005056bf55e0"
              name="Sponsored Guest Portal (default)">
      <link rel="self" href="https://<ise_admin_ip>:9060/ers/config/portal/a65b8890-2230-11e6-99ab-005056bf55e0" type="application/xml"/>
    </resource>
  </resources>
</ns3:searchResult>
Create the Guest user using the guest API query. Obtain Guest ID from the POST response “Location”:
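The data handling around guest creation, as an added example that is not from the original article or from Cisco: it looks up a portal ID in a portal list shaped like the one above, builds a fromDate/toDate/validDays triple that agrees with itself and stays within a maximum duration, and validates the POST "Location" header before taking the guest ID from it. The date format, the /ers/config/guestuser/ path, the host name ise.example.test and the rule that toDate equals fromDate plus validDays are assumptions.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import urlparse

DATE_FMT = "%m/%d/%Y %H:%M"  # assumption: timestamp format the guest API expects

# Constructed sample shaped like the portal list on this page (links omitted).
PORTAL_LIST = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:searchResult total="2" xmlns:ns3="ers.ise.cisco.com">
  <resources>
    <resource id="a6f50970-2230-11e6-99ab-005056bf55e0" name="sponsor"/>
    <resource id="a65b8890-2230-11e6-99ab-005056bf55e0"
              name="Sponsored Guest Portal (default)"/>
  </resources>
</ns3:searchResult>"""


def portal_id_by_name(xml_text: str, name: str) -> str:
    """Return the id of the portal whose name matches exactly."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{ers.ise.cisco.com}searchResult":
        raise ValueError("not an ERS searchResult document")
    for res in root.iter("resource"):
        if res.get("name") == name:
            return res.get("id")
    raise LookupError(f"no portal named {name!r}")


def access_window(start: datetime, valid_days: int, max_days: int) -> dict:
    """Build fromDate, toDate and validDays so that they agree with each other."""
    if not 1 <= valid_days <= max_days:
        raise ValueError(f"validDays must be between 1 and {max_days}")
    end = start + timedelta(days=valid_days)  # assumption: toDate = fromDate + validDays
    return {"fromDate": start.strftime(DATE_FMT),
            "toDate": end.strftime(DATE_FMT),
            "validDays": valid_days}


def guest_id_from_location(location: str, expected_host: str) -> str:
    """Extract the guest ID from a POST Location header, rejecting foreign URLs."""
    url = urlparse(location)
    prefix = "/ers/config/guestuser/"  # assumption: mirrors the portal hrefs above
    if url.scheme != "https" or url.hostname != expected_host:
        raise ValueError("Location does not point at the expected ISE node")
    if not url.path.startswith(prefix):
        raise ValueError("Location is not a guest user resource")
    return str(uuid.UUID(url.path[len(prefix):]))  # ValueError if not a UUID
```

Checking the duration locally against the guest type's maximum catches the over-limit case before the request is sent, and checking the Location host and ID format keeps a malformed or unexpected header from being reused in later API calls.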