Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE with API

Hi, I'm testing ISE API call with getting all endpoints.

When I try it with POSTMAN on chrome, I got this error.

This seems to be like an error connecting to

https://10.10.10.50:9060/ers/config/internaluser

. The response status was 0.

Check out the

W3C XMLHttpRequest Level 2 spec for more details about when this happens.

I enabled ERS services, created ERS admin and I do not know what I should do more.

has anyone tried and succeed to use API ?

ISE version is 1.2.0.899 with patch 4

Everyone's tags (2)
19 REPLIES

ISE with API

Hi,

I just turned this on and I had some issues  authenticating with an external (AD) account. Did you try authenticating  the the sdk portal? https://ise:9060/ers/sdk? I checked there first  before trying the chrome plugin. Also for that operation are you setting  the following header?

Accept: application/vnd.com.cisco.ise.identity.internaluser.1.0+xml

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

Re: ISE with API

Hi, I was able to get into sdk portal, and I used right accept header.

When u log into sdk portal, you should use ers admin account in ise internal identity store. I created one and used it.

Sent from Cisco Technical Support iPhone App

Re: ISE with API

Do you have any internal user accounts in ISE? I got the same response but once I added a user account I then got the record, I was also able to delete the record also. I am stuck on trying to create the user account and hope to get that completed once I get around to it.

What I noticed was that when I tried to point to the external active directory group for ERS admin it didnt seem like it was using it, however I only tried a couple times.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

Re: ISE with API

I will try with a new internal account.

Sent from Cisco Technical Support iPhone App

New Member

Re: ISE with API

I found out that I had to use FQDN for http request header.

What I ultamately wanted to use is get all endpoints, but it seems like it's not supported.

I could get endpoint ID and URL for something I dont know, but could not get mac-addresses.

Re: ISE with API

You should be able to pull all the endpoints, did you try these params?

Method: GET
URI: https://ISEFQDN:9060/ers/config/endpoint
HTTP Accept header:
application/vnd.com.cisco.ise.identity.endpoint.1.0+xml                                                                                                                                                              
Request Content:

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

Re: ISE with API

I tried it.

and in the API Guide, get all endpoints does not present mac address.

I dont know if its going to be or not...

Re: ISE with API

I see what you are running into. I am going to open a tac case but in the meantime I am going to install patch 5 on my lab and see if anything changes.

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE with API

I have applied patch 5. I hope you can hear something from cisco tac.

Thank you.

Cisco Employee

ISE with API

Hi,

Seems like trust was not established.

Postman client dosnt know to handle SSL.
you should open a session with ISE GUI first in another tab. this will force chrome to download and trust the server certificate.

Thanks

Amir

ISE with API

Amir,

The issue is not with the trust, since my postman pops up a display asking if I want to deny or allow. The issue is with the API SDK documentation which shows the query for all endpoints should retreive the mac addresses along with the ID. It seems as if the documentation or API needs further explanation. I have a tac case open and the engineer I am working with is working with the BU.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*

Re:ISE with API

Hi,

Cisco engineer has confirmes with the BU that this is a bug. Once I get more details I will have them up.

Sent from Cisco Technical Support Android App

Tarik Admani *Please rate helpful posts*
New Member

Re: Re:ISE with API

You mean the mac address supposed to pop up when I call the API ?!

That would make my life so easy !

Sent from Cisco Technical Support iPhone App

Cisco Employee

Re:ISE with API

Hi Jiyoung,

As per the document it should populate the name of the end point i.e. Mac Address, description and id of end point.

Currently there is a defect  CSCum49249 for this issue.

As a workaround you can make use of "Get by ID" method to get the name of the end point from the id retrieved from method "list".

New Member

Re: Re:ISE with API

Hi, It does populate description, id of end point, and name.

document says these are only popuated attributes at this time.

I dont know if they will make it popluate mac address ever or not.

Cisco Employee

Re: Re:ISE with API

Hi Jiyoung,

currently the output of the list all end points is populating only id of the end point as follows:

Name and descrption is not being displayed in the out put as per the document.

Here Name should be MAC address of the end point.

Re:ISE with API

Naresh,

Do you think we cam also have the name and ID of the identity group also populated so we can see how the devices are profiled?


Sent from Cisco Technical Support Android App

Tarik Admani *Please rate helpful posts*
Cisco Employee

Re:ISE with API

Tarik,

Do you mean in the same call of list end point API. This may not be possible. Let me check and update

But we do have another call to get list of all end point Identity Groups.

application/vnd.com.cisco.ise.identity.identitygroup.1.0+xml'

'https://ers:Cisco123@10.105.170.61:9060/ers/config/identitygroup'

ISE with API

Yes,

The reason I was asking is that if we can query the endpoint identity group was to see how the devices are profiled.

I think the endpoint group id is sent in the endpoint query, I meant to ask if we can include the ip address or if possible could we generate an API call for a specific ip addresses?

This could help when relying on reporting from other applications that may generate security alerts.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
955
Views
0
Helpful
19
Replies