Solved: Re: AAP2.4 and ISE3.1_7. Create Network Group Playbook Not Working

8uck5nort · ‎04-01-2024

I am very new to both Ansible and ISE APIs. I have read through the Cisco Dev site and utilized the playbooks to view and list the groups. However, I am getting an "Unexpected failure during module execution: Unknown API version, known versions are 3.1.0, 3.1.1, 3.1.Patch.1 and 3.2_beta.",

The playbook is relatively simple so not sure why it is not working. Is this an error due to the fact our ISE PAN runs patch 7? I tried the ise_version set to 3.1.Patch1 but that did not work. Does the account I am using require authorization of some kind to create via API?

---

- hosts: My PAN server name
gather_facts: false

tasks:

- name: Create Site Group Under "Location#All Locations"
cisco.ise.network_device_group:
ise_hostname: "{{ise_hostname}}"
ise_username: "{{ise_username}}"
ise_password: "{{ise_password}}"
ise_verify: "{{ise_verify}}"
state: present
description: GroupDesc
name: "Location#All Locations#GroupDesc"
ndgtype: Location

I admit this may be a simple problem as I am still ramping up skills. But I have not had any luck finding an answer or a path to research.

Greg Gibbs · ‎04-02-2024

Here is an example of using Ansible to create the Network Device Group by calling the API directly using the ansible.builtin.uri module.
I tested this against my ISE 3.1 patch 7 instance.

---
- name: Create NDG using API calls 
  hosts: localhost
  gather_facts: no
  vars_files:
  - variables.yaml

  tasks:
  - name: Create NDG -- GroupDesc
    ansible.builtin.uri:
      url: https://{{ ise_hostname }}:9060/ers/config/networkdevicegroup
      return_content: true
      method: POST
      validate_certs: false
      headers:
        Content-Type: application/json
        Accept: application/json
        Authorization: Basic {{ ers_username_password | b64encode }}
      body_format: json
      status_code: 201
      body:
        NetworkDeviceGroup:
          name: Location#All Locations#GroupDesc
          description: GroupDesc
          othername: Location

View solution in original post

8uck5nort · ‎04-02-2024

I believe this is the issue. It appears to be related to this https://github.com/CiscoISE/ansible-ise/issues/56

Has anyone found a work around?

Greg Gibbs · ‎04-02-2024

Those Ansible modules are only community supported and there is currently no development being done on that code.

The only workaround would be using Ansible to call the APIs themselves similar to this example:
https://opensource.com/article/21/9/ansible-rest-apis

You can find all of the relevant ISE API documentation to use in your Ansible code at https://cs.co/ise-api

Greg Gibbs · ‎04-02-2024

Here is an example of using Ansible to create the Network Device Group by calling the API directly using the ansible.builtin.uri module.
I tested this against my ISE 3.1 patch 7 instance.

---
- name: Create NDG using API calls 
  hosts: localhost
  gather_facts: no
  vars_files:
  - variables.yaml

  tasks:
  - name: Create NDG -- GroupDesc
    ansible.builtin.uri:
      url: https://{{ ise_hostname }}:9060/ers/config/networkdevicegroup
      return_content: true
      method: POST
      validate_certs: false
      headers:
        Content-Type: application/json
        Accept: application/json
        Authorization: Basic {{ ers_username_password | b64encode }}
      body_format: json
      status_code: 201
      body:
        NetworkDeviceGroup:
          name: Location#All Locations#GroupDesc
          description: GroupDesc
          othername: Location

8uck5nort · ‎04-04-2024

Thank You will give this a try.

thomas · ‎04-02-2024

Correct - the problem is the breaking ISE change introduced by renaming the othername attribute to ndgtype.

According to my ise_network_device_groups role:

#  ISE 3.1 Patch 4 and 3.2 `networkdevicegroup` create fails.
#  It expects an `ndgtype` attribute instead of `othername`.
#  This should be fixed in ISE 3.1 Patch 5 and ISE 3.2 Patch 1

You best option is to upgrade to the latest patch and just use the othername attribute.

8uck5nort · ‎04-04-2024

Thank you for the reply.

The ISE instance is on patch 3.1 patch 7 and I have tried othername as suggested, but the play still fails, it is saying othername is not a valid parameter.

The full traceback is:
NoneType: None
fatal: [localhost]: FAILED! => {
"changed": false,
"msg": ["othername. Supported parameters include: description, id, ise_debug, ise_hostname, ise_password, ise_single_request_timeout, ise_username, ise_uses_api_gateway, ise_uses_csrf_token, ise_verify, ise_version, ise_wait_on_rate_limit, name, ndgtype, state."]}
When I try using ndgtype it fails, but then tells me that othername is required.

"msg": "An error occurred when executing operation. The error was: [400] - Validation Error - Mandatory fields missing: [othername]

Now I am definitely no expert and it is very possible I could have something else incorrectly configured or missed a pre-req. I am continuing to develop, test and troubleshoot ISE playbooks.

I can manually create the Device Group in ISE and create a network group device with all the appropriate settings with out issue.

Greg Gibbs · ‎04-04-2024

Correct. I get the same behaviour when using the Ansible ISE module. This is due to the breaking changes in the API that where later reversed. The Ansible module developers updated the module to resolve the initial breaking change, but there was no more development done on the module after the API change was reversed.

You might be able to use an older version of the API (check the changelog and closed issues) before this change was made in the module, but there could be other issues in that version.
I would suggest either using the ansible.builtin.uri module option I provided an example for or look into using Terraform as per this example.

8uck5nort · ‎04-29-2024

Thank you to all who replied.

I just now was able to get back to this project. Using the ansible.builtin.uri module worked.