Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1027
Views
0
Helpful
2
Replies

ISE APIs

Go to solution
nloverin
Cisco Employee
Cisco Employee

‎11-28-2018 12:57 PM

I have a customer who is converting from ACS to ISE.  He is looking for API calls into ISE to allow for:

 

Creating and deleting authorization profiles
Creating and deleting policy set auth rules 

 

Does anyone know if these already exist somewhere or if there is a road map to have them added? 

Thanks.

 

Neil

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎11-28-2018 02:18 PM

This is the big dream we all have and are waiting for (maybe?).  

 

In latest 2.4 the closest you can get is to create Authorization Profiles via REST API. 

"Authorization Profile API allows the client to add, delete, update, search and perform actions on authorization profiles. In this documentation, for each available API you will find the request syntax including the required headers and a response example of a successful flow. "

e.g. a POST to https://<PAN_NODE>:9060/ers/config/authorizationprofile

Log into an ISE node and check the built in API documentation for more specifics.

 

But the Policy Sets etc. are only possible via GUI.

In ISE the REST API is a bolt-on (afterthought).  If done right then any GUI action should be possible via an API call.  And this is because the application itself uses its own API!!!  If you don't like the GUI then you have the choice to write your own app.  Maybe there are plans to expand this.  DevNet is a big thing at Cisco but it should not have to take years to accomplish this.  I suspect that it would be tricky to retrofit ISE to be completely API driven.

 

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Arne Bier
VIP
VIP

‎11-28-2018 02:18 PM

This is the big dream we all have and are waiting for (maybe?).  

 

In latest 2.4 the closest you can get is to create Authorization Profiles via REST API. 

"Authorization Profile API allows the client to add, delete, update, search and perform actions on authorization profiles. In this documentation, for each available API you will find the request syntax including the required headers and a response example of a successful flow. "

e.g. a POST to https://<PAN_NODE>:9060/ers/config/authorizationprofile

Log into an ISE node and check the built in API documentation for more specifics.

 

But the Policy Sets etc. are only possible via GUI.

In ISE the REST API is a bolt-on (afterthought).  If done right then any GUI action should be possible via an API call.  And this is because the application itself uses its own API!!!  If you don't like the GUI then you have the choice to write your own app.  Maybe there are plans to expand this.  DevNet is a big thing at Cisco but it should not have to take years to accomplish this.  I suspect that it would be tricky to retrofit ISE to be completely API driven.

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Arne Bier

‎11-29-2018 02:54 AM - edited ‎11-29-2018 06:40 AM

Well said Arne. If you do have requirements please reach out through the ise feedback mechanism via the menus in the upper right of the ise UI

 

Also check the following documentation

https://community.cisco.com/t5/security-documents/ise-ers-api-examples/ta-p/3622623#toc-hId--1994416749

0 Helpful
Customers Also Viewed These Support Documents