11-28-2018 12:57 PM
I have a customer who is converting from ACS to ISE. He is looking for API calls into ISE to allow for:
Creating and deleting authorization profiles
Creating and deleting policy set auth rules
Does anyone know if these already exist somewhere or if there is a road map to have them added?
Thanks.
Neil
11-28-2018 02:18 PM
This is the big dream we all have and are waiting for (maybe?).
In the latest 2.4 the closest you can get is to create Authorization Profiles via the REST API.
"Authorization Profile API allows the client to add, delete, update, search and perform actions on authorization profiles. In this documentation, for each available API you will find the request syntax including the required headers and a response example of a successful flow. "
e.g. a POST to https://<PAN_NODE>:9060/ers/config/authorizationprofile
Log into an ISE node and check the built-in API documentation for more specifics.
But the Policy Sets etc. are only possible via GUI.
In ISE the REST API is a bolt-on (afterthought). If done right then any GUI action should be possible via an API call. And this is because the application itself uses its own API!!! If you don't like the GUI then you have the choice to write your own app. Maybe there are plans to expand this. DevNet is a big thing at Cisco but it should not have to take years to accomplish this. I suspect that it would be tricky to retrofit ISE to be completely API driven.
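The create and delete calls mentioned in the answer above, as an added example that is not part of the original post or Cisco's own code. The host name, the ERS account and the profile field values are assumptions; check the payload fields against the built-in API documentation on the node.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import quote

ERS_PORT = 9060  # ERS port from the URL quoted in the post


def _ers_request(pan_node, path, method, user, password, payload=None):
    """Build (but do not send) an ERS request with basic auth and JSON headers."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        f"https://{pan_node}:{ERS_PORT}/ers/config/{path}", data=body, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req


def create_profile_request(pan_node, user, password, name, description=""):
    """POST a minimal ACCESS_ACCEPT authorization profile (assumed field set)."""
    payload = {"AuthorizationProfile": {
        "name": name,
        "description": description,
        "accessType": "ACCESS_ACCEPT",
    }}
    return _ers_request(pan_node, "authorizationprofile", "POST", user, password, payload)


def delete_profile_request(pan_node, user, password, profile_id):
    """DELETE by resource id; the id is percent-encoded so it cannot alter the path."""
    path = "authorizationprofile/" + quote(profile_id, safe="")
    return _ers_request(pan_node, path, "DELETE", user, password)


def send(req, ca_file=None):
    """Send with certificate verification on; ca_file is the CA that signed the PAN cert."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        # Assumption: on create, ISE returns the new resource URL in Location.
        return resp.status, resp.headers.get("Location")
```

Use a dedicated ERS account with only the rights these calls need, and keep its password out of the script, for example by reading it from a secrets store at run time.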
11-29-2018 02:54 AM - edited 11-29-2018 06:40 AM
Well said, Arne. If you do have requirements, please reach out through the ISE feedback mechanism via the menus in the upper right of the ISE UI.
Also check the following documentation