
ISE ERS API can't update guest user after they changed their password

rodredrejo
Level 1

Hello,

Trying to extend a guest account:

PUT https://ise.lab.com:443/ers/config/guestuser/f93d080d-adb3-425f-a647-6b0463c46b66

{
  "GuestUser": {
    "portalId": "ac6b8399-ef91-4ef3-97d2-46eeaab82d42",
    "guestType": "Contractor (default)",
    "guestInfo": {
    },
    "guestAccessInfo": {
      "validDays": 10,
      "fromDate": "04/17/2023 09:10",
      "toDate": "04/27/2023 09:10"
    },
    "customFields": {}
  }
}

I get this error: 

{
  "ERSResponse": {
    "operation": "PUT-update-guestuser",
    "messages": [
      {
        "title": "Updating GuestUser By ID (f93d080d-adb3-425f-a647-6b0463c46b66) failed due to com.cisco.cpm.guestaccess.apiservices.exception.PortalValidationException: Your password does not meet the password policy requirements.",
        "type": "ERROR",
        "code": "CRUD operation exception"
      }

I know the guest's password is valid. The same PUT request works on a guest that has been created by the system ("Created" / AWAITING_INITIAL_LOGIN state) but not after the guest has logged in for the first time and changed their password ("Active" state).

Any suggestion?

Thanks

4 Replies

Zhicheng Lun
Cisco Employee

Hi rodredrejo,

I can update a guest user through the API (PUT https://{ise host}:9060/ers/config/guestuser/{id}) even after the guest user changes the login password.

Here is how I form the body data. You might use it as a template to test in your environment; just change the values accordingly. Most of this data can be retrieved from the "Get-by-id" API; just add "password" and "portalId":

===================================================

{
  "GuestUser": {
    "id": "4f6563ea-3eae-4a7a-82af-80ffdd275044",
    "name": "gui_randome9rg37",
    "guestType": "Contractor (default)",
    "sponsorUserName": "ers_sponsor",
    "sponsorUserId": "691892fa-9a64-4cae-a437-d7f3e3ade0f1",
    "guestInfo": {
      "userName": "gui_randome9rg37",
      "password": "C1sco12345",
      "creationTime": "05/04/2023 00:42",
      "enabled": true,
      "notificationLanguage": "ChineseSimplified"
    },
    "guestAccessInfo": {
      "validDays": 93,
      "fromDate": "05/04/2023 15:41",
      "toDate": "08/05/2023 15:41",
      "location": "San Jose"
    },
    "portalId": "b2fea183-da44-4cdb-923c-3abc1b854ff0"
  }
}

===================================================



Hi,

Thanks for your suggestion. It works but the user password gets reset with this operation. The thing is, I just want to increase "valid days" for the user while leaving the password as it is. After a user has changed their password, the new password is not retrieved with "Get-by-id" anymore which is a good thing for security I guess but that means I can't even re-apply the same password. That's why I didn't include it in the PUT hoping it would keep the existing value.

Hi rodredrejo,

Since password is a required attribute for the user update API, I don't think there is a way to bypass it until there is a feature/API update on the product end. You might want to try the "Make a wish" feature to let the Cisco development team know your request.

Aside from that, maybe you can put a disclaimer on the login portal such as, "If you cannot log in with your current password, your account might be updated, please try {new password}." And tick the "Allow guests to change password after login" option under login page settings.
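
As an added example (not code from the thread or from Cisco): because the update API requires a password and an Active guest's current one is not returned by Get-by-id, this Python helper builds the PUT body from the Get-by-id data, extends the validity window, and sets a freshly generated random password to hand to the guest. The sample response, the function names and the password policy (12 characters with upper, lower and digit) are assumptions.

```python
import copy
import json
import secrets
import string
from datetime import datetime, timedelta

ERS_DATE = "%m/%d/%Y %H:%M"  # date format seen in the thread's request bodies

# Constructed sample of a Get-by-id response for an "Active" guest: field names
# follow the template in the thread, and no password is returned.
SAMPLE_GET_BY_ID = {"GuestUser": {
    "id": "4f6563ea-3eae-4a7a-82af-80ffdd275044",
    "name": "gui_randome9rg37",
    "guestType": "Contractor (default)",
    "guestInfo": {"userName": "gui_randome9rg37", "enabled": True},
    "guestAccessInfo": {"validDays": 93, "fromDate": "05/04/2023 15:41",
                        "toDate": "08/05/2023 15:41", "location": "San Jose"},
}}

def new_password(length=12):
    """Random password with lower, upper and digit characters.
    Assumption: this satisfies the guest password policy on the deployment."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

def build_extend_body(get_by_id, portal_id, extra_days):
    """Return (put_body, password): the Get-by-id data with toDate pushed out by
    extra_days, validDays recomputed, and the required password and portalId added."""
    body = copy.deepcopy(get_by_id)  # never mutate the caller's copy
    guest = body["GuestUser"]
    access = guest["guestAccessInfo"]
    start = datetime.strptime(access["fromDate"], ERS_DATE)
    end = datetime.strptime(access["toDate"], ERS_DATE) + timedelta(days=extra_days)
    if end <= start:
        raise ValueError("toDate must stay after fromDate")
    access["toDate"] = end.strftime(ERS_DATE)
    access["validDays"] = (end - start).days
    password = new_password()
    guest["guestInfo"]["password"] = password  # this resets the guest's password
    guest["portalId"] = portal_id
    return body, password

if __name__ == "__main__":
    body, pw = build_extend_body(SAMPLE_GET_BY_ID, "b2fea183-da44-4cdb-923c-3abc1b854ff0", 10)
    print(json.dumps(body, indent=2))  # body for PUT /ers/config/guestuser/{id}
```

The returned password has to be delivered to the guest, since the update replaces their current one.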

rodredrejo
Level 1

Cisco ISE now supports PATCH requests for ERS APIs as of version 3.2, so that only the attributes sent as part of the request are updated. Unfortunately it's still not working for me for "guestuser" (405 Method Not Allowed error) but hopefully it will get added soon.