ERS Authorization Profiles

Synopsis

netapi ise get-authz-profiles [OPTIONS]
netapi ise get-authz-profile <NAME> [OPTIONS]
netapi ise create-authz-profile <NAME> [OPTIONS]
netapi ise update-authz-profile <NAME> [OPTIONS]
netapi ise create-authz-profiles-from-file <YAML_FILE>
netapi ise update-authz-profiles-from-file <YAML_FILE>

Description

Manage ISE authorization profiles through the ERS API. An authorization profile defines what network access (VLAN, downloadable ACL, re-authentication interval) is granted to an endpoint after it authenticates successfully.

Commands

get-authz-profiles

List all authorization profiles.

netapi ise get-authz-profiles
netapi ise get-authz-profiles --size 50 --page 2

Options

--size, -s INTEGER    Results per page (default: 100)
--page, -p INTEGER    Page number (default: 1)

get-authz-profile

Get the details of a single profile by name.

netapi ise get-authz-profile Domus_Secure_Profile

create-authz-profile

Create a single authorization profile.

# Basic profile with VLAN
netapi ise create-authz-profile Domus_Admin_Profile --vlan ADMIN_VLAN

# Profile with VLAN and DACL
netapi ise create-authz-profile Domus_Secure_Profile --vlan DATA_VLAN --dacl DACL_SECURE_FULL

# With description
netapi ise create-authz-profile Domus_Guest --vlan GUEST_VLAN --descr "Guest internet only"

update-authz-profile

Update an existing authorization profile.

# Update VLAN
netapi ise update-authz-profile Domus_Secure_Profile --vlan NEW_VLAN

# Update DACL
netapi ise update-authz-profile Domus_Secure_Profile --dacl DACL_NEW

# Remove DACL
netapi ise update-authz-profile Domus_Secure_Profile --no-dacl

# Update reauth timer (8 hours)
netapi ise update-authz-profile Domus_Secure_Profile --reauth-timer 28800

Sample Output

{
  "id": "2e165c10-f5ad-11f0-b76e-52c54a1d1f56",
  "name": "Domus_Secure_Profile",
  "description": "Trusted users - deny management subnet",
  "accessType": "ACCESS_ACCEPT",
  "authzProfileType": "SWITCH",
  "vlan": {
    "nameID": "DATA_VLAN",
    "tagID": 1
  },
  "daclName": "DACL_SECURE_FULL",
  "reauth": {
    "timer": 28800,
    "connectivity": "DEFAULT"
  }
}

create-authz-profiles-from-file

Create one or more profiles from a YAML definition file.

netapi ise create-authz-profiles-from-file profiles.yaml

profiles.yaml:
profiles:
  - name: Domus_Secure_Profile
    description: "Trusted users - full network access"
    access_type: ACCESS_ACCEPT
    vlan:
      name: DATA_VLAN
      tag: 1
    dacl_name: DACL_SECURE_FULL
    reauth_timer: 28800

  - name: Domus_IoT_Profile
    description: "IoT devices - restricted access"
    access_type: ACCESS_ACCEPT
    vlan:
      name: IOT_VLAN
      tag: 1
    dacl_name: DACL_IOT_RESTRICTED
    reauth_timer: 3600

  - name: Domus_Guest_Profile
    description: "Guest users - internet only"
    access_type: ACCESS_ACCEPT
    vlan:
      name: GUEST_VLAN
      tag: 1
    dacl_name: DACL_GUEST_INTERNET

Profile Attributes

Attribute       Description                              Example
access_type     Accept or reject                         ACCESS_ACCEPT, ACCESS_REJECT
vlan.name       VLAN name (must exist on switch)         DATA_VLAN
dacl_name       Downloadable ACL name                    DACL_SECURE_FULL
reauth_timer    Re-authentication interval (seconds)     28800 (8 hours)
airespace_acl   WLC ACL name (wireless)                  ACL_WIFI_SECURE
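As an added example (not part of the netapi tool), a lint for profiles.yaml that enforces the attributes above before a file is handed to ISE: it rejects unknown access_type values, flags ACCESS_ACCEPT profiles that grant access without a DACL or WLC ACL, checks reauth_timer, catches duplicate names, and maps an entry to the ERS body shape shown under Sample Output. The YAML key names come from the profiles.yaml above; the ERS field mapping (accessType, vlan.nameID/tagID, daclName, reauth.timer) is assumed from the sample output rather than taken from the tool's source.

```python
ACCESS_TYPES = {"ACCESS_ACCEPT", "ACCESS_REJECT"}


def lint_profile(p: dict) -> list:
    """Return the problems found in one profile entry (empty list = clean)."""
    errs = []
    name = p.get("name")
    if not isinstance(name, str) or not name:
        return ["profile entry without a name"]
    if p.get("access_type") not in ACCESS_TYPES:
        errs.append(f"{name}: access_type must be ACCESS_ACCEPT or ACCESS_REJECT")
    elif p["access_type"] == "ACCESS_ACCEPT":
        vlan = p.get("vlan") or {}
        if not vlan.get("name"):
            errs.append(f"{name}: ACCESS_ACCEPT profile has no vlan.name")
        # An accept profile with no ACL at all grants unrestricted access.
        if not p.get("dacl_name") and not p.get("airespace_acl"):
            errs.append(f"{name}: ACCESS_ACCEPT profile grants access without a DACL or WLC ACL")
    timer = p.get("reauth_timer")
    if timer is not None and (isinstance(timer, bool) or not isinstance(timer, int) or timer <= 0):
        errs.append(f"{name}: reauth_timer must be a positive integer (seconds)")
    return errs


def lint_document(doc: dict) -> list:
    """Lint the whole document: per-profile checks plus duplicate names."""
    profiles = doc.get("profiles") if isinstance(doc, dict) else None
    if not isinstance(profiles, list):
        return ["top-level 'profiles' list is missing"]
    errs, seen = [], set()
    for p in profiles:
        errs.extend(lint_profile(p))
        name = p.get("name")
        if name and name in seen:
            errs.append(f"{name}: duplicate profile name")
        seen.add(name)
    return errs


def to_ers_body(p: dict) -> dict:
    """Map one YAML entry to the ERS JSON shape in Sample Output (assumed mapping)."""
    body = {"name": p["name"], "description": p.get("description", ""),
            "accessType": p["access_type"], "authzProfileType": "SWITCH"}
    if p.get("vlan"):
        body["vlan"] = {"nameID": p["vlan"]["name"], "tagID": p["vlan"].get("tag", 1)}
    if p.get("dacl_name"):
        body["daclName"] = p["dacl_name"]
    if p.get("reauth_timer") is not None:
        body["reauth"] = {"timer": p["reauth_timer"], "connectivity": "DEFAULT"}
    return body
```

Feed it the result of `yaml.safe_load()` on profiles.yaml; a non-empty list from `lint_document` is a reason to fail the pipeline step before any update-authz-profiles-from-file call.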

CI/CD Pipeline Example

# GitOps: Profile changes trigger ISE update
name: Update ISE Authz Profiles

on:
  push:
    paths:
      - 'ise/profiles/*.yaml'

jobs:
  deploy:
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4

      - name: Load credentials
        run: eval "$(dsource d000 dev/network)"

      - name: Update profiles
        run: |
          for file in ise/profiles/*.yaml; do
            netapi ise update-authz-profiles-from-file "$file"
          done