Authorization Profiles API
Overview
Authorization Profiles define what access an endpoint receives after successful authentication. They can assign VLANs, dACLs, SGTs, and other attributes.
Base URL |
|
Methods |
GET, POST, PUT, DELETE |
Key Fields |
accessType, daclName, vlan, advancedAttributes |
Setup
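# Load the ISE API connection variables into the shell. dsource is the
# project's loader for the dev/network environment; it presumably exports
# ISE_PAN_IP, ISE_API_USER and ISE_API_PASS (confirm against the loader).
dsource d000 dev/network
# Fail here with a clear message rather than later sending an empty
# "user:pass" to ISE when the loader did not populate the variables.
: "${ISE_PAN_IP:?ISE_PAN_IP is not set - run the dsource step first}"
: "${ISE_API_USER:?ISE_API_USER is not set - run the dsource step first}"
: "${ISE_API_PASS:?ISE_API_PASS is not set - run the dsource step first}"
ISE_HOST="${ISE_PAN_IP}"
# user:pass string consumed by `curl -u` in the snippets below. It ends up
# on curl's command line, i.e. visible in `ps` and in shell history; a curl
# --netrc-file or -K config file keeps the password out of argv.
ISE_AUTH="${ISE_API_USER}:${ISE_API_PASS}"
# ERS config API root (port 9060 is the ERS listener). The snippets below
# use -k against this URL, which disables TLS verification; pair the base
# URL with --cacert <ISE CA bundle> instead where possible.
BASE_URL="https://${ISE_HOST}:9060/ers/config"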
List All Profiles
netapi
# CLI wrapper; presumably the same as the curl call in the next tab:
# lists every authorization profile on the ISE node configured above.
netapi ise get-authz-profiles
curl
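# List all authorization profiles, printing name and id for each.
# -f: an HTTP 4xx/5xx fails curl instead of feeding the ERS error body to
#     jq; -S keeps curl's error message visible despite -s.
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
# NOTE: ERS list responses are paged; with more profiles than one page
# holds, follow .SearchResult.nextPage to see the rest.
curl -sSfk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Accept: application/json" \
  | jq '.SearchResult.resources[] | {name, id}'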
Get Profile by Name
netapi
# CLI wrapper; presumably the same as the curl call in the next tab:
# fetches one authorization profile by its name.
netapi ise get-authz-profile "Linux-EAP-TLS-Access"
curl
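# Get one authorization profile by name.
PROFILE_NAME="Linux-EAP-TLS-Access"
# Percent-encode the name so it is safe as a URL path segment (profile
# names may contain spaces or other reserved characters).
ENCODED_NAME=$(jq -rn --arg s "${PROFILE_NAME}" '$s | @uri')
# -f: a 404 (unknown name) fails curl instead of handing jq an error body;
# -S keeps curl's error message visible despite -s.
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
curl -sSfk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile/name/${ENCODED_NAME}" \
  -H "Accept: application/json" \
  | jq '.AuthorizationProfile'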
Create Profile
Basic Permit Profile
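# Create a basic permit profile: ACCESS_ACCEPT plus a VLAN assignment,
# no dACL. The body is a fixed literal, so no shell values are spliced in.
# -S keeps curl errors visible despite -s; -w prints the HTTP status after
# the response so a rejected create (e.g. duplicate name) is not silent,
# while still showing ISE's error JSON (which -f would discard).
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
curl -sSk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d '{
  "AuthorizationProfile": {
    "name": "Linux-Permit-All",
    "description": "Full network access for Linux workstations",
    "accessType": "ACCESS_ACCEPT",
    "authzProfileType": "SWITCH",
    "vlan": {
      "nameID": "DATA",
      "tagID": 10
    }
  }
}' \
  -w 'HTTP %{http_code}\n'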
Profile with dACL
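# Create a profile that attaches an existing dACL by name.
DACL_NAME="Linux-Permit-AD-Only"
# Verify the dACL exists before creating the profile: the profile only
# references it by name, so this lookup catches a typo up front.
# `// empty` makes a missing id produce no output, so the :? check fires.
# -f: an HTTP error (e.g. 404) fails curl instead of feeding an ERS error
#     body to jq; -S keeps curl's error message visible despite -s.
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
DACL_ID=$(curl -sSfk -u "${ISE_AUTH}" \
  "${BASE_URL}/downloadableacl/name/${DACL_NAME}" \
  -H "Accept: application/json" | jq -r '.DownloadableAcl.id // empty')
: "${DACL_ID:?dACL ${DACL_NAME} not found}"
# Build the request body with jq --arg so the dACL name is JSON-escaped
# rather than spliced into the literal as shell text.
PROFILE_BODY=$(jq -n --arg dacl "${DACL_NAME}" '{
  AuthorizationProfile: {
    name: "Linux-EAP-TLS-Access",
    description: "EAP-TLS authenticated Linux with AD-only dACL",
    accessType: "ACCESS_ACCEPT",
    authzProfileType: "SWITCH",
    daclName: $dacl,
    vlan: { nameID: "DATA", tagID: 10 }
  }
}')
# -w prints the HTTP status after the response so a rejected create is
# not silent, while still showing ISE's error JSON (which -f would discard).
curl -sSk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d "${PROFILE_BODY}" \
  -w 'HTTP %{http_code}\n'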
Profile with SGT (TrustSec)
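# Create a profile that also assigns a TrustSec SGT via a Cisco
# cisco-av-pair attribute. The body is a fixed literal, so no shell values
# are spliced in.
# NOTE: "leftHandSideDictionaryAttribue" and "rightHandSideAttribueValue"
# are spelled exactly as the ERS schema names them; do not "correct" them.
# -S keeps curl errors visible despite -s; -w prints the HTTP status after
# the response so a rejected create is not silent, while still showing
# ISE's error JSON (which -f would discard).
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
curl -sSk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d '{
  "AuthorizationProfile": {
    "name": "Linux-TrustSec-Profile",
    "description": "Linux with TrustSec SGT assignment",
    "accessType": "ACCESS_ACCEPT",
    "authzProfileType": "SWITCH",
    "daclName": "Linux-Permit-All",
    "vlan": {
      "nameID": "DATA",
      "tagID": 10
    },
    "advancedAttributes": [
      {
        "leftHandSideDictionaryAttribue": {
          "AdvancedAttributeValueType": "AdvancedDictionaryAttribute",
          "dictionaryName": "Cisco",
          "attributeName": "cisco-av-pair"
        },
        "rightHandSideAttribueValue": {
          "AdvancedAttributeValueType": "AttributeValue",
          "value": "cts:security-group-tag=0010-00"
        }
      }
    ]
  }
}' \
  -w 'HTTP %{http_code}\n'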
MAB Onboarding Profile
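# Create a limited-access profile for MAB onboarding: onboarding VLAN,
# restrictive dACL and a re-authentication setting so the endpoint is
# re-evaluated after the timer (presumably seconds) expires.
# The body is a fixed literal, so no shell values are spliced in.
# -S keeps curl errors visible despite -s; -w prints the HTTP status after
# the response so a rejected create is not silent, while still showing
# ISE's error JSON (which -f would discard).
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
curl -sSk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d '{
  "AuthorizationProfile": {
    "name": "MAB-Onboarding",
    "description": "Limited access for MAB onboarding",
    "accessType": "ACCESS_ACCEPT",
    "authzProfileType": "SWITCH",
    "daclName": "MAB-Onboard-DACL",
    "vlan": {
      "nameID": "ONBOARD",
      "tagID": 999
    },
    "reauth": {
      "timer": 3600,
      "connectivity": "RADIUS_REQUEST"
    }
  }
}' \
  -w 'HTTP %{http_code}\n'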
Deny Profile
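# Create an explicit deny profile (ACCESS_REJECT, no other attributes).
# The body is a fixed literal, so no shell values are spliced in.
# -S keeps curl errors visible despite -s; -w prints the HTTP status after
# the response so a rejected create is not silent, while still showing
# ISE's error JSON (which -f would discard).
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
curl -sSk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d '{
  "AuthorizationProfile": {
    "name": "Deny-Access",
    "description": "Explicit deny for unauthorized devices",
    "accessType": "ACCESS_REJECT"
  }
}' \
  -w 'HTTP %{http_code}\n'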
Update Profile
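# Point an existing profile at a different dACL.
PROFILE_NAME="Linux-EAP-TLS-Access"
NEW_DACL="Linux-Hardened-DACL"
# Look up the profile to obtain its id. -f turns a 404 into a curl error
# instead of a body without an id; -S keeps that error visible despite -s.
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
PROFILE=$(curl -sSfk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile/name/${PROFILE_NAME}" \
  -H "Accept: application/json")
# `// empty` yields no output for a missing id so the :? check fires
# instead of sending a PUT to .../authorizationprofile/null.
PROFILE_ID=$(jq -r '.AuthorizationProfile.id // empty' <<<"${PROFILE}")
: "${PROFILE_ID:?profile ${PROFILE_NAME} not found}"
# Build the PUT body with jq --arg so id, name and dACL are JSON-escaped
# rather than spliced into the literal as shell text.
# NOTE(review): this sends the same minimal field set as before; if ERS
# treats PUT as a full replacement, attributes not listed here (vlan,
# description, ...) may be cleared — confirm against your ISE version.
UPDATE_BODY=$(jq -n --arg id "${PROFILE_ID}" --arg name "${PROFILE_NAME}" \
  --arg dacl "${NEW_DACL}" '{
  AuthorizationProfile: {
    id: $id,
    name: $name,
    accessType: "ACCESS_ACCEPT",
    authzProfileType: "SWITCH",
    daclName: $dacl
  }
}')
# -w prints the HTTP status after the response so a rejected update is not
# silent, while still showing ISE's error JSON (which -f would discard).
curl -sSk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile/${PROFILE_ID}" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X PUT \
  -d "${UPDATE_BODY}" \
  -w 'HTTP %{http_code}\n'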
Delete Profile
netapi
# CLI wrapper; presumably the same as the curl call in the next tab, but
# addressed by profile name rather than by id.
netapi ise delete-authz-profile "Test-Profile"
curl
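# Delete an authorization profile by id.
# PROFILE_ID below is a placeholder: take the real id from the profile's
# GET-by-name response (.AuthorizationProfile.id) first.
PROFILE_ID="abc123-def456"
# -S keeps curl errors visible despite -s; -w prints the HTTP status so a
# refused delete is visible rather than silent, while still showing ISE's
# error JSON (which -f would discard).
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
curl -sSk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile/${PROFILE_ID}" \
  -H "Accept: application/json" \
  -X DELETE \
  -w 'HTTP %{http_code}\n'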
Common Patterns
Find Profiles Using dACL
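# Print the names of the profiles whose daclName equals DACL_NAME.
# The summary list does not appear to carry daclName, so every profile is
# fetched individually (one request per profile).
DACL_NAME="Linux-Permit-AD-Only"
# -f: an HTTP error fails curl instead of feeding an ERS error body to jq;
# -S keeps curl's error message visible despite -s.
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
# NOTE: ERS list responses are paged; with more profiles than one page
# holds, follow .SearchResult.nextPage to cover the rest.
curl -sSfk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Accept: application/json" \
  | jq -r '.SearchResult.resources[].id' \
  | while IFS= read -r ID; do
      # A profile that cannot be fetched is skipped (curl already reported
      # the error on stderr) rather than compared against an empty body.
      PROFILE=$(curl -sSfk -u "${ISE_AUTH}" \
        "${BASE_URL}/authorizationprofile/${ID}" \
        -H "Accept: application/json") || continue
      # One jq pass: select on daclName (missing field never matches) and
      # emit the name. --arg keeps DACL_NAME out of the filter text.
      jq -r --arg dacl "${DACL_NAME}" \
        'select(.AuthorizationProfile.daclName == $dacl) | .AuthorizationProfile.name' \
        <<<"${PROFILE}"
    done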
Clone Profile
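# Clone an existing profile under a new name.
SOURCE_PROFILE="Linux-EAP-TLS-Access"
NEW_PROFILE="Linux-EAP-TLS-Access-v2"
# Fetch the source profile. -f turns a 404 into a curl error instead of an
# error body that would be cloned; -S keeps that error visible despite -s.
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
PROFILE=$(curl -sSfk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile/name/${SOURCE_PROFILE}" \
  -H "Accept: application/json")
# Drop the server-assigned id and link, rename, and record the origin in
# the description. --arg passes both names as JSON values, so quotes or
# backslashes in them cannot break the filter; wrapping the result in
# {AuthorizationProfile: ...} here avoids string-building the body below.
NEW_PROFILE_JSON=$(jq --arg new "${NEW_PROFILE}" --arg src "${SOURCE_PROFILE}" '{
  AuthorizationProfile: (
    .AuthorizationProfile
    | del(.id, .link)
    | .name = $new
    | .description = "Cloned from \($src)"
  )
}' <<<"${PROFILE}")
# -w prints the HTTP status after the response so a rejected create is not
# silent, while still showing ISE's error JSON (which -f would discard).
curl -sSk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d "${NEW_PROFILE_JSON}" \
  -w 'HTTP %{http_code}\n'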
Export All Profiles
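# Export the full definition of every profile to a JSON array file.
# -f: an HTTP error fails curl instead of letting an ERS error body (or a
#     truncated response) corrupt the array; -S keeps the error visible.
# -k disables TLS verification; replace with --cacert <ISE CA bundle>.
# NOTE: ERS list responses are paged; with more profiles than one page
# holds, only the first page is exported unless .SearchResult.nextPage is
# followed — check the count in the backup against the ISE UI.
curl -sSfk -u "${ISE_AUTH}" \
  "${BASE_URL}/authorizationprofile" \
  -H "Accept: application/json" \
  | jq -r '.SearchResult.resources[].id' \
  | while IFS= read -r ID; do
      # On failure nothing reaches stdout (so jq -s still sees valid JSON);
      # the warning goes to stderr so the backup is known to be incomplete.
      curl -sSfk -u "${ISE_AUTH}" \
        "${BASE_URL}/authorizationprofile/${ID}" \
        -H "Accept: application/json" \
        || printf 'warn: profile %s not exported\n' "${ID}" >&2
    done | jq -s '.' > authz-profiles-backup.json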