PDF(2.4 MB) View with Adobe Reader on a variety of devices
ePub(2.4 MB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(1.8 MB) View on Kindle device or Kindle app on multiple devices
Updated:October 12, 2023
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to configure Cisco Identity Service Engine 3.3 pxGrid Context-in using Open API.
Cisco recommends that you have knowledge of these topics:
Cisco Identity Service Engine (ISE) 3.3
Advance REST API
The information in this document is based on these software and hardware versions:
Cisco ISE 3.3
Insomnia REST API client
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
pxGrid Context-In solution through REST APIs. This is because the Context-In pubsub model has some limitations with respect to using custom attributes in profiling and authorization policies.
Custom attributes are user-defined attributes that do not come in as endpoint data through regular network probes. Prior to ISE 3.3, there were mainly two ways to input custom attribute values as endpoint data.
pxGrid Context-In asset topic, where ISE acts as a consumer and consumes endpoint data published by an external third-party product.
Both these channels have limitations for using custom attributes in profiling and authorization policies.
Enable Open API on ISE
Open API is disabled by default on ISE. In order to enable it, navigate to Administration > System > API Settings > API Service Settings. Toggle the Open API options and click Save.
Enable Open API
Enable Custom Attribute for Profiling Enforcement on ISE
Custom Attribute for Profiling Enforcement is disabled by default on ISE. In order to enable it, navigate to Work Centers > Profiler > Settings > Profiler Settings. Enable Custom Attribute for Profiling Enforcement. Click Save.
Enable Custom Attribute for Profiling Enforcement
Note: The Custom Attribute for Profiling Enforcement flag indicates that an automatic re-profiling action takes place if any custom attribute is modified.
In order to access all Open API definitions on ISE, navigate to Administration > System > Settings > API Settingsand click 'For more information on ISE Open API, please visit:'.
The URLs for the definitions used in this document are:
From ISE, navigate to Administration > Identity Management > Settings > Endpoint Custom Attributes. Verify that the attribute was created.
Endpoint Custom Attribute GUI
Note: The Endpoint Custom Attributes can be added manually. From ISE, navigate to Administration > Identity Management > Settings > Endpoint Custom Attributes. Click +, then enter the Attribute Name, and choose the Type.
Context-In API for Single Endpoint
Profiling Policy for Custom Attribute
From ISE, navigate to Work Centers > Profiler > Profiling Policies. Click Add.
Enter Nameof the profiling policy.
Under Rules, navigate to Attributes > Create New Condition > CUSTOMATTRIBUTE. Choose the custom attribute created, choose Operator, and enter the value to be matched. Click Submit.
In this example, the DevicTypeA profiling policy is defined with CUSTOMATTRIBUTE_DeviceType.
In this example, an endpoint with the mac address 94:DA:5F:96:74:63and DeviceType set to A is created.