CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License

No eap_fast_use_pacs_server_returns parameter available in ciscoise_allowed_protocols resource in eap-fast block #104

Closed AgnieszkaChudy closed 3 months ago

AgnieszkaChudy commented 1 year ago

Prerequisites

Describe the bug: The following Terraform code does not work:

# Reproducer for issue #104: a ciscoise_allowed_protocols resource whose eap_fast
# block sets eap_fast_use_pacs_server_returns. The provider schema rejects that
# argument as "Unsupported argument", while the ISE ERS backend reports the same
# field (EapFastUsePacsServerReturns) as mandatory once
# EapFastUsePacsAllowAuthenProvisioning is set (see the error output in this issue).
resource "ciscoise_allowed_protocols" "PreprodProtocols" {
  provider = ciscoise
  parameters {
    name        = "Preprod Protocols"
    description = "Allowed protocols for Preprod HF"

    # Boolean-looking values are written as quoted strings throughout this block;
    # the plan output in this issue echoes them back as quoted strings, so the
    # provider schema appears to type them as strings — confirm against the docs.
    eap_tls_l_bit = "false"
    eap_tls {

      allow_eap_tls_auth_of_expired_certs     = "false"
      eap_tls_enable_stateless_session_resume = "false"
    }

    eap_fast {

      allow_eap_fast_eap_ms_chap_v2                                           = "true"
      allow_eap_fast_eap_ms_chap_v2_pwd_change                                = "true"
      allow_eap_fast_eap_ms_chap_v2_pwd_change_retries                        = 3
      allow_eap_fast_eap_gtc                                                  = "true"
      allow_eap_fast_eap_gtc_pwd_change                                       = "true"
      allow_eap_fast_eap_gtc_pwd_change_retries                               = 3
      allow_eap_fast_eap_tls                                                  = "true"
      allow_eap_fast_eap_tls_auth_of_expired_certs                            = "false"
      eap_fast_use_pacs                                                       = "true"
      eap_fast_use_pacs_tunnel_pac_ttl                                        = 90
      eap_fast_use_pacs_tunnel_pac_ttl_units                                  = "DAYS"
      eap_fast_use_pacs_use_proactive_pac_update_precentage                   = 90
      # NOTE(review): anonymous (unauthenticated) in-band PAC provisioning is
      # generally regarded as the weaker provisioning mode; confirm it is
      # intended for this environment before applying.
      eap_fast_use_pacs_allow_anonym_provisioning                             = "true"
      eap_fast_use_pacs_allow_authen_provisioning                             = "true"
      eap_fast_use_pacs_accept_client_cert                                    = "false"
      eap_fast_use_pacs_allow_machine_authentication                          = "true"
      eap_fast_use_pacs_machine_pac_ttl                                       = 1
      eap_fast_use_pacs_machine_pac_ttl_units                                 = "WEEKS"
      eap_fast_use_pacs_stateless_session_resume                              = "true"
      eap_fast_use_pacs_authorization_pac_ttl                                 = 1
      eap_fast_use_pacs_authorization_pac_ttl_units                           = "HOURS"
      eap_fast_enable_eap_chaining                                            = "false"
      # This is the argument the provider rejects with "Unsupported argument".
      # Omitting it instead makes the ERS create call fail with a validation
      # error naming EapFastUsePacsServerReturns as missing.
      eap_fast_use_pacs_server_returns                                        = "true"
    }

    eap_ttls {

      eap_ttls_chap                              = "true"
      eap_ttls_eap_md5                           = "true"
      eap_ttls_eap_ms_chap_v2                    = "true"
      eap_ttls_eap_ms_chap_v2_pwd_change         = "true"
      eap_ttls_eap_ms_chap_v2_pwd_change_retries = 1
      eap_ttls_ms_chap_v1                        = "true"
      eap_ttls_ms_chap_v2                        = "true"
      eap_ttls_pap_ascii                         = "true"
    }

    process_host_lookup          = "true"
    require_message_auth         = "false"
    allow_chap                   = "false"
    allow_eap_fast               = "true"
    allow_eap_md5                = "true"
    allow_eap_tls                = "true"
    allow_eap_ttls               = "true"
    allow_leap                   = "false"
    allow_ms_chap_v1             = "false"
    allow_ms_chap_v2             = "false"
    allow_pap_ascii              = "true"
    allow_peap                   = "false"
    allow_preferred_eap_protocol = "false"
    allow_teap                   = "false"
    allow_weak_ciphers_for_eap   = "false"

  }
} 

I'm getting error:

✗ terraform apply

│ Error: Unsupported argument
│ 
│   on main.tf line 38, in resource "ciscoise_allowed_protocols" "PreprodProtocols":
│   38:       eap_fast_use_pacs_server_returns                                        = "true"
│ 
│ An argument named "eap_fast_use_pacs_server_returns" is not expected here.

This parameter appears to be mandatory, because when I try the following code (without this parameter) I get this error:

code:

# Second reproducer for issue #104: identical to the first, except that
# eap_fast_use_pacs_server_returns is commented out so the provider schema
# accepts the configuration. The plan then succeeds but the ERS create call
# fails with a validation error naming EapFastUsePacsServerReturns as missing
# (see the terraform apply output in this issue).
resource "ciscoise_allowed_protocols" "PreprodProtocols" {
  provider = ciscoise
  parameters {
    name        = "Preprod Protocols"
    description = "Allowed protocols for Preprod HF"

    # Boolean-looking values are written as quoted strings throughout this block;
    # the plan output in this issue echoes them back as quoted strings, so the
    # provider schema appears to type them as strings — confirm against the docs.
    eap_tls_l_bit = "false"
    eap_tls {

      allow_eap_tls_auth_of_expired_certs     = "false"
      eap_tls_enable_stateless_session_resume = "false"
    }

    eap_fast {

      allow_eap_fast_eap_ms_chap_v2                                           = "true"
      allow_eap_fast_eap_ms_chap_v2_pwd_change                                = "true"
      allow_eap_fast_eap_ms_chap_v2_pwd_change_retries                        = 3
      allow_eap_fast_eap_gtc                                                  = "true"
      allow_eap_fast_eap_gtc_pwd_change                                       = "true"
      allow_eap_fast_eap_gtc_pwd_change_retries                               = 3
      allow_eap_fast_eap_tls                                                  = "true"
      allow_eap_fast_eap_tls_auth_of_expired_certs                            = "false"
      eap_fast_use_pacs                                                       = "true"
      eap_fast_use_pacs_tunnel_pac_ttl                                        = 90
      eap_fast_use_pacs_tunnel_pac_ttl_units                                  = "DAYS"
      eap_fast_use_pacs_use_proactive_pac_update_precentage                   = 90
      # NOTE(review): anonymous (unauthenticated) in-band PAC provisioning is
      # generally regarded as the weaker provisioning mode; confirm it is
      # intended for this environment before applying.
      eap_fast_use_pacs_allow_anonym_provisioning                             = "true"
      eap_fast_use_pacs_allow_authen_provisioning                             = "true"
      eap_fast_use_pacs_accept_client_cert                                    = "false"
      eap_fast_use_pacs_allow_machine_authentication                          = "true"
      eap_fast_use_pacs_machine_pac_ttl                                       = 1
      eap_fast_use_pacs_machine_pac_ttl_units                                 = "WEEKS"
      eap_fast_use_pacs_stateless_session_resume                              = "true"
      eap_fast_use_pacs_authorization_pac_ttl                                 = 1
      eap_fast_use_pacs_authorization_pac_ttl_units                           = "HOURS"
      eap_fast_enable_eap_chaining                                            = "false"
      # Commented out only to get past the provider's "Unsupported argument"
      # check; ISE ERS still requires this field alongside
      # eap_fast_use_pacs_allow_authen_provisioning, so apply fails.
      #eap_fast_use_pacs_server_returns                                        = "true"
    }

    eap_ttls {

      eap_ttls_chap                              = "true"
      eap_ttls_eap_md5                           = "true"
      eap_ttls_eap_ms_chap_v2                    = "true"
      eap_ttls_eap_ms_chap_v2_pwd_change         = "true"
      eap_ttls_eap_ms_chap_v2_pwd_change_retries = 1
      eap_ttls_ms_chap_v1                        = "true"
      eap_ttls_ms_chap_v2                        = "true"
      eap_ttls_pap_ascii                         = "true"
    }

    process_host_lookup          = "true"
    require_message_auth         = "false"
    allow_chap                   = "false"
    allow_eap_fast               = "true"
    allow_eap_md5                = "true"
    allow_eap_tls                = "true"
    allow_eap_ttls               = "true"
    allow_leap                   = "false"
    allow_ms_chap_v1             = "false"
    allow_ms_chap_v2             = "false"
    allow_pap_ascii              = "true"
    allow_peap                   = "false"
    allow_preferred_eap_protocol = "false"
    allow_teap                   = "false"
    allow_weak_ciphers_for_eap   = "false"

  }
} 

error:

✗ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # ciscoise_allowed_protocols.PreprodProtocols will be created
  + resource "ciscoise_allowed_protocols" "PreprodProtocols" {
      + id           = (known after apply)
      + item         = (known after apply)
      + last_updated = (known after apply)

      + parameters {
          + allow_chap                   = "false"
          + allow_eap_fast               = "true"
          + allow_eap_md5                = "true"
          + allow_eap_tls                = "true"
          + allow_eap_ttls               = "true"
          + allow_leap                   = "false"
          + allow_ms_chap_v1             = "false"
          + allow_ms_chap_v2             = "false"
          + allow_pap_ascii              = "true"
          + allow_peap                   = "false"
          + allow_preferred_eap_protocol = "false"
          + allow_teap                   = "false"
          + allow_weak_ciphers_for_eap   = "false"
          + description                  = "Allowed protocols for Preprod HF"
          + eap_tls_l_bit                = "false"
          + id                           = (known after apply)
          + link                         = (known after apply)
          + name                         = "Preprod Protocols"
          + preferred_eap_protocol       = (known after apply)
          + process_host_lookup          = "true"
          + require_message_auth         = "false"

          + eap_fast {
              + allow_eap_fast_eap_gtc                                                  = "true"
              + allow_eap_fast_eap_gtc_pwd_change                                       = "true"
              + allow_eap_fast_eap_gtc_pwd_change_retries                               = 3
              + allow_eap_fast_eap_ms_chap_v2                                           = "true"
              + allow_eap_fast_eap_ms_chap_v2_pwd_change                                = "true"
              + allow_eap_fast_eap_ms_chap_v2_pwd_change_retries                        = 3
              + allow_eap_fast_eap_tls                                                  = "true"
              + allow_eap_fast_eap_tls_auth_of_expired_certs                            = "false"
              + eap_fast_dont_use_pacs_accept_client_cert                               = (known after apply)
              + eap_fast_dont_use_pacs_allow_machine_authentication                     = (known after apply)
              + eap_fast_enable_eap_chaining                                            = "false"
              + eap_fast_use_pacs                                                       = "true"
              + eap_fast_use_pacs_accept_client_cert                                    = "false"
              + eap_fast_use_pacs_allow_anonym_provisioning                             = "true"
              + eap_fast_use_pacs_allow_authen_provisioning                             = "true"
              + eap_fast_use_pacs_allow_machine_authentication                          = "true"
              + eap_fast_use_pacs_authorization_pac_ttl                                 = 1
              + eap_fast_use_pacs_authorization_pac_ttl_units                           = "HOURS"
              + eap_fast_use_pacs_machine_pac_ttl                                       = 1
              + eap_fast_use_pacs_machine_pac_ttl_units                                 = "WEEKS"
              + eap_fast_use_pacs_return_access_accept_after_authenticated_provisioning = (known after apply)
              + eap_fast_use_pacs_stateless_session_resume                              = "true"
              + eap_fast_use_pacs_tunnel_pac_ttl                                        = 90
              + eap_fast_use_pacs_tunnel_pac_ttl_units                                  = "DAYS"
              + eap_fast_use_pacs_use_proactive_pac_update_precentage                   = 90
            }

          + eap_tls {
              + allow_eap_tls_auth_of_expired_certs     = "false"
              + eap_tls_enable_stateless_session_resume = "false"
              + eap_tls_session_ticket_precentage       = (known after apply)
              + eap_tls_session_ticket_ttl              = (known after apply)
              + eap_tls_session_ticket_ttl_units        = (known after apply)
            }

          + eap_ttls {
              + eap_ttls_chap                              = "true"
              + eap_ttls_eap_md5                           = "true"
              + eap_ttls_eap_ms_chap_v2                    = "true"
              + eap_ttls_eap_ms_chap_v2_pwd_change         = "true"
              + eap_ttls_eap_ms_chap_v2_pwd_change_retries = 1
              + eap_ttls_ms_chap_v1                        = "true"
              + eap_ttls_ms_chap_v2                        = "true"
              + eap_ttls_pap_ascii                         = "true"
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

ciscoise_allowed_protocols.PreprodProtocols: Creating...
╷
│ Error: Failure when executing CreateAllowedProtocol
│ 
│   with ciscoise_allowed_protocols.PreprodProtocols,
│   on main.tf line 1, in resource "ciscoise_allowed_protocols" "PreprodProtocols":
│    1: resource "ciscoise_allowed_protocols" "PreprodProtocols" {
│ 
│ error with operation CreateAllowedProtocol
│ {
│   "ERSResponse" : {
│     "operation" : "POST-create-allowedprotocols",
│     "messages" : [ {
│       "title" : "Validation Error - Mandatory fields missing: [EapFastUsePacsAllowAuthenProvisioning is allowed but the following field is missing: EapFastUsePacsServerReturns]",
│       "type" : "ERROR",
│       "code" : "Application resource validation exception"
│     } ],
│     "link" : {
│       "rel" : "related",
│       "href" : "https://10.48.190.181:9060/ers/config/allowedprotocols",
│       "type" : "application/xml"
│     }
│   }
│ }

Expected behavior: Through the ERS API I can create allowed_protocols with eapFastUsePacsServerReturns set in eapFast.

POST: https://10.48.190.181/ers/config/allowedprotocols

Body:

{
    "AllowedProtocols": {
        "name": "Preprod Protocols",
        "description": "Allowed protocols for Preprod HF",
        "eapTls": {
            "allowEapTlsAuthOfExpiredCerts": false,
            "eapTlsEnableStatelessSessionResume": false
        },

        "eapFast": {
            "allowEapFastEapMsChapV2": true,
            "allowEapFastEapMsChapV2PwdChange": true,
            "allowEapFastEapMsChapV2PwdChangeRetries": 3,
            "allowEapFastEapGtc": true,
            "allowEapFastEapGtcPwdChange": true,
            "allowEapFastEapGtcPwdChangeRetries": 3,
            "allowEapFastEapTls": true,
            "allowEapFastEapTlsAuthOfExpiredCerts": false,
            "eapFastUsePacs": true,
            "eapFastUsePacsTunnelPacTtl": 90,
            "eapFastUsePacsTunnelPacTtlUnits": "DAYS",
            "eapFastUsePacsUseProactivePacUpdatePrecentage": 90,
            "eapFastUsePacsAllowAnonymProvisioning": true,
            "eapFastUsePacsAllowAuthenProvisioning": true,
            "eapFastUsePacsAcceptClientCert": false,
            "eapFastUsePacsAllowMachineAuthentication": true,
            "eapFastUsePacsMachinePacTtl": 1,
            "eapFastUsePacsMachinePacTtlUnits": "WEEKS",
            "eapFastUsePacsStatelessSessionResume": true,
            "eapFastUsePacsAuthorizationPacTtl": 1,
            "eapFastUsePacsAuthorizationPacTtlUnits": "HOURS",
            "eapFastEnableEAPChaining": false,
            "eapFastUsePacsServerReturns": true
        },
        "eapTtls": {
            "eapTtlsPapAscii": true,
            "eapTtlsChap": true,
            "eapTtlsMsChapV1": true,
            "eapTtlsMsChapV2": true,
            "eapTtlsEapMd5": true,
            "eapTtlsEapMsChapV2": true,
            "eapTtlsEapMsChapV2PwdChange": true,
            "eapTtlsEapMsChapV2PwdChangeRetries": 1
        },

        "processHostLookup": true,
        "allowPapAscii": true,
        "allowChap": false,
        "allowMsChapV1": false,
        "allowMsChapV2": false,
        "allowEapMd5": true,
        "allowLeap": false,
        "allowEapTls": true,
        "allowEapTtls": true,
        "allowEapFast": true,
        "allowPeap": false,
        "allowTeap": false,
        "allowPreferredEapProtocol": false,
        "eapTlsLBit": false,
        "allowWeakCiphersForEap": false,
        "requireMessageAuth": false
    }
}

Results 201

Environment (please complete the following information):

fmunozmiranda commented 4 months ago

Hi @AgnieszkaChudy, could you please retry it with the latest version of the ISE provider and let us know if the bug is still there?

fmunozmiranda commented 3 months ago

If we don't get an answer, this issue will be closed in the next 24 hours.