ISE ERS API

ERS (External RESTful Services) is the original ISE REST API for managing identity and policy objects.

Overview

Base URL  https://ise-01.inside.domusdigitalis.dev:9060/ers/config/
Auth      Basic Auth (ERS Admin role required)
Format    JSON or XML (Accept/Content-Type headers)
Docs      Administration > System > Settings > ERS Settings

Enable ERS

# Must be enabled in ISE GUI first
# Administration > System > Settings > ERS Settings > Enable ERS for Read/Write

Common Endpoints

Resource                Path                   netapi Command
Endpoints               /endpoint              netapi ise ers endpoints
Endpoint Groups         /endpointgroup         netapi ise ers endpoint-groups
Identity Groups         /identitygroup         netapi ise ers identity-groups
Network Devices         /networkdevice         netapi ise ers network-devices
Network Device Groups   /networkdevicegroup    netapi ise get-ndgs
Authorization Profiles  /authorizationprofile  netapi ise get-authz-profiles
Downloadable ACLs       /downloadableacl       netapi ise list-dacls
SGTs                    /sgt                   netapi ise ers sgts
ANC Policies            /ancpolicy             netapi ise anc list-policies

Examples

List Endpoints

# netapi
netapi ise ers endpoints

# curl (-k skips TLS certificate verification; use --cacert with the ISE CA once it is trusted)
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST:9060/ers/config/endpoint" | jq '.SearchResult.resources'

Get Endpoint by MAC

# netapi
netapi ise ers endpoint --mac 14:F6:D8:7B:31:80

# curl
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST:9060/ers/config/endpoint?filter=mac.EQ.14:F6:D8:7B:31:80" | jq

Create dACL

# netapi
netapi ise create-dacl "Linux-Research-Hardened" --file /tmp/dacl-content.txt

# curl
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST "https://$ISE_HOST:9060/ers/config/downloadableacl" \
  -d '{
    "DownloadableAcl": {
      "name": "Linux-Research-Hardened",
      "dacl": "permit tcp any host 10.50.1.50 eq 88\npermit tcp any host 10.50.1.50 eq 389\ndeny ip any any"
    }
  }'

List Authorization Profiles

# netapi
netapi ise get-authz-profiles

# curl
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST:9060/ers/config/authorizationprofile" | \
  jq '.SearchResult.resources[] | {name, id: .id}'

Pagination

ERS uses page and size parameters:

# First 100 endpoints
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST:9060/ers/config/endpoint?size=100&page=1"

# Loop all pages
# The Accept header is required here: ERS answers in XML by default and jq cannot parse it
page=1
while true; do
  response=$(curl -ks -u "$ISE_USER:$ISE_PASS" \
    -H "Accept: application/json" \
    "https://$ISE_HOST:9060/ers/config/endpoint?size=100&page=$page")

  # Stop at the first page that carries no resources
  count=$(echo "$response" | jq '.SearchResult.resources | length')
  [[ "$count" -eq 0 ]] && break

  echo "$response" | jq '.SearchResult.resources[]'
  ((page++))
done

Filtering

# Filter by name
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST:9060/ers/config/endpoint?filter=name.CONTAINS.Linux"

# Filter by MAC
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST:9060/ers/config/endpoint?filter=mac.EQ.14:F6:D8:7B:31:80"

# Multiple filters (AND)
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST:9060/ers/config/endpoint?filter=name.CONTAINS.Linux&filter=staticGroupAssignment.EQ.true"

Environment Setup

Before running examples, set up credentials:

# Load from dsec
dsource d000 dev/network

# Or set manually
export ISE_HOST="ise-01.inside.domusdigitalis.dev"
export ISE_USER="ersadmin"
export ISE_PASS="<from gopass>"

Learnings

ERS Gotchas
  • ERS must be enabled in ISE GUI first (Administration > System > Settings)

  • Requires separate ERS Admin credentials (not ISE admin GUI account)

  • XML is default - always specify Accept: application/json

  • Rate limiting: 10 requests/second default

  • Pagination starts at page 1, not 0
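
The pagination loop from the Pagination section, reworked as an added example (not part of the original page) so that the gotchas above cannot fail silently: it always requests JSON, treats an HTTP error or a non-JSON body as a failure rather than an empty inventory, and pauses between pages to stay within the 10 requests/second default. The names ers_get, ers_list_all and ERS_DELAY are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the original page). ers_get, ers_list_all and
# ERS_DELAY are names invented here; requires curl and jq.

# Fetch one ERS URL as JSON. --fail turns HTTP 4xx/5xx (bad credentials,
# ERS disabled) into a non-zero exit instead of an error body on stdout.
# -k mirrors the page's examples; use --cacert once the ISE CA is trusted.
ers_get() {
  curl -ks --fail -u "$ISE_USER:$ISE_PASS" \
    -H "Accept: application/json" "$1"
}

# ers_list_all RESOURCE [SIZE]
# Prints every resource of a collection as one compact JSON object per line.
# Exit 1: request failed. Exit 2: body is not a JSON SearchResult (e.g. XML).
# The body runs in a subshell "( )", so its variables stay local.
ers_list_all() (
  resource=$1
  size=${2:-100}
  page=1                                  # ERS pages start at 1, not 0
  while :; do
    url="https://$ISE_HOST:9060/ers/config/$resource?size=$size&page=$page"
    body=$(ers_get "$url") || {
      echo "page $page: request failed" >&2
      exit 1
    }
    # "objects" yields nothing unless .SearchResult is a JSON object, and
    # jq -e then exits non-zero; XML input fails earlier as a parse error.
    count=$(printf '%s' "$body" |
      jq -e '.SearchResult | objects | (.resources // []) | length' \
        2>/dev/null) || {
      echo "page $page: response is not a JSON SearchResult" >&2
      exit 2
    }
    printf '%s' "$body" | jq -c '.SearchResult.resources[]?'
    # A short page is the last page; this also covers an empty one.
    [ "$count" -lt "$size" ] && break
    page=$((page + 1))
    sleep "${ERS_DELAY:-0.1}"             # at most 10 requests per second
  done
)

# Usage: ers_list_all endpoint | jq -r '.name'
```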