ISE API Overview

Cisco ISE exposes 5 distinct APIs, each serving different use cases. Understanding which API to use is critical.

API Comparison

API          Port  Auth        Best For
ERS          9060  Basic Auth  CRUD operations on endpoints, groups, profiles, dACLs
OpenAPI      443   Basic Auth  Policy sets, rules, deployment, modern operations
MnT          443   Basic Auth  Active sessions, CoA (reauth/disconnect)
DataConnect  2484  JDBC        SQL queries, reports, analytics, historical data
pxGrid       8910  mTLS        Real-time events, pub/sub, ANC actions

Base URLs

All on ise-01.inside.domusdigitalis.dev:

ERS:         https://ise-01.inside.domusdigitalis.dev:9060/ers/config/
OpenAPI:     https://ise-01.inside.domusdigitalis.dev:443/api/v1/
MnT:         https://ise-01.inside.domusdigitalis.dev:443/admin/API/mnt/
DataConnect: jdbc:oracle:thin:@ise-01.inside.domusdigitalis.dev:2484/cpm10
pxGrid:      https://ise-01.inside.domusdigitalis.dev:8910/

Decision Tree

Need to...
├── Create/update/delete ISE objects?
│   ├── Endpoints, groups, profiles → ERS
│   └── Policy sets, rules → OpenAPI
├── Query current sessions?
│   └── MnT (Session API)
├── Force re-authentication or disconnect?
│   └── MnT (CoA API)
├── Run reports or analytics?
│   └── DataConnect (SQL)
├── React to real-time events?
│   └── pxGrid (WebSocket)
└── Bulk operations with ANC?
    └── pxGrid (ANC API)

Quick Examples

List Endpoints (ERS)

# netapi
netapi ise ers endpoints

# curl
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST:9060/ers/config/endpoint" | jq '.SearchResult.resources'

Get Policy Sets (OpenAPI)

# netapi
netapi ise list-policy-sets

# curl
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST/api/v1/policy/network-access/policy-set" | jq '.response[]'

Active Sessions (MnT)

# netapi
netapi ise mnt sessions

# curl (returns XML by default)
curl -ks -u "$ISE_USER:$ISE_PASS" \
  "https://$ISE_HOST/admin/API/mnt/Session/ActiveList"

# curl with JSON
curl -ks -u "$ISE_USER:$ISE_PASS" \
  -H "Accept: application/json" \
  "https://$ISE_HOST/admin/API/mnt/Session/ActiveList" | jq

Auth Stats (DataConnect)

netapi ise dc query "SELECT * FROM RADIUS_AUTHENTICATIONS FETCH FIRST 10 ROWS ONLY"

netapi Coverage

Most ISE operations are wrapped in the netapi CLI:

# ERS
netapi ise ers endpoints
netapi ise list-dacls
netapi ise get-authz-profiles

# OpenAPI
netapi ise get-policy-sets
netapi ise api-call openapi GET '/api/v1/deployment/node'

# MnT
netapi ise mnt sessions
netapi ise coa reauth --mac 14:F6:D8:7B:31:80

# DataConnect
netapi ise dc query "SELECT USERNAME FROM RADIUS_AUTHENTICATIONS FETCH FIRST 10 ROWS ONLY"

Credential Setup

# Load all ISE credentials
dsource d000 dev/network

# Verify
echo "ISE Host: $ISE_HOST"
echo "ISE User: $ISE_USER"
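
The curl quick examples above pass -k, which skips certificate verification, and -u, which puts the password on the command line. As an added example (not part of the original page or of netapi), the wrapper below issues the same GET requests with the ISE certificate checked against a CA bundle and the credentials fed to curl on stdin. ISE_CA_BUNDLE and the ise_* function names are assumptions introduced here.

```shell
# Added example: Basic Auth calls to ERS / OpenAPI / MnT without -k or -u.
# ISE_HOST, ISE_USER, ISE_PASS come from the credential setup on this page.
# ISE_CA_BUNDLE (assumed name): PEM file with the CA chain that signed the
# ISE admin certificate.

# Map an API name from the comparison table to its base URL.
ise_base_url() {
  case "$1" in
    ers)     printf 'https://%s:9060/ers/config/' "$ISE_HOST" ;;
    openapi) printf 'https://%s:443/api/v1/' "$ISE_HOST" ;;
    mnt)     printf 'https://%s:443/admin/API/mnt/' "$ISE_HOST" ;;
    *)       echo "ise_base_url: '$1' is not a Basic Auth REST API" >&2
             return 2 ;;
  esac
}

# Emit a curl config (consumed with -K -) that carries the credentials, so
# the password never appears in curl's argument list. Backslashes and double
# quotes are escaped as curl's quoted config syntax requires.
ise_curl_config() {
  printf 'user = "%s"\n' "$(printf '%s:%s' "$ISE_USER" "$ISE_PASS" |
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
  printf 'header = "Accept: application/json"\n'
}

# ise_get <ers|openapi|mnt> <path relative to the base URL>
# e.g. ise_get ers endpoint | jq '.SearchResult.resources'
ise_get() {
  _ise_base=$(ise_base_url "$1") || return 2
  # Refuse to run unverified: no CA bundle means no request is sent.
  [ -r "${ISE_CA_BUNDLE:-}" ] || {
    echo "ise_get: set ISE_CA_BUNDLE to a readable PEM file" >&2
    return 3
  }
  ise_curl_config | curl --silent --show-error --fail \
    --proto '=https' --cacert "$ISE_CA_BUNDLE" -K - "${_ise_base}$2"
}
```
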