INC-2026-03-16: Resolution

# Export current endpoint data
netapi ise -f json endpoints > /tmp/endpoints-$(date +%Y%m%d).json

# Create CSV with correct format:
# MACAddress,IdentityGroup
# AA:BB:CC:DD:EE:FF,Strongline_Gateways

# Import via GUI:
# Administration > Identity Management > Identities > Endpoints > Import

# Get the identity group ID for the target group
TARGET_GROUP_ID=$(netapi ise -f json identity-groups | jq -r '.[] | select(.name == "STRONGLINE_GROUP_NAME") | .id')

# Update each endpoint (requires endpoint ID)
# For each MAC address:
ENDPOINT_ID=$(netapi ise -f json endpoints | jq -r '.[] | select(.mac == "AA:BB:CC:DD:EE:FF") | .id')

# Update endpoint's identity group
netapi ise api-call openapi PUT "/api/v1/endpoint/$ENDPOINT_ID" --data "{\"groupId\": \"$TARGET_GROUP_ID\"}"

# List endpoints to find the 8 affected devices
curl -s -k -u admin:$ISE_PASSWORD \
  -H "Accept: application/json" \
  "https://ppan.ise.chla.org:9060/ers/config/endpoint?filter=mac.CONTAINS.STRONGLINE_MAC_PREFIX" | jq

# Update endpoint identity group
curl -s -k -u admin:$ISE_PASSWORD \
  -H "Content-Type: application/json" \
  -X PUT "https://ppan.ise.chla.org:9060/ers/config/endpoint/{id}" \
  -d '{
    "ERSEndPoint": {
      "groupId": "TARGET_GROUP_ID",
      "staticGroupAssignment": true
    }
  }'

# Verify all 8 devices now in correct group
netapi ise -f json endpoints | jq -r '.[] | select(.description // "" | test("strongline"; "i")) | [.mac, .identityGroup] | @tsv' | column -t

# Verify count
netapi ise -f json endpoints | jq '[.[] | select(.identityGroup == "Strongline_Gateways")] | length'

# Check session logs for VLAN assignment
netapi ise -f json mnt sessions | jq '.[] | select(.calling_station_id | test("STRONGLINE_MAC_PREFIX")) | {mac: .calling_station_id, vlan: .vlan_id}'

# CoA (Change of Authorization) to force device re-auth
# This requires NAD CoA configuration

# Or physically disconnect/reconnect device
# Or wait for session timeout