ISE ERS — Bulk Onboard Workflow
Complete workflow: Teams message with MAC list → heredoc to file → ise-batch-onboard.sh (create or update) → DataConnect validation. Replaces manual CSV import through the ISE GUI.
When to Use This
Someone sends you a list of MAC addresses (Teams, email, spreadsheet) and says "add these to ISE in group X." This workflow replaces the manual CSV import through the ISE GUI.
- Auditable — every step in your terminal history
- Verify-before/apply/verify-after — you see state changes
- Repeatable — heredoc the MACs, run the script, done
- DataConnect validation — confirm group assignment hit the auth pipeline
Prerequisites
```bash
dsource d001 dev/network/ise   # (1)

# Verify
for var in ISE_API_USER ISE_API_PASS ISE_PAN_FQDN ISE_ERS_PORT ISE_CA_CERT; do
  [[ -v "$var" ]] && printf "%-20s SET\n" "$var" || printf "%-20s MISSING\n" "$var"
done
```

(1) Use d000 for lab, d001 for production.

```bash
type ise-batch-onboard.sh
# Should resolve to scripts/ise-batch-onboard.sh or be on PATH
```
Step 1: Heredoc the MACs to a File
Paste the MACs directly from the Teams message or spreadsheet.
Any format accepted — raw (C0EE40F1A72F), colon (C0:EE:40:F1:A7:2F), or dash (C0-EE-40-F1-A7-2F).
The script normalizes automatically.
```bash
cat > /tmp/batch-macs.txt << 'EOF'
# BD Alaris pumps — 2026-05-28
# Request from: Urasaki, Alexander (PM)
# Engineers: Evan R, Arin K
C0EE40F1A72F
C0EE40F1CDCD
C0EE40F202EA
C0EE40F23322
C0EE40F2482C
C0EE40F25198
C0EE40F28139
C0EE40F28209
C0EE40F2926C
C0EE40F2AE99
C0EE40F2B62D
C0EE40F3E86D
C0EE40F48718
C0EE40F4A74E
C0EE40F5DF71
C0EE40F61585
C0EE40F61767
EOF

grep -cvE '^\s*$|^\s*#' /tmp/batch-macs.txt
# Expected: 17
```
Comments (#) and blank lines are skipped by the script. Use them for context — who requested, ticket number, date. This metadata travels with the MAC file.
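The normalization and comment handling described above, as an added example rather than the code of ise-batch-onboard.sh itself. The function names (ise_norm_mac, ise_read_mac_file) are hypothetical, and the sample file is constructed. It goes a little beyond the page: Cisco dotted form (c0ee.40f1.a72f) is accepted alongside raw, colon and dash, CR characters from Windows pastes are tolerated, and duplicate MACs are dropped with the first occurrence kept. The read function returns non-zero when any line fails to normalize, which is the check you want before letting a batch reach the APPLY phase.

```shell
#!/bin/sh
# Added example, not the code of ise-batch-onboard.sh: standalone functions
# that do what the page says the script does with the MAC file (normalize
# raw, colon or dash MACs; skip blank and '#' lines). Function names are
# hypothetical. Beyond the page: Cisco dotted form (c0ee.40f1.a72f) is
# accepted, CRLF from Windows pastes is tolerated, and duplicate MACs are
# dropped (first occurrence wins).

# ise_norm_mac RAW
#   Prints RAW as AA:BB:CC:DD:EE:FF. Returns 1 and prints nothing when the
#   value is not exactly 12 hex digits after delimiters are removed.
ise_norm_mac() {
  local hex
  hex=$(printf '%s' "$1" | tr -d ':.-' | tr '[:lower:]' '[:upper:]')
  [ "${#hex}" -eq 12 ] || return 1
  case "$hex" in
    *[!0-9A-F]*) return 1 ;;
  esac
  printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# ise_read_mac_file FILE
#   Emits one normalized MAC per line on stdout. Lines that are empty or
#   start with '#' are skipped; lines that fail to normalize are reported on
#   stderr as "INVALID: <line>". Returns 1 if any line was invalid, else 0,
#   so a caller can refuse to apply a batch that contains typos.
ise_read_mac_file() {
  local file="$1" line entry mac bad=0 seen=" "
  while IFS= read -r line || [ -n "$line" ]; do
    entry=$(printf '%s' "$line" | tr -d ' \t\r')   # strip spaces and CR
    case "$entry" in
      ''|\#*) continue ;;                           # blank or comment line
    esac
    if mac=$(ise_norm_mac "$entry"); then
      case "$seen" in
        *" $mac "*) continue ;;                     # duplicate, keep first
      esac
      seen="$seen$mac "
      printf '%s\n' "$mac"
    else
      printf 'INVALID: %s\n' "$line" >&2
      bad=$((bad + 1))
    fi
  done < "$file"
  [ "$bad" -eq 0 ]
}

# Demo on a constructed file (not the real Alaris request).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample: mixed formats as pasted from a chat message
C0EE40F1A72F
c0:ee:40:f1:cd:cd
C0-EE-40-F2-02-EA
c0ee.40f2.3322
C0EE40F1A72F
ZZEE40F1A72F
EOF
ise_read_mac_file "$demo" || echo "exit=$? (batch has invalid entries, do not apply)"
rm -f "$demo"
```

Run the demo and you get four normalized MACs on stdout (the duplicate collapses), one INVALID line on stderr, and a non-zero exit; that exit status is what a wrapper should gate the [y/N] prompt on.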
Step 2: Run the Script
```bash
ise-batch-onboard.sh /tmp/batch-macs.txt Medical_Onboard \
  "2026-05-28 ER - BD Alaris pumps add to medical device onboard"
```

What the script does:

1. Resolves "Medical_Onboard" → group UUID (one API call)
2. BEFORE: loops each MAC, normalizes, checks ISE
   - NEW endpoints: ○ C0:EE:40:F1:A7:2F — NEW (will create)
   - EXISTING endpoints: ● C0:EE:40:F1:A7:2F — EXISTS group: ... desc: ...
3. Summary: N new + N update + N invalid
4. Prompts [y/N]
5. APPLY: POST (create) or PUT (update) per device
6. AFTER: verifies group assignment matches target
| Argument | Value |
|---|---|
| `<file>` | Path to the MAC file (one per line, any format) |
| `<group>` | ISE identity group name (exact match) |
| `<desc>` | Audit trail; follows the description standard in ISE ERS Endpoints |
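The create-or-update decision and the ERS request shapes behind steps 2 to 6, as an added example that is not the body of ise-batch-onboard.sh. Function names are hypothetical; the environment variables are the ones from Prerequisites, and ISE_CA_CERT is assumed to be the path of the CA bundle that issued the PAN certificate. One deliberate difference from the page's script: an endpoint that already has a static assignment to the target group is treated as a no-op here instead of being re-PUT. The demo at the end runs offline against constructed BEFORE results; ise_apply_endpoint needs the PAN and is not exercised.

```shell
#!/bin/sh
# Added example, not the body of ise-batch-onboard.sh: the create-or-update
# decision and the ERS request shapes behind steps 2 to 6, as standalone
# functions. Function names are hypothetical. The env vars are the ones from
# Prerequisites; ISE_CA_CERT is assumed to be the path of the CA bundle that
# issued the PAN's certificate.

# ise_plan_action EXISTING_GROUP_ID EXISTING_STATIC TARGET_GROUP_ID
#   Given what the BEFORE lookup found for one MAC (empty group id means no
#   endpoint), prints the APPLY action:
#     create - no endpoint yet (POST)
#     update - exists but in another group, or profiler-managed (PUT)
#     skip   - already static in the target group (this example's no-op;
#              the page's script reports it as EXISTS and updates)
ise_plan_action() {
  local cur_group="$1" cur_static="$2" target="$3"
  if [ -z "$cur_group" ]; then
    printf 'create\n'
  elif [ "$cur_group" = "$target" ] && [ "$cur_static" = "true" ]; then
    printf 'skip\n'
  else
    printf 'update\n'
  fi
}

# json_str VALUE - minimal JSON string escaping (backslash, double quote).
json_str() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# ise_endpoint_payload MAC GROUP_ID DESCRIPTION
#   ERSEndPoint body used for both POST /ers/config/endpoint and
#   PUT /ers/config/endpoint/{id}. staticGroupAssignment=true is the flag
#   that stops the profiler from re-homing the endpoint on the next auth.
ise_endpoint_payload() {
  printf '{"ERSEndPoint":{"mac":"%s","groupId":"%s","staticGroupAssignment":true,"description":"%s"}}' \
    "$(json_str "$1")" "$(json_str "$2")" "$(json_str "$3")"
}

# ise_apply_endpoint ACTION MAC GROUP_ID DESCRIPTION [ENDPOINT_ID]
#   Issues the ERS call for a planned action. Needs network access to the
#   PAN, so it is not exercised in the demo below.
ise_apply_endpoint() {
  local action="$1" mac="$2" group="$3" desc="$4" eid="$5" base
  base="https://${ISE_PAN_FQDN}:${ISE_ERS_PORT}/ers/config/endpoint"
  case "$action" in
    create)
      curl -sS --fail --cacert "$ISE_CA_CERT" -u "${ISE_API_USER}:${ISE_API_PASS}" \
        -H 'Content-Type: application/json' -H 'Accept: application/json' \
        -X POST "$base" -d "$(ise_endpoint_payload "$mac" "$group" "$desc")" ;;
    update)
      curl -sS --fail --cacert "$ISE_CA_CERT" -u "${ISE_API_USER}:${ISE_API_PASS}" \
        -H 'Content-Type: application/json' -H 'Accept: application/json' \
        -X PUT "${base}/${eid}" -d "$(ise_endpoint_payload "$mac" "$group" "$desc")" ;;
    skip)
      printf 'skip %s: already static in target group\n' "$mac" ;;
    *)
      printf 'unknown action %s\n' "$action" >&2; return 2 ;;
  esac
}

# Demo of the decision table and payload on constructed BEFORE results.
target='11111111-2222-3333-4444-555555555555'   # constructed group UUID
printf 'not found            -> %s\n' "$(ise_plan_action '' '' "$target")"
printf 'same group, static   -> %s\n' "$(ise_plan_action "$target" true "$target")"
printf 'other group, static  -> %s\n' "$(ise_plan_action other-uuid true "$target")"
printf 'same group, profiler -> %s\n' "$(ise_plan_action "$target" false "$target")"
ise_endpoint_payload 'C0:EE:40:F1:A7:2F' "$target" \
  '2026-05-28 ER - BD Alaris pumps add to medical device onboard'
echo
```

Passing `-u user:pass` on the curl command line exposes the ERS password to anyone who can read the process list; for anything beyond a lab, move the credential into a curl config file (`-K`) or `--netrc-file` with restrictive permissions.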
Step 3: Validate with DataConnect
After the script completes, confirm the endpoints are authenticating with the correct group.
This catches cases where the profiler overrides staticGroupAssignment during the next auth event.
```bash
dc_query "
SELECT
  calling_station_id AS mac,
  endpoint_profile,
  identity_group,
  device_name,
  COUNT(*) AS auth_count,
  MAX(timestamp) AS last_seen
FROM radius_authentications
WHERE REPLACE(REPLACE(LOWER(calling_station_id),':',''),'-','') LIKE 'c0ee40%'
  AND timestamp > SYSTIMESTAMP - INTERVAL '30' DAY
GROUP BY
  calling_station_id,
  endpoint_profile,
  identity_group,
  device_name
ORDER BY last_seen DESC
"
```
| Field | Expected |
|---|---|
| `identity_group` | `Medical_Onboard` (the target group) |
| `endpoint_profile` | Profiler-assigned |
| `auth_count` | > 0 — device has authenticated since the change |
| `device_name` | WLC or switch — confirms the access point |
If identity_group shows the OLD group, the profiler overrode staticGroupAssignment. This is a known ISE behavior — see ISE ERS Endpoints gotchas.
To check specific MACs instead of the whole OUI, list them explicitly. Note that the OUI query above normalizes calling_station_id because NADs report it in different formats; this one does an exact match, so the IN list must use the format the WLC or switch actually sends. If it returns no rows, fall back to the normalized query.

```bash
dc_query "
SELECT
  calling_station_id AS mac,
  identity_group,
  endpoint_profile,
  MAX(timestamp) AS last_seen
FROM radius_authentications
WHERE calling_station_id IN (
  'C0:EE:40:F1:A7:2F',
  'C0:EE:40:F1:CD:CD',
  'C0:EE:40:F2:02:EA'
)
  AND timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
GROUP BY calling_station_id, identity_group, endpoint_profile
ORDER BY last_seen DESC
"
```
Step 4: Verify via ERS (Optional)
If DataConnect hasn’t caught the auth events yet (devices not online, haven’t re-authenticated), verify the static assignment directly via ERS.
```bash
while read -r RAW_MAC; do
  [[ -z "$RAW_MAC" || "$RAW_MAC" == \#* ]] && continue
  # Normalize: strip delimiters, insert colons, upper-case
  mac=$(printf '%s' "$RAW_MAC" | tr -d ':-' | sed 's/../&:/g;s/:$//' | tr '[:lower:]' '[:upper:]')
  eid=$(ers "/endpoint?filter=mac.EQ.${mac}" | jq -r '.SearchResult.resources[0].id // empty')
  # NOT FOUND goes to stderr so it does not corrupt the JSON stream that jq -s reads below
  [[ -z "$eid" ]] && echo "✗ ${mac} — NOT FOUND" >&2 && continue
  ers "/endpoint/${eid}" | jq --arg mac "$mac" '{
    mac: $mac,
    group: .ERSEndPoint.groupId,
    static: .ERSEndPoint.staticGroupAssignment,
    desc: .ERSEndPoint.description
  }'
done < /tmp/batch-macs.txt | jq -s '.'
```
Requires the ers() helper function loaded. See ISE ERS Endpoints prerequisites.
Step 5: Respond to Requestor
Once DataConnect confirms identity_group matches, close the loop:
Alaris pumps (17 devices, OUI C0:EE:40) added to Medical_Onboard. Verified via DataConnect — all authenticating with correct identity group. If any device isn't connecting, bounce the port or check wireless association.
Workflow Summary
1. Heredoc MACs → /tmp/batch-macs.txt (any format — raw, colon, dash)
2. dsource d001 dev/network/ise (load creds)
3. ise-batch-onboard.sh <file> <group> <desc> (create or update)
4. dc_query filtered on the normalized calling_station_id OUI prefix (confirm auth pipeline)
5. Respond to requestor (close the loop)
Real-World Example: BD Alaris Pumps (2026-05-28)
| Field | Value |
|---|---|
| Request | BD Alaris pumps — add to medical device onboard |
| MACs | 17 devices, OUI `C0:EE:40` |
| Group | `Medical_Onboard` |
| Description | `2026-05-28 ER - BD Alaris pumps add to medical device onboard` |
| Engineers | Evan R, Arin K |
| PM | Urasaki, Alexander |
| Method used | CSV import (manual) + DataConnect validation |
| Method preferred | This workflow — heredoc → `ise-batch-onboard.sh` → DataConnect validation |
Related
- ISE ERS Endpoints — full CRUD reference, gotchas, description standard
- ISE — general ISE codex