netapi Patterns

netapi CLI patterns from daily network automation. Every entry has a date and context.

2026-04-02: Endpoint Lifecycle — Register, Verify, Monitor

Problem: New machine deployment requires endpoint registration, verification, and ongoing monitoring through a consistent workflow.

Context: P16g deployment, full endpoint lifecycle via netapi. Machine needs iPSK WiFi access first (MAC registration), then verification through DataConnect and MnT, then eventual migration to EAP-TLS.

The Fix:

# 1. Source credentials
dsource d000 dev/ise
# 2. Register endpoint (ERS API, port 9060)
netapi ise endpoint create --mac "E0:D5:5D:6C:E1:66" --group "DOMUS-IoT"
# 3. Verify registration (DataConnect, port 2484)
netapi ise dc endpoint E0:D5:5D:6C:E1:66
# 4. Check authentication timeline (DataConnect)
netapi ise dc auth-history E0:D5:5D:6C:E1:66 --hours 1
# 5. Check active session (MnT API, port 443)
netapi ise mnt session E0:D5:5D:6C:E1:66
# 6. Check auth status (MnT)
netapi ise mnt auth-status E0:D5:5D:6C:E1:66

Rule: netapi unifies ISE’s 5 APIs into one CLI. Registration (ERS) → Verification (DataConnect) → Monitoring (MnT) is the standard endpoint lifecycle. Each stage hits a different ISE API on a different port.

Worklog: WRKLOG-2026-04-02
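
Added example (not netapi's own code): steps 2-6 of the lifecycle above wrapped in a fail-fast POSIX shell function that validates the MAC before it reaches ERS and names the stage that failed. NETAPI, normalize_mac, run_step and endpoint_lifecycle are hypothetical names, and credentials are assumed to be sourced already (step 1).

```shell
#!/bin/sh
# Added example, not netapi's own code. NETAPI, normalize_mac, run_step and
# endpoint_lifecycle are hypothetical names. Step 1 (credential sourcing) is
# assumed to have been done in the calling shell.

NETAPI="${NETAPI:-netapi}"   # point at a stub to rehearse without touching ISE

# Normalise to upper-case colon form and reject anything that is not exactly
# six hex octets, so malformed input never reaches the ERS API.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'abcdef-' 'ABCDEF:')
    case "$mac" in
        *[!0-9A-F:]*) return 1 ;;
    esac
    printf '%s\n' "$mac" | LC_ALL=C grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Run one netapi call; on failure report the stage (API and port as listed on
# the page) so the operator knows which ISE listener to look at.
run_step() {
    label=$1
    shift
    if ! "$NETAPI" "$@"; then
        echo "FAILED at $label: $NETAPI $*" >&2
        return 1
    fi
}

# Steps 2-6 in order, stopping at the first failure.
# Returns 0 on success, 1 if a step failed, 2 on bad arguments.
endpoint_lifecycle() {
    mac=$(normalize_mac "$1") || { echo "invalid MAC: $1" >&2; return 2; }
    group=$2
    [ -n "$group" ] || { echo "endpoint group required" >&2; return 2; }
    run_step "register (ERS, 9060)"        ise endpoint create --mac "$mac" --group "$group" || return 1
    run_step "verify (DataConnect, 2484)"  ise dc endpoint "$mac" || return 1
    run_step "history (DataConnect, 2484)" ise dc auth-history "$mac" --hours 1 || return 1
    run_step "session (MnT, 443)"          ise mnt session "$mac" || return 1
    run_step "auth-status (MnT, 443)"      ise mnt auth-status "$mac" || return 1
}

# Usage: endpoint_lifecycle "E0:D5:5D:6C:E1:66" "DOMUS-IoT"
```

A non-zero exit after the register step means the endpoint exists in ERS but was not confirmed by DataConnect or MnT, so check those stages before retrying.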


2026-03-16: Multi-Vendor Command Consistency

Problem: Each vendor has different API conventions, but netapi provides a consistent interface.

Context: Daily operations across ISE, Vault, Synology, WLC, pfSense, Cloudflare.

The Fix:

# Same pattern: netapi <vendor> <resource> <action>
netapi ise mnt sessions          # ISE MnT — active RADIUS sessions
netapi ise dc auth-methods       # ISE DataConnect — auth method distribution
netapi ise list-policy-sets      # ISE ERS — policy set list
netapi ise get-dacl <name>       # ISE ERS — dACL content
# Other vendors follow the same pattern
netapi pfsense dns list          # pfSense — DNS overrides
netapi synology system-info      # Synology — NAS system info
netapi wlc get-clients           # WLC 9800 — associated clients
netapi cloudflare dns list       # Cloudflare — DNS records
# ISE-specific: 5 APIs unified under one vendor
# ERS (port 9060)      — CRUD on endpoints, policies, profiles, SGTs
# MnT (port 443)       — Active sessions, auth status, CoA
# DataConnect (port 2484) — SQL analytics on Oracle JDBC
# pxGrid (port 8910)   — Real-time event subscriptions
# OpenAPI v1            — Newer ISE 3.x operations

Rule: netapi’s 5-layer architecture (Primitives → Protocols → Capabilities → Vendors → Workflows) means you learn the pattern once and apply it across 18 vendors. ISE alone has 5 APIs, and netapi abstracts that away.

Worklog: WRKLOG-2026-03-16