API Discovery & Health

Overview

Check ISE API connectivity and discover available endpoints.

Commands

netapi ise [COMMAND]
Command             Description
list-api-modules    List all available ISE SDK API modules (ERS, OpenAPI, pxGrid, MnT)
inspect-module      Inspect methods available in a specific SDK module
check               Check ISE API connectivity (ERS and OpenAPI)
ers-resources       List available ERS API resources
openapi-endpoints   List available OpenAPI v1 endpoints
mnt-endpoints       List available MnT (Monitoring & Troubleshooting) API endpoints
pxgrid-services     List available pxGrid 2.0 services and capabilities
info                Get ISE deployment and version info

SDK API Module Discovery

List All Available Modules

List all ISE SDK API modules to discover what’s available beyond the standard ERS API:

# List all modules (200+ modules available)
netapi ise list-api-modules

# Filter by endpoint-related modules
netapi ise list-api-modules --filter endpoint

# Filter by group modules
netapi ise list-api-modules -f group

# Filter by network access
netapi ise list-api-modules -f network_access

Sample Output:

                    ISE SDK API Modules (filtered by 'endpoint')
Category              Modules
anc                   anc_endpoint
endpoint              endpoint
                      endpoint_certificate
                      endpoint_identity_group
                      endpoint_stop_replication_service
                      endpoints

Use Case: This command is invaluable when you need to:

  • Discover if OpenAPI endpoints exist for a feature (vs just ERS)

  • Check if pxGrid modules are available

  • Verify which API surfaces support a specific feature

  • Troubleshoot why certain operations aren’t available

Inspect Module Methods

Once you’ve found a module, inspect it to see what CRUD operations it supports:

# Inspect endpoint identity group module
netapi ise inspect-module endpoint_identity_group

# Inspect network access policy module
netapi ise inspect-module network_access_policy_set

# Get JSON output for scripting
netapi ise inspect-module downloadable_acl --format json

Sample Output:

                           Module: endpoint_identity_group
Method                             Category
create_endpoint_group              Create
delete_by_id                       Delete
get_all                            Read
get_by_id                          Read
update_endpoint_group_by_id        Update

Use Case - Troubleshooting Parent Groups:

This was critical for debugging endpoint identity group parent hierarchy:

# Check what parameters update_endpoint_group_by_id accepts
netapi ise inspect-module endpoint_identity_group --format json | \
  jq '.methods[] | select(. == "update_endpoint_group_by_id")'

We discovered:

  1. The SDK method exists: update_endpoint_group_by_id

  2. The SDK accepts parent_id parameter (snake_case)

  3. However, ISE silently ignores parentId in the ERS API

  4. The GUI uses a completely different Admin UI API that DOES support parents

Endpoint Identity Group Parent Hierarchy Limitation

After extensive testing, we confirmed:

  • ERS API: Cannot set parent groups (even though parentId appears in GET responses)

  • OpenAPI: No separate endpoint group module exists

  • GUI Admin API: Uses /admin/idMgmtEndpointGroupAction.do with endpointGroup.parentGroupID

The only way to set parent hierarchy is via the ISE GUI or by directly calling the Admin UI API (not recommended for automation).

Check API Connectivity

netapi ise api check

Tests connectivity to:

  • ERS API (port 9060)

  • OpenAPI v1 (port 443)

  • MnT API (port 443)

Sample output:

       ISE API Health Check
 api       status    latency
 ERS       OK        45ms
 OpenAPI   OK        32ms
 MnT       OK        28ms

List ERS Resources

netapi ise api ers-resources

Shows all available ERS API endpoints like:

  • /ers/config/endpoint

  • /ers/config/networkdevice

  • /ers/config/authorizationprofile

  • etc.

List OpenAPI Endpoints

netapi ise api openapi-endpoints

Tests 27 known OpenAPI v1 paths and reports which are available on your ISE deployment.

Endpoints Checked

Deployment & System:

  • /api/v1/deployment/node - Deployment Nodes

  • /api/v1/deployment/pan-ha - PAN HA Status

  • /api/v1/license/system/register - License Status

  • /api/v1/patch - Patch Status

  • /api/v1/hotpatch - Hotpatch Status

Certificates:

  • /api/v1/certs/system-certificate - System Certificates

  • /api/v1/certs/trusted-certificate - Trusted Certificates

  • /api/v1/certs/certificate-signing-request - CSRs

Backup & Repository:

  • /api/v1/backup-restore/config/backup-status - Backup Status

  • /api/v1/backup-restore/config/last-backup-status - Last Backup Status

  • /api/v1/repository - Repositories

Node Services:

  • /api/v1/node-services/profiler - Profiler Service

  • /api/v1/node-services/sxp - SXP Service

  • /api/v1/node-services/mdm - MDM Service

Endpoint Management (Critical):

  • /api/v1/endpoint - Endpoint Management

  • /api/v1/endpoint-cert - Endpoint Certificates

Policy:

  • /api/v1/policy/network-access/network-condition - Network Conditions

  • /api/v1/policy/network-access/time-condition - Time Conditions

  • /api/v1/policy/network-access/dictionary - Policy Dictionaries

Portals:

  • /api/v1/portal/guest-portal - Guest Portals

  • /api/v1/portal/hotspot-portal - Hotspot Portals

  • /api/v1/portal/sponsor-portal - Sponsor Portals

Other:

  • /api/v1/telemetry-info - Telemetry Info

  • /api/v1/active-directory - Active Directory

The /api/v1/endpoint path is used by netapi ise update-endpoint-group to properly set staticGroupAssignment, which the ERS API cannot do correctly.

List MnT API Endpoints

netapi ise api mnt-endpoints

Shows all available MnT (Monitoring & Troubleshooting) API endpoints:

  • Session Management: Active sessions, session by MAC/IP/username

  • Authentication Logs: Auth status, failure reasons, auth history

  • CoA: Change of Authorization (disconnect, reauthentication)

  • Profiling: Profiler session counts

  • Account Activity: User account activity logs

Sample output:

                    MnT API Endpoints
Endpoint                                              Description                Status
/admin/API/mnt/Version                                ISE Version                Available
/admin/API/mnt/Session/ActiveList                     Active RADIUS Sessions     Available
/admin/API/mnt/Session/MACAddress/{mac}               Session by MAC Address     Requires Params
/admin/API/mnt/AuthStatus/MACAddress/{mac}            Auth Status by MAC         Requires Params
/admin/API/mnt/FailureReasons                         Failure Reasons            Available

Endpoints with {parameters} require actual values (e.g., MACAddress/AA:BB:CC:DD:EE:FF).

List pxGrid Services

netapi ise api pxgrid-services

Shows available pxGrid 2.0 services and capabilities:

  • Session Directory: Real-time RADIUS session data

  • Adaptive Network Control: Quarantine and remediation

  • TrustSec: SGT and SXP bindings

  • Profiler: Endpoint profiling data

  • System Health: ISE node health and performance

Sample output:

                    pxGrid 2.0 Services
Service Name                    Common Name               Description
com.cisco.ise.session           Session Directory         Real-time RADIUS session data
com.cisco.ise.config.anc        Adaptive Network Control  Apply quarantine policies
com.cisco.ise.config.trustsec   TrustSec                  SGT and SXP bindings

pxGrid requires separate account activation and credentials. Use netapi ise pxgrid activate to set up.

Get ISE Info

netapi ise api info

Returns deployment and version information:

{
  "version": "3.2.0.542",
  "deployment": "Standalone",
  "fipsMode": false,
  "nodes": 1
}

Use Cases

Pre-flight Check

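#!/bin/bash
# Verify ISE connectivity before running scripts

echo "Checking ISE API connectivity..."
# Stop here if the check fails (assumes netapi exits non-zero on a failed check)
if ! netapi ise api check; then
  echo "ISE API check failed; aborting." >&2
  exit 1
fi

echo "Proceeding with ISE operations..."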

Discover Available APIs

#!/bin/bash
# Document all available API endpoints
DATE=$(date +%Y-%m-%d)

echo "# ISE API Inventory - $DATE" > api-inventory.md
echo "" >> api-inventory.md

echo "## ERS Resources" >> api-inventory.md
netapi ise api ers-resources >> api-inventory.md

echo "" >> api-inventory.md
echo "## OpenAPI Endpoints" >> api-inventory.md
netapi ise api openapi-endpoints >> api-inventory.md

Version Check for Automation

#!/bin/bash
# Check ISE version before running scripts
netapi ise api info

# Also check MnT version for detailed info
netapi ise mnt version
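
A version gate built on the info output shown under Get ISE Info, added here as an example (it is not part of netapi or of the original page). The helper names, the minimum version and the FIPS requirement are hypothetical policy choices, and the JSON is assumed to have the flat shape of the sample on this page.

```bash
#!/bin/bash
# Added example: fail closed unless ISE reports a supported version.
# json_field, version_ge and preflight_gate are hypothetical helper names.

# Pull one scalar field out of the flat JSON object on stdin (no jq needed).
json_field() {
  tr -d '\n' |
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^",}]*\).*/\1/p' |
    sed 's/[[:space:]]*$//'
}

# Succeed when dotted version $1 >= $2, comparing each field numerically
# so that 3.10 sorts above 3.9.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# $1 = info JSON, $2 = minimum version, $3 = "true" to require FIPS mode.
# Returns 0 = proceed, 1 = version too old, 2 = unparseable output, 3 = FIPS off.
preflight_gate() {
  pg_ver=$(printf '%s' "$1" | json_field version)
  pg_fips=$(printf '%s' "$1" | json_field fipsMode)
  case "$pg_ver" in
    [0-9]*.[0-9]*) ;;
    *) echo "cannot read ISE version; refusing to continue" >&2; return 2 ;;
  esac
  if ! version_ge "$pg_ver" "$2"; then
    echo "ISE $pg_ver is older than required $2" >&2; return 1
  fi
  if [ "$3" = true ] && [ "$pg_fips" != true ]; then
    echo "FIPS mode is required but fipsMode=$pg_fips" >&2; return 3
  fi
  return 0
}

# Constructed sample: the info output shown on this page.
# In a real run: INFO=$(netapi ise api info) || exit 1
INFO='{ "version": "3.2.0.542", "deployment": "Standalone", "fipsMode": false, "nodes": 1 }'
preflight_gate "$INFO" "3.1" false && echo "pre-flight gate passed"
```

An empty or unparseable response returns 2 rather than passing, so a failed API call cannot be mistaken for a supported version.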