ISE Complete Command Reference

Overview

Complete reference of all ISE commands organized by API type and resource. Each section includes Create, Read, Update, and Delete examples.

API Discovery & Health

Check Connectivity

# Test all APIs (ERS, OpenAPI, MnT)
# Run this first: every other command on this page assumes the
# ISE_PAN_IP / ISE_API_USER / ISE_API_PASS variables from
# "Environment Setup" are exported and that the PAN is reachable.
netapi ise api check

# Get ISE version and deployment info
netapi ise api info
netapi ise mnt version

Discover Available Endpoints

# List ERS resources
netapi ise api ers-resources

# List OpenAPI endpoints (the command checks a fixed set of 27 paths and
# reports which of them this deployment exposes)
netapi ise api openapi-endpoints

# List MnT API endpoints
netapi ise api mnt-endpoints

# List pxGrid 2.0 services
netapi ise api pxgrid-services

ERS API Commands

Network Access Devices (NADs)

Create

# Basic NAD (switch/WLC)
# NOTE(security): the RADIUS shared secret is a positional argument, so it
# is written to shell history and is visible to other local users through
# ps / /proc while the command runs. Run these from a script, or prefix the
# line with a space under HISTCONTROL=ignorespace, and use a long random
# secret in place of guessable placeholders like the ones shown here.
netapi ise create-nad SRT-9-9300 10.101.2.253 MyRadiusSecret123 \
  --descr "South Research Tower - Catalyst 9300"

# With TACACS (the same history/ps caveat applies to --tacacs-secret)
netapi ise create-nad ADMIN-WLC 10.101.2.100 RadiusSecret \
  --tacacs-secret TacacsSecret \
  --descr "Admin WLC"

# Custom RADIUS ports (must match the ports configured on the device)
netapi ise create-nad IoT-Switch 10.101.3.50 Secret123 \
  --auth-port 11812 \
  --acct-port 11813

Read

# List all NADs (one page: default --size 100, see "Pagination Defaults")
netapi ise get-nads

# Pagination
netapi ise get-nads --size 50 --page 2

# Get specific NAD (by the name given to create-nad)
netapi ise get-nad SRT-9-9300

Update

# Update description
netapi ise update-nad SRT-9-9300 --descr "Updated description"

# Change RADIUS secret
# NOTE(security): the new secret is passed on the command line (history /
# ps exposure, see Create). The device side must be changed to the same
# value, or authentications from that NAD will start failing.
netapi ise update-nad SRT-9-9300 --radius-secret NewSecret456

# Update IP address (ISE identifies the NAD by this address — keep it in
# step with the device's actual RADIUS source address)
netapi ise update-nad SRT-9-9300 --ip-address 10.101.2.254

Delete

# Delete by name (interactive confirmation)
netapi ise delete-nad SRT-9-9300

# Delete with force (no confirmation) — meant for scripts. Once the NAD is
# removed, expect ISE to reject RADIUS/TACACS from that device until it is
# re-added, so double-check the name before using --force.
netapi ise delete-nad IoT-Switch --force

Security Group Tags (SGTs)

Create

# Basic SGT — the second argument is the numeric tag value (the same value
# that --value changes in Update); keep a register so values do not collide.
netapi ise create-sgt Research_Workstations 10 \
  --descr "Linux research workstations"

# Custom value
netapi ise create-sgt Guest_Devices 100 \
  --descr "Guest BYOD devices"

# High-security SGT
netapi ise create-sgt Critical_Infrastructure 5 \
  --descr "Critical systems - no lateral movement"

Read

# List all SGTs (one page: default --size 100, see "Pagination Defaults")
netapi ise get-sgts

# Pagination
netapi ise get-sgts --size 50 --page 1

# Get specific SGT (by name)
netapi ise get-sgt Research_Workstations

Update

# Update description
netapi ise update-sgt Research_Workstations \
  --descr "Linux research workstations - EAP-TLS"

# Change tag value — anything that matches on the old numeric value
# (policies, SGACLs, enforcement points) has to be updated to the new one.
netapi ise update-sgt Guest_Devices --value 101

Delete

# Delete by name (interactive confirmation)
netapi ise delete-sgt Research_Workstations

# Delete with force (no confirmation)
netapi ise delete-sgt Guest_Devices --force

Endpoint Identity Groups

Create

# Basic endpoint group under Profiled
# Note the flag name: create-endpoint-group takes --description, whereas the
# other create commands on this page take --descr.
netapi ise create-endpoint-group "Linux-Research-Workstations" \
  --description "Linux workstations with 802.1X EAP-TLS" \
  --parent "Profiled"

# Hierarchical structure (parent → child)
# This is an alternative to the example above: it creates the same
# "Linux-Research-Workstations" name under a different parent, so run one
# of the two, not both.
netapi ise create-endpoint-group "Linux-Workstations" \
  --description "All Linux workstations" \
  --parent "Profiled"

netapi ise create-endpoint-group "Linux-Research-Workstations" \
  --description "Linux research workstations with 802.1X EAP-TLS" \
  --parent "Linux-Workstations"

# IoT device group
netapi ise create-endpoint-group "Research-IoT-Devices" \
  --description "Lab IoT sensors and cameras" \
  --parent "Profiled"

Common ISE parent groups:

  • Profiled - For profiled endpoints

  • RegisteredDevices - For BYOD registered devices

  • Unknown - For unknown endpoints

  • Blacklist - For blocked/denied devices (the exact name of this built-in group varies by ISE release; confirm it with `netapi ise get-endpoint-groups` before scripting against it)

Read

# List all endpoint groups (one page: default --size 100)
netapi ise get-endpoint-groups

# Pagination
netapi ise get-endpoint-groups --size 50 --page 1

# Get specific group (quote names that contain spaces or dashes-with-spaces)
netapi ise get-endpoint-group "Linux-Research-Workstations"

Update (Endpoint Group Assignment)

# Move endpoint to different group
# Without --static the profiler may reassign the endpoint later; use
# --static for groups that drive authorization decisions.
netapi ise update-endpoint-group b4:e9:b8:f6:c8:17 "Linux-Research-Workstations"

# Move with static assignment (prevents profiling override)
netapi ise update-endpoint-group b4:e9:b8:f6:c8:17 "Linux-Research-Workstations" --static

# Allow dynamic profiling (hands the endpoint back to the profiler)
netapi ise update-endpoint-group b4:e9:b8:f6:c8:17 "Profiled" --no-static

update-endpoint-group moves an endpoint (identified by MAC) to a different group; pass --static when the assignment must survive profiling, otherwise the profiler may move the endpoint again. There is no command to update a group's own properties (description, parent) after creation — delete and recreate it instead.

Delete

# Delete by name (interactive confirmation)
netapi ise delete-endpoint-group "Linux-Research-Workstations"

# Delete with force (no confirmation) — check get-endpoints first so you
# know which endpoints lose their group membership.
netapi ise delete-endpoint-group "Research-IoT-Devices" --force

User Identity Groups

Create

# Basic user group (top-level groups hang off "User Identity Groups")
netapi ise create-identity-group "Research_Staff" \
  --descr "Research department staff" \
  --parent "User Identity Groups"

# Nested group (parent must already exist)
netapi ise create-identity-group "Research_Admins" \
  --descr "Research administrators" \
  --parent "Research_Staff"

Read

# List all user identity groups (one page: default --size 100)
netapi ise get-identity-groups

# Pagination
netapi ise get-identity-groups --size 50 --page 1

# Get specific group (by name)
netapi ise get-identity-group "Research_Staff"

Update

# Update description
# Note the flag name: update-identity-group takes --description, while
# create-identity-group above takes --descr.
netapi ise update-identity-group "Research_Staff" \
  --description "Updated description"

# Change parent
netapi ise update-identity-group "Research_Admins" \
  --parent "User Identity Groups"

# Rename — users and policies that reference the group by name (for
# example --identity-group on internal users) must be updated to the new name.
netapi ise update-identity-group "Research_Staff" \
  --name "Research_Department_Staff"

Delete

# Delete by name (interactive confirmation)
netapi ise delete-identity-group "Research_Staff"

# Delete with force (no confirmation)
netapi ise delete-identity-group "Research_Admins" --force

Endpoints

Create

# Basic endpoint
# Descriptions are readable by every account with ERS read access, so keep
# personal data (owner names, locations) to the minimum you actually need.
netapi ise create-endpoint b4:e9:b8:f6:c8:17 \
  --group "Linux-Research-Workstations" \
  --descr "Dr. Shahab Linux workstation"

# With static IP (records the address on the endpoint; it does not assign it)
netapi ise create-endpoint 00:11:22:33:44:55 \
  --group "Research-IoT-Devices" \
  --static-ip 10.101.3.100 \
  --descr "IoT sensor 001"

Read

# List all endpoints (one page: default --size 100 — large deployments
# need --page to walk the rest)
netapi ise get-endpoints

# Pagination
netapi ise get-endpoints --size 100 --page 1

# Get specific endpoint (by MAC)
netapi ise get-endpoint b4:e9:b8:f6:c8:17

Update

# Update group assignment (same command as in "Endpoint Identity Groups";
# add --static to stop the profiler from moving the endpoint back)
netapi ise update-endpoint-group b4:e9:b8:f6:c8:17 "Linux-Research-Workstations"

# Update description
netapi ise update-endpoint b4:e9:b8:f6:c8:17 \
  --descr "Updated description"

# Update static IP
netapi ise update-endpoint 00:11:22:33:44:55 \
  --static-ip 10.101.3.101

Delete

# Delete by MAC (interactive confirmation)
netapi ise delete-endpoint b4:e9:b8:f6:c8:17

# Delete with force (no confirmation) — used by the bulk cleanup script
# further down; validate the MAC list before feeding it to --force.
netapi ise delete-endpoint 00:11:22:33:44:55 --force

Downloadable ACLs (dACLs)

Create

# From inline ACL
# Entries are evaluated top-down, first match wins: the two host permits
# must stay above the 10.101.0.0/16 deny. The trailing "permit ip any any"
# gives onboarding endpoints unrestricted access to everything outside
# 10.101.0.0/16 — confirm that is intended for a pre-posture state.
netapi ise create-dacl DACL_Research_Onboard \
  --acl "permit ip any host 10.101.2.131
permit ip any host 10.101.2.132
deny ip any 10.101.0.0 0.0.255.255
permit ip any any" \
  --descr "MAB onboarding - ISE access only"

# From file (one ACE per line, same syntax as the inline form)
netapi ise create-dacl DACL_Research_Full \
  --file research-full.acl \
  --descr "Full network access - deny management"

Read

# List all dACLs (one page: default --size 100)
netapi ise get-dacls

# Pagination
netapi ise get-dacls --size 50 --page 1

# Get specific dACL (by name) — useful to snapshot the current ACEs before
# an update-dacl, since update replaces the whole ACL body.
netapi ise get-dacl DACL_Research_Onboard

Update

# Update ACL rules
# This version adds a DHCP permit (bootpc -> bootps) that the Create example
# lacks; without it an onboarding endpoint inside 10.101.0.0/16 cannot reach
# a DHCP server covered by the deny line. --acl replaces the entire ACL.
netapi ise update-dacl DACL_Research_Onboard \
  --acl "permit ip any host 10.101.2.131
permit ip any host 10.101.2.132
permit udp any eq bootpc any eq bootps
deny ip any 10.101.0.0 0.0.255.255
permit ip any any"

# Update from file
netapi ise update-dacl DACL_Research_Full \
  --file updated-rules.acl \
  --descr "Updated full access policy"

Delete

# Delete by name (interactive confirmation). Authorization profiles that
# reference the dACL (--dacl) should be updated first.
netapi ise delete-dacl DACL_Research_Onboard

# Delete with force (no confirmation)
netapi ise delete-dacl DACL_Research_Full --force

Authorization Profiles

Create

# Basic profile with VLAN
# The first and third examples create the same profile name; they are
# alternatives — creating a name that already exists is expected to fail.
netapi ise create-authz-profile Linux_Research_Full \
  --vlan DATA_VLAN \
  --descr "Full network access"

# Profile with VLAN and dACL (the dACL must already exist)
netapi ise create-authz-profile Linux_Research_Posture_Pending \
  --vlan RESEARCH_VLAN \
  --dacl DACL_Research_Onboard \
  --descr "MAB onboarding profile"

# With reauth timer (8 hours; value is in seconds)
netapi ise create-authz-profile Linux_Research_Full \
  --vlan DATA_VLAN \
  --dacl DACL_Research_Full \
  --reauth-timer 28800 \
  --descr "Full access with periodic reauth"

Read

# List all authorization profiles (one page: default --size 100)
netapi ise get-authz-profiles

# Pagination
netapi ise get-authz-profiles --size 50 --page 1

# Get specific profile (by name)
netapi ise get-authz-profile Linux_Research_Full

Update

# Update VLAN (affects every session authorized with this profile on its
# next authentication/reauth)
netapi ise update-authz-profile Linux_Research_Full \
  --vlan NEW_VLAN

# Update dACL (the new dACL must already exist)
netapi ise update-authz-profile Linux_Research_Posture_Pending \
  --dacl DACL_Research_Updated

# Remove dACL — sessions then get no per-session ACL from ISE, i.e. whatever
# the VLAN/port already allows; make sure that is the intended posture.
netapi ise update-authz-profile Linux_Research_Full \
  --no-dacl

# Update reauth timer (seconds; 14400 = 4 hours)
netapi ise update-authz-profile Linux_Research_Full \
  --reauth-timer 14400

Delete

# Delete by name (interactive confirmation). Authorization rules that
# select this profile (see get-authz-rules) should be removed first.
netapi ise delete-authz-profile Linux_Research_Posture_Pending

# Delete with force (no confirmation)
netapi ise delete-authz-profile Linux_Research_Full --force

Internal Users

Create

# Basic user
# NOTE(security): --password puts the clear-text password on the command
# line (shell history, ps / /proc). Run from a script or with a leading
# space under HISTCONTROL=ignorespace, generate the initial password rather
# than typing a pattern like the placeholders shown, and rotate it on first
# login. Note the "!" — in an interactive bash with history expansion on,
# single-quote the value.
netapi ise create-internal-user jdoe \
  --password SecurePass123! \
  --first-name John \
  --last-name Doe

# With identity group (group must already exist; it determines what the
# account is authorized for, so review membership like any other grant)
netapi ise create-internal-user research_admin \
  --password AdminPass456! \
  --identity-group Research_Admins \
  --email admin@research.org

Read

# List all internal users (one page: default --size 100)
netapi ise get-internal-users

# Pagination
netapi ise get-internal-users --size 50 --page 1

# Get specific user (by username)
netapi ise get-internal-user jdoe

Update

# Update password
# NOTE(security): same command-line exposure as create-internal-user — the
# new password is visible in history and to local users via ps / /proc.
netapi ise update-internal-user jdoe \
  --password NewPass789!

# Update email
netapi ise update-internal-user jdoe \
  --email newemail@research.org

# Change identity group (changes what the user is authorized for — treat
# like any other access change and record why)
netapi ise update-internal-user jdoe \
  --identity-group Research_Staff

Delete

# Delete by username (interactive confirmation)
netapi ise delete-internal-user jdoe

# Delete with force (no confirmation)
netapi ise delete-internal-user research_admin --force

Adaptive Network Control (ANC)

Apply Policy

# Quarantine endpoint
# The second argument is an ANC policy name; it must exist in ISE
# (see get-anc-policies below). The endpoint is identified by MAC only, so
# a typo quarantines the wrong device — validate input in scripts.
netapi ise anc-apply C8:5B:76:C6:59:62 Quarantine

# Port bounce (force reauth)
netapi ise anc-apply b4:e9:b8:f6:c8:17 Port_Bounce

# Shut down port
# NOTE(review): anc-clear removes the ANC assignment, but it is not shown
# here whether that brings the switchport back up — confirm on the NAD
# before relying on this for anything but deliberate isolation.
netapi ise anc-apply 00:11:22:33:44:55 Shut_Down

List Policies

# List available ANC policies (the names accepted by anc-apply)
netapi ise get-anc-policies

# Pagination
netapi ise get-anc-policies --size 50 --page 1

# List endpoints with ANC applied — review this regularly so quarantined
# devices are not forgotten.
netapi ise get-anc-endpoints
netapi ise get-anc-endpoints --size 100 --page 1

Clear Policy

# Remove ANC from endpoint (whatever policy is currently applied)
netapi ise anc-clear C8:5B:76:C6:59:62

# Release from quarantine — the endpoint keeps its current session until it
# reauthenticates; use Port_Bounce afterwards to force a fresh authorization
# (see "Post-Remediation Release").
netapi ise anc-clear b4:e9:b8:f6:c8:17

OpenAPI Commands

Policy Sets

Read

# List all policy sets (one page: default --size 100)
netapi ise get-policy-sets

# Pagination
netapi ise get-policy-sets --size 50 --page 1

# Get specific policy set (names may contain spaces — always quote them)
netapi ise get-policy-set "Wired Dot1X Closed"

# List authentication rules
netapi ise get-auth-rules "Wired Dot1X Closed"

# List authorization rules (run this before add/delete-authz-rule so the
# change can be reviewed against the current rule order)
netapi ise get-authz-rules "Wired Dot1X Closed"

Add Rules

# Add authentication rule: <policy set> <rule name> <identity source/cert profile>
netapi ise add-auth-rule "Wired Dot1X Closed" "EAP_TLS_Auth" "AD_Cert_Profile"

# Add authorization rule: <policy set> <rule name> <authorization profile>
netapi ise add-authz-rule "Wired Dot1X Closed" "Linux_Research" "Linux_Research_Full"

# Add authz rule with condition
# NOTE(security): "contains" is a substring match, so "domain.com/Users"
# also matches any group whose name merely contains that text. Prefer an
# exact-match operator if netapi offers one, or pick a value that cannot be
# a substring of another group name.
netapi ise add-authz-rule "Wired Dot1X Closed" "AD_Users" "PermitAccess" \
  --dict "AD" \
  --attr "ExternalGroups" \
  --value "domain.com/Users" \
  --operator contains

# Add at specific position — rank 0 is the top of the set, so this rule is
# evaluated before every existing rule.
netapi ise add-authz-rule "Wired Dot1X Closed" "New_Rule" "Profile" --rank 0

Add/Replace Conditions

# Add condition (safe - preserves existing)
netapi ise add-policy-set-condition "Corp WIFI" "Domus-Secure"

# Add with custom attribute
netapi ise add-policy-set-condition "IoT WIFI" "IoT_" --operator startsWith

# Replace all conditions (destructive) — capture the current conditions
# first with: netapi ise get-policy-set "Corp WIFI"
# Whatever traffic matched the old conditions falls through to other policy
# sets (or the default) as soon as this runs.
netapi ise replace-policy-set-condition "Corp WIFI" "CorpNet-Secure"

Delete Rules

# Delete authentication rule (takes effect immediately; list with
# get-auth-rules first)
netapi ise delete-auth-rule "Wired Dot1X Closed" "EAP_TLS_Auth"

# Delete authorization rule — sessions that used to hit this rule will match
# a later rule (or the default) on their next authorization
netapi ise delete-authz-rule "Wired Dot1X Closed" "Linux_Research"

Full Audit

# Display audit to terminal
netapi ise audit

# Save to file — the output describes your access-control policy, so store
# it with restrictive permissions (see "Daily ISE Audit").
netapi ise audit --output ise-policy-audit.txt

MnT API Commands

Session Management

Read

# Get active session by MAC
netapi ise mnt session b4:e9:b8:f6:c8:17

# Get auth status
netapi ise mnt auth-status b4:e9:b8:f6:c8:17

# List all active sessions
netapi ise mnt active-sessions

# Get session details (JSON) — use this form when saving evidence so the
# file can be parsed later (e.g. with jq)
netapi ise mnt session b4:e9:b8:f6:c8:17 --format json

Version Info

# Get detailed ISE version (MnT view; compare with "netapi ise api info")
netapi ise mnt version

Bulk Operations

Create Multiple Resources

Endpoints from File

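#!/usr/bin/env bash
# Create endpoints from endpoints.csv (one per line):
#   mac,group,description
#   b4:e9:b8:f6:c8:17,Linux-Research-Workstations,Dr. Shahab workstation
#   00:11:22:33:44:55,Research-IoT-Devices,IoT sensor 001
# Blank lines and lines starting with '#' are skipped, so a commented header
# is harmless. Stops on the first failed create instead of half-importing.
set -euo pipefail

mac_re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'

# -r keeps backslashes literal; "|| [[ -n $mac ]]" still processes a last
# line that has no trailing newline. 'descr' is the final variable, so any
# extra commas in the description stay in it rather than being dropped.
while IFS=, read -r mac group descr || [[ -n "$mac" ]]; do
  [[ -z "$mac" || "$mac" == \#* ]] && continue
  if [[ ! "$mac" =~ $mac_re ]]; then
    printf 'skipping malformed MAC: %s\n' "$mac" >&2
    continue
  fi
  netapi ise create-endpoint "$mac" --group "$group" --descr "$descr"
done < endpoints.csv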

Authorization Profiles from YAML

# profiles.yaml
# profiles:
#   - name: Linux_Research_Full
#     vlan: DATA_VLAN
#     dacl: DACL_Research_Full
#     reauth_timer: 28800
#
# Every dacl referenced here must already exist (create-dacl), same as for
# the single create-authz-profile command.
netapi ise create-authz-profiles-from-file profiles.yaml

dACLs from Directory

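#!/usr/bin/env bash
# Create dACLs from all .acl files in ./dacls, naming each after its file.
set -euo pipefail
# Without nullglob an empty directory would make the loop run once with the
# literal string "dacls/*.acl" and try to create a dACL from it.
shopt -s nullglob

for acl_file in dacls/*.acl; do
  dacl_name=$(basename "$acl_file" .acl)
  # Under set -e a failed create aborts the run instead of continuing
  # silently with the remaining files.
  netapi ise create-dacl "$dacl_name" --file "$acl_file" --descr "Auto-created from $acl_file"
done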

Update Multiple Resources

Bulk Update Endpoint Groups

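#!/usr/bin/env bash
# Move every MAC listed in mac-list.txt (one per line) to the target group.
set -euo pipefail

target_group="Linux-Research-Workstations"
mac_re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'

# read -r: no backslash mangling; the || clause handles a missing final
# newline. Only syntactically valid MACs are sent to ISE so a stray line in
# the file cannot turn into an unexpected API call.
while IFS= read -r mac || [[ -n "$mac" ]]; do
  [[ -z "$mac" || "$mac" == \#* ]] && continue
  if [[ ! "$mac" =~ $mac_re ]]; then
    printf 'skipping malformed MAC: %s\n' "$mac" >&2
    continue
  fi
  netapi ise update-endpoint-group "$mac" "$target_group"
done < mac-list.txt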

Update Authorization Profiles from YAML

# updated-profiles.yaml uses the same layout as profiles.yaml (see "Authorization
# Profiles from YAML"); each entry replaces the named profile's settings.
netapi ise update-authz-profiles-from-file updated-profiles.yaml

Delete Multiple Resources

Cleanup Stale Endpoints

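#!/usr/bin/env bash
# Delete the endpoints listed in stale-endpoints.txt (one MAC per line).
# This uses --force, so there is no confirmation: the list is validated
# line by line and anything that is not a well-formed MAC is skipped.
set -euo pipefail

mac_re='^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'

while IFS= read -r mac || [[ -n "$mac" ]]; do
  [[ -z "$mac" || "$mac" == \#* ]] && continue
  if [[ ! "$mac" =~ $mac_re ]]; then
    printf 'skipping malformed MAC: %s\n' "$mac" >&2
    continue
  fi
  netapi ise delete-endpoint "$mac" --force
  printf '%s - deleted stale endpoint %s\n' "$(date)" "$mac" >&2
done < stale-endpoints.txt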

Remove Test dACLs

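#!/usr/bin/env bash
# Delete every dACL whose NAME starts with TEST_.
#
# The previous version grep'd the whole get-dacls line and passed the entire
# line to delete-dacl, so a dACL whose description merely mentioned "TEST_"
# was selected and the argument was not a bare name. Set DRY_RUN=1 to only
# print what would be deleted.
set -euo pipefail

# NOTE(review): assumes get-dacls prints the dACL name as the first
# whitespace-delimited field of each line — TODO confirm against the real
# output (try DRY_RUN=1 first). Also note get-dacls returns one page
# (default --size 100).
mapfile -t test_dacls < <(netapi ise get-dacls | awk '$1 ~ /^TEST_/ { print $1 }')

if (( ${#test_dacls[@]} == 0 )); then
  echo "no TEST_ dACLs found" >&2
  exit 0
fi

for dacl in "${test_dacls[@]}"; do
  if [[ "${DRY_RUN:-0}" == "1" ]]; then
    printf 'would delete dACL %s\n' "$dacl"
  else
    printf 'deleting dACL %s\n' "$dacl" >&2
    netapi ise delete-dacl "$dacl" --force
  fi
done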

Common Workflows

Complete Linux 802.1X Deployment

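#!/usr/bin/env bash
# Full ISE configuration for Linux workstation deployment.
# Order matters: dACLs must exist before the authorization profiles that
# reference them, and the endpoint group before the endpoint that joins it.
# With set -e a failure at any step stops the script so later steps do not
# reference objects that were never created.
set -euo pipefail

# 1. Create endpoint identity group
#    create-endpoint-group takes --description (not --descr like the other
#    create commands) and a parent — see "Endpoint Identity Groups".
netapi ise create-endpoint-group "Linux-Research-Workstations" \
  --description "Linux research workstations with 802.1X EAP-TLS" \
  --parent "Profiled"

# 2. Create dACLs (fail early if an ACL file is missing)
for acl_file in dacls/research-onboard.acl dacls/research-full.acl; do
  [[ -r "$acl_file" ]] || { printf 'missing ACL file: %s\n' "$acl_file" >&2; exit 1; }
done

netapi ise create-dacl DACL_Research_Onboard \
  --file dacls/research-onboard.acl \
  --descr "MAB onboarding - ISE access only"

netapi ise create-dacl DACL_Research_Full \
  --file dacls/research-full.acl \
  --descr "Full access - deny management"

# 3. Create authorization profiles
netapi ise create-authz-profile Linux_Research_Posture_Pending \
  --vlan RESEARCH_VLAN \
  --dacl DACL_Research_Onboard \
  --reauth-timer 28800

netapi ise create-authz-profile Linux_Research_Full \
  --vlan DATA_VLAN \
  --dacl DACL_Research_Full

# 4. Add endpoint
netapi ise create-endpoint b4:e9:b8:f6:c8:17 \
  --group "Linux-Research-Workstations" \
  --descr "Dr. Shahab Linux workstation"

# 5. Add authorization rules
#    Not automated here because the policy set name is deployment-specific.
#    Example once you know it:
#      netapi ise add-authz-rule "Wired Dot1X Closed" "Linux_Research" "Linux_Research_Full"
echo "Add authorization rules via ISE GUI or add-authz-rule command"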

Incident Response Quarantine

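#!/usr/bin/env bash
# Quarantine a compromised endpoint and preserve its session evidence.
# Usage: quarantine.sh <MAC> <TICKET>
#
# Changes from the previous version:
#  - arguments are validated (both end up in a log line and a file name);
#  - the session is captured BEFORE the ANC policy is applied, since the
#    quarantine may terminate the session and leave nothing to collect;
#  - evidence goes to a private directory instead of world-readable /tmp;
#  - the log entry is written only if the quarantine actually succeeded.
set -euo pipefail

MAC="${1:?usage: $0 <MAC> <TICKET>}"
TICKET="${2:?usage: $0 <MAC> <TICKET>}"

[[ "$MAC" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]] \
  || { printf 'invalid MAC: %s\n' "$MAC" >&2; exit 2; }
# No spaces, slashes or ".." — the ticket id becomes part of a path.
[[ "$TICKET" =~ ^[A-Za-z0-9._-]+$ ]] \
  || { printf 'invalid ticket id: %s\n' "$TICKET" >&2; exit 2; }

LOG="/var/log/ir-actions.log"
EVIDENCE_DIR="${IR_EVIDENCE_DIR:-/var/lib/ir-evidence}"

# Session records identify users and hosts: owner-only files and directory.
umask 077
mkdir -p "$EVIDENCE_DIR"

echo "Quarantining $MAC for incident $TICKET"

# Get session details first. --format json matches the .json file name
# (see "MnT API Commands"). A missing session must not block the quarantine,
# so this step is best-effort.
if ! netapi ise mnt session "$MAC" --format json \
     > "$EVIDENCE_DIR/session-${MAC}-${TICKET}.json"; then
  printf 'warning: no session record captured for %s\n' "$MAC" >&2
fi

# Apply quarantine (set -e: a failure here exits before the log entry,
# so the log never claims a quarantine that did not happen)
netapi ise anc-apply "$MAC" Quarantine

# Log action
printf '%s - Quarantined %s - Ticket: %s\n' "$(date)" "$MAC" "$TICKET" >> "$LOG"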

Post-Remediation Release

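#!/usr/bin/env bash
# Release an endpoint after remediation and force it to re-authenticate.
# Usage: release.sh <MAC>
set -euo pipefail

MAC="${1:?usage: $0 <MAC>}"
[[ "$MAC" =~ ^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$ ]] \
  || { printf 'invalid MAC: %s\n' "$MAC" >&2; exit 2; }

echo "Releasing $MAC from quarantine"

# Clear ANC
netapi ise anc-clear "$MAC"

# Force re-authentication. The second anc-clear removes the Port_Bounce
# assignment again so the endpoint is left with no ANC policy. Under set -e
# a failure in any of these stops the script before the status check, so a
# partially released endpoint is not reported as healthy.
netapi ise anc-apply "$MAC" Port_Bounce
sleep 5
netapi ise anc-clear "$MAC"

# Verify new session
netapi ise mnt auth-status "$MAC"

# Leave the same kind of audit trail the quarantine script writes.
printf '%s - Released %s from quarantine\n' "$(date)" "$MAC" >> /var/log/ir-actions.log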

Daily ISE Audit

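#!/usr/bin/env bash
# Daily ISE configuration audit: full policy audit plus a resource inventory.
set -euo pipefail

DATE=$(date +%Y-%m-%d)
AUDIT_DIR="/var/log/ise-audits"

# The audit files describe the access-control policy, NADs and endpoints:
# keep the directory and everything written into it owner-only.
umask 077
mkdir -p "$AUDIT_DIR"
chmod 700 "$AUDIT_DIR"

# Full policy audit
netapi ise audit --output "$AUDIT_DIR/policy-audit-${DATE}.txt"

# Number of output lines from one list command, or ERROR if it failed.
# NOTE: list commands return a single page (default --size 100, see
# "Pagination Defaults") and the count includes any header lines the
# command prints, so treat these as approximate and watch for day-to-day
# changes rather than reading them as exact totals. The previous version
# used $(... | wc -l) inline, which silently printed 0 when netapi failed.
count_lines() {
  local out
  if ! out=$(netapi ise "$@"); then
    echo "ERROR"
    return 0
  fi
  if [[ -z "$out" ]]; then
    echo 0
  else
    printf '%s\n' "$out" | wc -l
  fi
}

# Resource counts
{
  echo "ISE Resource Inventory - $DATE"
  echo "================================"
  echo ""
  echo "Network Devices: $(count_lines get-nads)"
  echo "Endpoints: $(count_lines get-endpoints)"
  echo "Endpoint Groups: $(count_lines get-endpoint-groups)"
  echo "dACLs: $(count_lines get-dacls)"
  echo "Authz Profiles: $(count_lines get-authz-profiles)"
  echo "SGTs: $(count_lines get-sgts)"
  echo "Active Sessions: $(count_lines mnt active-sessions)"
} > "$AUDIT_DIR/inventory-${DATE}.txt"

echo "Audit complete: $AUDIT_DIR"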

Environment Setup

Credentials

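# Using dsec (preferred: the password never appears on a command line).
# This evaluates whatever dsource prints, so only point it at a store you trust.
eval "$(dsource d000 dev/ise)"

# Manual export
# Do not type the password as a literal on the export line: it would be saved
# in shell history and is readable by anyone who can inspect this shell's
# environment (same user via /proc/<pid>/environ, or root). Prompt for it
# instead (-s suppresses echo, -r keeps backslashes literal).
# Use a dedicated API account that holds only the ISE admin role the tooling
# needs (read-only for audit/inventory jobs) rather than a full super-admin.
export ISE_PAN_IP="10.101.2.21"
export ISE_API_USER="ers_admin"
read -rsp 'ISE API password: ' ISE_API_PASS; echo
export ISE_API_PASS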

Pagination Defaults

All list commands support:

--size, -s INTEGER    Results per page (default: 100)
--page, -p INTEGER    Page number (default: 1)

Examples:

# First 50 endpoints
netapi ise get-endpoints --size 50 --page 1

# Second page of 100 dACLs
netapi ise get-dacls --size 100 --page 2

# Default page of NADs (size 100, page 1). This is NOT "all NADs" when more
# than 100 exist — walk --page until a page comes back empty.
netapi ise get-nads