ERS Endpoints Commands

Synopsis

netapi ise get-endpoints [OPTIONS]
netapi ise get-endpoint <MAC_OR_UUID> [OPTIONS]
netapi ise create-endpoint <MAC> [OPTIONS]
netapi ise update-endpoint <MAC_OR_UUID> [OPTIONS]
netapi ise delete-endpoint <MAC_OR_UUID> [OPTIONS]
netapi ise update-endpoint-group <MAC> <GROUP> [OPTIONS]
netapi ise get-endpoint-groups [OPTIONS]
netapi ise anc-apply <MAC> <POLICY>
netapi ise anc-clear <MAC>
netapi ise get-anc-endpoints
netapi ise get-rejected-endpoints
netapi ise release-rejected <MAC>

Description

Manage ISE endpoint database entries. Endpoints are devices identified by MAC address.

Commands

get-endpoints

List all endpoints in the ISE database.

# First 100 endpoints (default)
netapi ise get-endpoints

# All endpoints (fetches all pages)
netapi ise get-endpoints --all

# Limit results
netapi ise get-endpoints --limit 50

# Filter by identity group
netapi ise get-endpoints --group Blacklist

# Filter by profile (contains match)
netapi ise get-endpoints --profile iPhone

# Filter by logical profile (server-side, fast)
netapi ise get-endpoints --logical-profile IP-Phone
netapi ise get-endpoints --logical-profile Mobile-Devices

Options
  --all, -a                Fetch all pages (default: first page only)
  --size                   Results per page (max 100, default 100)
  --limit, -l              Limit number of results
  --group, -g              Filter by identity group name
  --profile, -p            Filter by profile name (contains match)
  --logical-profile, -L    Filter by logical profile (server-side filter)
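How --all, --size and --limit map onto ERS paging, as an added Python example (not netapi's own code): ERS serves at most 100 objects per page and returns a SearchResult.nextPage.href link only while more pages remain, so "first page only" is simply "do not follow that link". The HTTP call is injected so the demo runs offline against a constructed fake; the ERS path and field names are assumptions.

```python
ERS_EP = "/ers/config/endpoint"
ERS_MAX_PAGE = 100   # ERS refuses size > 100, which is why the tool caps --size at 100

def iter_endpoints(http, size=100, fetch_all=False, limit=None):
    """Yield ERS endpoint resources; like the CLI, stop after page 1 unless fetch_all (--all)."""
    size = max(1, min(size, ERS_MAX_PAGE))          # clamp instead of letting ERS reject it
    url, seen = f"{ERS_EP}?size={size}&page=1", 0
    while url:
        result = http("GET", url)["SearchResult"]
        for res in result.get("resources", []):
            if limit is not None and seen >= limit:   # --limit N
                return
            seen += 1
            yield res
        nxt = result.get("nextPage")                  # ERS only includes this when more remain
        url = nxt["href"] if (fetch_all and nxt) else None

def make_fake_ers(total):
    """Constructed ERS stand-in with `total` synthetic endpoints (MACs are made up)."""
    macs = [f"00:11:22:{i >> 16:02X}:{i >> 8 & 0xFF:02X}:{i & 0xFF:02X}" for i in range(total)]
    def http(method, url):
        q = dict(kv.split("=", 1) for kv in url.split("?", 1)[1].split("&"))
        size, page = int(q["size"]), int(q["page"])
        if method != "GET" or size > ERS_MAX_PAGE:
            raise ValueError("ERS: GET only, size must be <= 100")
        start = (page - 1) * size
        chunk = [{"id": f"ep-{i}", "name": macs[i]} for i in range(start, min(start + size, total))]
        out = {"total": total, "resources": chunk}
        if start + size < total:
            out["nextPage"] = {"rel": "next", "type": "application/json",
                               "href": f"{ERS_EP}?size={size}&page={page + 1}"}
        return {"SearchResult": out}
    return http
```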

get-endpoint

Get details for a specific endpoint by MAC address or UUID.

# By MAC
netapi ise get-endpoint 70:15:FB:F8:47:EC

# By UUID
netapi ise get-endpoint 68206ac0-a7cb-11f0-ac46-968ccf16ea3a

# Full view with session + auth history (requires DataConnect)
netapi ise get-endpoint 70:15:FB:F8:47:EC --full

Options
  --full, -f    Include active session and auth history via DataConnect

Sample Output
╭──────────────────────────────────────╮
│        Endpoint Details              │
│        70:15:FB:F8:47:EC             │
╰──────────────────────────────────────╯

Identity
  MAC Address          70:15:FB:F8:47:EC
  Endpoint ID          68206ac0-a7cb-11f0-ac46-968ccf16ea3a
  Portal User          -
  Identity Store       -

Profiling
  Profile              Microsoft-Workstation
  Static Assignment    False

Identity Group
  Group                Trusted_Users
  Static Assignment    True

Full Output (--full)

Active Session (DataConnect)
  Username             jsmith@corp.com
  NAS                  10.193.144.124
  Port                 GigabitEthernet1/0/15
  Auth Method          dot1x
  VLAN                 100
  Status               PASSED

Auth History (Last 5)
Time                    Method  Result  Failure Reason
2026-01-23 08:15:32     dot1x   PASS    -
2026-01-23 06:02:11     dot1x   PASS    -
2026-01-22 18:45:03     dot1x   PASS    -

create-endpoint

Create a new endpoint entry.

netapi ise create-endpoint 00:11:22:33:44:55 \
  --group "Medical-Devices" \
  --profile "Insensix-Device" \
  --description "Temperature sensor - Room 101"

delete-endpoint

Delete an endpoint from the ISE database.

# With confirmation prompt
netapi ise delete-endpoint 70:15:FB:F8:47:EC

# By UUID
netapi ise delete-endpoint 68206ac0-a7cb-11f0-ac46-968ccf16ea3a

# Skip confirmation
netapi ise delete-endpoint 70:15:FB:F8:47:EC --force

Options
  --force, -f    Skip confirmation prompt

update-endpoint

Update endpoint fields (description, group, static assignments).

# Set description
netapi ise update-endpoint 70:15:FB:F8:47:EC --description "John's laptop"

# Change identity group
netapi ise update-endpoint 70:15:FB:F8:47:EC --group Trusted_Users

# Multiple updates at once
netapi ise update-endpoint 70:15:FB:F8:47:EC --description "IoT sensor" --group IoT_Devices

# Lock profiler assignments
netapi ise update-endpoint 70:15:FB:F8:47:EC --static-profile --static-group

# By UUID
netapi ise update-endpoint 68206ac0-a7cb-11f0-ac46-968ccf16ea3a --description "Server NIC"

Options
  --description, -d                       Set endpoint description
  --group, -g                             Set identity group name
  --static-group/--no-static-group        Lock/unlock group assignment (prevent profiler override)
  --static-profile/--no-static-profile    Lock/unlock profile assignment (prevent profiler override)

Sample Output
Updated endpoint: 70:15:FB:F8:47:EC
  Description: John's laptop
  Group: Trusted_Users

update-endpoint-group

Move endpoint to a different identity group.

This command uses the OpenAPI v1 endpoint (/api/v1/endpoint) instead of the ERS API. This is critical because the ERS API has a bug that prevents staticGroupAssignment from being set correctly, which lets ISE Profiling override your group assignments.

# Move to Blacklist (static assignment - PREVENTS profiler override)
netapi ise update-endpoint-group C8:5B:76:C6:59:62 Blacklist

# Move to Profiled group (allow profiler to re-assign)
netapi ise update-endpoint-group 00:11:22:33:44:55 Profiled --no-static

# Move to trusted users group
netapi ise update-endpoint-group 70:15:FB:F8:47:EC Trusted_Users

Options
  --static       Static group assignment (default): ISE Profiling will NOT change the group. This sets staticGroupAssignment=true via OpenAPI.
  --no-static    Allow ISE Profiling to automatically re-assign the group based on profiling policy

Why OpenAPI Instead of ERS?

The ISE ERS API (via the ciscoisesdk library) has a known bug where it fails to properly set the staticGroupAssignment parameter. When you use ERS to move an endpoint to a group, ISE Profiling can still override your assignment and move the device back to a system group like "Unknown" or "Profiled".

The OpenAPI v1 endpoint (PUT /api/v1/endpoint/{id}) works correctly and properly sets staticGroupAssignment=true, preventing ISE Profiling from overriding your group assignment.

This command automatically:

  1. Looks up endpoint ID using MAC address (via ERS)

  2. Looks up group ID using group name (via ERS)

  3. Updates the endpoint using OpenAPI PUT (properly sets staticGroupAssignment)

For production Linux workstation deployments using 802.1X: Always use --static (the default) to prevent ISE Profiling from moving Linux workstations out of their correct identity groups.
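The three-step move above, as an added Python example (not netapi's own code), with the read-back check a practitioner wants given the ERS bug: after the OpenAPI PUT it fetches the endpoint again and fails loudly if groupId or staticGroupAssignment did not stick. The HTTP call is injected so the demo runs offline against a constructed in-memory fake; the ERS/OpenAPI paths, filter syntax and JSON field names are assumptions, and the ids in the fake are hypothetical.

```python
import re

ERS_EP = "/ers/config/endpoint"          # ERS: search endpoints (filter=mac.EQ.<mac>)
ERS_GRP = "/ers/config/endpointgroup"    # ERS: search identity groups (filter=name.EQ.<name>)
OPENAPI_EP = "/api/v1/endpoint"          # OpenAPI v1: PUT/GET /api/v1/endpoint/{id}

def normalize_mac(mac):
    """ISE keys endpoints by uppercase, colon-separated MAC; accept dash/dot/bare forms too."""
    hexd = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexd) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2)).upper()

def _ers_id(http, path, filt):
    """ERS search by filter; insist on exactly one hit so the wrong object is never touched."""
    hits = http("GET", f"{path}?filter={filt}")["SearchResult"]["resources"]
    if len(hits) != 1:
        raise LookupError(f"{path}?filter={filt}: expected 1 match, got {len(hits)}")
    return hits[0]["id"]

def move_endpoint_to_group(http, mac, group_name, static=True):
    """Steps 1-2 via ERS, step 3 via OpenAPI PUT, then read back to prove the flag stuck."""
    mac = normalize_mac(mac)
    ep_id = _ers_id(http, ERS_EP, f"mac.EQ.{mac}")           # step 1: MAC -> endpoint id
    grp_id = _ers_id(http, ERS_GRP, f"name.EQ.{group_name}")  # step 2: name -> group id
    http("PUT", f"{OPENAPI_EP}/{ep_id}",                      # step 3: OpenAPI update
         {"mac": mac, "groupId": grp_id, "staticGroupAssignment": static})
    after = http("GET", f"{OPENAPI_EP}/{ep_id}")              # verify: did ISE keep the flag?
    if after.get("groupId") != grp_id or bool(after.get("staticGroupAssignment")) != static:
        raise RuntimeError(f"{mac}: ISE did not record the group/static flag as requested")
    return ep_id, grp_id

def make_fake_ise():
    """Constructed in-memory stand-in for both ISE APIs (hypothetical ids, not real ISE data)."""
    eps = {"ep-1": {"mac": "C8:5B:76:C6:59:62", "groupId": "grp-profiled",
                    "staticGroupAssignment": False}}
    groups = {"Profiled": "grp-profiled", "Blacklist": "grp-black"}
    def http(method, path, body=None):
        if method == "GET" and path.startswith(f"{ERS_EP}?filter=mac.EQ."):
            want = path.split("mac.EQ.", 1)[1]
            hits = [{"id": k} for k, v in eps.items() if v["mac"] == want]
            return {"SearchResult": {"resources": hits}}
        if method == "GET" and path.startswith(f"{ERS_GRP}?filter=name.EQ."):
            gid = groups.get(path.split("name.EQ.", 1)[1])
            return {"SearchResult": {"resources": [{"id": gid}] if gid else []}}
        ep_id = path.rsplit("/", 1)[1]
        if method == "PUT":
            eps[ep_id].update(body)          # OpenAPI honours staticGroupAssignment
            return {}
        return dict(eps[ep_id])              # GET /api/v1/endpoint/{id}
    return http
```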

get-endpoint-groups

List all endpoint identity groups.

netapi ise get-endpoint-groups
netapi ise get-endpoint-groups --size 50 --page 2
Options
--size, -s INTEGER    Results per page (default: 100)
--page, -p INTEGER    Page number (default: 1)

ANC (Adaptive Network Control)

Quarantine or restrict endpoints using ANC policies.

anc-apply

Apply ANC policy to endpoint (quarantine, port bounce, etc.).

# Quarantine an endpoint
netapi ise anc-apply C8:5B:76:C6:59:62 Quarantine

# Shut down port
netapi ise anc-apply 00:11:22:33:44:55 Shut_Down

# Port bounce (re-auth)
netapi ise anc-apply 70:15:FB:F8:47:EC Port_Bounce

anc-clear

Remove the ANC policy from an endpoint.

netapi ise anc-clear C8:5B:76:C6:59:62

get-anc-endpoints

List endpoints with ANC policies applied.

netapi ise get-anc-endpoints

Rejected Endpoints

Manage endpoints blocked by anti-RADIUS-spray protection.

get-rejected-endpoints

List all rejected endpoints with their MAC addresses and the rejection reason.

netapi ise get-rejected-endpoints

Sample Output
✓ Found 2 rejected endpoint(s)
       Rejected Endpoints
┏━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┓
┃ MAC Address       ┃ Reason   ┃
┡━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━┩
│ 44:1B:88:75:CF:74 │ EndPoint │
│ 3C:EC:EF:43:4D:49 │ EndPoint │
└───────────────────┴──────────┘

release-rejected

Release a rejected endpoint to allow new authentication attempts.

netapi ise release-rejected 14:F6:D8:7B:31:80

Use Cases

Audit: Who Added Device to Identity Group

Find out who moved an endpoint to a specific identity group and when.

#!/bin/bash
# Usage: audit-endpoint.sh <MAC>
MAC="$1"
[ -n "$MAC" ] || { echo "usage: $0 <MAC>" >&2; exit 1; }

echo "=== Endpoint Modification History ==="
# Pull the endpoint record as JSON and keep only the who/when fields
netapi ise get-endpoint "$MAC" --format json | jq '{
  mac,
  current_group: ._group_name,
  modified_by: .modifiedBy,
  modified_date: .modifiedDate,
  created_by: .createdBy,
  created_date: .createdDate,
  static_group_assignment: .staticGroupAssignment
}'

echo ""
echo "=== Recent Configuration Changes (Last 7 Days) ==="
echo "Checking DataConnect for endpoint modifications..."
# 168 hours = 7 days; match the MAC case-insensitively
netapi ise dc config-changes --type "Endpoint" --hours 168 --limit 100 | grep -i "$MAC" || echo "No recent changes found in config audit"

echo ""
echo "=== Authentication History (Shows Group at Auth Time) ==="
netapi ise dc auth-history "$MAC" --limit 10

Alternative: GUI Path for Full Audit Trail

If programmatic access isn’t sufficient:

  1. Navigate to: Operations > Reports > Reports > Audit > Change Configuration Audit

  2. Filter by:

    • Object Type: "Endpoint" or "Endpoint Identity Group"

    • Time Range: Last 7 days (or custom)

  3. Search for the MAC address in results

This shows the full audit trail including:

    • Who made the change (admin username)

    • What was changed (group assignment)

    • When it was changed (timestamp)

    • Source IP of the admin

Investigate Endpoint

#!/bin/bash
MAC="$1"

echo "=== Endpoint Details ==="
netapi ise get-endpoint "$MAC" --full

echo ""
echo "=== Current Session (MnT) ==="
netapi ise mnt session "$MAC"

Quarantine Compromised Device

#!/bin/bash
MAC="$1"
echo "Quarantining: $MAC"

# Apply quarantine policy
netapi ise anc-apply "$MAC" Quarantine

# Verify
netapi ise get-anc-endpoints | grep "$MAC"

Cleanup Old Endpoints

#!/bin/bash
# Find and remove endpoints from a specific group.
# --all is required: without it get-endpoints returns only the first page (100 entries).
for mac in $(netapi ise get-endpoints --group "Old_Devices" --all | grep -oiE '([0-9A-F]{2}:){5}[0-9A-F]{2}'); do
  echo "Deleting: $mac"
  netapi ise delete-endpoint "$mac" --force
done

Blacklist a Device

#!/bin/bash
MAC="$1"
REASON="$2"

# Move to Blacklist group
netapi ise update-endpoint-group "$MAC" Blacklist

# Apply quarantine immediately
netapi ise anc-apply "$MAC" Quarantine

echo "Blacklisted: $MAC - $REASON"

Force Fresh Authentication (iPSK Troubleshooting)

When an iPSK device fails to connect despite correct PSK, cached endpoint data in ISE may cause issues. Delete and re-authenticate:

#!/bin/bash
MAC="$1"

# Check current state
echo "=== Current Endpoint State ==="
netapi ise get-endpoint "$MAC" 2>/dev/null || echo "Not in ISE"

# Check recent auth attempts
echo ""
echo "=== Recent Auth History ==="
netapi ise dc auth-history "$MAC" --hours 1

# Delete cached endpoint to force fresh auth
echo ""
echo "Deleting endpoint to force fresh authentication..."
netapi ise delete-endpoint "$MAC" --force

# Verify deleted
echo ""
echo "=== Verification ==="
if netapi ise get-endpoint "$MAC" 2>&1 | grep -q "not found"; then
  echo "✓ Endpoint deleted - ready for fresh auth"
else
  echo "✗ Endpoint still present - check the delete step above"
fi

echo ""
echo "Now reconnect device to WLAN. Then verify:"
echo "  netapi ise dc auth-history $MAC --hours 1"
echo "  netapi ise mnt session $MAC"