ERS Identity Groups

Overview

Identity groups (ISE's User Identity Groups) are static groups of internal users and certificate-authenticated identities that are referenced as conditions in authorization policies. They are distinct from endpoint identity groups, which group devices by MAC address for MAB authorization.

Key Differences:

  • Identity Groups (this page): Group users/certificates for EAP-TLS authorization (e.g., Employee, Workstation, Servers)

  • Endpoint Groups: Group devices by MAC address for MAB authorization (e.g., Android, Blacklist, GuestEndpoints)

Synopsis

netapi ise get-identity-groups [OPTIONS]
netapi ise create-identity-group <NAME> [OPTIONS]
netapi ise delete-identity-group <NAME> [OPTIONS]

Commands

get-identity-groups

List all user/certificate identity groups.

# List all identity groups
netapi ise get-identity-groups

# With pagination
netapi ise get-identity-groups --size 50 --page 2

# JSON output
netapi ise get-identity-groups --format json

# Table format
netapi ise get-identity-groups --format table

Options

--size, -s INTEGER    Results per page (default: 100)
--page, -p INTEGER    Page number (default: 1)
--format FORMAT       Output format: json or table

Sample Output

Name                          ID                                     Description
----                          --                                     -----------
ALL_ACCOUNTS (default)        a176c430-8c01-11e6-996c-525400b48521   Default ALL_ACCOUNTS
Employee                      a1740510-8c01-11e6-996c-525400b48521   Default Employee User Group
GuestType_Weekly              9efe2310-8c01-11e6-996c-525400b48521   Identity group mirroring guest type
Linux-Research-Workstations   e1b145c0-fcef-11f0-9bb2-fafc6167f873   Linux research workstations

create-identity-group

Create a new identity group for certificate-based or user-based authorization.

# Basic identity group
netapi ise create-identity-group "Linux-Research-Workstations"

# With description (recommended)
netapi ise create-identity-group "Linux-Research-Workstations" \
    --description "Linux research workstations - certificate-based identity for EAP-TLS"

# With parent group
netapi ise create-identity-group "Research-Linux" \
    --parent "User Identity Groups" \
    --description "Research Linux machines"

# Short flag
netapi ise create-identity-group "Contractors" -d "External contractor accounts"
Table 1. Parameters

Parameter          Required   Description
---------          --------   -----------
NAME               Yes        Identity group name (e.g., "Linux-Research-Workstations")
--description, -d  No         Human-readable description of the group’s purpose
--parent, -p       No         Parent identity group name (for nested groups)

delete-identity-group

Delete an identity group. Requires confirmation unless --force is used.

# Delete with confirmation prompt
netapi ise delete-identity-group "Test-Group"

# Force delete (no confirmation)
netapi ise delete-identity-group "Test-Group" --force

Deleting an identity group breaks every authorization rule whose condition references it (for example an IdentityGroup Name condition like the one under Integration with Authorization Policies below). Confirm the group is no longer referenced in active policies before deleting it, and reserve --force for automation where the check has already been done.

Use Cases

EAP-TLS Workstation Deployment

Create identity groups for certificate-based authentication:

# Create identity group for Linux workstations
netapi ise create-identity-group "Linux-Research-Workstations" \
    --description "Linux research workstations - certificate-based identity for EAP-TLS"

# Create identity group for Windows workstations
netapi ise create-identity-group "Windows-Corporate-Workstations" \
    --description "Windows domain-joined workstations"

# Verify creation
netapi ise get-identity-groups | grep -i workstation

User-Based Authorization

Create identity groups for role-based access:

# Create groups for different user roles
netapi ise create-identity-group "IT-Administrators" \
    --description "IT staff with elevated privileges"

netapi ise create-identity-group "Guest-Users" \
    --description "Temporary guest access"

netapi ise create-identity-group "Contractors" \
    --description "External contractor accounts"

CI/CD Usage

Identity groups can be created from a pipeline step. Note that create-identity-group is not idempotent: ISE does not allow two identity groups with the same name, so re-running this step against an ISE that already has the groups fails at the first duplicate. Either run it once, or check for the group with get-identity-groups before creating it.

- name: Ensure identity groups exist
  run: |
    # Create identity groups for EAP-TLS deployment
    netapi ise create-identity-group "Linux-Research-Workstations" \
        --description "Linux research workstations - certificate-based identity for EAP-TLS"

    netapi ise create-identity-group "Medical-Devices" \
        --description "Medical equipment with device certificates"

    netapi ise create-identity-group "IoT-Sensors" \
        --description "IoT temperature sensors with mutual TLS"
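
The workflow step above re-runs create-identity-group unconditionally, and the delete section relies on knowing whether a group is still present. The following helper, an added example rather than netapi's own code, makes the CI step idempotent using only the commands documented on this page: it parses the fixed-width table that get-identity-groups prints, resolves a group name to its ISE object ID, and creates the group only when it is absent. It assumes (none of this is confirmed by the page) that the table always has the UUID in the second column, that " (default)" on built-in groups is display decoration, and that create-identity-group exits non-zero when ISE rejects a duplicate name. The NETAPI variable is the example's own, so a wrapper or test stub can be substituted.

```shell
#!/bin/sh
# Added example, not part of netapi: an idempotent "ensure identity group exists"
# helper for CI jobs, built only on the commands documented on this page.
# Assumptions not confirmed by the page:
#   - get-identity-groups prints the fixed-width table shown in Sample Output,
#     with the ISE object ID (a UUID) in the second column and " (default)"
#     appended to built-in groups purely as a display decoration;
#   - create-identity-group exits non-zero when ISE rejects a duplicate name.
# NETAPI can be overridden to point at a wrapper or a test stub.

NETAPI="${NETAPI:-netapi}"

# UUID regex spelled out per character so it works in every awk (no {n} intervals).
H='[0-9a-fA-F]'
UUID_RE="$H$H$H$H$H$H$H$H-$H$H$H$H-$H$H$H$H-$H$H$H$H-$H$H$H$H$H$H$H$H$H$H$H$H"
TAB=$(printf '\t')

# Turn the table on stdin into "name<TAB>id" lines; the header and the
# dashed separator row contain no UUID and are dropped.
parse_identity_groups() {
    awk -v re="$UUID_RE" '
        match($0, re) {
            name = substr($0, 1, RSTART - 1)
            sub(/[ \t]+$/, "", name)          # strip column padding
            sub(/ \(default\)$/, "", name)    # strip the "(default)" marker
            printf "%s\t%s\n", name, substr($0, RSTART, RLENGTH)
        }'
}

# Print the ISE object ID of the group NAME; exit 1 if there is no such group.
# The comparison is exact, so "Employee" does not match "Employee-Temp".
identity_group_id() {
    "$NETAPI" ise get-identity-groups | parse_identity_groups \
        | awk -F "$TAB" -v want="$1" '$1 == want { print $2; found = 1 } END { exit !found }'
}

# Create NAME (with optional DESCRIPTION) unless it already exists. Returns 0
# whenever the group ends up present, so a CI step can be re-run safely.
ensure_identity_group() {
    name=$1
    desc=${2:-}
    if id=$(identity_group_id "$name"); then
        echo "identity group already exists: $name ($id)" >&2
        return 0
    fi
    if [ -n "$desc" ]; then
        "$NETAPI" ise create-identity-group "$name" --description "$desc"
    else
        "$NETAPI" ise create-identity-group "$name"
    fi
}

# Typical CI usage, mirroring the three groups in the workflow step above:
#   ensure_identity_group "Linux-Research-Workstations" \
#       "Linux research workstations - certificate-based identity for EAP-TLS"
#   ensure_identity_group "Medical-Devices" "Medical equipment with device certificates"
#   ensure_identity_group "IoT-Sensors"     "IoT temperature sensors with mutual TLS"
```

Because identity_group_id prints the object ID, the same helper is useful before delete-identity-group: a non-zero exit means the group is already gone and the delete can be skipped rather than failing the job.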

Integration with Authorization Policies

Identity groups are used in authorization policy conditions to match authenticated users/certificates:

# Create the identity group first
netapi ise create-identity-group "Linux-Research-Workstations" \
    --description "Linux research workstations - certificate-based identity for EAP-TLS"

# Then reference it in an authorization rule
netapi ise add-authz-rule "Wired Dot1X Closed" \
    "Linux_Research_EAP-TLS" \
    "Linux_Research_Profile" \
    --dict "IdentityGroup" \
    --attr "Name" \
    --value "Linux-Research-Workstations" \
    --operator "equals"

See Also