ERS API Commands

Overview

The ERS (External RESTful Services) API provides CRUD operations for ISE configuration objects.

The ERS API runs on port 9060 and accepts JSON or XML. It must be enabled in ISE under Administration > System > Settings > API Settings.

Command Categories

| Category | Commands |
|---|---|
| Endpoints | get-endpoints, get-endpoint, create-endpoint |
| Identity Groups | get-identity-groups, get-identity-group |
| Authentication Rules | get-auth-rules, add-auth-rule, delete-auth-rule |
| Authorization Profiles | get-authz-profiles, create-authz-profile, update-authz-profile |
| Authorization Rules | get-authz-rules, add-authz-rule, delete-authz-rule |
| dACLs | get-dacls, get-dacl, create-dacl |
| Network Devices | get-nads, get-nad, create-nad |
| Certificate Profiles | get-cert-profiles, create-cert-profile |
| Profiler Profiles | get-profiler-profiles, get-profiler-profile |
| Portals | list-all-portals, get-sponsor-portals, get-sponsored-guest-portals, get-ise-portal, set-ise-portal-cert-group |

Quick Examples

# Endpoints
netapi ise get-endpoints
netapi ise get-endpoint 00:11:22:33:44:55

# Authentication rules
netapi ise get-auth-rules "Corp WIFI"
netapi ise add-auth-rule "Corp WIFI" "BYOD_Cert_Auth" "BYOD_Cert_Profile"
netapi ise delete-auth-rule "Corp WIFI" "BYOD_Cert_Auth" --force

# Authorization profiles
netapi ise get-authz-profiles
netapi ise get-authz-profile Domus_Secure_Profile

# Authorization rules
netapi ise get-authz-rules "Wired Dot1X Closed"
netapi ise add-authz-rule "Wired Dot1X Closed" "MyRule" "MyProfile"
netapi ise delete-authz-rule "Wired Dot1X Closed" "MyRule" --force

# dACLs (Downloadable ACLs)
netapi ise get-dacls
netapi ise get-dacl PERMIT_ALL

# Network Access Devices
netapi ise get-nads

YAML-Based Bulk Operations

# Create multiple authz profiles from YAML
netapi ise create-authz-profiles-from-file profiles.yaml

# Update existing profiles
netapi ise update-authz-profiles-from-file profiles.yaml

Example profiles.yaml:

profiles:
  - name: Domus_Secure_Profile
    description: "Trusted users - full access"
    access_type: ACCESS_ACCEPT
    vlan:
      name: DATA_VLAN
      tag: 1
    dacl_name: DACL_SECURE_FULL
    reauth_timer: 28800

  - name: Domus_IoT_Profile
    description: "IoT devices - restricted"
    access_type: ACCESS_ACCEPT
    vlan:
      name: IOT_VLAN
      tag: 1
    dacl_name: DACL_IOT_RESTRICTED
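
A bulk create or update changes network access policy for every profile in the file, so it is worth linting the file before running it. The check below is an added example, not part of netapi or ISE; the key names are those in the example file above, and the rules (two permitted access types, a dACL on every accept profile, VLAN tag 1-4094, reauth timer 1-65535 seconds) are assumed policy.

```python
# Added example: lint a parsed profiles.yaml before a bulk create/update.
# Keys are those in the page's example file; every rule is an assumed policy.
VALID_ACCESS_TYPES = {"ACCESS_ACCEPT", "ACCESS_REJECT"}


def lint_profiles(doc):
    """Return (profile, message) findings for the output of yaml.safe_load()."""
    profiles = doc.get("profiles") if isinstance(doc, dict) else None
    if not isinstance(profiles, list) or not profiles:
        return [("<file>", "top-level 'profiles' list is missing or empty")]
    findings, seen = [], set()
    for idx, prof in enumerate(profiles):
        if not isinstance(prof, dict) or not prof.get("name"):
            findings.append((f"#{idx}", "entry is not a mapping with a name"))
            continue
        name = prof["name"]
        if name in seen:
            findings.append((name, "duplicate name"))
        seen.add(name)
        access = prof.get("access_type")
        if access not in VALID_ACCESS_TYPES:
            findings.append((name, f"unexpected access_type {access!r}"))
        # Assumed policy: every accept profile must name a dACL.
        if access == "ACCESS_ACCEPT" and not prof.get("dacl_name"):
            findings.append((name, "ACCESS_ACCEPT without dacl_name"))
        vlan = prof.get("vlan")
        if vlan is not None:
            tag = vlan.get("tag") if isinstance(vlan, dict) else None
            if type(tag) is not int or not 1 <= tag <= 4094:
                findings.append((name, "vlan tag must be an integer 1-4094"))
        timer = prof.get("reauth_timer")
        if timer is not None and (type(timer) is not int or not 1 <= timer <= 65535):
            findings.append((name, "reauth_timer must be 1-65535 seconds"))
    return findings


# The page's two profiles as yaml.safe_load() would return them.
PAGE_SAMPLE = {"profiles": [
    {"name": "Domus_Secure_Profile", "description": "Trusted users - full access",
     "access_type": "ACCESS_ACCEPT", "vlan": {"name": "DATA_VLAN", "tag": 1},
     "dacl_name": "DACL_SECURE_FULL", "reauth_timer": 28800},
    {"name": "Domus_IoT_Profile", "description": "IoT devices - restricted",
     "access_type": "ACCESS_ACCEPT", "vlan": {"name": "IOT_VLAN", "tag": 1},
     "dacl_name": "DACL_IOT_RESTRICTED"},
]}
# Constructed bad entry: reused name, no dACL, invalid VLAN tag and timer.
BAD_SAMPLE = {"profiles": PAGE_SAMPLE["profiles"] + [
    {"name": "Domus_IoT_Profile", "access_type": "ACCESS_ACCEPT",
     "vlan": {"name": "IOT_VLAN", "tag": 5000}, "reauth_timer": 0},
]}
```

An empty list from lint_profiles() means the file passed; anything else should block the create-authz-profiles-from-file or update-authz-profiles-from-file run.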

API Endpoint Reference

| Resource | Endpoint | Methods |
|---|---|---|
| Endpoints | /ers/config/endpoint | GET, POST, PUT, DELETE |
| Identity Groups | /ers/config/endpointgroup | GET, POST, PUT, DELETE |
| Authorization Profiles | /ers/config/authorizationprofile | GET, POST, PUT, DELETE |
| dACLs | /ers/config/downloadableacl | GET, POST, PUT, DELETE |
| Network Devices | /ers/config/networkdevice | GET, POST, PUT, DELETE |
| Profiler Profiles | /ers/config/profilerprofile | GET (read-only) |
| Sponsor Portals | /ers/config/sponsorportal | GET, POST, PUT, DELETE |
| Sponsored Guest Portals | /ers/config/sponsoredguestportal | GET, POST, PUT, DELETE |