ERS Internal Users
Synopsis
netapi ise get-internal-users [OPTIONS]
netapi ise get-internal-user <USERNAME>
netapi ise create-internal-user <USERNAME> [OPTIONS]
netapi ise update-internal-user <USERNAME> [OPTIONS]
netapi ise delete-internal-user <USERNAME> [OPTIONS]Description
Manage ISE internal users for local authentication. Internal users are stored in ISE’s local database and can be used for:
-
Guest access (sponsor portal, guest portal)
-
Admin access (GUI, CLI, ERS API)
-
RADIUS authentication (when AD is unavailable)
-
Testing and troubleshooting
Commands
get-internal-users
List all internal users.
netapi ise get-internal-users
netapi ise get-internal-users --size 50 --page 2--size, -s INTEGER Results per page (default: 100)
--page, -p INTEGER Page number (default: 1)get-internal-user
Get specific user details.
netapi ise get-internal-user jdoe
netapi ise get-internal-user admincreate-internal-user
Create a new internal user.
# Basic user
netapi ise create-internal-user jdoe \
--password SecurePass123! \
--first-name John \
--last-name Doe
# With identity group
netapi ise create-internal-user research_admin \
--password AdminPass456! \
--identity-group Research_Admins \
--email admin@research.org
# Guest user
netapi ise create-internal-user guest001 \
--password GuestPass! \
--identity-group Guest \
--enabled false--password TEXT User password (required)
--first-name TEXT First name
--last-name TEXT Last name
--email TEXT Email address
--identity-group TEXT Identity group name
--enabled / --disabled Account status (default: enabled)update-internal-user
Update an existing internal user.
# Update password
netapi ise update-internal-user jdoe \
--password NewPass789!
# Update email
netapi ise update-internal-user jdoe \
--email newemail@research.org
# Change identity group
netapi ise update-internal-user jdoe \
--identity-group Research_Staff
# Disable account
netapi ise update-internal-user guest001 --disabled--password TEXT New password
--first-name TEXT New first name
--last-name TEXT New last name
--email TEXT New email address
--identity-group TEXT New identity group
--enabled / --disabled Enable or disable accountUse Cases
Create Guest Users
#!/bin/bash
# Create temporary guest users for conference
for i in {1..10}; do
netapi ise create-internal-user "guest$(printf %03d $i)" \
--password "Conference2026!" \
--identity-group Guest \
--email "guest${i}@conference.org"
doneBulk Import from CSV
#!/bin/bash
# Import users from CSV file
# Format: username,password,first_name,last_name,email,group
while IFS=, read -r user pass fname lname email group; do
netapi ise create-internal-user "$user" \
--password "$pass" \
--first-name "$fname" \
--last-name "$lname" \
--email "$email" \
--identity-group "$group"
done < users.csvPassword Reset for Multiple Users
#!/bin/bash
# Reset passwords for all guest users
NEW_PASS="NewGuest2026!"
netapi ise get-internal-users | grep "guest" | while read user; do
echo "Resetting password for: $user"
netapi ise update-internal-user "$user" --password "$NEW_PASS"
donePassword Requirements
ISE enforces password complexity by default:
-
Minimum 8 characters
-
At least 1 uppercase letter
-
At least 1 lowercase letter
-
At least 1 digit
-
At least 1 special character
-
Cannot contain username
Example valid passwords:
SecurePass123!
Admin@2026Lab
Guest#Temp456Identity Groups
Internal users must be assigned to an identity group. Common groups:
| Group | Purpose | Use Case |
|---|---|---|
Guest |
Guest portal access |
Temporary users, visitors |
Sponsor |
Guest sponsor access |
Create/manage guest accounts |
ERS Admin |
ERS API access |
Automation, scripts |
Admin Access |
ISE admin access |
GUI, CLI administration |
User Identity Groups |
Custom groups |
Organizational structure |
Related Commands
-
Identity Groups - User identity group management
-
Endpoints - Endpoint management
-
Command Reference - Complete command list