Rejected Endpoints

Overview

ISE’s anti-RADIUS-spray protection blocks endpoints after repeated authentication failures. These commands manage rejected endpoints.

Commands

| Command | Description |
|---|---|
| get-rejected-endpoints | List all rejected/blocked endpoints |
| release-rejected | Release endpoint from rejection |

List Rejected Endpoints

netapi ise get-rejected-endpoints

Release Rejected Endpoint

# Release specific endpoint
netapi ise release-rejected 14:F6:D8:7B:31:80
netapi ise release-rejected C8:5B:76:C6:59:62

Sample Output

✓ Found 2 rejected endpoint(s)
       Rejected Endpoints
┏━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┓
┃ MAC Address       ┃ Reason   ┃
┡━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━┩
│ 44:1B:88:75:CF:74 │ EndPoint │
│ 3C:EC:EF:43:4D:49 │ EndPoint │
└───────────────────┴──────────┘

The ISE ERS API returns EndPoint as the reason field for all rejections. To find the actual rejection cause (auth failures, RADIUS spray, etc.), run netapi ise dc auth-history <MAC> and inspect the failure reason in the authentication logs.

Use Cases

Help Desk Script

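#!/bin/bash
# Release endpoint for help desk ticket
MAC="$1"

# Require the MAC address argument
if [ -z "$MAC" ]; then
  echo "Usage: $0 <MAC>" >&2
  exit 1
fi

echo "Releasing $MAC from rejection..."
# Report success only if the release command actually succeeded
if ! netapi ise release-rejected "$MAC"; then
  echo "Release failed for $MAC" >&2
  exit 1
fi
echo "Done. User should retry authentication."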

List and Review

#!/bin/bash
# Review rejected endpoints before release
netapi ise get-rejected-endpoints

# Release specific endpoint after review
netapi ise release-rejected "14:F6:D8:7B:31:80"

Why Endpoints Get Rejected

| Reason | Cause | Resolution |
|---|---|---|
| Auth failures | Wrong password/cert | Fix credentials, then release |
| RADIUS spray | Brute force attack | Investigate first, then release if legitimate |
| Misconfiguration | Wrong supplicant settings | Fix client config, then release |
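
The review step that the note under Sample Output and the RADIUS spray row call for, as an added example that is not part of netapi or the original page. It uses only the three netapi commands shown above and assumes the rejected list has the table layout from Sample Output; the function names and the ticket-number confirmation are hypothetical.

```sh
#!/bin/sh
# Added example (not part of netapi): validate, review, then release.

# Rows copied from this page's Sample Output, for offline checks of the parser.
SAMPLE_TABLE='│ 44:1B:88:75:CF:74 │ EndPoint │
│ 3C:EC:EF:43:4D:49 │ EndPoint │'

# Normalize colon, dash, dot or bare-hex input to AA:BB:CC:DD:EE:FF.
# Returns 1 for anything that is not exactly 12 hex digits, which also keeps
# option-like strings such as "--help" away from the netapi command line.
normalize_mac() {
  hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'a-f' 'A-F')
  case $hex in *[!0-9A-F]*) return 1 ;; esac
  [ "${#hex}" -eq 12 ] || return 1
  printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Print every MAC found in get-rejected-endpoints output read from stdin.
rejected_macs() {
  grep -Eo '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' | tr 'a-f' 'A-F'
}

# Succeed only if the normalized MAC in $1 is listed in the table on stdin.
is_rejected() {
  rejected_macs | grep -Fxq -e "$1"
}

# Review-then-release flow for one endpoint; nonzero return means no release.
review_and_release() {
  mac=$(normalize_mac "$1") || { echo "Invalid MAC: $1" >&2; return 2; }
  list=$(netapi ise get-rejected-endpoints) || { echo "Listing failed" >&2; return 1; }
  if ! printf '%s\n' "$list" | is_rejected "$mac"; then
    echo "$mac is not currently rejected; nothing to release." >&2
    return 3
  fi
  # The reason column only says EndPoint, so show the authentication history
  # and let the operator decide whether this was spray or a user mistake.
  netapi ise dc auth-history "$mac"
  printf 'Ticket number to release %s (empty aborts): ' "$mac" >&2
  read -r ticket || ticket=""
  [ -n "$ticket" ] || { echo "Aborted; $mac stays rejected." >&2; return 4; }
  netapi ise release-rejected "$mac" || { echo "Release failed: $mac" >&2; return 1; }
  echo "Released $mac (ticket $ticket). User should retry authentication."
}

# As a script, finish with:  review_and_release "$1"
```

Return codes 2, 3 and 4 mean invalid input, not in the rejected list, and operator abort, so a wrapper can tell a refused release from a failed one.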