Authentication Deep Dive

Overview

ISE APIs use different authentication methods depending on the API type:

API           Method       Notes
ERS           Basic Auth   Username/password over HTTPS
OpenAPI v1    Basic Auth   Same credentials as ERS
MnT           Basic Auth   Same credentials as ERS
DataConnect   JDBC Auth    Separate DataConnect credentials
pxGrid        mTLS         Client certificates required

Basic Authentication (ERS, OpenAPI, MnT)

Requirements

  1. User account in ISE Administration > System > Admin Access

  2. ERS Admin role assigned

  3. ERS enabled: Administration > System > Settings > ERS Settings

curl Implementation

# Load credentials
dsource d000 dev/network

# Option 1: Inline credentials
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  "https://${ISE_PAN_IP}:9060/ers/config/endpoint" \
  -H "Accept: application/json"

# Option 2: Using .netrc file
echo "machine ${ISE_PAN_IP} login ${ISE_API_USER} password ${ISE_API_PASS}" >> ~/.netrc
chmod 600 ~/.netrc
curl -sk --netrc "https://${ISE_PAN_IP}:9060/ers/config/endpoint"

netapi Implementation

netapi reads credentials from environment variables set by dsource:

# Load credentials
dsource d000 dev/network

# netapi uses ISE_PAN_IP, ISE_API_USER, ISE_API_PASS automatically
netapi ise get-endpoints

Security Best Practices

  • Never hardcode credentials in scripts

  • Use secrets manager (dsec, HashiCorp Vault, etc.)

  • Rotate credentials regularly

  • Use read-only accounts where possible

JDBC Authentication (DataConnect)

Requirements

  1. DataConnect enabled: Administration > System > Settings > DataConnect

  2. DataConnect user created with password

  3. Port 2484 accessible

Configuration

# Add DataConnect credentials
dsec add d000 dev/network/ISE_DC_USER "dataconnect"
dsec add d000 dev/network/ISE_DC_PASS "dc-password"

# Test connection
dsource d000 dev/network
netapi ise dc test

Direct JDBC Connection

# Using SQLcl or SQL*Plus
sql "${ISE_DC_USER}/${ISE_DC_PASS}@//${ISE_PAN_IP}:2484/cpm10"

# Using Python (python-oracledb); credentials are read from the environment so that
# quotes or other special characters in the password cannot break the script
python - <<'EOF'
import os
import oracledb

conn = oracledb.connect(
    user=os.environ["ISE_DC_USER"],
    password=os.environ["ISE_DC_PASS"],
    dsn=f"{os.environ['ISE_PAN_IP']}:2484/cpm10",
)
print("Connected:", conn.version)
EOF

mTLS Authentication (pxGrid)

Requirements

  1. pxGrid enabled: Administration > pxGrid Services

  2. Client certificate issued by ISE Internal CA or trusted CA

  3. Certificate approved in pxGrid Clients

Certificate Generation

# Generate private key
openssl genrsa -out pxgrid-client.key 2048

# Generate CSR
openssl req -new -key pxgrid-client.key \
  -out pxgrid-client.csr \
  -subj "/CN=pxgrid-client/O=Domus Digitalis"

# Submit CSR to ISE Internal CA or external CA
# Download signed certificate as pxgrid-client.pem

# Download ISE trust chain: s_client prints every certificate the admin portal presents on 443;
# keep only the PEM blocks so the file can be passed to curl --cacert later
openssl s_client -connect "${ISE_PAN_IP}:443" -showcerts </dev/null 2>/dev/null | \
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > ise-trust-chain.pem

pxGrid Client Approval

  1. Navigate to Administration > pxGrid Services > Clients

  2. Find pending client certificate

  3. Click Approve

Connection Test

# Test pxGrid WebSocket connection
netapi ise pxgrid test

# Or with curl (REST control API)
curl -sk --cert pxgrid-client.pem --key pxgrid-client.key \
  --cacert ise-trust-chain.pem \
  "https://${ISE_PAN_IP}:8910/pxgrid/control/AccountActivate" \
  -H "Content-Type: application/json" \
  -d '{}'
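A handshake that fails at AccountActivate is usually a problem with the client material rather than with pxGrid itself. The preflight below is an added example (not netapi or page code): it checks that the certificate belongs to the private key, is not expired, and verifies against the CA that signed the CSR; the file names follow the steps above, and issuer-ca.pem (the signing CA in PEM form) and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical pxGrid mTLS preflight (added example). Requires openssl.
# Usage: pxgrid_preflight pxgrid-client.pem pxgrid-client.key issuer-ca.pem

# The certificate must carry the public key derived from our private key,
# otherwise ISE will reject the TLS handshake before any pxGrid call happens.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# A certificate that is already expired fails even if the approval in
# pxGrid Clients is still in place (-checkend 0: not expired right now).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# The client cert must chain to the CA that issued it (ISE Internal CA or
# the external CA the CSR was submitted to), not to an arbitrary trust store.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

pxgrid_preflight() {
    cert=$1; key=$2; issuer_ca=$3
    cert_matches_key "$cert" "$key"  || { echo "FAIL: $cert was not issued for $key"; return 1; }
    cert_not_expired "$cert"         || { echo "FAIL: $cert has expired"; return 1; }
    cert_chains_to "$cert" "$issuer_ca" || { echo "FAIL: $cert does not verify against $issuer_ca"; return 1; }
    echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
}
```

Run the preflight before the curl call to /pxgrid/control/AccountActivate; a FAIL line points at the file to regenerate or re-approve.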

Credential Management

# Structure
dsec add d000 dev/network/ISE_PAN_IP "10.50.1.20"
dsec add d000 dev/network/ISE_API_USER "ersadmin"
dsec add d000 dev/network/ISE_API_PASS "password"
dsec add d000 dev/network/ISE_DC_USER "dataconnect"
dsec add d000 dev/network/ISE_DC_PASS "dc-password"

# Load all at once
dsource d000 dev/network

# Variables available:
# ISE_PAN_IP, ISE_API_USER, ISE_API_PASS, ISE_DC_USER, ISE_DC_PASS

Using Environment Variables

# Export directly (less secure)
export ISE_PAN_IP="10.50.1.20"
export ISE_API_USER="ersadmin"
export ISE_API_PASS="password"

# From file
source ~/.ise-credentials

Using HashiCorp Vault

# Read from Vault
export ISE_API_USER=$(vault kv get -field=username secret/ise/api)
export ISE_API_PASS=$(vault kv get -field=password secret/ise/api)

Troubleshooting

401 Unauthorized

# Verify credentials loaded
echo "User: ${ISE_API_USER}"
echo "Pass: ${ISE_API_PASS:0:3}***"  # Show first 3 chars only

# Test with explicit credentials
curl -sk -u "admin:password" "https://${ISE_PAN_IP}:9060/ers/config/endpoint?size=1"

403 Forbidden

User lacks ERS Admin role:

  1. ISE > Administration > System > Admin Access > Administrators

  2. Select user > Admin Groups

  3. Add "ERS Admin" group
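The 401 and 403 checks above can be folded into one diagnostic that reports the HTTP status of a minimal ERS request and what it means. This is an added example, not part of netapi or the original page; it assumes ISE_PAN_IP, ISE_API_USER and ISE_API_PASS are already loaded (for example via dsource) and the function names are hypothetical.

```shell
#!/bin/sh
# Hypothetical ERS credential diagnostic (added example). Usage: ise_ers_check

# Map the HTTP status of an ERS request to the cause discussed in this section.
interpret_ise_status() {
    case "$1" in
        200) echo "200: ERS reachable, credentials accepted" ;;
        401) echo "401: credentials rejected, check ISE_API_USER/ISE_API_PASS" ;;
        403) echo "403: account authenticated but lacks the ERS Admin role" ;;
        000) echo "000: no HTTP response, check ISE_PAN_IP, port 9060 and that ERS is enabled" ;;
        *)   echo "$1: unexpected status, inspect the response body" ;;
    esac
}

# Show only the first three characters of a secret so output is safe to share.
mask_secret() {
    prefix=$(printf '%s' "$1" | cut -c1-3)
    echo "${prefix}***"
}

# Send a one-item ERS query and interpret the status code only; the body is discarded.
ise_ers_check() {
    for v in ISE_PAN_IP ISE_API_USER ISE_API_PASS; do
        eval "val=\${$v}"
        if [ -z "$val" ]; then
            echo "missing: $v is not set (run: dsource d000 dev/network)"
            return 2
        fi
    done
    echo "User: ${ISE_API_USER}  Pass: $(mask_secret "${ISE_API_PASS}")"
    status=$(curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
        -H "Accept: application/json" \
        -o /dev/null -w '%{http_code}' --max-time 10 \
        "https://${ISE_PAN_IP}:9060/ers/config/endpoint?size=1")
    interpret_ise_status "$status"
    [ "$status" = "200" ]
}
```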

Certificate Errors

# Skip verification (testing only)
curl -sk ...

# Add ISE cert to trust store
openssl s_client -connect ${ISE_PAN_IP}:9060 -showcerts </dev/null 2>/dev/null | \
  openssl x509 -outform PEM > ise-cert.pem
sudo cp ise-cert.pem /usr/local/share/ca-certificates/ise.crt
sudo update-ca-certificates

DataConnect Connection Failed

# Check port accessibility
nc -zv ${ISE_PAN_IP} 2484

# Verify DataConnect enabled in ISE
# Administration > System > Settings > DataConnect > Enable DataConnect

# Check credentials
netapi ise dc test