Endpoints API

Overview

Endpoints represent network devices by their MAC address. This is the most commonly used ERS resource for network access control automation.

Base URL

https://ise-01.inside.domusdigitalis.dev:9060/ers/config/endpoint

Auth

Basic Authentication (ERS Admin)

Content-Type

application/json or application/xml

Pagination

?page=1&size=100 (max 100)

Filtering

?filter=mac.STARTSW.C8:5B

Setup

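# Load credentials into the current shell. dsource is the site's secrets
# loader; presumably it sets ISE_PAN_IP, ISE_API_USER and ISE_API_PASS for
# the "d000 dev/network" profile - confirm against the loader.
dsource d000 dev/network

# Stop here if the loader did not populate the variables. Without this check
# every request below would go out with an empty host or an empty
# "user:password" pair and fail in confusing ways.
: "${ISE_PAN_IP:?ISE_PAN_IP is not set - did dsource succeed?}"
: "${ISE_API_USER:?ISE_API_USER is not set - did dsource succeed?}"
: "${ISE_API_PASS:?ISE_API_PASS is not set - did dsource succeed?}"

# ERS API configuration
ISE_HOST="${ISE_PAN_IP}"
ISE_PORT="9060"
# Basic-auth pair in user:password form. It is a plain shell variable here
# (this snippet does not export it); keep it out of shell history, logs and
# `set -x` traces. Passing it with `curl -u` places it on curl's command line,
# so on shared hosts prefer a curl config file (-K) or a netrc file.
ISE_AUTH="${ISE_API_USER}:${ISE_API_PASS}"
BASE_URL="https://${ISE_HOST}:${ISE_PORT}/ers/config"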

Operations

List All Endpoints

curl
# List all endpoints (curl): print the name and id of each returned entry.
# ERS results are paginated (see Pagination), so a single call shows one page.
# NOTE(review): --insecure (-k) turns off TLS certificate verification, so the
# Basic-auth credentials are sent to whatever host answers. Where the ISE
# certificate chain is available, trust it with --cacert instead.
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpoint" \
  | jq '.SearchResult.resources[] | {name, id}'
netapi
# List all endpoints (netapi)
# netapi is this site's CLI for the ISE API; how it obtains credentials is not
# shown on this page (presumably the environment loaded in Setup - confirm).
netapi ise get-endpoints
Response
{
  "SearchResult": {
    "total": 142,
    "resources": [
      {
        "id": "abc123-def456-ghi789",
        "name": "C8:5B:76:C6:59:62",
        "link": {
          "rel": "self",
          "href": "https://ise-01:9060/ers/config/endpoint/abc123-def456-ghi789",
          "type": "application/json"
        }
      }
    ]
  }
}

Get Endpoint by MAC

curl
# Get endpoint by MAC (curl): look the endpoint up through the /name/ path,
# using the MAC address as the name, and print the ERSEndPoint object.
# NOTE(review): --insecure (-k) turns off TLS certificate verification while
# Basic-auth credentials are being sent; prefer --cacert with the ISE CA.
MAC="C8:5B:76:C6:59:62"
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpoint/name/${MAC}" \
  | jq '.ERSEndPoint'
netapi
# Get endpoint by MAC (netapi)
# The "Verify Endpoint Exists" pattern on this page relies on this command
# returning a non-zero status when the lookup fails.
netapi ise get-endpoint "C8:5B:76:C6:59:62"
Response
{
  "ERSEndPoint": {
    "id": "abc123-def456-ghi789",
    "name": "C8:5B:76:C6:59:62",
    "mac": "C8:5B:76:C6:59:62",
    "profileId": "profileId-value",
    "staticProfileAssignment": false,
    "groupId": "groupId-value",
    "staticGroupAssignment": true,
    "portalUser": "",
    "identityStore": "",
    "identityStoreId": "",
    "link": {
      "rel": "self",
      "href": "https://ise-01:9060/ers/config/endpoint/abc123-def456-ghi789"
    }
  }
}

Get Endpoint by ID

curl
# Get endpoint by ID (curl): fetch one endpoint by the id value that the list
# and by-name lookups return, and print the ERSEndPoint object.
# NOTE(review): --insecure (-k) turns off TLS certificate verification while
# Basic-auth credentials are being sent; prefer --cacert with the ISE CA.
ENDPOINT_ID="abc123-def456-ghi789"
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpoint/${ENDPOINT_ID}" \
  | jq '.ERSEndPoint'

Create Endpoint

curl
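# Create endpoint (curl)
# NOTE(review): -k turns off TLS certificate verification while Basic-auth
# credentials are being sent; prefer --cacert with the ISE CA.
MAC="AA:BB:CC:DD:EE:FF"

# First, get the group ID. "// empty" turns a missing .EndPointGroup.id (for
# example an error response for an unknown group) into empty output instead
# of the literal string "null", so the check below can catch it.
GROUP_ID=$(curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/endpointgroup/name/Linux-Workstations" \
  -H "Accept: application/json" | jq -r '.EndPointGroup.id // empty')

if [[ -z "${GROUP_ID}" ]]; then
  # Do not create an endpoint with a bogus groupId when the lookup failed.
  echo "Endpoint group lookup failed; not creating ${MAC}" >&2
else
  # Build the body with jq so the values are JSON-escaped rather than pasted
  # into a hand-written string.
  PAYLOAD=$(jq -n --arg mac "${MAC}" --arg group "${GROUP_ID}" \
    '{ERSEndPoint: {name: $mac, mac: $mac, groupId: $group, staticGroupAssignment: true}}')

  # Create the endpoint
  curl -sk -u "${ISE_AUTH}" \
    "${BASE_URL}/endpoint" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    -X POST \
    -d "${PAYLOAD}"
fi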
netapi
# Create endpoint (netapi)
# Takes the group by name (--group), so the separate group-ID lookup of the
# curl variant is not needed here.
netapi ise create-endpoint "AA:BB:CC:DD:EE:FF" --group "Linux-Workstations"

Create with Custom Attributes

curl
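# Create endpoint with description and custom attributes
# NOTE(review): -k turns off TLS certificate verification while Basic-auth
# credentials are being sent; prefer --cacert with the ISE CA.
MAC="AA:BB:CC:DD:EE:FF"
GROUP_ID="your-group-id"

# Build the body with jq so MAC and GROUP_ID are JSON-escaped instead of being
# spliced into a hand-quoted string. Note the nested customAttributes object:
# the attribute map sits inside a key of the same name.
PAYLOAD=$(jq -n --arg mac "${MAC}" --arg group "${GROUP_ID}" '{
  ERSEndPoint: {
    name: $mac,
    mac: $mac,
    description: "Linux workstation - Research Lab",
    groupId: $group,
    staticGroupAssignment: true,
    customAttributes: {
      customAttributes: {
        Department: "Research",
        Owner: "jsmith"
      }
    }
  }
}')

curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/endpoint" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X POST \
  -d "${PAYLOAD}"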

Update Endpoint

curl
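# Update endpoint (curl)
# NOTE(review): -k turns off TLS certificate verification while Basic-auth
# credentials are being sent; prefer --cacert with the ISE CA.
MAC="C8:5B:76:C6:59:62"
NEW_GROUP_ID="new-group-id"

# First get the endpoint ID. "// empty" yields empty output when the response
# has no .ERSEndPoint.id (for example when the MAC is unknown) instead of the
# literal string "null", which would otherwise end up in the PUT URL.
ENDPOINT_ID=$(curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/endpoint/name/${MAC}" \
  -H "Accept: application/json" | jq -r '.ERSEndPoint.id // empty')

if [[ -z "${ENDPOINT_ID}" ]]; then
  echo "Endpoint ${MAC} not found; nothing updated" >&2
else
  # Build the body with jq so every value is JSON-escaped.
  PAYLOAD=$(jq -n \
    --arg id "${ENDPOINT_ID}" \
    --arg mac "${MAC}" \
    --arg group "${NEW_GROUP_ID}" \
    '{ERSEndPoint: {id: $id, name: $mac, mac: $mac, groupId: $group, staticGroupAssignment: true}}')

  # Update the endpoint
  curl -sk -u "${ISE_AUTH}" \
    "${BASE_URL}/endpoint/${ENDPOINT_ID}" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    -X PUT \
    -d "${PAYLOAD}"
fi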
netapi
# Update endpoint group (netapi)
# Addresses the endpoint by MAC and the target group by name (--group); the
# "Search and Update" pattern on this page uses --group-id with an ID instead.
netapi ise update-endpoint "C8:5B:76:C6:59:62" --group "New-Group-Name"

Delete Endpoint

curl
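# Delete endpoint (curl)
# NOTE(review): -k turns off TLS certificate verification while Basic-auth
# credentials are being sent; prefer --cacert with the ISE CA.
MAC="AA:BB:CC:DD:EE:FF"

# Get endpoint ID. "// empty" yields empty output when the lookup response has
# no .ERSEndPoint.id, so a failed lookup cannot turn into a DELETE against
# ".../endpoint/null".
ENDPOINT_ID=$(curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/endpoint/name/${MAC}" \
  -H "Accept: application/json" | jq -r '.ERSEndPoint.id // empty')

# Delete. -f makes curl return non-zero on an HTTP error status, so the
# success message is printed only when the request was actually accepted.
if [[ -z "${ENDPOINT_ID}" ]]; then
  echo "Endpoint ${MAC} not found; nothing deleted" >&2
elif curl -skf -u "${ISE_AUTH}" \
  "${BASE_URL}/endpoint/${ENDPOINT_ID}" \
  -X DELETE; then
  echo "Deleted endpoint ${MAC}"
else
  echo "Delete request for ${MAC} failed" >&2
fi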
netapi
# Delete endpoint (netapi)
# Addresses the endpoint by MAC, so the ID lookup of the curl variant is not
# needed. Deletion is not reversible from this page's commands other than by
# creating the endpoint again, so double-check the MAC first.
netapi ise delete-endpoint "AA:BB:CC:DD:EE:FF"

Bulk Operations

Bulk Create

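# Bulk create endpoints (curl)
# NOTE(review): -k turns off TLS certificate verification while Basic-auth
# credentials are being sent; prefer --cacert with the ISE CA.
GROUP_ID="your-group-id"

# The request body is fed to curl on stdin (-d @-) instead of being staged in
# a fixed, predictable path under /tmp, where another local user could
# pre-create or read the file. The unquoted EOF lets ${GROUP_ID} expand.
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/endpoint/bulk/submit" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X PUT \
  -d @- << EOF
{
  "ERSEndPointBulkRequest": {
    "operationType": "create",
    "resourceMediaType": "application/json",
    "ERSEndPoint": [
      {"mac": "AA:BB:CC:DD:EE:01", "groupId": "${GROUP_ID}", "staticGroupAssignment": true},
      {"mac": "AA:BB:CC:DD:EE:02", "groupId": "${GROUP_ID}", "staticGroupAssignment": true},
      {"mac": "AA:BB:CC:DD:EE:03", "groupId": "${GROUP_ID}", "staticGroupAssignment": true}
    ]
  }
}
EOF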

Bulk Delete

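# Bulk delete endpoints (curl)
# NOTE(review): -k turns off TLS certificate verification while Basic-auth
# credentials are being sent; prefer --cacert with the ISE CA.
#
# The request body is fed to curl on stdin (-d @-) instead of being staged in
# a fixed, predictable path under /tmp. The quoted 'EOF' keeps the body
# literal (no shell expansion). Review the idList before sending: the IDs are
# the endpoint id values returned by the list and lookup calls.
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/endpoint/bulk/submit" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -X PUT \
  -d @- << 'EOF'
{
  "ERSEndPointBulkRequest": {
    "operationType": "delete",
    "resourceMediaType": "application/json",
    "idList": [
      "endpoint-id-1",
      "endpoint-id-2",
      "endpoint-id-3"
    ]
  }
}
EOF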

Filtering

Filter Operators

# ERS Filter Operators
EQ        - Equals
NEQ       - Not Equals
STARTSW   - Starts With
ENDSW     - Ends With
CONTAINS  - Contains
GT        - Greater Than
LT        - Less Than
GE        - Greater Than or Equal
LE        - Less Than or Equal

# Examples
filter=mac.STARTSW.C8:5B
filter=name.CONTAINS.workstation
filter=staticGroupAssignment.EQ.true

Filter by MAC Prefix

# Filter endpoints by MAC prefix (curl): STARTSW matches endpoints whose mac
# begins with the given prefix; print name and id of each match.
# NOTE(review): --insecure (-k) turns off TLS certificate verification while
# Basic-auth credentials are being sent; prefer --cacert with the ISE CA.
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpoint?filter=mac.STARTSW.C8:5B" \
  | jq '.SearchResult.resources[] | {name, id}'

Filter by Group

# Filter endpoints by group (curl): EQ on groupId returns the endpoints whose
# group matches GROUP_ID; print name and id of each match.
# NOTE(review): --insecure (-k) turns off TLS certificate verification while
# Basic-auth credentials are being sent; prefer --cacert with the ISE CA.
GROUP_ID="your-group-id"
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpoint?filter=groupId.EQ.${GROUP_ID}" \
  | jq '.SearchResult.resources[] | {name, id}'

Pagination

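# Pagination loop (curl): walk the endpoint list page by page, printing each
# endpoint name and a running total.
# NOTE(review): -k turns off TLS certificate verification while Basic-auth
# credentials are being sent; prefer --cacert with the ISE CA.
PAGE=1
SIZE=100
TOTAL=0

while true; do
  # -f makes curl return non-zero on an HTTP error status. Without it a 401 or
  # 5xx body would be counted as an empty page and the loop would report
  # "Total endpoints: 0" as if the inventory were empty.
  if ! RESULT=$(curl -skf -u "${ISE_AUTH}" \
    "${BASE_URL}/endpoint?size=${SIZE}&page=${PAGE}" \
    -H "Accept: application/json"); then
    echo "Request for page ${PAGE} failed; stopping" >&2
    break
  fi

  COUNT=$(jq '.SearchResult.resources | length' <<< "${RESULT}")
  # Unparseable output leaves COUNT empty; treat that as zero so the
  # arithmetic and the comparison below stay well-formed.
  COUNT=${COUNT:-0}
  TOTAL=$((TOTAL + COUNT))

  echo "Page ${PAGE}: ${COUNT} results"
  jq -r '.SearchResult.resources[]?.name' <<< "${RESULT}"

  # A short page is the last page.
  [[ "$COUNT" -lt "$SIZE" ]] && break
  ((PAGE++))
done

echo "Total endpoints: ${TOTAL}"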

Count Endpoints

curl
# Count total endpoints (curl): request a single-entry page and read the
# total field of the search result rather than fetching every endpoint.
# NOTE(review): --insecure (-k) turns off TLS certificate verification while
# Basic-auth credentials are being sent; prefer --cacert with the ISE CA.
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpoint?size=1" \
  | jq '.SearchResult.total'
netapi
# Count endpoints (netapi)
# jq 'length' counts the elements of the JSON array that netapi prints.
# NOTE(review): this equals the real total only if netapi follows pagination
# itself - confirm.
netapi ise get-endpoints --format json | jq 'length'

Export to CSV

curl
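# Export endpoints to CSV (curl): page through the endpoint list, fetch the
# full record of each endpoint by id, and append one CSV row per endpoint.
# NOTE(review): -k turns off TLS certificate verification while Basic-auth
# credentials are being sent; prefer --cacert with the ISE CA.
echo "MAC,Group ID,Static Assignment" > endpoints.csv

PAGE=1
SIZE=100
EXPORT_OK=1
while true; do
  # -f makes curl return non-zero on an HTTP error status, so an auth or
  # server error is reported instead of producing a silently short export.
  if ! RESULT=$(curl -skf -u "${ISE_AUTH}" \
    "${BASE_URL}/endpoint?size=${SIZE}&page=${PAGE}" \
    -H "Accept: application/json"); then
    echo "Request for page ${PAGE} failed; endpoints.csv is incomplete" >&2
    EXPORT_OK=0
    break
  fi

  COUNT=$(jq '.SearchResult.resources | length' <<< "${RESULT}")
  COUNT=${COUNT:-0}

  # Get full details for each endpoint. Reading the ids line by line avoids
  # the word-splitting and globbing of "for id in $(...)".
  while IFS= read -r id; do
    [[ -n "${id}" ]] || continue
    if ! curl -skf -u "${ISE_AUTH}" \
      "${BASE_URL}/endpoint/${id}" \
      -H "Accept: application/json" \
      | jq -r '.ERSEndPoint | [.mac, .groupId, .staticGroupAssignment] | @csv' >> endpoints.csv; then
      echo "Could not export endpoint ${id}" >&2
      EXPORT_OK=0
    fi
  done < <(jq -r '.SearchResult.resources[]?.id' <<< "${RESULT}")

  # A short page is the last page.
  [[ "$COUNT" -lt "$SIZE" ]] && break
  ((PAGE++))
done

if [[ "${EXPORT_OK}" -eq 1 ]]; then
  echo "Exported to endpoints.csv"
else
  echo "Export finished with errors; endpoints.csv may be incomplete" >&2
fi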
netapi
# Export endpoints to CSV (netapi)
# The jq program emits the header row first ($h), then one [mac, groupId,
# staticGroupAssignment] row per array element, each formatted with @csv.
# The redirect overwrites any existing endpoints.csv in the current directory.
netapi ise get-endpoints --format json | \
  jq -r '["MAC","Group","Static"] as $h | $h, (.[] | [.mac, .groupId, .staticGroupAssignment]) | @csv' \
  > endpoints.csv

Common Patterns

Verify Endpoint Exists

# Verify endpoint exists and get details.
# NOTE(review): netapi's stderr is discarded and only its exit status is
# checked, so any failure (not just a missing endpoint) is reported as
# "not found" here. Drop the 2>/dev/null when troubleshooting.
MAC="C8:5B:76:C6:59:62"

if ! endpoint=$(netapi ise get-endpoint "${MAC}" --format json 2>/dev/null); then
  echo "Endpoint ${MAC} not found"
  exit 1
fi

echo "Endpoint found:"
echo "$endpoint" | jq '{mac, groupId, staticGroupAssignment}'

Search and Update

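# Find endpoints whose group assignment is not static and assign them to the
# default group. The selection is on staticGroupAssignment == false, which is
# not the same as "has no group": such endpoints may already sit in a group.
# Review the selected MAC list before running this against production; it
# changes group membership for every match.
DEFAULT_GROUP_ID="your-default-group-id"

# Select the endpoints and update them one by one.
netapi ise get-endpoints --format json | \
  jq -r '.[] | select(.staticGroupAssignment == false) | .mac' | \
  while IFS= read -r mac; do
    # read -r keeps the value verbatim; skip blank lines defensively.
    [[ -n "${mac}" ]] || continue
    echo "Assigning ${mac} to default group"
    # stdin is redirected so the update command cannot consume the remaining
    # MAC list from the pipe; failures are reported instead of passing silently.
    netapi ise update-endpoint "${mac}" --group-id "${DEFAULT_GROUP_ID}" < /dev/null \
      || echo "Failed to update ${mac}" >&2
  done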

Request/Response Schema

ERSEndPoint Object

Field Type Required Description

id

string

No (auto)

UUID assigned by ISE

name

string

No

Display name (defaults to MAC)

mac

string

Yes

MAC address (XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX)

description

string

No

Free-text description

groupId

string

No

Endpoint group UUID

staticGroupAssignment

boolean

No

Lock group assignment (default: false)

profileId

string

No

Profiler profile UUID

staticProfileAssignment

boolean

No

Lock profile assignment

portalUser

string

No

Associated portal user

identityStore

string

No

Identity store name

identityStoreId

string

No

Identity store UUID

customAttributes

object

No

Custom attribute key-value pairs

Error Codes

Code Meaning Resolution

400

Invalid MAC format

Use format XX:XX:XX:XX:XX:XX or XX-XX-XX-XX-XX-XX

401

Unauthorized

Verify credentials, check ERS Admin role

404

Endpoint not found

Verify MAC exists: netapi ise get-endpoint MAC

409

Endpoint already exists

Use PUT to update, or DELETE first

422

Invalid group ID

Verify group exists: netapi ise get-endpoint-groups