Identity Groups API

Overview

Identity Groups organize endpoints for policy assignment. Groups can be static (manual assignment) or dynamic (profiling-based).

Base URL

/ers/config/endpointgroup

Alt URL

/ers/config/identitygroup (internal users)

Methods

GET, POST, PUT, DELETE

Pagination

?page=1&size=100

Setup

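# Load the environment for this session. dsource is a site-local helper that is
# not defined on this page; presumably it exports ISE_PAN_IP, ISE_API_USER and
# ISE_API_PASS -- confirm before relying on it.
dsource d000 dev/network

# Stop with a clear message when a variable is missing. Without this check the
# requests on this page would target "https://:9060" or authenticate with an
# empty user name and password.
ISE_HOST="${ISE_PAN_IP:?ISE_PAN_IP is not set}"

# user:password pair for HTTP Basic authentication. Handed to curl with -u it
# becomes part of the command line, which other local users may be able to read
# from the process list; curl can take it from a file instead (--netrc-file or
# --config). Keep the value out of shell history and logs, and use an ERS
# account limited to what these calls need.
ISE_AUTH="${ISE_API_USER:?ISE_API_USER is not set}:${ISE_API_PASS:?ISE_API_PASS is not set}"

# Every request on this page goes to the ERS configuration API on TCP 9060.
BASE_URL="https://${ISE_HOST}:9060/ers/config"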

List All Groups

netapi
# Same listing through the netapi CLI. How netapi authenticates and whether it
# verifies the server certificate is not shown on this page.
netapi ise get-endpoint-groups
curl
# Print every endpoint identity group as a {name, id} object.
# Results are paginated (see Pagination); presumably only the first page comes
# back when no page/size parameters are given -- confirm.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle> wherever
# the ISE certificate chain is available.
curl --silent --insecure --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpointgroup" |
  jq '.SearchResult.resources[] | {name, id}'

Get Group by Name

curl
# Fetch one endpoint group by its name and print the EndPointGroup object.
# The name is placed in the URL path as-is: a name containing spaces or
# reserved URL characters has to be percent-encoded first.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.
GROUP_NAME="Linux-Workstations"
curl --silent --insecure --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpointgroup/name/${GROUP_NAME}" |
  jq '.EndPointGroup'

Get Group by ID

curl
# Fetch one endpoint group by its id and print the EndPointGroup object.
# "abc123-def456" is a sample value; substitute an id returned by the listing.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.
GROUP_ID="abc123-def456"
curl --silent --insecure --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpointgroup/${GROUP_ID}" |
  jq '.EndPointGroup'

Create Group

netapi
# Create the "Research-Linux" endpoint group, with the given description,
# through the netapi CLI.
netapi ise create-endpoint-group "Research-Linux" --description "Linux workstations in Research department"
curl
# Create an endpoint group by POSTing an EndPointGroup object (name and
# description) to the collection URL.
# Groups are what policy is assigned to, so creation is a change worth
# recording in whatever change log the deployment uses.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.
curl --silent --insecure --user "${ISE_AUTH}" \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --data '{
    "EndPointGroup": {
      "name": "Research-Linux",
      "description": "Linux workstations in Research department"
    }
  }' \
  "${BASE_URL}/endpointgroup"

Update Group

# Replace the description of an existing group with a PUT to its id URL.
# The same id appears twice: in the URL path and in the "id" field of the body.
# GROUP_ID is spliced into the JSON text by closing and reopening the single
# quotes, so it must not contain a double quote or backslash.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.
GROUP_ID="abc123-def456"
curl --silent --insecure --user "${ISE_AUTH}" \
  --request PUT \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --data '{
    "EndPointGroup": {
      "id": "'"${GROUP_ID}"'",
      "name": "Research-Linux",
      "description": "Updated: Research Linux workstations with EAP-TLS"
    }
  }' \
  "${BASE_URL}/endpointgroup/${GROUP_ID}"

Delete Group

netapi
# Delete the "Research-Linux" endpoint group by name through the netapi CLI.
# NOTE(review): the curl variant on this page states the group must be empty;
# presumably the same applies here -- confirm.
netapi ise delete-endpoint-group "Research-Linux"
curl
# Delete one endpoint group by id. The group must be empty.
# Double-check GROUP_ID before running: the request is sent as soon as the
# command executes and nothing here asks for confirmation.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.
GROUP_ID="abc123-def456"
curl --silent --insecure --user "${ISE_AUTH}" \
  --request DELETE \
  "${BASE_URL}/endpointgroup/${GROUP_ID}"

Endpoint Operations

List Endpoints in Group

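# List the names of the endpoints in one group.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.

# Step 1: resolve the group name to its id. "// empty" turns a missing id into
# an empty string instead of the literal text "null".
GROUP_ID=$(curl --silent --insecure --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpointgroup/name/Linux-Workstations" |
  jq -r '.EndPointGroup.id // empty')

# Step 2: query endpoints only when step 1 produced an id; otherwise the filter
# would be sent with "null" or nothing after "groupId.EQ.".
# size=100 is the page size shown under Pagination. A group with more members
# than one page holds needs further requests with page=2, page=3, ...
if [ -n "${GROUP_ID}" ]; then
  curl --silent --insecure --user "${ISE_AUTH}" \
    --header "Accept: application/json" \
    "${BASE_URL}/endpoint?filter=groupId.EQ.${GROUP_ID}&size=100" |
    jq -r '.SearchResult.resources[].name'
else
  echo "Group lookup failed: Linux-Workstations" >&2
fi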

Count Endpoints by Group

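# Count endpoints per group and print "<group name>: <count>" lines.
# The group listing already carries both id and name, so the name is taken
# from it instead of being fetched again for every group.
# size=100 is the page size shown under Pagination; with more groups than one
# page holds, repeat the listing with page=2, page=3, ...
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.
curl --silent --insecure --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpointgroup?size=100" |
  jq -r '.SearchResult.resources[] | "\(.id) \(.name)"' |
  # read -r keeps backslashes literal; the first word is the id and the rest of
  # the line, spaces included, is the name.
  while read -r GROUP_ID GROUP_NAME; do
    # size=1 keeps the response small: only SearchResult.total is used.
    COUNT=$(curl --silent --insecure --user "${ISE_AUTH}" \
      --header "Accept: application/json" \
      "${BASE_URL}/endpoint?filter=groupId.EQ.${GROUP_ID}&size=1" |
      jq -r '.SearchResult.total // empty')
    # An empty COUNT means the request or the JSON parse failed; say so rather
    # than print a blank that could be read as zero.
    printf '%s: %s\n' "${GROUP_NAME}" "${COUNT:-lookup failed}"
  done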

Move Endpoint to Group

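# Move one endpoint to a different group.
# Group membership is what policy is assigned by, so a wrong id here changes
# which policy the endpoint receives; both ids are checked before the write.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.
MAC="C8:5B:76:C6:59:62"
NEW_GROUP="Linux-Workstations"

# Get endpoint ID ("// empty" yields an empty string instead of "null").
ENDPOINT_ID=$(curl --silent --insecure --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpoint/name/${MAC}" |
  jq -r '.ERSEndPoint.id // empty')

# Get new group ID.
NEW_GROUP_ID=$(curl --silent --insecure --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/endpointgroup/name/${NEW_GROUP}" |
  jq -r '.EndPointGroup.id // empty')

if [ -z "${ENDPOINT_ID}" ] || [ -z "${NEW_GROUP_ID}" ]; then
  # Without this guard a failed lookup would still issue the PUT, addressed to
  # ".../endpoint/null" or carrying "null" as the group id.
  echo "Lookup failed (endpoint id: '${ENDPOINT_ID}', group id: '${NEW_GROUP_ID}'); nothing changed" >&2
else
  # Update endpoint. jq builds the body so every value is JSON-escaped; curl
  # reads it from stdin (@-).
  # staticGroupAssignment=true marks this as a manual (static) assignment;
  # presumably profiling will not move the endpoint afterwards -- confirm.
  jq -nc \
    --arg id "${ENDPOINT_ID}" \
    --arg mac "${MAC}" \
    --arg group "${NEW_GROUP_ID}" \
    '{ERSEndPoint: {id: $id, mac: $mac, groupId: $group, staticGroupAssignment: true}}' |
    curl --silent --insecure --user "${ISE_AUTH}" \
      --request PUT \
      --header "Content-Type: application/json" \
      --header "Accept: application/json" \
      --data-binary @- \
      "${BASE_URL}/endpoint/${ENDPOINT_ID}"
fi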

Bulk Assign Group

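# Bulk assign endpoints to a group, one MAC address per line in macs.txt.
# Each line ends up in a request URL, so anything other than hex digits and
# the usual MAC separators is rejected before a request is built.
# "your-group-id" is a placeholder; set it to the id of the target group.
# --insecure skips TLS certificate verification, so the Basic credentials are
# sent without checking who the server is; prefer --cacert <CA bundle>.
NEW_GROUP_ID="your-group-id"

# read -r keeps backslashes literal; the "|| [ -n ... ]" part still processes a
# last line that has no trailing newline.
while read -r MAC || [ -n "${MAC}" ]; do
  case "${MAC}" in
    '')
      continue # blank line
      ;;
    *[!0-9A-Fa-f:.-]*)
      # Also catches a trailing carriage return from a Windows-edited file.
      echo "Skipped (not a MAC address): ${MAC}" >&2
      continue
      ;;
  esac

  # "// empty" maps a missing id to an empty string, so "not found" and a
  # failed request are handled by the same test below.
  ENDPOINT_ID=$(curl --silent --insecure --user "${ISE_AUTH}" \
    --header "Accept: application/json" \
    "${BASE_URL}/endpoint/name/${MAC}" |
    jq -r '.ERSEndPoint.id // empty')

  if [ -n "${ENDPOINT_ID}" ]; then
    # jq builds the body so both ids are JSON-escaped. --fail makes curl exit
    # non-zero on an HTTP error status, so "Assigned" is printed only when the
    # server accepted the update.
    if jq -nc \
      --arg id "${ENDPOINT_ID}" \
      --arg group "${NEW_GROUP_ID}" \
      '{ERSEndPoint: {id: $id, groupId: $group, staticGroupAssignment: true}}' |
      curl --silent --show-error --insecure --fail --user "${ISE_AUTH}" \
        --request PUT \
        --header "Content-Type: application/json" \
        --data-binary @- \
        --output /dev/null \
        "${BASE_URL}/endpoint/${ENDPOINT_ID}"; then
      echo "Assigned: ${MAC}"
    else
      echo "Failed: ${MAC}" >&2
    fi
  else
    # Reached when the endpoint does not exist and also when the lookup itself
    # failed.
    echo "Not found: ${MAC}"
  fi
done < macs.txt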