Network Devices API

Overview

Network Devices (NADs) are switches, WLCs, and routers that authenticate endpoints via RADIUS/TACACS+.

Base URL

/ers/config/networkdevice

Groups URL

/ers/config/networkdevicegroup

Methods

GET, POST, PUT, DELETE

Key Fields

name, ipaddress, coaPort, authenticationSettings

Setup

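# Connection settings shared by every curl example on this page.
#
# dsource is assumed to load ISE_PAN_IP, ISE_API_USER and ISE_API_PASS into the
# environment (TODO confirm; its behaviour is not shown here).
# Each ${VAR:?...} below stops the assignment with an error when its input is
# empty or unset, so the later examples never run with ":" as credentials or
# "https://:9060" as the target.
#
# ISE_AUTH holds user:password and is passed to curl with -u in the examples,
# which puts it on curl's command line. On shared hosts, a curl config file or
# netrc file (curl --config / --netrc-file) keeps it out of the process list.
dsource d000 dev/network
ISE_HOST="${ISE_PAN_IP:?ISE_PAN_IP is not set}"
ISE_AUTH="${ISE_API_USER:?ISE_API_USER is not set}:${ISE_API_PASS:?ISE_API_PASS is not set}"
BASE_URL="https://${ISE_HOST:?ISE_HOST is not set}:9060/ers/config"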

List All Devices

netapi
# List network devices through the netapi CLI. How netapi obtains the ISE
# credentials is not shown on this page.
netapi ise get-network-devices
curl
# Enumerate the network devices (RADIUS clients) and print each entry's name
# and id.
# NOTE: --insecure turns off TLS certificate validation while the credentials
# in ISE_AUTH are being sent; outside a lab, trust the ISE certificate with
# --cacert <CA file> instead.
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/networkdevice" \
  | jq '.SearchResult.resources[] | {name: .name, id: .id}'

Get Device by Name

curl
# Fetch a single network device by name and show its NetworkDevice object.
# --insecure skips TLS certificate checks (lab shortcut); prefer
# --cacert <CA file> when the credentials in ISE_AUTH matter.
DEVICE_NAME="sw-core-01"
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/networkdevice/name/${DEVICE_NAME}" \
  | jq '.NetworkDevice'

Get Device by IP

curl
# Look a device up by IP address with an ERS filter and show the first match.
# DEVICE_IP is placed in the query string as-is, so keep it to a plain address.
# --insecure skips TLS certificate checks (lab shortcut); prefer
# --cacert <CA file>.
DEVICE_IP="10.50.1.10"
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/networkdevice?filter=ipaddress.EQ.${DEVICE_IP}" \
  | jq '.SearchResult.resources[0]'

Create Device

Switch (RADIUS)

curl
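# Create network device (Cisco switch)
#
# Reads: ISE_AUTH and BASE_URL (from Setup), plus NAD_RADIUS_SECRET, which the
#        operator sets to this device's RADIUS shared secret. The variable name
#        is chosen for this example.
# Sends: POST ${BASE_URL}/networkdevice with the NetworkDevice JSON built below.
#
# The secret reaches jq on stdin (printf is a shell builtin) and the finished
# JSON reaches curl on stdin, so the shared secret is neither typed into the
# command text nor placed on any process's argument list.
#
# Settings to review before using this outside a lab:
#   - curl -k disables TLS certificate validation while ISE_AUTH and the shared
#     secret are in transit; prefer --cacert <CA file>.
#   - roCommunity "public" is the well-known default SNMP community. Use a
#     site-specific value, or leave snmpsettings out as the WLC example on this
#     page does.
#   - With enableKeyWrap and dtlsRequired both false, the shared secret is what
#     authenticates this device's RADIUS traffic, so make it long, random and
#     unique per device.
if [[ -z "${NAD_RADIUS_SECRET:-}" ]]; then
  echo "NAD_RADIUS_SECRET is not set; device not created" >&2
else
  # -R -s: read stdin as one raw string (the secret); -c: compact JSON output.
  printf '%s' "${NAD_RADIUS_SECRET}" |
    jq -Rsc '{
      NetworkDevice: {
        name: "sw-access-01",
        description: "Access switch - Building A",
        authenticationSettings: {
          networkProtocol: "RADIUS",
          radiusSharedSecret: .,
          enableKeyWrap: false,
          dtlsRequired: false
        },
        NetworkDeviceIPList: [
          {
            ipaddress: "10.50.1.11",
            mask: 32
          }
        ],
        NetworkDeviceGroupList: [
          "Location#All Locations#Building-A",
          "Device Type#All Device Types#Switch"
        ],
        coaPort: 1700,
        snmpsettings: {
          version: "TWO_C",
          roCommunity: "public",
          pollingInterval: 3600
        },
        profileName: "Cisco"
      }
    }' |
    curl -sk -u "${ISE_AUTH}" \
      "${BASE_URL}/networkdevice" \
      -H "Content-Type: application/json" \
      -H "Accept: application/json" \
      -X POST \
      --data-binary @-
fi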

WLC (RADIUS)

curl
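# Create network device (WLC)
#
# Reads: ISE_AUTH and BASE_URL (from Setup), plus NAD_RADIUS_SECRET, which the
#        operator sets to this controller's RADIUS shared secret. The variable
#        name is chosen for this example.
# Sends: POST ${BASE_URL}/networkdevice with the NetworkDevice JSON built below.
#
# The secret is piped into jq and the resulting JSON into curl, so it is never
# part of the command text or of a process argument list (printf is a shell
# builtin).
#
# curl -k disables TLS certificate validation while ISE_AUTH and the shared
# secret are in transit; prefer --cacert <CA file> outside a lab.
if [[ -z "${NAD_RADIUS_SECRET:-}" ]]; then
  echo "NAD_RADIUS_SECRET is not set; device not created" >&2
else
  # -R -s: read stdin as one raw string (the secret); -c: compact JSON output.
  printf '%s' "${NAD_RADIUS_SECRET}" |
    jq -Rsc '{
      NetworkDevice: {
        name: "wlc-01",
        description: "Wireless LAN Controller",
        authenticationSettings: {
          networkProtocol: "RADIUS",
          radiusSharedSecret: .
        },
        NetworkDeviceIPList: [
          {
            ipaddress: "10.50.1.5",
            mask: 32
          }
        ],
        NetworkDeviceGroupList: [
          "Location#All Locations",
          "Device Type#All Device Types#Wireless"
        ],
        coaPort: 1700,
        profileName: "Cisco"
      }
    }' |
    curl -sk -u "${ISE_AUTH}" \
      "${BASE_URL}/networkdevice" \
      -H "Content-Type: application/json" \
      -H "Accept: application/json" \
      -X POST \
      --data-binary @-
fi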

Using netapi

# Creates the same device (sw-access-01, 10.50.1.11) as the curl
# "Switch (RADIUS)" example, through netapi.
# NOTE: --secret puts the RADIUS shared secret on the command line, where it is
# recorded in shell history and visible in the process list while the command
# runs. "YourSecretHere" is a placeholder.
# NOTE(review): check whether netapi can take the secret from an environment
# variable or a prompt instead.
netapi ise create-network-device "sw-access-01" \
  --ip "10.50.1.11" \
  --secret "YourSecretHere" \
  --description "Access switch - Building A" \
  --location "Building-A" \
  --type "Switch"

Update Device Secret

curl
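# Update RADIUS shared secret
#
# Reads:  ISE_AUTH and BASE_URL (from Setup), plus NEW_SECRET, which the
#         operator sets to the replacement shared secret beforehand.
# Writes: DEVICE (raw lookup response) and DEVICE_ID (the device's ERS id,
#         empty when the lookup returned none).
# Sends:  PUT ${BASE_URL}/networkdevice/${DEVICE_ID} with id, name and the new
#         authenticationSettings.
#
# No PUT is sent when the lookup yields no id or NEW_SECRET is empty, so a
# failed lookup cannot turn into a request against ".../networkdevice/null".
# The body is built by jq rather than by splicing shell variables into a JSON
# string, so quotes or backslashes in the name or secret cannot break or alter
# the document. The secret travels over stdin only, not on a command line.
#
# curl -k disables TLS certificate validation while ISE_AUTH and the new secret
# are in transit; prefer --cacert <CA file> outside a lab.
# NOTE(review): confirm on a test device that a PUT carrying only these fields
# leaves the IP list and group membership unchanged on your ISE version.
# The device itself must be reconfigured with the same secret, or its RADIUS
# requests will stop being accepted.
DEVICE_NAME="sw-access-01"

# Get device details first
DEVICE=$(curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/networkdevice/name/${DEVICE_NAME}" \
  -H "Accept: application/json")

# "// empty" yields an empty string instead of the text "null" for a missing id.
DEVICE_ID=$(jq -r '.NetworkDevice.id // empty' <<<"${DEVICE}")

# Update with new secret
if [[ -z "${DEVICE_ID}" ]]; then
  echo "Lookup of ${DEVICE_NAME} returned no id; not sending an update" >&2
elif [[ -z "${NEW_SECRET:-}" ]]; then
  echo "NEW_SECRET is not set; not sending an update" >&2
else
  # -R -s: read stdin as one raw string (the secret); -c: compact JSON output.
  printf '%s' "${NEW_SECRET}" |
    jq -Rsc --arg id "${DEVICE_ID}" --arg name "${DEVICE_NAME}" '{
      NetworkDevice: {
        id: $id,
        name: $name,
        authenticationSettings: {
          networkProtocol: "RADIUS",
          radiusSharedSecret: .
        }
      }
    }' |
    curl -sk -u "${ISE_AUTH}" \
      "${BASE_URL}/networkdevice/${DEVICE_ID}" \
      -H "Content-Type: application/json" \
      -H "Accept: application/json" \
      -X PUT \
      --data-binary @-
fi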

Delete Device

netapi
# Delete the network device named sw-access-01 (netapi form of the curl DELETE
# shown next).
netapi ise delete-network-device "sw-access-01"
curl
# Remove one network device, addressed by its ERS id (placeholder id shown).
# An empty DEVICE_ID would make the URL point at the collection itself, so set
# it from a lookup before running this.
# --silent also hides curl's error messages and --insecure skips TLS
# certificate checks; inspect the HTTP result when it matters.
DEVICE_ID="abc123-def456"
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --request DELETE \
  "${BASE_URL}/networkdevice/${DEVICE_ID}"

Device Groups

List Groups

curl
# Enumerate the network device groups and print each group's name and id.
# --insecure skips TLS certificate checks (lab shortcut); prefer
# --cacert <CA file>.
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --header "Accept: application/json" \
  "${BASE_URL}/networkdevicegroup" \
  | jq '.SearchResult.resources[] | {name: .name, id: .id}'

Create Group

curl
# Add the network device group "Location#All Locations#Building-C".
# --insecure skips TLS certificate checks (lab shortcut); prefer
# --cacert <CA file>.
curl --silent --insecure \
  --user "${ISE_AUTH}" \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Accept: application/json" \
  --data '{
    "NetworkDeviceGroup": {
      "name": "Location#All Locations#Building-C",
      "description": "Building C network devices",
      "othername": "Location"
    }
  }' \
  "${BASE_URL}/networkdevicegroup"

Filtering

Filter by Type

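# List only switches
#
# Walks the device ids returned by the collection GET, fetches each device and
# prints "name<TAB>first IP" for every device whose NetworkDeviceGroupList has
# an entry containing "Switch".
# Reads: ISE_AUTH, BASE_URL (from Setup).
#
# - IFS= read -r keeps each id exactly as jq printed it.
# - column is told to split on tabs only, so a device name that contains
#   spaces stays in one column.
# - curl -k disables TLS certificate validation; prefer --cacert <CA file>
#   outside a lab.
# - NOTE(review): ERS list responses are paginated (a SearchResult carries a
#   nextPage link when more results exist). Confirm the page size on your
#   deployment and follow nextPage, otherwise devices beyond the first page
#   are never examined.
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/networkdevice" \
  -H "Accept: application/json" |
  jq -r '.SearchResult.resources[].id' |
  while IFS= read -r ID; do
    DEVICE=$(curl -sk -u "${ISE_AUTH}" \
      "${BASE_URL}/networkdevice/${ID}" \
      -H "Accept: application/json")

    # jq -e exits 0 only when at least one group entry matched.
    if jq -e '.NetworkDevice.NetworkDeviceGroupList[] | select(contains("Switch"))' \
      <<<"${DEVICE}" >/dev/null 2>&1; then
      jq -r '.NetworkDevice | "\(.name)\t\(.NetworkDeviceIPList[0].ipaddress)"' <<<"${DEVICE}"
    fi
  done | column -t -s $'\t'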

Filter by Location

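# List devices by location
#
# Prints the name of every device whose NetworkDeviceGroupList has an entry
# containing the text in LOCATION.
# Reads: ISE_AUTH, BASE_URL (from Setup).
#
# - LOCATION is handed to jq with --arg instead of being pasted into the jq
#   program, so a value containing quotes or jq syntax is treated as data.
# - contains() is a substring test: "Building-A" also matches a group such as
#   "Building-A2".
# - IFS= read -r keeps each id exactly as jq printed it.
# - curl -k disables TLS certificate validation; prefer --cacert <CA file>
#   outside a lab.
# - NOTE(review): ERS list responses are paginated (a SearchResult carries a
#   nextPage link when more results exist). Confirm the page size and follow
#   nextPage, otherwise devices beyond the first page are never examined.
LOCATION="Building-A"
curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/networkdevice" \
  -H "Accept: application/json" |
  jq -r '.SearchResult.resources[].id' |
  while IFS= read -r ID; do
    DEVICE=$(curl -sk -u "${ISE_AUTH}" \
      "${BASE_URL}/networkdevice/${ID}" \
      -H "Accept: application/json")

    # jq -e exits 0 only when at least one group entry matched.
    if jq -e --arg loc "${LOCATION}" \
      '.NetworkDevice.NetworkDeviceGroupList[] | select(contains($loc))' \
      <<<"${DEVICE}" >/dev/null 2>&1; then
      jq -r '.NetworkDevice.name' <<<"${DEVICE}"
    fi
  done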

Common Patterns

Export All Devices

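# Export all devices to CSV
#
# Writes network-devices.csv in the current directory: a header line, then one
# row per device with name, first IP address, description and the group list
# joined by ";".
# Reads: ISE_AUTH, BASE_URL (from Setup).
#
# - "// []" lets a device without a NetworkDeviceGroupList produce a row with
#   an empty Groups column; without it jq fails on that device and the row is
#   missing from the export.
# - IFS= read -r keeps each id exactly as jq printed it.
# - The file is an inventory of infrastructure addresses; keep it somewhere
#   with suitable permissions.
# - curl -k disables TLS certificate validation; prefer --cacert <CA file>
#   outside a lab.
# - NOTE(review): ERS list responses are paginated (a SearchResult carries a
#   nextPage link when more results exist). Confirm the page size and follow
#   nextPage, otherwise the export stops after the first page.
echo "Name,IP,Description,Groups" > network-devices.csv

curl -sk -u "${ISE_AUTH}" \
  "${BASE_URL}/networkdevice" \
  -H "Accept: application/json" |
  jq -r '.SearchResult.resources[].id' |
  while IFS= read -r ID; do
    curl -sk -u "${ISE_AUTH}" \
      "${BASE_URL}/networkdevice/${ID}" \
      -H "Accept: application/json" |
      jq -r '.NetworkDevice | [.name, .NetworkDeviceIPList[0].ipaddress, .description, ((.NetworkDeviceGroupList // []) | join(";"))] | @csv'
  done >> network-devices.csv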

Bulk Update Secret

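# Bulk update shared secret for all devices in location
#
# For every device whose NetworkDeviceGroupList has an entry containing
# LOCATION, sends a PUT that sets radiusSharedSecret to NEW_SECRET.
# Reads: ISE_AUTH and BASE_URL (from Setup), plus NEW_SECRET, which the
#        operator sets beforehand (for example with `IFS= read -rs NEW_SECRET`
#        at the prompt) instead of hard-coding it in the script.
#
# - Nothing is sent when NEW_SECRET is empty.
# - LOCATION goes to jq via --arg and the PUT body is built by jq, so quotes
#   or backslashes in either value cannot break or alter the JSON. The secret
#   travels over stdin only, not on a command line.
# - contains() is a substring test: "Building-A" also selects "Building-A2".
#   Check the "Updating:" lines, or run the location listing first, before
#   relying on the selection.
# - --fail makes curl return non-zero on an HTTP error so each device that was
#   not updated is reported on stderr.
# - Each updated device must be reconfigured with the same secret, or its
#   RADIUS requests will stop being accepted.
# - curl -k disables TLS certificate validation while ISE_AUTH and the new
#   secret are in transit; prefer --cacert <CA file> outside a lab.
# - NOTE(review): ERS list responses are paginated (a SearchResult carries a
#   nextPage link when more results exist). Confirm the page size and follow
#   nextPage, otherwise devices beyond the first page keep the old secret.
# - NOTE(review): confirm on a test device that a PUT carrying only id and
#   authenticationSettings leaves name, IP list and groups unchanged.
LOCATION="Building-A"

if [[ -z "${NEW_SECRET:-}" ]]; then
  echo "NEW_SECRET is not set; no devices were changed" >&2
else
  curl -sk -u "${ISE_AUTH}" \
    "${BASE_URL}/networkdevice" \
    -H "Accept: application/json" |
    jq -r '.SearchResult.resources[].id' |
    while IFS= read -r ID; do
      DEVICE=$(curl -sk -u "${ISE_AUTH}" \
        "${BASE_URL}/networkdevice/${ID}" \
        -H "Accept: application/json")

      # jq -e exits 0 only when at least one group entry matched.
      if jq -e --arg loc "${LOCATION}" \
        '.NetworkDevice.NetworkDeviceGroupList[] | select(contains($loc))' \
        <<<"${DEVICE}" >/dev/null 2>&1; then
        DEVICE_NAME=$(jq -r '.NetworkDevice.name' <<<"${DEVICE}")
        echo "Updating: ${DEVICE_NAME}"

        # -R -s: read stdin as one raw string (the secret); -c: compact JSON.
        printf '%s' "${NEW_SECRET}" |
          jq -Rsc --arg id "${ID}" '{
            NetworkDevice: {
              id: $id,
              authenticationSettings: {
                networkProtocol: "RADIUS",
                radiusSharedSecret: .
              }
            }
          }' |
          curl -sk --fail -u "${ISE_AUTH}" \
            "${BASE_URL}/networkdevice/${ID}" \
            -H "Content-Type: application/json" \
            -X PUT \
            --data-binary @- ||
          echo "FAILED: ${DEVICE_NAME}" >&2
      fi
    done
fi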