5-Minute Quickstart

Prerequisites

ISE 3.x with ERS enabled (Administration > System > Settings > ERS Settings)
API user with ERS Admin role
netapi CLI installed (pip install netapi)
dsec secrets manager configured

Step 1: Configure Credentials

# Add ISE credentials to secrets manager
dsec add d000 dev/network/ISE_PAN_IP "10.50.1.20"
dsec add d000 dev/network/ISE_API_USER "ersadmin"
dsec add d000 dev/network/ISE_API_PASS "your-password"

Step 2: Load Credentials

# Load into environment
dsource d000 dev/network

# Verify
echo "ISE: ${ISE_PAN_IP}"

Step 3: Test Connectivity

Test ERS API (Port 9060)

# netapi
netapi ise get-endpoints --limit 1

# curl
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  "https://${ISE_PAN_IP}:9060/ers/config/endpoint?size=1" \
  -H "Accept: application/json" | jq '.SearchResult.total'

Expected: Returns endpoint count or empty list.

Test OpenAPI (Port 443)

# netapi
netapi ise get-policy-sets

# curl
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  "https://${ISE_PAN_IP}/api/v1/policy/network-access/policy-set" \
  -H "Accept: application/json" | jq '.response[].name'

Expected: Returns policy set names.

Test MnT API

# netapi
netapi ise mnt sessions

# curl
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  "https://${ISE_PAN_IP}/admin/API/mnt/Session/ActiveCount" \
  -H "Accept: application/xml"

Expected: Returns active session count.

Test DataConnect

# netapi
netapi ise dc test

# Expected output: "DataConnect connection successful"

Step 4: Your First Operations

List All Endpoints

netapi ise get-endpoints

Get Specific Endpoint

netapi ise get-endpoint "C8:5B:76:C6:59:62"

List Policy Sets

netapi ise get-policy-sets

View Active Sessions

netapi ise mnt sessions

Query with DataConnect

netapi ise dc query "SELECT COUNT(*) FROM RADIUS_AUTHENTICATIONS WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1"

Troubleshooting

Connection Refused (Port 9060)

ERS is disabled. Enable in ISE: Administration > System > Settings > ERS Settings > Enable ERS

401 Unauthorized

Verify credentials: echo "$"
Check user has ERS Admin role in ISE

SSL Certificate Error

Use -k flag with curl to skip verification, or add ISE cert to trust store.

DataConnect Failed

Verify DataConnect is enabled in ISE
Check port 2484 is reachable
Verify DataConnect username/password (different from ERS)

Next Steps

ERS API Reference - Configuration management
OpenAPI Reference - Policy management
MnT Reference - Session monitoring
DataConnect Reference - SQL analytics