ISE API Reference

Production-ready curl commands and SQL queries for every ISE API. Copy, paste, execute.

API Landscape

Cisco ISE exposes five distinct APIs, each with different purposes, ports, and authentication methods:

| API | Port | Auth | Format | Use Case |
|---|---|---|---|---|
| ERS | 9060 | Basic | JSON/XML | Configuration CRUD (endpoints, groups, policies) |
| MnT | 443 | Basic | XML | Session monitoring, CoA, auth logs |
| OpenAPI | 443 | Basic | JSON | Modern API (backup, certs, deployment, patching) |
| DataConnect | 2484 | Oracle | SQL | Direct database queries (analytics, reporting) |
| pxGrid | 8910 | mTLS | JSON/WS | Real-time pub/sub (sessions, TrustSec, ANC) |

Quick Reference Card

# Load credentials (dsec integration)
dsource d000 dev/network

# Verify environment
echo "ISE: ${ISE_PAN_FQDN}"
echo "User: ${ISE_API_USER}"

Authentication Patterns

ERS API (Port 9060)

curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://${ISE_PAN_FQDN}:9060/ers/config/endpoint"

MnT API (Port 443)

curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  -H "Accept: application/xml" \
  "https://${ISE_PAN_FQDN}/admin/API/mnt/Session/ActiveList"

OpenAPI (Port 443)

curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://${ISE_PAN_FQDN}/api/v1/backup-restore/config/last-backup-status"

DataConnect (Port 2484 - Oracle)

# Via sqlplus
sqlplus "${ISE_DC_USER}/${ISE_DC_PASS}@${ISE_PAN_FQDN}:2484/cpm10"

# Via netapi
netapi ise dc query "SELECT COUNT(*) FROM ENDPOINTS"

pxGrid (Port 8910 - mTLS)

# Requires client certificate
curl -sk --cert client.pem --key client.key \
  "https://${ISE_PAN_FQDN}:8910/pxgrid/control/ServiceLookup"

Environment Variables

| Variable | Required | Description |
|---|---|---|
| ISE_PAN_FQDN | Yes | ISE Primary Admin Node FQDN (e.g., ise-01.inside.domusdigitalis.dev) |
| ISE_PAN_IP | Fallback | ISE PAN IP address (used if FQDN not set) |
| ISE_API_USER | Yes | API username (admin or ersadmin) |
| ISE_API_PASS | Yes | API password |
| ISE_BACKUP_KEY | Backup ops | Encryption key for backup/restore |
| ISE_DC_USER | DataConnect | DataConnect Oracle username |
| ISE_DC_PASS | DataConnect | DataConnect Oracle password |
| ISE_PXGRID_CLIENT | pxGrid | pxGrid client name |
| ISE_MTLS_CERT | pxGrid | Path to client certificate |
| ISE_MTLS_KEY | pxGrid | Path to client private key |
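
The Basic-auth calls under Authentication Patterns use -k, which turns off server certificate verification, and -u, which places the password in curl's argument list where other local users can read it. The following is an added example, not part of the original page, that keeps verification on and feeds the credentials to curl through a config read from stdin; ISE_CA_BUNDLE and the function names are assumptions introduced here.

```shell
# Added example, not from the original page.
# Assumption: ISE_CA_BUNDLE (hypothetical variable) points to a PEM file holding
# the CA chain that issued the ISE admin certificate.

# Escape backslashes and double quotes for a quoted curl config value.
curl_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit a curl config: Basic credentials, CA bundle, JSON Accept header.
# printf is a shell builtin, so the password never appears in a process's argv.
ise_curl_config() {
  printf 'user = "%s:%s"\n' \
    "$(curl_quote "${ISE_API_USER}")" "$(curl_quote "${ISE_API_PASS}")"
  printf 'cacert = "%s"\n' "$(curl_quote "${ISE_CA_BUNDLE}")"
  printf 'header = "Accept: application/json"\n'
  printf 'silent\n'
}

# GET an ERS resource, e.g.: ise_ers_get endpoint
# The config arrives on stdin (-K -); there is no -k, so curl verifies the server
# certificate against ISE_CA_BUNDLE before it sends the credentials.
ise_ers_get() {
  ise_curl_config | curl -K - "https://${ISE_PAN_FQDN}:9060/ers/config/$1"
}
```
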

API Coverage Matrix

| Resource | ERS | MnT | OpenAPI | DataConnect | pxGrid |
|---|---|---|---|---|---|
| Endpoints | CRUD | - | - | Read | Subscribe |
| Sessions | - | Read/CoA | - | Read | Subscribe |
| Network Devices | CRUD | - | - | Read | - |
| Authorization Profiles | CRUD | - | - | Read | - |
| Identity Groups | CRUD | - | - | Read | - |
| Certificates | - | - | CRUD | - | - |
| Backup/Restore | - | - | Execute | - | - |
| Auth Logs | - | Read | - | Read | - |
| Profiler | Read | - | - | Read | - |
| TrustSec (SGT/SGACL) | CRUD | - | - | Read | Subscribe |
| ANC Policies | CRUD | - | - | - | Execute |

HTTP Status Codes

| Code | Meaning |
|---|---|
| 200 | Success (GET, PUT) |
| 201 | Created (POST) |
| 204 | No Content (DELETE success) |
| 400 | Bad Request (invalid JSON/parameters) |
| 401 | Unauthorized (check credentials) |
| 403 | Forbidden (insufficient permissions) |
| 404 | Not Found (resource doesn’t exist) |
| 415 | Unsupported Media Type (check Content-Type header) |
| 500 | Internal Server Error (ISE-side issue) |
| 503 | Service Unavailable (ISE overloaded or restarting) |

Rate Limiting

ISE does not enforce strict rate limits, but follow these best practices:

  • ERS: Max 10 concurrent connections recommended

  • MnT: Avoid polling more than once per 10 seconds

  • OpenAPI: Backup operations are serialized (one at a time)

  • DataConnect: Connection pooling recommended for high volume

  • pxGrid: WebSocket preferred over polling

Pagination Pattern

The ERS API paginates with the page and size query parameters:

# Page 1, 100 results
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
  -H "Accept: application/json" \
  "https://${ISE_PAN_FQDN}:9060/ers/config/endpoint?page=1&size=100"

# Response includes total count
{
  "SearchResult": {
    "total": 1250,
    "resources": [...]
  }
}

Loop pattern for all results:

PAGE=1
SIZE=100
TOTAL=1

while [ $((PAGE * SIZE - SIZE)) -lt "$TOTAL" ]; do
  RESPONSE=$(curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
    -H "Accept: application/json" \
    "https://${ISE_PAN_FQDN}:9060/ers/config/endpoint?page=${PAGE}&size=${SIZE}")

  TOTAL=$(echo "$RESPONSE" | jq -r '.SearchResult.total')
  # Stop if the response carried no numeric total (error body or non-JSON reply)
  case "$TOTAL" in
    ''|*[!0-9]*) echo "Unexpected response on page ${PAGE}" >&2; break ;;
  esac
  echo "$RESPONSE" | jq -r '.SearchResult.resources[].name'

  PAGE=$((PAGE + 1))
done

MAC Address Formats

ISE accepts multiple MAC formats but stores them in uppercase, colon-separated form:

| Input | Normalized |
|---|---|
| aa:bb:cc:dd:ee:ff | AA:BB:CC:DD:EE:FF |
| AA-BB-CC-DD-EE-FF | AA:BB:CC:DD:EE:FF |
| aabbccddeeff | AA:BB:CC:DD:EE:FF |
| AABB.CCDD.EEFF | AA:BB:CC:DD:EE:FF |

Normalize in shell:

normalize_mac() {
  # The hyphen goes last in the tr set: ':-.' is read as a reversed range and rejected by GNU tr
  echo "$1" | tr -d ':.-' | tr 'a-f' 'A-F' | sed 's/\(..\)/\1:/g;s/:$//'
}

# Usage
normalize_mac "aa-bb-cc-dd-ee-ff"  # Returns AA:BB:CC:DD:EE:FF
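
normalize_mac reformats whatever it is given, so a short, mixed-separator or non-MAC string passes straight through to the request URL. The following is an added example, not part of the original page, of a strict variant that accepts only the four input formats listed in the table and rejects everything else; strict_mac is a hypothetical name and the sample inputs are constructed.

```shell
# Added example, not from the original page. strict_mac is a hypothetical name.
# Prints the ISE storage form (AA:BB:CC:DD:EE:FF) for the four input formats in
# the table above; returns 1 and prints nothing for any other input.
strict_mac() {
  _mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  _h='[0-9A-F][0-9A-F]'            # one octet as a shell pattern
  # case patterns must match the whole string, so trailing or embedded
  # characters such as '/', '?' or '*' cause a rejection.
  case "$_mac" in
    ${_h}:${_h}:${_h}:${_h}:${_h}:${_h}) ;;   # colon-separated
    ${_h}-${_h}-${_h}-${_h}-${_h}-${_h}) ;;   # hyphen-separated
    ${_h}${_h}.${_h}${_h}.${_h}${_h})    ;;   # dotted, AABB.CCDD.EEFF
    ${_h}${_h}${_h}${_h}${_h}${_h})      ;;   # bare 12 hex digits
    *) return 1 ;;
  esac
  printf '%s\n' "$_mac" | tr -d ':.-' | sed 's/\(..\)/\1:/g;s/:$//'
}

# Constructed sample inputs: validate before the value reaches a request URL.
for candidate in 'aabb.ccdd.eeff' 'aa:bb:cc:dd:ee' 'aabbccddeeff?size=100'; do
  if mac=$(strict_mac "$candidate"); then
    echo "ok      $candidate -> $mac"
  else
    echo "reject  $candidate" >&2
  fi
done
```
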

Error Handling

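Check for errors in response

RESPONSE=$(curl -sk -w "\n%{http_code}" -u "${ISE_API_USER}:${ISE_API_PASS}" \
  -H "Accept: application/json" \
  "https://${ISE_PAN_FQDN}:9060/ers/config/endpoint")

HTTP_CODE=$(echo "$RESPONSE" | tail -1)
BODY=$(echo "$RESPONSE" | sed '$d')

# curl reports 000 when no HTTP response was received (DNS, TCP or TLS failure),
# so treat anything outside 2xx as an error rather than only codes >= 400.
if [ "$HTTP_CODE" -lt 200 ] || [ "$HTTP_CODE" -ge 300 ]; then
  echo "Error $HTTP_CODE: $(echo "$BODY" | jq -r '.ERSResponse.messages[0].title' 2>/dev/null)" >&2
  exit 1
fi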
