pxGrid API Reference

pxGrid 2.0 - Real-time publish/subscribe API for session data, TrustSec, and Adaptive Network Control.

Overview

Port:            8910
Protocol:        HTTPS + WebSocket
Authentication:  Mutual TLS (client certificate)
Content Type:    application/json
Base URL:        <ise-pan>:8910/pxgrid/

pxGrid requires:

  1. Client certificate issued by ISE or trusted CA

  2. pxGrid client registered and approved in ISE

  3. pxGrid service enabled on ISE node

Certificate Setup

Environment Variables

ISE_PAN_FQDN="<ise-pan>"              # FQDN of the ISE PAN, used in the URLs below
ISE_PXGRID_CLIENT="netapi-client"
ISE_MTLS_CERT="/path/to/client.pem"
ISE_MTLS_KEY="/path/to/client.key"
ISE_MTLS_CA="/path/to/ise-ca.pem"

Test Connection

# -k is omitted so that --cacert actually verifies the ISE server certificate
curl -s \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  --cacert "${ISE_MTLS_CA}" \
  "https://${ISE_PAN_FQDN}:8910/pxgrid/control/AccountActivate" \
  -H "Content-Type: application/json" \
  -d "{\"accountName\": \"${ISE_PXGRID_CLIENT}\"}"

Control APIs

Activate Account

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d "{\"accountName\": \"${ISE_PXGRID_CLIENT}\"}" \
  "https://${ISE_PAN_FQDN}:8910/pxgrid/control/AccountActivate"

Response

{
  "accountState": "ENABLED",
  "version": "2.0.0.13"
}

Service Lookup

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"name": "com.cisco.ise.session"}' \
  "https://${ISE_PAN_FQDN}:8910/pxgrid/control/ServiceLookup"

Response

{
  "services": [
    {
      "name": "com.cisco.ise.session",
      "nodeName": "ise-01",
      "properties": {
        "restBaseUrl": "https://ise-01:8910/pxgrid/ise/radius",
        "wsPubsubService": "com.cisco.ise.pubsub",
        "sessionTopic": "/topic/com.cisco.ise.session"
      }
    }
  ]
}
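
Added example (not part of the original reference or of Cisco's code): the restBaseUrl returned by ServiceLookup is where the client certificate is presented next, so this checks it against an expected set of nodes before use. The allowlist, the function names and the second, rejected service entry are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the first entry mirrors the response above; the second
# is an invented entry whose restBaseUrl must be rejected.
SAMPLE_LOOKUP = json.loads("""
{"services": [
  {"name": "com.cisco.ise.session", "nodeName": "ise-01",
   "properties": {"restBaseUrl": "https://ise-01:8910/pxgrid/ise/radius",
                  "wsPubsubService": "com.cisco.ise.pubsub",
                  "sessionTopic": "/topic/com.cisco.ise.session"}},
  {"name": "com.cisco.ise.session", "nodeName": "ise-02",
   "properties": {"restBaseUrl": "http://192.0.2.10:8080/pxgrid/ise/radius"}}
]}
""")

def check_rest_base_url(url, allowed_hosts, port=8910):
    """Return url unchanged if it points at an expected pxGrid node, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme is not https: {url!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError(f"userinfo not allowed: {url!r}")
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {parts.hostname!r}")
    if parts.port != port:  # .port itself raises ValueError on a malformed port
        raise ValueError(f"unexpected port: {parts.port!r}")
    if not parts.path.startswith("/pxgrid/"):
        raise ValueError(f"unexpected path: {parts.path!r}")
    return url

def select_endpoints(lookup, service_name, allowed_hosts):
    """Split a ServiceLookup response into accepted URLs and (nodeName, reason) rejections."""
    accepted, rejected = [], []
    for svc in lookup.get("services", []):
        if svc.get("name") != service_name:
            continue
        url = svc.get("properties", {}).get("restBaseUrl", "")
        try:
            accepted.append(check_rest_base_url(url, allowed_hosts))
        except ValueError as exc:
            rejected.append((svc.get("nodeName"), str(exc)))
    return accepted, rejected

if __name__ == "__main__":
    print(select_endpoints(SAMPLE_LOOKUP, "com.cisco.ise.session", {"ise-01"}))
```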

Access Secret

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"peerNodeName": "ise-01"}' \
  "https://${ISE_PAN_FQDN}:8910/pxgrid/control/AccessSecret"

Available Services

Service                          Description
com.cisco.ise.session            Active sessions, session directory
com.cisco.ise.config.trustsec    Security groups, SGACLs, matrices
com.cisco.ise.config.anc         Adaptive Network Control policies
com.cisco.ise.radius             RADIUS failure statistics
com.cisco.ise.system             System health, performance
com.cisco.ise.mdm                MDM/EMM integration
com.cisco.ise.config.profiler    Profiler data

Session Directory

Get All Sessions

# Service URL: the restBaseUrl returned by ServiceLookup for com.cisco.ise.session
SERVICE_URL="https://ise-01:8910/pxgrid/ise/radius"

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{}' \
  "${SERVICE_URL}/getSessions"

Response

{
  "sessions": [
    {
      "timestamp": "2026-02-10T22:30:00.000Z",
      "state": "AUTHENTICATED",
      "userName": "evanusmodestus",
      "callingStationId": "28:92:00:89:EF:77",
      "ipAddresses": ["10.50.10.45"],
      "nasIpAddress": "10.50.1.2",
      "nasPortId": "GigabitEthernet1/0/1",
      "auditSessionId": "0A32010200001234",
      "adUserDomainName": "inside.domusdigitalis.dev",
      "selectedAuthzProfiles": ["PermitAccess"]
    }
  ]
}

Get Session by IP

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"ipAddress": "10.50.10.45"}' \
  "${SERVICE_URL}/getSessionByIpAddress"

Get Session by MAC

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{"macAddress": "28:92:00:89:EF:77"}' \
  "${SERVICE_URL}/getSessionByMacAddress"

ANC Operations

Get ANC Policies

ANC_URL="https://ise-01:8910/pxgrid/anc/config"

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{}' \
  "${ANC_URL}/getPolicies"

Apply ANC Policy

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{
    "policy": "ANC_Quarantine",
    "macAddress": "28:92:00:89:EF:77"
  }' \
  "${ANC_URL}/applyEndpointPolicy"

Clear ANC Policy

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{
    "policy": "ANC_Quarantine",
    "macAddress": "28:92:00:89:EF:77"
  }' \
  "${ANC_URL}/clearEndpointPolicy"

TrustSec

Get Security Groups

TRUSTSEC_URL="https://ise-01:8910/pxgrid/trustsec/config"

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{}' \
  "${TRUSTSEC_URL}/getSecurityGroups"

Get SGACLs

curl -s --cacert "${ISE_MTLS_CA}" \
  --cert "${ISE_MTLS_CERT}" \
  --key "${ISE_MTLS_KEY}" \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{}' \
  "${TRUSTSEC_URL}/getSecurityGroupAcls"

WebSocket Subscription

Session Topic Subscription

import asyncio
import websockets
import ssl
import json

async def subscribe_sessions():
    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ssl_context.load_cert_chain(
        certfile="/path/to/client.pem",
        keyfile="/path/to/client.key"
    )
    ssl_context.load_verify_locations("/path/to/ise-ca.pem")

    uri = "wss://ise-01:8910/pxgrid/ise/pubsub"

    async with websockets.connect(uri, ssl=ssl_context) as ws:
        # Subscribe to session topic
        subscribe_msg = {
            "sequence": 1,
            "type": "SUBSCRIBE",
            "topic": "/topic/com.cisco.ise.session"
        }
        await ws.send(json.dumps(subscribe_msg))

        # Receive messages
        while True:
            message = await ws.recv()
            data = json.loads(message)
            print(f"Session event: {data}")

asyncio.run(subscribe_sessions())
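
Added example (not part of the original reference): detection logic that could replace the print() in the receive loop, flagging a MAC that authenticates on a second NAS port while its first session is still open. It assumes each event carries a "sessions" list shaped like the getSessions response and that a closed session arrives with state "DISCONNECTED"; the class, helper names and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

def parse_ts(value):
    # Timestamps in the session records end in "Z"; normalise for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

class MacMoveDetector:
    """Alert when a MAC authenticates on a second NAS port while still active on the first."""
    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self.active = {}  # MAC -> (timestamp, (nasIpAddress, nasPortId))

    def feed(self, event):
        alerts = []
        for s in event.get("sessions", []):
            mac = s.get("callingStationId", "").upper().replace("-", ":")
            if not mac or "timestamp" not in s:
                continue  # ignore records without the fields we key on
            if s.get("state") == "DISCONNECTED":  # assumed state value, see lead-in
                self.active.pop(mac, None)
                continue
            if s.get("state") != "AUTHENTICATED":
                continue  # other states do not change where the MAC is attached
            ts, loc = parse_ts(s["timestamp"]), (s.get("nasIpAddress"), s.get("nasPortId"))
            prev = self.active.get(mac)
            if prev and prev[1] != loc and abs(ts - prev[0]) <= self.window:
                alerts.append({"mac": mac, "first": prev[1], "second": loc,
                               "gap_seconds": int(abs(ts - prev[0]).total_seconds())})
            self.active[mac] = (ts, loc)
        return alerts

def _ev(ts, mac, nas, port, state="AUTHENTICATED"):
    return {"sessions": [{"timestamp": ts, "state": state, "callingStationId": mac,
                          "nasIpAddress": nas, "nasPortId": port}]}

# Constructed sample events: the first MAC appears on two switches 90 s apart,
# the second disconnects before re-authenticating elsewhere.
SAMPLE_EVENTS = [
    _ev("2026-02-10T22:30:00.000Z", "28:92:00:89:EF:77", "10.50.1.2", "GigabitEthernet1/0/1"),
    _ev("2026-02-10T22:31:30.000Z", "28:92:00:89:EF:77", "10.50.1.3", "GigabitEthernet1/0/7"),
    _ev("2026-02-10T22:32:00.000Z", "02:00:00:00:00:01", "10.50.1.2", "GigabitEthernet1/0/2"),
    _ev("2026-02-10T22:33:00.000Z", "02:00:00:00:00:01", "10.50.1.2", "GigabitEthernet1/0/2", "DISCONNECTED"),
    _ev("2026-02-10T22:34:00.000Z", "02:00:00:00:00:01", "10.50.1.3", "GigabitEthernet1/0/9"),
]

def run_sample():
    detector = MacMoveDetector()
    return [alert for ev in SAMPLE_EVENTS for alert in detector.feed(ev)]
```

An alert from this check is a lead for the session lookup by MAC, not proof of cloning: a legitimate move between ports without an intervening disconnect event produces the same pattern.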

netapi CLI Equivalent

curl                  netapi
Activate client       netapi ise pxgrid activate
Test connection       netapi ise pxgrid test
List services         netapi ise pxgrid services
Get sessions          netapi ise pxgrid sessions
Get session by MAC    netapi ise pxgrid session --mac XX
Apply ANC             netapi ise pxgrid anc --mac XX --policy Quarantine