ERS API Coverage Matrix

Overview

ISE 3.4 ERS API provides 199 endpoints across 70 resource types. netapi currently implements 115 CLI commands covering the most critical operations.

| Metric | Value | Notes |
|---|---|---|
| Total ERS Resources | 70 | From ISE 3.4 OpenAPI spec |
| Total API Endpoints | 199 | GET, POST, PUT, DELETE operations |
| netapi CLI Commands | 115 | Covering core operations |
| Implementation Coverage | ~60% | By resource type |

Implementation Status Legend

Fully implemented (CRUD operations)

Partially implemented (read-only or limited)

Planned for implementation

Not planned (low priority)

Core Identity Management

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| endpoint | | P0 | get-endpoints, get-endpoint, create-endpoint, update-endpoint, delete-endpoint, bulk-create-endpoint |
| endpointgroup | | P0 | get-endpoint-groups, create-endpoint-group, update-endpoint-group, delete-endpoint-group, bulk-update-endpoint-group |
| identitygroup | | P0 | get-identity-groups, create-identity-group, update-identity-group, delete-identity-group |
| internaluser | | P1 | get-internal-users (read-only, create/update pending) |
| guestuser | | P2 | Not implemented - 12 API operations available |
| guesttype | | P2 | Not implemented - guest type CRUD |

Network Access Devices

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| networkdevice | | P0 | get-nads, get-nad, create-nad, update-nad, delete-nad |
| networkdevicegroup | | P1 | Not implemented - device group CRUD |
| externalradiusserver | | P2 | Not implemented - external RADIUS servers |
| radiusserversequence | | P2 | Not implemented - RADIUS server sequences |

Policy & Authorization

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| authorizationprofile | | P0 | get-authz-profiles, get-authz-profile, create-authz-profile, update-authz-profile, delete-authz-profile, create-authz-profiles-from-file |
| downloadableacl | | P0 | get-dacls, get-dacl, create-dacl, update-dacl, delete-dacl, create-dacls-from-file |
| allowedprotocols | | P1 | get-allowed-protocols, get-allowed-protocol, create-allowed-protocols, update-allowed-protocols, delete-allowed-protocols |
| certificateprofile | | P1 | get-cert-profiles, get-cert-profile, create-cert-profile, delete-cert-profile |
| certificatetemplate | | P1 | get-cert-templates, get-cert-template (read-only) |
| filterpolicy | | P2 | Not implemented - filter policies |
| idstoresequence | | P2 | Not implemented - identity store sequences |

TrustSec (SGT/SXP)

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| sgt | | P0 | get-sgts, get-sgt, create-sgt, update-sgt, delete-sgt |
| sgacl | | P1 | Not implemented - SGACL CRUD |
| sgmapping | | P1 | Not implemented - IP-SGT mappings (6 operations) |
| sgmappinggroup | | P1 | Not implemented - mapping groups (6 operations) |
| sgtvnvlan | | P2 | Not implemented - SGT-VN-VLAN mappings |
| egressmatrixcell | | P2 | Not implemented - TrustSec matrix (8 operations) |
| sxpconnections | | P2 | Not implemented - SXP connections |
| sxplocalbindings | | P2 | Not implemented - SXP local bindings |
| sxpvpns | | P2 | Not implemented - SXP VPNs |

Adaptive Network Control (ANC)

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| ancpolicy | | P0 | get-anc-policies, get-anc-policy |
| ancendpoint | | P0 | get-anc-endpoints, anc-apply, anc-clear |

Active Directory Integration

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| activedirectory | | P0 | get-ad-join-points, get-ad-groups, search-ad-groups, add-ad-groups |
| ldap | | P1 | Partial - needs CRUD commands (10 operations available) |

Profiler

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| profilerprofile | | P1 | get-profiler-profiles, get-profiler-profile (read-only - ISE system profiles) |

Portals

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| byodportal | | P1 | get-byod-portals, get-byod-portal, enable-byod-portal, configure-byod-from-file |
| selfregportal | | P1 | get-self-reg-portals (read-only) |
| sponsorportal | | P1 | get-sponsor-portals, get-sponsor-portal, update-portal-port |
| sponsoredguestportal | | P1 | get-sponsored-guest-portals (read-only) |
| hotspotportal | | P1 | get-hotspot-portals (read-only) |
| mydeviceportal | | P1 | get-my-devices-portals, get-my-devices-portal (read-only) |
| portal | | P1 | list-all-portals, get-ise-portal, set-ise-portal-cert-group |
| portalglobalsetting | | P2 | Not implemented - global portal settings |
| portaltheme | | P2 | Not implemented - portal themes |

Native Supplicant Profiles

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| nspprofile | | P1 | get-native-supplicant-profiles, get-native-supplicant-profile, update-native-supplicant-profile |

Deployment & Nodes

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| deploymentinfo | | P0 | get-nodes (deployment info) |
| node | | P1 | get-nodes (read-only) |
| sessionservicenode | | P2 | Read via deployment info |

pxGrid

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| pxgridnode | | P2 | Not implemented via ERS - use pxGrid CLI instead |
| pxgridsettings | | P2 | Not implemented - pxGrid settings |

TACACS+

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| tacacscommandsets | | P2 | Not implemented - TACACS command sets |
| tacacsexternalservers | | P2 | Not implemented - TACACS external servers |
| tacacsprofile | | P2 | Not implemented - TACACS profiles |
| tacacsserversequence | | P2 | Not implemented - TACACS server sequences |

Guest Management

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| guestlocation | | P2 | Not implemented - guest locations |
| guestsmtpnotificationsettings | | P2 | Not implemented - guest SMTP settings |
| guestssid | | P2 | Not implemented - guest SSIDs |
| sponsorgroup | | P2 | Not implemented - sponsor groups |
| sponsorgroupmember | | P2 | Not implemented - sponsor group members |

REST Identity Stores

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| restidstore | | P2 | Not implemented - REST identity stores (7 operations) |
| restidstoreattribute | | P2 | Not implemented - store attributes |
| restidstoresettings | | P2 | Not implemented - store settings |

ACI Integration

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| acibindings | | P3 | Not planned - ACI bindings (requires Cisco ACI) |
| acisettings | | P3 | Not planned - ACI settings |

System & Support

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| adminuser | | P2 | Not implemented - admin users (read-only available) |
| service | | P2 | Not implemented - ISE services status |
| supportbundle | | P2 | Not implemented - support bundle generation |
| supportbundledownload | | P2 | Not implemented - support bundle download |
| supportbundlestatus | | P2 | Not implemented - support bundle status |
| systemcertificate | | P1 | Not implemented - system certificate import |
| telemetryinfo | | P3 | Not planned - telemetry info |
| endpointcert | | P2 | Not implemented - endpoint certificate operations |
| threat | | P2 | Not implemented - threat operations |

SMS Providers

| Resource | Status | Priority | netapi Commands |
|---|---|---|---|
| smsprovider | | P3 | Not planned - SMS providers (read-only) |

Implementation Roadmap

Phase 1: TrustSec Enhancement (P1)

Priority additions for TrustSec deployments:

# Planned commands
netapi ise get-sgacls
netapi ise create-sgacl "Permit_All" --content "permit ip"
netapi ise get-sg-mappings
netapi ise create-sg-mapping --ip 10.50.1.0/24 --sgt Employees
netapi ise get-network-device-groups
netapi ise create-network-device-group "Switches" --type "Device Type"

Phase 2: Guest Management (P2)

# Planned commands
netapi ise get-guest-users
netapi ise create-guest-user "visitor@example.com" --sponsor-portal "Self-Reg"
netapi ise get-guest-types
netapi ise get-sponsor-groups

Phase 3: TACACS+ (P2)

# Planned commands
netapi ise get-tacacs-profiles
netapi ise create-tacacs-profile "Admin-Read-Only" --privilege-level 1
netapi ise get-tacacs-command-sets

API Introspection

Explore available SDK modules:

# List all available SDK modules
netapi ise list-api-modules

# Filter by pattern
netapi ise list-api-modules --filter "endpoint"

# Inspect module methods
netapi ise inspect-module endpoint_identity_group

Raw API Access

For resources not yet implemented, use the generic API call:

# GET request
netapi ise api-call ers GET /config/sgacl

# POST with JSON body
netapi ise api-call ers POST /config/sgacl --body '{"Sgacl": {"name": "Test"}}'

# With query parameters
netapi ise api-call ers GET /config/endpoint --params "size=100&page=1"