ERS Endpoints Commands

Synopsis

netapi ise get-endpoints [OPTIONS]
netapi ise get-endpoint <MAC_OR_UUID> [OPTIONS]
netapi ise create-endpoint <MAC> [OPTIONS]
netapi ise update-endpoint <MAC_OR_UUID> [OPTIONS]
netapi ise delete-endpoint <MAC_OR_UUID> [OPTIONS]
netapi ise update-endpoint-group <MAC> <GROUP>
netapi ise get-endpoint-groups

Description

Manage ISE endpoint database entries. Endpoints are devices identified by MAC address.

Commands

get-endpoints

List endpoints in the ISE database (first page by default; use --all to fetch every page).

# First 100 endpoints (default)
netapi ise get-endpoints

# All endpoints (fetches all pages)
netapi ise get-endpoints --all

# Limit results
netapi ise get-endpoints --limit 50

# Filter by identity group
netapi ise get-endpoints --group Blacklist

# Filter by profile (contains match)
netapi ise get-endpoints --profile iPhone

# Filter by logical profile (server-side, fast)
netapi ise get-endpoints --logical-profile IP-Phone
netapi ise get-endpoints --logical-profile Mobile-Devices

Options
--all, -a                 Fetch all pages (default: first page only)
--size                    Results per page (max 100, default 100)
--limit, -l               Limit number of results
--group, -g               Filter by identity group name
--profile, -p             Filter by profile name (contains match)
--logical-profile, -L     Filter by logical profile (server-side filter)

get-endpoint

Get details for a specific endpoint by MAC address or UUID.

# By MAC
netapi ise get-endpoint 70:15:FB:F8:47:EC

# By UUID
netapi ise get-endpoint 68206ac0-a7cb-11f0-ac46-968ccf16ea3a

# Full view with session + auth history (requires DataConnect)
netapi ise get-endpoint 70:15:FB:F8:47:EC --full

Options
--full, -f                Include active session and auth history via DataConnect

Sample Output
╭──────────────────────────────────────╮
│        Endpoint Details              │
│        70:15:FB:F8:47:EC             │
╰──────────────────────────────────────╯

Identity
  MAC Address          70:15:FB:F8:47:EC
  Endpoint ID          68206ac0-a7cb-11f0-ac46-968ccf16ea3a
  Portal User          -
  Identity Store       -

Profiling
  Profile              Microsoft-Workstation
  Static Assignment    False

Identity Group
  Group                Trusted_Users
  Static Assignment    True

Full Output (--full)

Active Session (DataConnect)
  Username             jsmith@corp.com
  NAS                  10.193.144.124
  Port                 GigabitEthernet1/0/15
  Auth Method          dot1x
  VLAN                 100
  Status               PASSED

Auth History (Last 5)
Time                    Method  Result  Failure Reason
2026-01-23 08:15:32     dot1x   PASS    -
2026-01-23 06:02:11     dot1x   PASS    -
2026-01-22 18:45:03     dot1x   PASS    -

create-endpoint

Create a new endpoint entry.

netapi ise create-endpoint 00:11:22:33:44:55 \
  --group "Medical-Devices" \
  --profile "Insensix-Device" \
  --description "Temperature sensor - Room 101"

delete-endpoint

Delete an endpoint from the ISE database.

# With confirmation prompt
netapi ise delete-endpoint 70:15:FB:F8:47:EC

# By UUID
netapi ise delete-endpoint 68206ac0-a7cb-11f0-ac46-968ccf16ea3a

# Skip confirmation
netapi ise delete-endpoint 70:15:FB:F8:47:EC --force

Options
--force, -f               Skip confirmation prompt

update-endpoint

Update endpoint fields (description, group, static assignments).

# Set description
netapi ise update-endpoint 70:15:FB:F8:47:EC --description "John's laptop"

# Change identity group
netapi ise update-endpoint 70:15:FB:F8:47:EC --group Trusted_Users

# Multiple updates at once
netapi ise update-endpoint 70:15:FB:F8:47:EC --description "IoT sensor" --group IoT_Devices

# Lock profiler assignments
netapi ise update-endpoint 70:15:FB:F8:47:EC --static-profile --static-group

# By UUID
netapi ise update-endpoint 68206ac0-a7cb-11f0-ac46-968ccf16ea3a --description "Server NIC"

Options
--description, -d                      Set endpoint description
--group, -g                            Set identity group name
--static-group/--no-static-group       Lock/unlock group assignment (prevent profiler override)
--static-profile/--no-static-profile   Lock/unlock profile assignment (prevent profiler override)

Sample Output
Updated endpoint: 70:15:FB:F8:47:EC
  Description: John's laptop
  Group: Trusted_Users

update-endpoint-group

Move an endpoint to a different identity group, setting the static assignment flag explicitly.

# Move to DOMUS_Printers group (static assignment - PREVENTS profiler override)
netapi ise update-endpoint-group 90:32:4B:B8:FC:FE DOMUS_Printers

# Move to Blacklist (static assignment - PREVENTS profiler override)
netapi ise update-endpoint-group C8:5B:76:C6:59:62 Blacklist

# Move to Profiled group (allow profiler to re-assign)
netapi ise update-endpoint-group 00:11:22:33:44:55 Profiled --no-static

# Move to trusted users group
netapi ise update-endpoint-group 70:15:FB:F8:47:EC Trusted_Users

Options
--static (default)        Static group assignment: ISE Profiling will NOT change the group. Sets staticGroupAssignment=true.
--no-static               Allow ISE Profiling to automatically re-assign the group based on profiling policy.

Implementation: Direct PUT to ERS API

This command uses a direct PUT request to the ISE ERS API (PUT /ers/config/endpoint/{id}) instead of the ciscoisesdk library. The SDK’s update_by_id() method doesn’t properly set staticGroupAssignment on ISE 3.x, allowing ISE Profiling to override manual group assignments.

What happens internally:

  1. Looks up endpoint ID using MAC address (via ERS get_endpoint_by_mac)

  2. Looks up group ID using group name (via ERS get_endpoint_group_by_name)

  3. Sends direct PUT request with staticGroupAssignment parameter

Fix history:

  • Before (broken): Used ciscoisesdk which silently ignored staticGroupAssignment

  • After (fixed): Uses requests.put() directly to ERS endpoint

For production 802.1X deployments: Always use --static (the default) to prevent ISE Profiling from moving endpoints out of their assigned identity groups.
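The three-step flow described above, written out as an added Python example (not the netapi tool's own code). The ERS paths /ers/config/endpoint/name/{mac} and /ers/config/endpointgroup/name/{name}, the ERSEndPoint/EndPointGroup response keys and the PUT body layout are assumed from ERS conventions; the HTTP transport is injected so the body that would be sent can be inspected offline.

```python
import re


def normalize_mac(mac: str) -> str:
    """Canonical ISE form (uppercase, colon-separated); rejects malformed input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def group_update_body(endpoint_id: str, mac: str, group_id: str, static: bool) -> dict:
    """Body for PUT /ers/config/endpoint/{id} (assumed layout). staticGroupAssignment=True
    is the field that stops ISE Profiling from moving the endpoint to another group."""
    return {"ERSEndPoint": {"id": endpoint_id, "mac": mac,
                            "groupId": group_id, "staticGroupAssignment": static}}


def requests_transport(base_url: str, auth, verify=True):
    """HTTP transport built on the requests library (assumed installed)."""
    import requests
    session = requests.Session()
    session.auth = auth
    session.headers.update({"Accept": "application/json", "Content-Type": "application/json"})

    def call(method: str, path: str, body=None) -> dict:
        r = session.request(method, base_url.rstrip("/") + path, json=body, verify=verify, timeout=30)
        r.raise_for_status()  # 401/403/404 surface here instead of being silently ignored
        return r.json() if r.content else {}
    return call


def move_endpoint_to_group(http, mac: str, group_name: str, static: bool = True) -> dict:
    """The three steps update-endpoint-group performs: resolve the endpoint id by MAC,
    resolve the group id by name, then PUT with an explicit staticGroupAssignment."""
    mac = normalize_mac(mac)
    endpoint_id = http("GET", f"/ers/config/endpoint/name/{mac}")["ERSEndPoint"]["id"]
    group_id = http("GET", f"/ers/config/endpointgroup/name/{group_name}")["EndPointGroup"]["id"]
    body = group_update_body(endpoint_id, mac, group_id, static)
    http("PUT", f"/ers/config/endpoint/{endpoint_id}", body)
    return body["ERSEndPoint"]


if __name__ == "__main__":
    # Constructed placeholder host and credentials; ERS listens on TCP 9060 by default.
    http = requests_transport("https://ise-pan.example.internal:9060", ("ers-admin", "secret"))
    print(move_endpoint_to_group(http, "90:32:4b:b8:fc:fe", "DOMUS_Printers"))
```

After the PUT, a GET of the same endpoint should show staticGroupAssignment=true; if it does not, the group will drift the next time the profiler re-evaluates the device.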

bulk-create-endpoint

Bulk create endpoints and assign to identity group with static assignment.

# Create endpoints with group assignment
netapi ise bulk-create-endpoint DOMUS_Printers AA:BB:CC:DD:EE:03 11:22:33:44:55:66

# With description
netapi ise bulk-create-endpoint DOMUS_Printers AA:BB:CC:DD:EE:FF \
    --description "Network Printer - Building A"

# From file (one MAC per line)
netapi ise bulk-create-endpoint IoT_Devices --file /tmp/iot-macs.txt

# Update existing endpoints too (create + update)
netapi ise bulk-create-endpoint Blacklist --file macs.txt --update-existing

# From stdin
cat macs.txt | netapi ise bulk-create-endpoint Quarantine --stdin

# Dry run (preview only)
netapi ise bulk-create-endpoint Blacklist --file macs.txt --dry-run

Options
--description, -d         Description for all created endpoints
--static (default)        Static group assignment; ISE Profiling won't override
--no-static               Allow ISE Profiling to re-assign group
--update-existing, -u     Update existing endpoints instead of skipping
--file, -f                Read MACs from file (one per line)
--stdin                   Read MACs from stdin (pipe)
--dry-run, -n             Preview without making changes

Sample Output
Processing 3 endpoint(s) → group 'DOMUS_Printers' (static=True)
  Description: Test IoT Device
✓ [CREATED] AA:BB:CC:DD:EE:03 → DOMUS_Printers
✓ [CREATED] 11:22:33:44:55:66 → DOMUS_Printers
✓ [CREATED] 22:33:44:55:66:77 → DOMUS_Printers

✓ Completed: 3 created

bulk-update-endpoint-group

Bulk move existing endpoints to a different identity group.

# From arguments (space-separated)
netapi ise bulk-update-endpoint-group DOMUS_Printers AA:BB:CC:DD:EE:FF 11:22:33:44:55:66

# From file (one MAC per line)
netapi ise bulk-update-endpoint-group Blacklist --file /tmp/macs.txt

# From stdin (pipe)
cat macs.txt | netapi ise bulk-update-endpoint-group Quarantine --stdin

# Pipeline from ISE query
netapi ise get-endpoints --group Unknown -o json | jq -r '.[].mac' | \
    netapi ise bulk-update-endpoint-group Profiled --stdin

# Dry run (preview only)
netapi ise bulk-update-endpoint-group Blacklist --file macs.txt --dry-run

# Allow profiler override (no static)
netapi ise bulk-update-endpoint-group Profiled --file macs.txt --no-static

Options
--static (default)        Static group assignment; ISE Profiling won't override
--no-static               Allow ISE Profiling to re-assign group
--file, -f                Read MACs from file (one per line)
--stdin                   Read MACs from stdin (pipe)
--dry-run, -n             Preview without making changes

Sample Output
Processing 5 endpoint(s) → group 'DOMUS_Printers' (static=True)
Warning: [SKIP] AA:BB:CC:DD:EE:FF - not found in ISE
✓ [OK] 11:22:33:44:55:66 → DOMUS_Printers
✓ [OK] 22:33:44:55:66:77 → DOMUS_Printers

✓ Completed: 2/3 endpoints updated

Table 1. Bulk Commands Summary
Command                       Purpose
bulk-create-endpoint          Create new endpoints + assign to group
bulk-update-endpoint-group    Move existing endpoints to different group

get-endpoint-groups

List all endpoint identity groups.

netapi ise get-endpoint-groups
netapi ise get-endpoint-groups --size 50 --page 2
Options
--size, -s INTEGER    Results per page (default: 100)
--page, -p INTEGER    Page number (default: 1)

ANC (Adaptive Network Control)

Quarantine or restrict endpoints using ANC policies.

anc-apply

Apply an ANC policy to an endpoint (quarantine, port bounce, etc.).

# Quarantine an endpoint
netapi ise anc-apply C8:5B:76:C6:59:62 Quarantine

# Shut down port
netapi ise anc-apply 00:11:22:33:44:55 Shut_Down

# Port bounce (re-auth)
netapi ise anc-apply 70:15:FB:F8:47:EC Port_Bounce

anc-clear

Remove the ANC policy from an endpoint.

netapi ise anc-clear C8:5B:76:C6:59:62

get-anc-endpoints

List endpoints with ANC policies applied.

netapi ise get-anc-endpoints

Rejected Endpoints

Manage endpoints blocked by anti-RADIUS-spray protection.

get-rejected-endpoints

List all rejected endpoints with MAC addresses and rejection reason.

netapi ise get-rejected-endpoints
Sample Output
✓ Found 2 rejected endpoint(s)
       Rejected Endpoints
┏━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┓
┃ MAC Address       ┃ Reason   ┃
┡━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━┩
│ 44:1B:88:75:CF:74 │ EndPoint │
│ 3C:EC:EF:43:4D:49 │ EndPoint │
└───────────────────┴──────────┘

release-rejected

Release a rejected endpoint to allow new authentication attempts.

netapi ise release-rejected 14:F6:D8:7B:31:80

Use Cases

Audit: Who Added Device to Identity Group

Find out who moved an endpoint to a specific identity group and when.

#!/bin/bash
MAC="$1"

echo "=== Endpoint Modification History ==="
netapi ise get-endpoint "$MAC" --format json | jq '{
  mac,
  current_group: ._group_name,
  modified_by: .modifiedBy,
  modified_date: .modifiedDate,
  created_by: .createdBy,
  created_date: .createdDate,
  static_group_assignment: .staticGroupAssignment
}'

echo ""
echo "=== Recent Configuration Changes (Last 7 Days) ==="
echo "Checking DataConnect for endpoint modifications..."
netapi ise dc config-changes --type "Endpoint" --hours 168 --limit 100 | grep -i "$MAC" || echo "No recent changes found in config audit"

echo ""
echo "=== Authentication History (Shows Group at Auth Time) ==="
netapi ise dc auth-history "$MAC" --limit 10

Alternative: GUI Path for Full Audit Trail

If programmatic access isn’t sufficient:

  1. Navigate to: Operations > Reports > Reports > Audit > Change Configuration Audit

  2. Filter by:

    • Object Type: "Endpoint" or "Endpoint Identity Group"

    • Time Range: Last 7 days (or custom)

  3. Search for the MAC address in results

This shows the full audit trail, including:

  • Who made the change (admin username)

  • What was changed (group assignment)

  • When it was changed (timestamp)

  • Source IP of the admin

Investigate Endpoint

#!/bin/bash
MAC="$1"

echo "=== Endpoint Details ==="
netapi ise get-endpoint "$MAC" --full

echo ""
echo "=== Current Session (MnT) ==="
netapi ise mnt session "$MAC"

Quarantine Compromised Device

#!/bin/bash
MAC="$1"
echo "Quarantining: $MAC"

# Apply quarantine policy
netapi ise anc-apply "$MAC" Quarantine

# Verify
netapi ise get-anc-endpoints | grep "$MAC"

Cleanup Old Endpoints

#!/bin/bash
# Find and remove endpoints from a specific group
for mac in $(netapi ise get-endpoints --group "Old_Devices" | grep -oE '([0-9A-F]{2}:){5}[0-9A-F]{2}'); do
  echo "Deleting: $mac"
  netapi ise delete-endpoint "$mac" --force
done

Blacklist a Device

#!/bin/bash
MAC="$1"
REASON="$2"

# Move to Blacklist group
netapi ise update-endpoint-group "$MAC" Blacklist

# Apply quarantine immediately
netapi ise anc-apply "$MAC" Quarantine

echo "Blacklisted: $MAC - $REASON"

Force Fresh Authentication (iPSK Troubleshooting)

When an iPSK device fails to connect despite correct PSK, cached endpoint data in ISE may cause issues. Delete and re-authenticate:

#!/bin/bash
MAC="$1"

# Check current state
echo "=== Current Endpoint State ==="
netapi ise get-endpoint "$MAC" 2>/dev/null || echo "Not in ISE"

# Check recent auth attempts
echo ""
echo "=== Recent Auth History ==="
netapi ise dc auth-history "$MAC" --hours 1

# Delete cached endpoint to force fresh auth
echo ""
echo "Deleting endpoint to force fresh authentication..."
netapi ise delete-endpoint "$MAC" --force

# Verify deleted
echo ""
echo "=== Verification ==="
netapi ise get-endpoint "$MAC" 2>&1 | grep -q "not found" && echo "✓ Endpoint deleted - ready for fresh auth"

echo ""
echo "Now reconnect device to WLAN. Then verify:"
echo "  netapi ise dc auth-history $MAC --hours 1"
echo "  netapi ise mnt session $MAC"