ERS Network Devices
Synopsis
netapi ise get-nads [OPTIONS]
netapi ise get-nad --name <NAME>
netapi ise create-nad <NAME> <IP_ADDRESS> <RADIUS_SECRET> [OPTIONS]
netapi ise update-nad <NAME> [OPTIONS]
netapi ise delete-nad <NAME> [OPTIONS]
Description
Manage Network Access Devices (NADs) in ISE. NADs are switches, WLCs, and other devices that authenticate via RADIUS.
Output Formats
All commands support multiple output formats via --format:
| Format | Flag | Use Case |
|---|---|---|
| Table (default) | | Human-readable terminal output |
| JSON | --format json | Piping to jq |
| YAML | --format yaml | Piping to yq |
| XML | --format xml | Piping to xq |
Commands
get-nads
List all Network Access Devices.
# Table format (default)
netapi ise get-nads
# JSON format (pipe to jq)
netapi ise --format json get-nads | jq '.[].name'
# YAML format (pipe to yq)
netapi ise --format yaml get-nads | yq '.[].name'
# XML format (pipe to xq)
netapi ise --format xml get-nads | xq -r '.network_devices_page_1_size_100.item[].name'
# Pagination
netapi ise get-nads --size 50 --page 2
| Option | Description |
|---|---|
| --size | Results per page (default: 100, max: 100) |
| --page | Page number (1-indexed, default: 1) |
Network Devices (Page 1, Size 100)
┏━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ ID ┃
┡━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Home-3560CX-01 │ 9cf557d0-a260-11f0-bf2b-022bf5b6e326 │
│ Home-9800-WLC │ c693ef30-a453-11f0-ac46-968ccf16ea3a │
│ LAB-9300-01 │ b2eda630-c049-11f0-bb2c-fe123a7c9ece │
└────────────────┴──────────────────────────────────────┘
Total: 3 results
[
  {
    "id": "9cf557d0-a260-11f0-bf2b-022bf5b6e326",
    "name": "Home-3560CX-01",
    "description": "",
    "link": {
      "rel": "self",
      "href": "https://10.50.1.20/ers/config/networkdevice/9cf557d0-a260-11f0-bf2b-022bf5b6e326",
      "type": "application/json"
    }
  },
  {
    "id": "c693ef30-a453-11f0-ac46-968ccf16ea3a",
    "name": "Home-9800-WLC",
    "description": "",
    "link": {
      "rel": "self",
      "href": "https://10.50.1.20/ers/config/networkdevice/c693ef30-a453-11f0-ac46-968ccf16ea3a",
      "type": "application/json"
    }
  }
]
# List NAD names only
netapi ise --format json get-nads | jq -r '.[].name'
# Output: Home-3560CX-01, Home-9800-WLC, LAB-9300-01
# Get first NAD
netapi ise --format json get-nads | jq '.[0]'
# Count NADs
netapi ise --format json get-nads | jq 'length'
# Output: 3
get-nad
Get details for a specific NAD by name.
# Table format (default)
netapi ise get-nad --name "Home-3560CX-01"
# JSON format
netapi ise --format json get-nad --name "Home-3560CX-01"
# YAML format
netapi ise --format yaml get-nad --name "Home-3560CX-01"
# XML format
netapi ise --format xml get-nad --name "Home-3560CX-01"
| Option | Description |
|---|---|
| --name | NAD name (exact match) |
Network Device: Home-3560CX-01
┏━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Property ┃ Value ┃
┡━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ Name │ Home-3560CX-01 │
│ IP Address │ 10.50.1.10 │
│ Model │ Catalyst-3560-CX │
│ Profile │ Cisco │
│ CoA Port │ 1700 │
│ RADIUS Secret │ ***configured*** │
│ Group: Location │ All Locations │
│ Group: IPSEC │ Is IPSEC Device > No │
│ Group: Device Type │ All Device Types > Switch │
│ Group: Stage │ Stage > closed │
└────────────────────┴───────────────────────────┘
{
  "id": "9cf557d0-a260-11f0-bf2b-022bf5b6e326",
  "name": "Home-3560CX-01",
  "description": "",
  "modelName": "Catalyst-3560-CX",
  "authenticationSettings": {
    "networkProtocol": "RADIUS",
    "radiusSharedSecret": "****",
    "enableKeyWrap": false,
    "dtlsRequired": false,
    "keyInputFormat": "ASCII",
    "enableMultiSecret": "false"
  },
  "profileName": "Cisco",
  "coaPort": 1700,
  "NetworkDeviceIPList": [
    {
      "ipaddress": "10.50.1.10",
      "mask": 32
    }
  ],
  "NetworkDeviceGroupList": [
    "Location#All Locations",
    "IPSEC#Is IPSEC Device#No",
    "Device Type#All Device Types#Switch",
    "Stage#Stage#closed"
  ]
}
id: 9cf557d0-a260-11f0-bf2b-022bf5b6e326
name: Home-3560CX-01
description: ''
modelName: Catalyst-3560-CX
authenticationSettings:
  networkProtocol: RADIUS
  radiusSharedSecret: '****'
  enableKeyWrap: false
  dtlsRequired: false
  keyInputFormat: ASCII
  enableMultiSecret: 'false'
profileName: Cisco
coaPort: 1700
NetworkDeviceIPList:
  - ipaddress: 10.50.1.10
    mask: 32
NetworkDeviceGroupList:
  - Location#All Locations
  - IPSEC#Is IPSEC Device#No
  - Device Type#All Device Types#Switch
  - Stage#Stage#closed
# Get IP address
netapi ise --format json get-nad --name "Home-3560CX-01" | jq -r '.NetworkDeviceIPList[0].ipaddress'
# Output: 10.50.1.10
# Get RADIUS protocol
netapi ise --format json get-nad --name "Home-3560CX-01" | jq -r '.authenticationSettings.networkProtocol'
# Output: RADIUS
# Get device groups
netapi ise --format json get-nad --name "Home-3560CX-01" | jq -r '.NetworkDeviceGroupList[]'
# Output:
# Location#All Locations
# IPSEC#Is IPSEC Device#No
# Device Type#All Device Types#Switch
# Stage#Stage#closed
# Check if DTLS required
netapi ise --format json get-nad --name "Home-3560CX-01" | jq '.authenticationSettings.dtlsRequired'
# Output: false
# Get IP address
netapi ise --format yaml get-nad --name "Home-3560CX-01" | yq '.NetworkDeviceIPList[0].ipaddress'
# Output: 10.50.1.10
# Get CoA port
netapi ise --format yaml get-nad --name "Home-3560CX-01" | yq '.coaPort'
# Output: 1700
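The per-field jq checks above can be combined into one review pass over every NAD. The following is an added example, not part of netapi: it reads records shaped like the `get-nad` JSON output and reports devices where DTLS is not required or where the IP entry covers more than one address. The sample records and the function names are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, shaped like the get-nad JSON output shown above.
SAMPLE_NADS = json.loads("""
[
  {"name": "Home-3560CX-01",
   "authenticationSettings": {"networkProtocol": "RADIUS", "dtlsRequired": false},
   "NetworkDeviceIPList": [{"ipaddress": "10.50.1.10", "mask": 32}],
   "NetworkDeviceGroupList": ["Location#All Locations",
                              "Device Type#All Device Types#Switch"]},
  {"name": "EXAMPLE-RANGE",
   "authenticationSettings": {"networkProtocol": "RADIUS", "dtlsRequired": "true"},
   "NetworkDeviceIPList": [{"ipaddress": "10.50.2.0", "mask": 24}],
   "NetworkDeviceGroupList": ["Location#All Locations"]}
]
""")

def is_true(value):
    """Accept both JSON booleans and the string booleans the API also returns."""
    return value is True or str(value).lower() == "true"

def parse_groups(group_list):
    """Turn 'Root#...#Leaf' strings into {root: leaf}."""
    return {g.split("#")[0]: g.split("#")[-1] for g in group_list}

def audit_nad(nad):
    """Return a list of review findings for one NAD record."""
    findings = []
    auth = nad.get("authenticationSettings", {})
    if auth.get("networkProtocol") == "RADIUS" and not is_true(auth.get("dtlsRequired")):
        findings.append("RADIUS without DTLS: protection rests on the shared secret alone")
    for ip in nad.get("NetworkDeviceIPList", []):
        net = ipaddress.ip_network(f"{ip['ipaddress']}/{ip['mask']}", strict=False)
        if net.num_addresses > 1:
            findings.append(f"{net} covers {net.num_addresses} addresses sharing one secret")
    return findings

def audit_all(nads):
    """Map NAD name -> findings, keeping only NADs with at least one finding."""
    report = {n["name"]: audit_nad(n) for n in nads}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_NADS).items():
        device_type = parse_groups(
            next(n for n in SAMPLE_NADS if n["name"] == name)["NetworkDeviceGroupList"]
        ).get("Device Type", "unknown")
        for finding in found:
            print(f"{name} [{device_type}]: {finding}")
```

To run it against live data, replace SAMPLE_NADS with a list built from the `netapi ise --format json get-nad --name ...` output for each device.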
create-nad
Create a new network access device.
# Basic creation
netapi ise create-nad "SW1-ACCESS" "10.50.1.12" "MyRadiusSecret"
# With profile and description
netapi ise create-nad "SW1-ACCESS" "10.50.1.12" "MyRadiusSecret" \
    --profile "Cisco" \
    --description "Access switch for Building 1"
# With custom CoA port
netapi ise create-nad "SW1-ACCESS" "10.50.1.12" "MyRadiusSecret" \
    --profile "Cisco" \
    --description "Access switch" \
    --coa-port 3799
| Option | Description |
|---|---|
| --profile | Device profile (e.g., "Cisco", "Cisco-Switch") |
| --description | Device description |
| --coa-port | Change of Authorization port (default: 1700) |
update-nad
Update an existing network access device.
# Update IP address
netapi ise update-nad "SW1-ACCESS" --ip "10.50.1.13"
# Update RADIUS secret
netapi ise update-nad "SW1-ACCESS" --secret "NewRadiusSecret456"
# Update profile
netapi ise update-nad "SW1-ACCESS" --profile "Cisco-Switch"
# Rename NAD
netapi ise update-nad "SW1-ACCESS" --name "SW1-CORE"
# Multiple updates
netapi ise update-nad "SW1-ACCESS" \
    --ip "10.50.1.13" \
    --description "Renamed to CORE"
| Option | Description |
|---|---|
| --name | New NAD name |
| --ip | New IP address |
| --secret | New RADIUS shared secret |
| --profile | New device profile |
| --description | New description |
Common Pipelines
Get IP Addresses for Ansible Inventory
# read -r keeps backslashes in names literal; IFS= preserves leading/trailing spaces
netapi ise --format json get-nads | jq -r '.[].name' | while IFS= read -r name; do
    ip=$(netapi ise --format json get-nad --name "$name" | jq -r '.NetworkDeviceIPList[0].ipaddress')
    echo "$name ansible_host=$ip"
done
Environment Variables
| Variable | Description |
|---|---|
| ISE_PAN_IP | ISE Primary Admin Node IP address |
| ISE_API_TOKEN | Base64 encoded |
export ISE_PAN_IP="10.50.1.20"
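# printf avoids echo -n portability differences; tr removes any line wrapping base64 adds
export ISE_API_TOKEN="$(printf '%s' "admin:password" | base64 | tr -d '\n')"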
See Also
- Authorization Profiles - Profiles assigned after NAD authentication
- Downloadable ACLs - Access control pushed to NADs
- Policy Sets - Policies matching NAD-based conditions