Policy API Reference
Overview
The ISE Policy API provides programmatic access to network access policies. This includes policy sets, authentication rules, authorization rules, and conditions.
Prerequisites
Load ISE credentials before running commands:
This exports
API Ports
| API | Port | Purpose | Auth |
|---|---|---|---|
| ERS | 9060 | CRUD operations (endpoints, policies, groups) | Basic / mTLS |
| MnT | 443 | Session queries, active sessions, CoA | Basic |
| Policy | 443 | Policy sets, rules, conditions | Basic |
| DataConnect | 2484 | SQL analytics, reporting | Certificate |
| pxGrid | 8910 | Real-time events, pub/sub | Certificate |
Command Reference
| Command | Description | Status |
|---|---|---|
| `netapi ise get-policy-sets` | List all policy sets with hit counts | |
| `netapi ise get-policy-set` | Get single policy set by name or ID | |
| | Create new policy set | |
| | Modify existing policy set | |
| | Remove policy set | |
| `netapi ise get-auth-rules` | List authentication rules in policy set | |
| `netapi ise add-auth-rule` | Add authentication rule to policy set | |
| | Modify authentication rule | |
| | Remove authentication rule | |
| `netapi ise get-authz-rules` | List authorization rules in policy set | |
| `netapi ise add-authz-rule` | Add authorization rule to policy set | |
| | Modify authorization rule | |
| | Remove authorization rule | |
| `netapi ise get-conditions` | List policy conditions | |
| | Get condition by name or ID | |
| `netapi ise create-condition` | Create new condition | |
| | Remove condition | |
| | Add condition to policy set | |
| | Replace policy set condition | |
Policy Sets
List All Policy Sets
```bash
# Table output (default)
netapi ise get-policy-sets

# JSON for jq processing
netapi ise get-policy-sets --format json | jq '.[] | {name, state, hitCounts}'
```

```text
┏━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━┓
┃ Name                ┃ State   ┃ Hit Counts ┃ Default ┃
┡━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━┩
│ Wired_802.1X_Closed │ enabled │     15,432 │ false   │
│ Wireless_802.1X     │ enabled │      8,291 │ false   │
│ MAB_Printers        │ enabled │        542 │ false   │
│ Default             │ enabled │         12 │ true    │
└─────────────────────┴─────────┴────────────┴─────────┘
```
Get Single Policy Set
```bash
# By name
netapi ise get-policy-set "Wired_802.1X_Closed"

# With full JSON structure
netapi ise get-policy-set "Wired_802.1X_Closed" --format json | jq '.'
```
Authentication Rules
Authentication rules determine HOW a client authenticates (which identity source to use).
List Authentication Rules
```bash
# List rules for a specific policy set
netapi ise get-auth-rules "Wired_802.1X_Closed"

# JSON output with jq filtering
netapi ise get-auth-rules "Wired_802.1X_Closed" --format json | \
    jq '.[] | {name, identitySourceName, state}'
```
Add Authentication Rule
```bash
# Add EAP-TLS rule using AD
netapi ise add-auth-rule "Wired_802.1X_Closed" \
    --name "EAP-TLS_AD_Auth" \
    --condition "Network_Access_Authentication_Method=EAP-TLS" \
    --identity-source "AD_Join_Point" \
    --rank 1
```
Authorization Rules
Authorization rules determine WHAT access a client gets after authentication (VLAN, dACL, SGT).
List Authorization Rules
```bash
# List all authz rules in policy set
netapi ise get-authz-rules "Wired_802.1X_Closed"

# Filter by profile
netapi ise get-authz-rules "Wired_802.1X_Closed" --format json | \
    jq '.[] | select(.profile | contains("Permit")) | {name, profile}'
```
Add Authorization Rule
```bash
# Add rule with condition and authorization profile
netapi ise add-authz-rule "Wired_802.1X_Closed" \
    --name "Linux_Workstation_Access" \
    --condition "AD:ExternalGroups CONTAINS Linux-Workstations" \
    --profile "Linux_Full_Access" \
    --rank 1

# Add rule with SGT assignment
netapi ise add-authz-rule "Wired_802.1X_Closed" \
    --name "Employees_SGT" \
    --condition "AD:ExternalGroups CONTAINS Domain Users" \
    --profile "Permit_Access" \
    --sgt "Employees" \
    --rank 2
```
Conditions
Conditions are reusable logic blocks used in policy sets and rules.
List Conditions
```bash
# All conditions
netapi ise get-conditions

# Filter by type
netapi ise get-conditions --format json | jq '.[] | select(.conditionType == "LibraryConditionAndBlock")'
```
Create Condition
```bash
# Simple condition
netapi ise create-condition "EAP-TLS_Only" \
    --attribute "Network_Access_Authentication_Method" \
    --operator "equals" \
    --value "EAP-TLS"

# Compound condition (AND)
netapi ise create-condition "Linux_AND_EAP-TLS" \
    --type "and" \
    --children "EAP-TLS_Only,Linux_Endpoint_Group"
```
Advanced Patterns
Export Policy Set Configuration
```bash
# Export full policy set with rules
netapi ise get-policy-set "Wired_802.1X_Closed" --format json > policy-set.json
netapi ise get-auth-rules "Wired_802.1X_Closed" --format json > auth-rules.json
netapi ise get-authz-rules "Wired_802.1X_Closed" --format json > authz-rules.json
```
Hit Count Analysis
```bash
# Find unused policy sets (zero hits)
netapi ise get-policy-sets --format json | \
    jq '.[] | select(.hitCounts == 0) | .name'

# Top five policy sets by hit count, descending
netapi ise get-policy-sets --format json | \
    jq 'sort_by(.hitCounts) | reverse | .[:5] | .[] | {name, hitCounts}'
```
Reset Hit Counts
```bash
# Reset via raw API call (not yet in CLI)
netapi ise api-call policy POST \
    "/api/v1/policy/network-access/policy-set/reset-hitcount"
```
Policy Set Audit
```bash
#!/bin/bash
# Audit all policy sets: print the auth and authz rule names under each set
for ps in $(netapi ise get-policy-sets --format json | jq -r '.[].name'); do
    echo "=== $ps ==="
    echo "Auth Rules:"
    netapi ise get-auth-rules "$ps" --format json | jq -r '.[].name' | sed 's/^/ /'
    echo "Authz Rules:"
    netapi ise get-authz-rules "$ps" --format json | jq -r '.[].name' | sed 's/^/ /'
    echo
done
```
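The export, hit-count and audit recipes above all stop at printing names. The following is an added Python example, not part of netapi, that reviews the same kind of JSON offline and returns structured findings: policy sets with zero hits, and enabled authorization rules that hand out a Permit profile with no condition at all. It runs on constructed sample data in the field shapes the page's jq filters use; the `condition` key on authorization rules is an assumption.

```python
import json

# Constructed sample data in the field shapes the page's jq filters use
# (name/state/hitCounts on policy sets, name/profile/state on authz rules).
# The "condition" key on authz rules is an assumption made for this example.
POLICY_SETS = json.loads("""[
  {"name": "Wired_802.1X_Closed", "state": "enabled", "hitCounts": 15432},
  {"name": "Legacy_Guest",        "state": "enabled", "hitCounts": 0},
  {"name": "Default",             "state": "enabled", "hitCounts": 12}
]""")
AUTHZ_RULES = json.loads("""{
  "Wired_802.1X_Closed": [
    {"name": "Linux_Workstation_Access", "state": "enabled", "profile": "Linux_Full_Access",
     "condition": "AD:ExternalGroups CONTAINS Linux-Workstations"},
    {"name": "Temp_Permit_All", "state": "enabled", "profile": "Permit_Access", "condition": null}
  ],
  "Legacy_Guest": [
    {"name": "Guest_Access", "state": "disabled", "profile": "Guest_Portal",
     "condition": "Guest_Flow EQUALS true"}
  ],
  "Default": []
}""")

def unused_policy_sets(policy_sets):
    """Policy sets that never matched a session: review them or retire them."""
    return [ps["name"] for ps in policy_sets if ps.get("hitCounts", 0) == 0]

def unconditional_permits(authz_rules):
    """Enabled authz rules with a Permit profile and no condition: such a rule
    matches every session that reaches its rank, so check it after every change."""
    found = []
    for ps_name, rules in authz_rules.items():
        for rule in rules:
            permissive = "permit" in rule.get("profile", "").lower()
            if rule.get("state") == "enabled" and permissive and not rule.get("condition"):
                found.append((ps_name, rule["name"]))
    return found

def audit(policy_sets, authz_rules):
    """Collect findings as (severity, policy_set, rule, message) tuples."""
    findings = [("info", ps, None, "policy set has zero hits")
                for ps in unused_policy_sets(policy_sets)]
    findings += [("high", ps, rule, "enabled Permit rule with no condition")
                 for ps, rule in unconditional_permits(authz_rules)]
    return findings

if __name__ == "__main__":
    for severity, ps, rule, msg in audit(POLICY_SETS, AUTHZ_RULES):
        print(f"[{severity}] {ps}{' / ' + rule if rule else ''}: {msg}")
```

To run it against a real deployment, replace the two constants with the parsed output of `get-policy-sets` and of `get-authz-rules` per set.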
Policy API Endpoints (Raw)
For operations not yet in CLI, use raw API calls:
```bash
# List time conditions
netapi ise api-call policy GET "/api/v1/policy/network-access/time-condition"

# Get network conditions
netapi ise api-call policy GET "/api/v1/policy/network-access/network-condition"

# List identity stores
netapi ise api-call policy GET "/api/v1/policy/network-access/identity-stores"

# Get service names
netapi ise api-call policy GET "/api/v1/policy/network-access/service-names"
```
Not Yet Implemented
The following Policy API operations are available in ISE but not yet in the netapi CLI:

| Feature | API Endpoint |
|---|---|
| Time Conditions | `/api/v1/policy/network-access/time-condition` |
| Network Conditions | `/api/v1/policy/network-access/network-condition` |
| Global Exceptions | |
| MFA Rules | |
| Custom Dictionaries | |
| TACACS+ Policies | |