ISE ERS API Examples

 

 

Get Started

 

Guest & Sponsor API

Enable the ERS APIs

The ERS APIs are disabled by default for security, so you must enable them.

  1. Log in to your ISE PAN
  2. Navigate to Administration > System > Settings and select ERS Settings from the left panel.
  3. Enable the ERS APIs by selecting Enable ERS for Read/Write
  4. Select Save to save your changes.
  5. You may use the default admin account to view the ISE ERS Software Development Kit (SDK) at https://ise.domain.com:9060/ers/sdk

 

Create ERS API Users

You must create separate users (not admin) with the ERS Admin (Read/Write) or ERS Operator (Read-Only) roles to use the ERS APIs.

  1. Navigate to Administration > System > Admin Access
  2. Choose Administrators > Admin Users from the left pane
  3. Choose +Add > Create an Admin User to create new ers-admin and ers-operator accounts.
    New Administrator
    Name: ers-admin
    Status: Enabled
    Password: ******
    Re-Enter Password: ******
    Admin Groups: ERS Admin

 

 

 

Create an Internal User

Version : ISE 1.3

Create an XML file named add_internal_user.xml to create user user2:

 

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:internaluser xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com" name="user2">
  <changePassword>true</changePassword>
  <customAttribute/>
  <enabled>true</enabled>
  <firstName>first</firstName>
  <lastName>last</lastName>
  <password>C!sco123</password>
</ns3:internaluser>

 

Run the curl command:

curl -v -X POST -k --tlsv1 -H "Content-Type: application/vnd.com.cisco.ise.identity.internaluser.1.0+xml" https://ers-admin:ers-password@ise.domain.com:9060/ers/config/internaluser -d @add_internal_user.xml

 

 

 

Get Endpoints by Endpoint GroupID

Version : ISE 1.3

Get endpoints per endpoint group and perform appropriate action.

https://ers-username:ers-password@ise-pan.domain.com:9060/ers/config/endpoint?filter=groupId.EQ.210d87c0-c260-11e2-9e10-0050568e01f0

 

 

 

 

Get Endpoint ID Group by Name

Version : ISE 1.2

Find the endpoint ID group by its group name (e.g. GL-0):

 

curl command :

 

curl -k 'https://ers-username:ers-password@ise-pan.domain.com:9060/ers/config/endpointgroup?filter=name.EQ.GL-0' -H 'Accept: application/vnd.com.cisco.ise.identity.endpointgroup.1.0+xml'

 

 

ISE Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:searchResult xmlns:ns2="ers.ise.cisco.com" total="1">
  <resources>
    <resource name="GL-0" id="d27edfa0-889d-11e3-b246-000c2916b229" description="">
      <link type="application/xml" href="https://ise-pan.domain.com:9060/ers/config/endpointgroup/d27edfa0-889d-11e3-b246-000c2916b229" rel="self"/>
    </resource>
  </resources>
</ns2:searchResult>

 

 

Get Endpoint by MAC

Find the endpoint id using the MAC address :

 

curl command :

curl -k 'https://ers-username:ers-password@ise-pan.domain.com:9060/ers/config/endpoint?filter=mac.EQ.11:22:33:44:55:66' -H 'Accept: application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'

 

ISE Response :

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:searchResult xmlns:ns2="ers.ise.cisco.com" total="1">
  <resources>
    <resource id="046f1250-bc6e-11e4-9baf-000c2916b229">
      <link type="application/xml" href="https://ise-pan.domain.com:9060/ers/config/endpoint/046f1250-bc6e-11e4-9baf-000c2916b229" rel="self"/>
    </resource>
  </resources>
</ns2:searchResult>

 

 

Get Endpoint Info by Resource ID

Get endpoint info by its Resource ID

 

curl command :

curl -k 'https://ers-admin:ers-password@ise.domain.com:9060/ers/config/endpoint/046f1250-bc6e-11e4-9baf-000c2916b229' -H 'Accept: application/vnd.com.cisco.ise.identity.endpoint.1.0+xml'

 

 

 

 

 

ISE Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:endpoint xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com" id="046f1250-bc6e-11e4-9baf-000c2916b229">
  <link type="application/xml" href="https://ise-pan.domain.com:9060/ers/config/endpoint/046f1250-bc6e-11e4-9baf-000c2916b229" rel="self"/>
  <groupId>04f15020-f42f-11e2-bd54-005056bf2f0a</groupId>
  <identityStore></identityStore>
  <identityStoreId></identityStoreId>
  <mac>11:22:33:44:55:66</mac>
  <portalUser></portalUser>
  <profileId>36c0ee30-f42f-11e2-bd54-005056bf2f0a</profileId>
  <staticGroupAssignment>false</staticGroupAssignment>
  <staticProfileAssignment>false</staticProfileAssignment>
</ns3:endpoint>

 

 

 

 

 

 

Update Endpoint : Statically Assign to an Identity Group

 

Create an XML file named endpoint.xml with the endpoint changes :

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:endpoint xmlns:ns2="ers.ise.cisco.com" xmlns:ns3="identity.ers.ise.cisco.com">
  <groupId>d27edfa0-889d-11e3-b246-000c2916b229</groupId>
  <identityStore></identityStore>
  <identityStoreId></identityStoreId>
  <mac>11:22:33:44:55:66</mac>
  <portalUser></portalUser>
  <profileId>36c0ee30-f42f-11e2-bd54-005056bf2f0a</profileId>
  <staticGroupAssignment>true</staticGroupAssignment>
  <staticProfileAssignment>false</staticProfileAssignment>
</ns3:endpoint>





 

Note: To remove an endpoint from an ID group, simply change staticGroupAssignment to false.

 

Update ISE using the XML file above :

curl -k -X PUT 'https://ers-username:ers-password@ise-pan.domain.com:9060/ers/config/endpoint/046f1250-bc6e-11e4-9baf-000c2916b229' -H 'Content-Type: application/vnd.com.cisco.ise.identity.endpoint.1.0+xml; charset=utf-8' -d @endpoint.xml

 

ISE Response :

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:updatedFields xmlns:ns2="ers.ise.cisco.com">
  <updatedField field="groupId">
    <newValue>d27edfa0-889d-11e3-b246-000c2916b229</newValue>
    <oldValue>04ea7250-f42f-11e2-bd54-005056bf2f0a</oldValue>
  </updatedField>
  <updatedField field="staticGroupAssignment">
    <newValue>true</newValue>
    <oldValue>false</oldValue>
  </updatedField>
</ns2:updatedFields>