ISE ERS API Examples



Get Started


Enable the ERS APIs

The ERS APIs are disabled by default for security so you must enable it.

  1. Login to your ISE PAN
  2. Navigate to Administration > System > Settings and select ERS Settings from the left panel.
  3. Enable the ERS APIs by selecting Enable ERS for Read/Write
  4. Select Save to save your changes.


After enabling ERS, it is available for Create, Read, Update, Delete (CRUD) operations on an ISE Policy Administration Node (PAN) and for Read-Only access (GET requests) on any ISE Policy Service Node (PSN).



View the ERS API SDK

  1. You may use the default admin account to view the ISE ERS Software Development Kit (SDK) at


Create ERS API Users

You can use the default ISE admin account for ERS APIs since it has SuperUser privileges. However, it is recommended to create separate users with the ERS Admin (Read/Write) or ERS Operator (Read-Onlly) privileges to use the ERS APIs so you can separately track and audit their activities.

  1. Navigate to Administration > System > Admin Access
  2. Choose Administrators > Admin Users from the left pane
  3. Choose  +Add > Create an Admin User to create a new ers-admin and ers-operator accounts.
    New Administrator
    Re-Enter Password************
    Admin GroupsERS AdminERS Operator




How to Invoke the REST APIs


Browser Extensions

Probably the easiest and most accessible way for most users to play with REST APIs is via a web browser extensions.


Firefox RESTED ExtensionChrome Poster Extension


All extensions have the same basic options.

To get a list of all ISE nodes in your deployment, try the following :


MethodGET (Read)

Content-Type: application/json

Accept-Type: application/json





If you prefer to use a command line, the cURL utility is probably the best and easiest choice for doing quick and dirty REST API calls.


To get a list of all ISE nodes in your deployment, try the following :

curl --include --header 'Accept: application/json' --user admin:C1sco12345




-H, --header <header>

Header to include in the request.

Use one per header.

-i, --include

Include the HTTP result headers in the output.

This is useful after creating (HTTP POST/PUT) an object to get it's Location identifier:


-k, --insecureAccept insecure connections. Useful if you are playing with ISE using a self-signed certificate.
-u, --user <username:password>Specify the username & password to authenticate the ERS user






Create an Internal User with an XML File


Version : ISE 1.3

Create an add_internal_user.xml XML file to create user user2 :


<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:inernaluser xmlns:ns2=“” xmlns:ns3=“” name=“user2”>


Run the curl command:

curl -v -X POST -k --tlsv1 -H "Content-Type: application/" -d @add_internal_user.xml




Create an Internal User with cURL and JSON


Create and enable the user 'thomas' in the default Internal Users database and do not require him to change his password upon login:

curl --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user admin:C1sco12345 --request POST  --data '


  "InternalUser" : {

    "name" : "thomas",

    "password" : "C1sco12345",

    "changePassword" : false




HTTP/1.1 201 Created

Set-Cookie: JSESSIONIDSSO=D4C830896B06B529CECCA61640B0193D; Path=/; Secure; HttpOnly

Set-Cookie: APPSESSIONID=C93E2BE40459768481F24D6DFA10B29D; Path=/ers; Secure; HttpOnly

Cache-Control: no-cache, no-store, must-revalidate

Pragma: no-cache

Expires: Thu, 01 Jan 1970 00:00:00 GMT


Date: Sat, 17 Mar 2018 20:32:31 GMT

Content-Type: application/json;charset=utf-8

Content-Length: 0








Get All ISE Administrators Using cURL and JSON

curl  --header  'Accept: application/json'  --user admin:C1sco12345



  "SearchResult" : {

    "total" : 1,

    "resources" : [ {

      "id" : "55c1b32f-9a89-4969-9ba2-151c8b03d3f1",

      "name" : "admin",

      "description" : "Default Admin User",

      "link" : {

        "rel" : "self",

        "href" : "",

        "type" : "application/xml"


    } ]





Get Endpoints by Endpoint GroupID


Version : ISE 1.3

Get endpoints per endpoint group and perform appropriate action.

curl  --header  'Accept: application/json' --user admin:C1sco12345



Get Endpoint ID Group by Name


Version : ISE 1.2

Find the endpoint id group with a group name (e.g. GL-0)

curl -k -H 'Accept: application/' --user admin:C1sco12345 ''


Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:searchResult xmlns:ns2="" total="1">
    <resource name="GL-0" id="d27edfa0-889d-11e3-b246-000c2916b229" description="">
      <link type="application/xml" href="" rel="self"/>




Get Endpoint by MAC


Find the endpoint id using the MAC address :

curl -k -H 'Accept: application/' --user admin:C1sco12345  ''

Response :


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:searchResult xmlns:ns2="" total="1">
    <resource id="046f1250-bc6e-11e4-9baf-000c2916b229">
      <link type="application/xml" href="" rel="self"/>




Get Endpoint Info by Resource ID


Get endpoint info by its Resource ID

curl -k '' -H 'Accept: application/'


ISE Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:endpoint xmlns:ns2="" xmlns:ns3="" id="046f1250-bc6e-11e4-9baf-000c2916b229">
  <link type="application/xml" href="" rel="self"/>







Update Endpoint : Statically Assign to an Identity Group


Create an XML file named endpoint.xml with the endpoint changes :


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:endpoint xmlns:ns2="" xmlns:ns3="">


Note: To remove an endpoint from an ID group, simply change staticGroupAssignment to false.


Update ISE using the XML file above :

curl -k -X PUT '' -H 'Content-Type: application/; charset=utf-8' -d @endpoint.xml


ISE Response :


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ns2:updatedFields xmlns:ns2="">
  <updatedField field="groupId">
  <updatedField field="staticGroupAssignment">