ISE Endpoint Group API

Wes Schochet — Fri, 06 May 2022 14:39:13 GMT

Hi-

I am looking for the ISE API call to get the endpoint IDs that are members of a particular endpoint identity group. I have the group ID. I can't find the right call....

Re: ISE Endpoint Group API

thomas — Fri, 06 May 2022 16:21:45 GMT

Wes, the ISE APIs are documented @ https://cs.co/ise-api.

There is an area called Getting Started with a page Reading a Resource that has a section Adding Filters which describes the Filter syntax which can be combined with Paging and Sorting.

First, let us view the first page of Endpoint Identity Groups (up to 20 per page, by default) including their IDs:

curl \
--insecure \
--location \
--silent \
--header 'Accept: application/json' \
--user $ise_rest_username:$ise_rest_password \
--request GET https://$ise_hostname/ers/config/endpointgroup\?size\=100 \
| jq -C '.[].resources[] | [.id,.name,.description ] | join(" | ")'
"38a73670-8c00-11e6-996c-525400b48521 | Sony-Device | Identity Group for Profile: Sony-Device"
"1e2700a0-8c00-11e6-996c-525400b48521 | Cisco-Meraki-Device | Identity Group for Profile: Cisco-Meraki-Device"
"0a4a50f0-8c00-11e6-996c-525400b48521 | Apple-iDevice | Identity Group for Profile: Apple-iDevice"
"0cc7ad00-8c00-11e6-996c-525400b48521 | BlackBerry | Identity Group for Profile: BlackBerry"
"ffa36b00-8bff-11e6-996c-525400b48521 | Android | Identity Group for Profile: Android"
"0c4eac70-8c00-11e6-996c-525400b48521 | Axis-Device | Identity Group for Profile: Axis-Device"
"2b07d100-8c00-11e6-996c-525400b48521 | Juniper-Device | Identity Group for Profile: Juniper-Device"
"22c6c780-8c00-11e6-996c-525400b48521 | Epson-Device | Identity Group for Profile: Epson-Device"
"aa10ae00-8bff-11e6-996c-525400b48521 | Profiled | Profiled Identity Group"
"aa000c30-8bff-11e6-996c-525400b48521 | Blocked List | Blocked List Identity Group"
"aa178bd0-8bff-11e6-996c-525400b48521 | GuestEndpoints | Guest Endpoints Identity Group"
"3a1b38d0-8c00-11e6-996c-525400b48521 | Synology-Device | Identity Group for Profile: Synology-Device"
"a4cd21c0-fd75-11eb-b43c-ba8c06185168 | OS_X_BigSur-Workstation | Identity Group for Profile: OS_X_BigSur-Workstation"
"3b113190-8c00-11e6-996c-525400b48521 | Vizio-Device | Identity Group for Profile: Vizio-Device"
"3a88eec0-8c00-11e6-996c-525400b48521 | Trendnet-Device | Identity Group for Profile: Trendnet-Device"
"aa13bb40-8bff-11e6-996c-525400b48521 | RegisteredDevices | Asset Registered Endpoints Identity Group"
"4ea2a450-5c7a-11ec-a6b9-ce11946aeeed | Windows11-Workstation | Identity Group for Profile: Windows11-Workstation"
"14f5cac0-8c00-11e6-996c-525400b48521 | Cisco-IP-Phone | Identity Group for Profile: Cisco-IP-Phone"
"aa0e8b20-8bff-11e6-996c-525400b48521 | Unknown | Unknown Identity Group"
"3b76f840-8c00-11e6-996c-525400b48521 | Workstation | Identity Group for Profile: Workstation"

Now let's say we want the Cisco-IP-Phone endpoints with group ID 14f5cac0-8c00-11e6-996c-525400b48521.

If you look at the structure of an endpoint object (this one is a printer) the attribute for the Endpoint Identity Group is groupID:

curl \
--insecure \
--location \
--silent \
--header 'Accept: application/json' \
--user $ise_rest_username:$ise_rest_password \
--request GET https://$ise_hostname/ers/config/endpoint/0e436440-cd53-11ec-bf2c-8220985ab925
{
"ERSEndPoint" : {
"id" : "0e436440-cd53-11ec-bf2c-8220985ab925",
"name" : "00:00:AA:C0:93:18",
"description" : "Epson Printer",
"mac" : "00:00:AA:C0:93:18",
"profileId" : "44031480-8c00-11e6-996c-525400b48521",
"staticProfileAssignment" : false,
"staticProfileAssignmentDefined" : true,
"groupId" : "22c6c780-8c00-11e6-996c-525400b48521",
"staticGroupAssignment" : true,
"staticGroupAssignmentDefined" : true,
"portalUser" : "",
"identityStore" : "",
"identityStoreId" : "",
"link" : {
"rel" : "self",
"href" : "https://198.18.133.27/ers/config/endpoint/0e436440-cd53-11ec-bf2c-8220985ab925",
"type" : "application/json"
}
}
}

We can run a query against the endpoints using the groupID attribute matching the Endpoint Group ID for our Cisco-IP-Phones :

curl \
--insecure \
--location \
--silent \
--header 'Accept: application/json' \
--user $ise_rest_username:$ise_rest_password \
--request GET https://$ise_hostname/ers/config/endpoint\?\&filter\=groupId.EQ.14f5cac0-8c00-11e6-996c-525400b48521 \
| jq -C '.[].resources[] | [.id,.name,.description ] | join(" | ")'
"0b36e790-cd53-11ec-bf2c-8220985ab925 | 00:11:BB:EF:EE:66 | IP Phone"
"0bdc7660-cd53-11ec-bf2c-8220985ab925 | 00:11:BB:5F:C4:28 | IP Phone"
"0c811ad0-cd53-11ec-bf2c-8220985ab925 | 00:11:BB:9E:57:BC | IP Phone"

8-)

Re: ISE Endpoint Group API

Wes Schochet — Fri, 06 May 2022 18:05:47 GMT

Exactly what i was looking for - thanks so much!

Re: ISE Endpoint Group API

HUBERT RESCH — Tue, 18 Apr 2023 16:36:31 GMT

Seems in ISE2.7 this do not work because:

GET https://$ise_hostname/ers/config/endpoint
does not include the groupId in the endpoint-dict ??

it only shows:

{

"id": "1d818dc0-5ff7-11e7-a32e-005056b315ee",

"name": "00:00:00:00:00:01",

"link": {

"rel": "self",

"href": "https://<ISE-IP>:9060/ers/config/endpoint/1d818dc0-5ff7-11e7-a32e-005056b315ee",

"type": "application/json"

}

topic Re: ISE Endpoint Group API in Network Access Control

ISE Endpoint Group API

Re: ISE Endpoint Group API

Re: ISE Endpoint Group API

Re: ISE Endpoint Group API