cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

4056
Views
45
Helpful
8
Replies

ISE API add MAC address to specified Identity Group

We have an ISE instance set up for testing, I'm a developer but have never used ISE before.

 

What I'm wanting to do should be simple but I've not found docs on it so far after searching.  I want to add a MAC address to a specified Identity Group.  More specifically I want to set it up using the API.  My tool of choice here is CURL.

 

In this API call, the Identity Group will already be defined, however the MAC address will be new to ISE (a brand new device).  How would I do this?

I have seen some great docs here like this: ISE ERS API Examples - but it just doesn't cover this specific case.  Please remember I'm new to ISE and actually a coder.  Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions

Ok, those are Endpoints. This is how I did it. First get the group ID:

  

tools$ curl --tlsv1.1 -k -H 'ACCEPT: application/json' -H 'ERS-Media-Type: identity.endpointgroup.1.1' "https://admin:1111111@1.1.1.1:9060/ers/config/endpointgroup/name/RegisteredDevices" 

    "id" : "aa13bb40-8bff-11e6-996c-525400b48521",

  

Create a file with mac address and the group id of the desired group (above). I am not a coder so I may have extra stuff in here I don't need:

 

mac.xml:

 

<?xml version="1.0" encoding="UTF-8"?>
<ns0:endpoint xmlns:ns0="identity.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="name">
<groupId>aa13bb40-8bff-11e6-996c-525400b48521</groupId>
<mac>00:01:02:03:04:05</mac>
<staticGroupAssignment>true</staticGroupAssignment>
<staticProfileAssignment>false</staticProfileAssignment>
</ns0:endpoint>

 

 The do this:

 

curl -v -X POST --tlsv1.1 -v -k -H 'ACCEPT: application/xml' -H 'ERS-Media-Type: identity.endpoint.1.2' --header 'Content-Type:application/xml' https://admin:11111@1.1.1.1:9060/ers/config/endpoint -d @mac.xml

 

 

 

 

View solution in original post

8 REPLIES 8
dodgerfan78
Beginner

I believe the online documentation shows this (https://<ise-ip>:9060/ers/sdk). Go to API Documentation > Endpoint > Create. Is that what you are looking for?

 

No, I do not want to create an endpoint.  In fact nothing to do with Endpoints.  I want to add a new *MAC address* to an existing *Identity Group*

 

It's irrelevant to this post, but that Identity group does contain endpoints.  So my device with the new MAC will get on those endpoints because of how the Identity Group is set up.  But again, I don't want to add an endpoint.

I think there might be some confusion on the terminology here because an endpoint in ISE is referenced by a unique mac address.  Each mac address corresponds to an endpoint.

For purposes of this, mac address = endpoint/device. 

A device such as a laptop with both a wired and wireless adapter is currently treated as two endpoints in ISE, two unique mac addresses.  

 

I believe he might be trying to add a MAC to a profile condition so that the device automatically gets put in the right Identity Group based on MAC address during profiling. Certainly doable, but I don't see those capabilities in the API.

As Damien noted, endpoint is mac address. With the create endpoint operation you can also put it into the group as well during creation. This essentially maps the MAC address to the endpoint group, which you can use to influence policy for the MAC.

@dodgerfan78 say I may be "trying to add a MAC to a profile condition" - possibly but here's a screenshot now that I'm getting more familiar.  What you see when I click the green "Add" button, I'm wanting to do via API - ie, add MAC address FF:FF:FF:FF:FF:FF to the `RegisteredUsers` Group shown.

 

Screen Shot 2018-12-14 at 3.33.39 PM.png

Ok, those are Endpoints. This is how I did it. First get the group ID:

  

tools$ curl --tlsv1.1 -k -H 'ACCEPT: application/json' -H 'ERS-Media-Type: identity.endpointgroup.1.1' "https://admin:1111111@1.1.1.1:9060/ers/config/endpointgroup/name/RegisteredDevices" 

    "id" : "aa13bb40-8bff-11e6-996c-525400b48521",

  

Create a file with mac address and the group id of the desired group (above). I am not a coder so I may have extra stuff in here I don't need:

 

mac.xml:

 

<?xml version="1.0" encoding="UTF-8"?>
<ns0:endpoint xmlns:ns0="identity.ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns1="ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" description="description" id="id" name="name">
<groupId>aa13bb40-8bff-11e6-996c-525400b48521</groupId>
<mac>00:01:02:03:04:05</mac>
<staticGroupAssignment>true</staticGroupAssignment>
<staticProfileAssignment>false</staticProfileAssignment>
</ns0:endpoint>

 

 The do this:

 

curl -v -X POST --tlsv1.1 -v -k -H 'ACCEPT: application/xml' -H 'ERS-Media-Type: identity.endpoint.1.2' --header 'Content-Type:application/xml' https://admin:11111@1.1.1.1:9060/ers/config/endpoint -d @mac.xml

 

 

 

 

Hi There, I have accepted your answer and it did work, however, I thought I'd add something I learned.

 

This is not to attach an existing endpoint to an identity group, it looks like it can only attach a NEW endpoint to an existing identity group. Otherwise, you'll get something like this:


<?xml version="1.0" encoding="utf-8" standalone="yes"?><ns3:ersResponse operation="POST-create-endpoint" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns3="ers.ise.cisco.com"><link rel="related" href="https://1.1.1.1:9060/ers/config/endpoint" type="application/xml"/><messages><message type="ERROR" code="CRUD operation exception"><title> Failed to update endpoint 55:01:00:00:00:01 to aa13bb40-8bff-11e6-996c-525400b48521 null</title></message></messages></ns3:ersResponse>

which is not very helpful :)

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube