ISE Endpoint Group API

Wes Schochet
Level 3

Hi-

I am looking for the ISE API call to get the endpoint IDs that are members of a particular endpoint identity group. I have the group ID. I can't find the right call....

Accepted Solutions

thomas
Cisco Employee

Wes, the ISE APIs are documented @ https://cs.co/ise-api.

There is an area called Getting Started with a page Reading a Resource that has a section Adding Filters which describes the Filter syntax which can be combined with Paging and Sorting.

First, let us view the first page of Endpoint Identity Groups (up to 20 per page, by default) including their IDs:

curl \
--insecure \
--location \
--silent \
--header 'Accept: application/json' \
--user $ise_rest_username:$ise_rest_password \
--request GET https://$ise_hostname/ers/config/endpointgroup\?size\=100 \
| jq -C '.[].resources[] | [.id,.name,.description ] | join(" | ")'
"38a73670-8c00-11e6-996c-525400b48521 | Sony-Device | Identity Group for Profile: Sony-Device"
"1e2700a0-8c00-11e6-996c-525400b48521 | Cisco-Meraki-Device | Identity Group for Profile: Cisco-Meraki-Device"
"0a4a50f0-8c00-11e6-996c-525400b48521 | Apple-iDevice | Identity Group for Profile: Apple-iDevice"
"0cc7ad00-8c00-11e6-996c-525400b48521 | BlackBerry | Identity Group for Profile: BlackBerry"
"ffa36b00-8bff-11e6-996c-525400b48521 | Android | Identity Group for Profile: Android"
"0c4eac70-8c00-11e6-996c-525400b48521 | Axis-Device | Identity Group for Profile: Axis-Device"
"2b07d100-8c00-11e6-996c-525400b48521 | Juniper-Device | Identity Group for Profile: Juniper-Device"
"22c6c780-8c00-11e6-996c-525400b48521 | Epson-Device | Identity Group for Profile: Epson-Device"
"aa10ae00-8bff-11e6-996c-525400b48521 | Profiled | Profiled Identity Group"
"aa000c30-8bff-11e6-996c-525400b48521 | Blocked List | Blocked List Identity Group"
"aa178bd0-8bff-11e6-996c-525400b48521 | GuestEndpoints | Guest Endpoints Identity Group"
"3a1b38d0-8c00-11e6-996c-525400b48521 | Synology-Device | Identity Group for Profile: Synology-Device"
"a4cd21c0-fd75-11eb-b43c-ba8c06185168 | OS_X_BigSur-Workstation | Identity Group for Profile: OS_X_BigSur-Workstation"
"3b113190-8c00-11e6-996c-525400b48521 | Vizio-Device | Identity Group for Profile: Vizio-Device"
"3a88eec0-8c00-11e6-996c-525400b48521 | Trendnet-Device | Identity Group for Profile: Trendnet-Device"
"aa13bb40-8bff-11e6-996c-525400b48521 | RegisteredDevices | Asset Registered Endpoints Identity Group"
"4ea2a450-5c7a-11ec-a6b9-ce11946aeeed | Windows11-Workstation | Identity Group for Profile: Windows11-Workstation"
"14f5cac0-8c00-11e6-996c-525400b48521 | Cisco-IP-Phone | Identity Group for Profile: Cisco-IP-Phone"
"aa0e8b20-8bff-11e6-996c-525400b48521 | Unknown | Unknown Identity Group"
"3b76f840-8c00-11e6-996c-525400b48521 | Workstation | Identity Group for Profile: Workstation"

Now let's say we want the Cisco-IP-Phone endpoints with group ID 14f5cac0-8c00-11e6-996c-525400b48521.

If you look at the structure of an endpoint object (this one is a printer), the attribute for the Endpoint Identity Group is groupId:

curl \
--insecure \
--location \
--silent \
--header 'Accept: application/json' \
--user $ise_rest_username:$ise_rest_password \
--request GET https://$ise_hostname/ers/config/endpoint/0e436440-cd53-11ec-bf2c-8220985ab925
{
  "ERSEndPoint" : {
    "id" : "0e436440-cd53-11ec-bf2c-8220985ab925",
    "name" : "00:00:AA:C0:93:18",
    "description" : "Epson Printer",
    "mac" : "00:00:AA:C0:93:18",
    "profileId" : "44031480-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : false,
    "staticProfileAssignmentDefined" : true,
    "groupId" : "22c6c780-8c00-11e6-996c-525400b48521",
    "staticGroupAssignment" : true,
    "staticGroupAssignmentDefined" : true,
    "portalUser" : "",
    "identityStore" : "",
    "identityStoreId" : "",
    "link" : {
      "rel" : "self",
      "href" : "https://198.18.133.27/ers/config/endpoint/0e436440-cd53-11ec-bf2c-8220985ab925",
      "type" : "application/json"
    }
  }
}

We can run a query against the endpoints using the groupId attribute matching the Endpoint Group ID for our Cisco-IP-Phones:

curl \
--insecure \
--location \
--silent \
--header 'Accept: application/json' \
--user $ise_rest_username:$ise_rest_password \
--request GET https://$ise_hostname/ers/config/endpoint\?\&filter\=groupId.EQ.14f5cac0-8c00-11e6-996c-525400b48521 \
| jq -C '.[].resources[] | [.id,.name,.description ] | join(" | ")'
"0b36e790-cd53-11ec-bf2c-8220985ab925 | 00:11:BB:EF:EE:66 | IP Phone"
"0bdc7660-cd53-11ec-bf2c-8220985ab925 | 00:11:BB:5F:C4:28 | IP Phone"
"0c811ad0-cd53-11ec-bf2c-8220985ab925 | 00:11:BB:9E:57:BC | IP Phone"

8-)
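An added example, not part of the original answer or Cisco's own code: the same `groupId.EQ.` filter collected across every result page, with TLS certificate verification left on instead of `--insecure`, and with each page URL rebuilt from the configured host so the Basic-auth credentials are never sent to a host named in a response. It assumes the ERS `page` query parameter and a `nextPage` entry in `SearchResult` while more pages remain; `ise.example.com` and the two-page sample response are constructed for illustration.

```python
import base64, json, ssl
import urllib.parse, urllib.request

GROUP_ID = "14f5cac0-8c00-11e6-996c-525400b48521"  # Cisco-IP-Phone, from the thread

def ers_url(host, group_id, page, size=100):
    """Filtered endpoint query; the URL is always built from the configured host."""
    query = urllib.parse.urlencode(
        {"filter": f"groupId.EQ.{group_id}", "size": size, "page": page})
    return f"https://{host}/ers/config/endpoint?{query}"

def make_fetch(username, password, ca_file=None):
    """Return fetch(url) -> dict using Basic auth over certificate-verified TLS."""
    ctx = ssl.create_default_context(cafile=ca_file)  # verification stays enabled
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Accept": "application/json", "Authorization": f"Basic {token}"}
    def fetch(url):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return fetch

def group_endpoints(fetch, host, group_id, size=100, max_pages=1000):
    """Collect (id, name) for every endpoint in the group, across all pages."""
    found = []
    for page in range(1, max_pages + 1):
        result = fetch(ers_url(host, group_id, page, size))["SearchResult"]
        found += [(r["id"], r["name"]) for r in result.get("resources", [])]
        if "nextPage" not in result:  # assumption: absent on the last page
            return found
    raise RuntimeError("max_pages reached before the last page")

# Constructed two-page response, reusing the IDs and MACs shown in the answer
SAMPLE_PAGES = {
    1: {"SearchResult": {"total": 3, "resources": [
            {"id": "0b36e790-cd53-11ec-bf2c-8220985ab925", "name": "00:11:BB:EF:EE:66"},
            {"id": "0bdc7660-cd53-11ec-bf2c-8220985ab925", "name": "00:11:BB:5F:C4:28"}],
        "nextPage": {"rel": "next", "href": "(constructed)"}}},
    2: {"SearchResult": {"total": 3, "resources": [
            {"id": "0c811ad0-cd53-11ec-bf2c-8220985ab925", "name": "00:11:BB:9E:57:BC"}]}},
}

def sample_fetch(url):
    """Offline stand-in for make_fetch(): serves SAMPLE_PAGES by page number."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[int(query["page"][0])]

if __name__ == "__main__":
    for ep_id, mac in group_endpoints(sample_fetch, "ise.example.com", GROUP_ID, size=2):
        print(ep_id, "|", mac)
```

Against a live node, pass `make_fetch(username, password, ca_file=...)` in place of `sample_fetch`, pointing `ca_file` at the CA that issued the ISE admin certificate.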

 

 

Exactly what I was looking for - thanks so much!

It seems that in ISE 2.7 this does not work because:

GET https://$ise_hostname/ers/config/endpoint
does not include the groupId in the endpoint-dict ??

It only shows:

{
    "id": "1d818dc0-5ff7-11e7-a32e-005056b315ee",
    "name": "00:00:00:00:00:01",
    "link": {
        "rel": "self",
        "href": "https://<ISE-IP>:9060/ers/config/endpoint/1d818dc0-5ff7-11e7-a32e-005056b315ee",
        "type": "application/json"
    }
}

 

 
