Solved: Re: ISE - How to export *ALL* endpoints in an identity group?

mattw · ‎01-17-2023

Hello,

I need to export all the Endpoint ID Groups and members from one ISE cluster and import into another. I've used context visibility to filter for endpoints in the group and then export them. However, there are not as many endpoints as when I go to Admin > ID Mgmt > Groups? There are more when I look in the actual group then when I look via context visibility? There is no option to export from the group section unfortunately.

Any idea why this is and how I get around it?

Many thanks in advance!

Rob Ingram · ‎01-17-2023

@mattw restAPI - Get All Endpoints in a Specifc Endpoint Identity Group

https://community.cisco.com/t5/security-knowledge-base/ise-ers-api-examples/ta-p/3622623#toc-hId-1086179976

View solution in original post

Charlie Moreton · ‎01-17-2023

Go to Work Centers > Network Access > Identities. Choose the gear at the far right of the table and enable the Identity Group column. This will allow you to create a filter based on Identity Group.

Create the filter then choose Export > Export Filtered

View solution in original post

marce1000 · ‎01-17-2023

- Check if this procedure could be useful (I have not verified it)

Log in to the Cisco ISE web interface.
Navigate to "Work Centers" > "Identity Management" > "Identity Group Management".
Select the Identity Group that you want to export endpoints from.
Click on the "More Actions" button and select "Export Endpoints".
Select the attributes you want to include in the exported file and click "Export".
Save the exported CSV file to your desired location.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

mattw · ‎01-17-2023

Hi @marce1000,

Many thanks for your suggestion but there is no "more actions" or "export endpoints" option in the ID group section of the ISE GUI.

Rob Ingram · ‎01-17-2023

@mattw selecting the endpoints will only display up to a maximum of 500 rows/page, default is 10.

Export all endpoints to CSV and then use excel skills to filter the endpoints, you can then use this to import to the new cluster.

mattw · ‎01-17-2023

Hi @Rob Ingram,

Thank you for your suggestion. This was the first thing I tried but with over 1 million endpoints known by ISE the exported file was 626MB and Excel couldn't open the entire contents. I could however open into Notepad++ and this also showed fewer endpoints associated with a particular endpoint group then are actually in the group.

I'm thinking that Context Visibility only shows endpoints that it has actually 'seen'? If this is the case, is there a way I can export all endpoints in each endpoint group (and not just the ones that have been seen on the network)?

Rob Ingram · ‎01-17-2023

@mattw restAPI - Get All Endpoints in a Specifc Endpoint Identity Group

https://community.cisco.com/t5/security-knowledge-base/ise-ers-api-examples/ta-p/3622623#toc-hId-1086179976

mattw · ‎01-17-2023

@Rob Ingram,

BEAUTIFUL! Thank you sir! That should do it!

Charlie Moreton · ‎01-17-2023

Go to Work Centers > Network Access > Identities. Choose the gear at the far right of the table and enable the Identity Group column. This will allow you to create a filter based on Identity Group.

Create the filter then choose Export > Export Filtered

LisaNichols · ‎01-17-2023

Thank you, this method was simple and easy to export. You saved my day.

mattw · ‎01-17-2023

Thank you @Charlie Moreton but that still didn't show all members of an ID group (I think it only shows members that ISE has seen active on the network).

@Rob Ingram's solution of using the REST API does the trick and shows all members of a group even if they have not been seen connected to the network.