
List Endpoint by Location using Cisco ISE API

Cisco ISE newbie here.

From the Cisco ISE dashboard I can see each endpoint's location.

I would like to query Cisco ISE via the REST API in order to retrieve all endpoints belonging to a specific location, i.e. given a location, return all endpoints sitting in it.

I checked the documentation and tried various queries, but I'm not able to extract the endpoint location.

The ISE dashboard, on the other hand, is able to aggregate that info.

I can't dump the whole endpoint DB either, since it's too huge in my case.

Is this possible? Can pxGrid help in this case?

Thanks a lot.

4 Replies

Mike.Cifelli
VIP Alumni

The API Docs from the SDK state that you can use ipaddress, name, description, location, type as filters to find info on network devices. You can accomplish what you are looking for with something like this:
curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user '<user>:<pass>' --request GET 'https://<ise pan>:9060/ers/config/networkdevice?filter=location.ENDSW.BDLG2'
Tweaking and getting results returned may be tricky since the location string may be something like this: #All Locations#BDLG2
Hence why I used location.ENDSW.BLDG2. AFAIK the other options can be CONTAINS, STARTSW, EQ. Good luck & HTH!

Thank you, Mike.

I tried to run your query, but it gives me back just the network devices (wlc, switches, etc.) sitting in the given location. My goal is to get the endpoints (pc, workstation, etc.) living in that location.

Is there maybe a way to retrieve all the endpoints given a network device id? I was thinking something like: LOCATION ---> NETWORK DEVICE LIST---> ENDPOINTS

Kind regards

Hello Daniele,

One option is to use the Monitoring REST API; however, Monitoring REST API calls allow you to locate, monitor, and accumulate important real-time, session-based information stored in individual endpoints in a network. You can access this information through a Monitoring node.

Using "NAS IPAddress API Call" will not exactly give the information that you are looking for but will give the details of the active endpoints connected to one particular Network device:

https://<ISEMnTnodeIP>/admin/API/mnt/Session/IPAddress/<NASIPadd>

https://www.cisco.com/c/en/us/td/docs/security/ise/1-4/api_ref_guide/api_ref_book/ise_api_ref_ch2.html

AFAIK you can't do it like that. Something I just thought of that would accomplish what you are attempting to do is this:
(will take a little more work upfront) If you use ISE for unique profiling you can set up a profile with conditions that will match on either or both location & NAS IP Address attributes using the RADIUS probe to auto-add endpoints to an identity group in ISE. The only thing you would need to use the group for is to identify what endpoints are a member based on the device location profiling profile you set up. The following query would then return what you are looking for:
curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user '<user>:<pass>' --request GET 'https://<ise pan>:9060/ers/config/endpoint?filter=groupId.EQ.<GROUP-ID>'

Use this to get the groupID:
curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user '<user>:<pass>' --request GET 'https://<ise pan>:9060/ers/config/endpointgroup?filter=name.EQ.<GROUP NAME>'

If you need to print more endpoints due to size you can use this: Add (&size=100) to the end of the string to get additional pages returned. That would look like this:
curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user '<user>:<pass>' --request GET 'https://<ise pan>:9060/ers/config/endpoint?filter=groupId.EQ.<GROUP-ID>&size=100'

HTH!
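
The two-step lookup from the reply above (group name to group ID, then endpoints filtered by groupId and paged with size), written out as an added example that is not part of the thread or Cisco's own code. The `page` parameter and the `SearchResult` / `total` / `resources` response layout are assumptions about the ERS JSON output; `fake_fetch`, the group name and all IDs are constructed so the block runs offline.

```python
import base64, json, urllib.request
from urllib.parse import urlencode, quote, urlsplit, parse_qs

def ers_url(pan, resource, flt, page=1, size=100):
    # Percent-encode the filter so '#', spaces and '&' in names survive the query string.
    query = urlencode({"filter": flt, "page": page, "size": size}, quote_via=quote)
    return f"https://{pan}:9060/ers/config/{resource}?{query}"

def http_fetch(user, password):
    # Real transport: basic auth, JSON, certificate verification left on (unlike curl -k).
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def fetch(url):
        req = urllib.request.Request(url, headers={
            "Accept": "application/json", "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def search(fetch, pan, resource, flt, size=100):
    # Walk pages until the reported total is reached or a page comes back empty.
    page, found = 1, []
    while True:
        result = fetch(ers_url(pan, resource, flt, page, size))["SearchResult"]
        batch = result.get("resources", [])
        found.extend(batch)
        if not batch or len(found) >= result.get("total", 0):
            return found
        page += 1

def endpoints_in_group(fetch, pan, group_name, size=100):
    groups = search(fetch, pan, "endpointgroup", f"name.EQ.{group_name}", size)
    if len(groups) != 1:  # refuse to guess when the name is missing or ambiguous
        raise LookupError(f"{len(groups)} groups match {group_name!r}")
    return search(fetch, pan, "endpoint", f"groupId.EQ.{groups[0]['id']}", size)

def fake_fetch(url):
    # Constructed stand-in for the PAN: one group, five endpoints, all values made up.
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "/endpointgroup?" in url:
        rows = [{"id": "grp-0001"}] if q["filter"] == "name.EQ.Site #A Endpoints" else []
    else:
        hit = q["filter"] == "groupId.EQ.grp-0001"
        rows = [{"id": f"ep-{i}"} for i in range(5)] if hit else []
    page, size = int(q["page"]), int(q["size"])
    return {"SearchResult": {"total": len(rows), "resources": rows[(page - 1) * size:page * size]}}

if __name__ == "__main__":
    print(endpoints_in_group(fake_fetch, "ise.example", "Site #A Endpoints", size=2))
```

Against a real deployment, pass `http_fetch(user, password)` in place of `fake_fetch`.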