This is the return of our long usage of ISE and MAB for IoT/OT devices on segmented networks. All our "important" devices as company desktops and such are EAP/TLS auth.
We have for a few years used an external LDAP cluster for MAB auth, and are now looking to import all devices into ISE own backend/store.
Adding, deleting and getting with the macaddress is no problem with CRUD against the API, but as soon as we want to add a few more fields to filter with things gets interesting.
We tried to do a "synced" fastapi/psqldb where the devices were located in psqldb with the extra fields in, but that got paused for the complexity of having things in sync with ISE..
And now I start again to try to implement it directly against the ERS Rest API, but filtering on custom attributes is sadly non existent.
The best scenario is to have all devices only in ISE and a use a small webui to for helpdesk to add/delete/search for devices. But I don't know how to get the ISE api to scale when searching. Perhaps trying to cache the Custom Attribute fields, for search.
I am curious how you have solved this, and if you want to share ideas before I dig in to much again :)
I have to be honest I have not tried this myself but well done on giving it a go. If the API is lacking features (such as filtering on custom attributes) then you ought to make a feature request to have it extended. Cisco is big on DevNet and they should put some effort into making the API at least as functional as the web interface.
If I understand you correctly, are you able to use the API to extract ALL the endpoints from ISE (potentially thousands or hundreds of thousands), and then use your own code to filter out the stuff you want? If so, then I understand - you want to be able to apply the filter DURING the api call to make the call return only the required data.