cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7485
Views
16
Helpful
8
Replies

REST API Cisco ISE Endpoint Details

AimanZaid13934
Level 1
Level 1

Hi,

 

I would like to enquire on REST API ability to get details such as (' IP' , 'host-name' , 'MAC-address' , 'operating-system')

Is there a way that I can get all of those using the API. As far as I've tested, only 'MAC-address' can be obtained through the API. Besides, it will be such a hassle since the API has limited output per commands. For eg. Get_Endpoints() can get up to 100-200 MAC address per execution. My Endpoints has currently over 20000 Endpoints.

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

No REST API for all endpoints, only Active Endpoints the MNT REST APIs (https://cs.co/ise-api)

How to Get all Endpoints from ISE

SSH to ISE and run 'application configure ise'

ise/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]CleanUp ESR 5921 IOS Crash Info Files
[0]Exit

16
Starting to generate All Endpoints report
Copying files to /localdisk
Completed generating All Endpoints report. You can find details in following files located under /localdisk
FullReport_23-Dec-2019.csv

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]CleanUp ESR 5921 IOS Crash Info Files
[0]Exit

0
ise/admin#

Copy to an S/FTP Server

ise/admin# dir
Directory of disk:/
44251 Dec 23 2019 17:40:00 FullReport_23-Dec-2019.csv
...

ise/admin# copy disk:/FullReport_23-Dec-2019.csv ftp://198.18.133.36/ Username: admin Password: ise/admin#

Endpoint Data

You will find many columns (238!) of data about your endpoints:

  • MACAddress
  • ip
  • FQDN
  • host-name
  • IdentityGroup
  • MatchedPolicy
  • OUI
  • dhcp-user-class-identifier
  • dhcp-class-identifier
  • dhcp-user-class-id
  • dhcp-parameter-request-list
  • User-Agent
  • User-Name
  • Description
  • description
  • ElapsedDays
  • InactiveDays
  • Called-Station-ID
  • NAS-Port-Type
  • NADAddress
  • AAA-Server
  • BYODRegistration
  • Calling-Station-ID
  • User-Fetch-User-Name
  • Certificate Expiration Date
  • Certificate Issue Date
  • Certificate Issuer Name
  • Certificate Serial Number
  • DestinationIPAddress
  • Device Identifier
  • Device Name
  • DeviceRegistrationStatus
  • EndPointPolicy
  • EndPointPolicyID
  • EndPointProfilerServer
  • EndPointSource
  • FirstCollection
  • FirstCollectionLong
  • Framed-IP-Address
  • IdentityGroupID
  • IdentityStoreGUID
  • IdentityStoreName
  • L4_DST_PORT
  • LastNmapScanTime
  • MDMCompliant
  • MDMCompliantFailureReason
  • MDMDiskEncrypted
  • MDMEnrolled
  • MDMImei
  • MDMJailBroken
  • MDMManufacturer
  • MDMModel
  • MDMOSVersion
  • MDMPhoneNumber
  • MDMPinLockSet
  • MDMProvider
  • MDMSerialNumber
  • MDMUpdateTime
  • MDMServerReachable
  • MDMServerID
  • PhoneID
  • PhoneIDType
  • PreviousDeviceRegistrationStatus
  • MatchedPolicyID
  • NAS-IP-Address
  • NAS-Port-Id
  • NmapScanCount
  • NmapSubnetScanID
  • OS Version
  • PolicyVersion
  • PortalUser
  • PostureApplicable
  • PostureOS
  • PostureFailureReason
  • Product
  • RegistrationTimeStamp
  • SSID
  • StaticAssignment
  • StaticGroupAssignment
  • TimeToProfile
  • Total Certainty Factor
  • cdpCacheAddress
  • cdpCacheCapabilities
  • cdpCacheDeviceId
  • cdpCachePlatform
  • cdpCacheVersion
  • ciaddr
  • dhcp-requested-address
  • hrDeviceDescr
  • ifIndex
  • iotAssetRetrievedFrom
  • iotAssetDeviceType
  • iotAssetProductName
  • iotAssetVendorID
  • iotAssetProductCode
  • iotAssetSerialNumber
  • iotAssetTrustLevel
  • lldpCacheCapabilities
  • lldpCapabilitiesMapSupported
  • lldpSystemDescription
  • operating-system
  • sysDescr
  • 161-udp
  • AUPAccepted
  • LastAUPAccepted
  • UpdateTime
  • UpdateTimeLong
  • CreateTime
  • CacheUpdateTime
  • AC_User_Agent
  • UniqueSubjectID
  • AD-Operating-System
  • AD-OS-Version
  • AD-Service-Pack
  • AD-Host-Exists
  • AD-Join-Point
  • AD-Last-Fetch-Time
  • AD-Fetch-Host-Name
  • operating-system-result
  • IsRegistered
  • User-Fetch-First-Name
  • User-Fetch-Email
  • User-Fetch-Last-Name
  • User-Fetch-Department
  • User-Fetch-Telephone
  • User-Fetch-Job-Title
  • User-Fetch-Organizational-Unit
  • User-Fetch-CountryName
  • User-Fetch-LocalityName
  • User-Fetch-StateOrProvinceName
  • User-Fetch-StreetAddress
  • User-Fetch-PassiveID-Username
  • LastActivity
  • LastActivityLong
  • User-Name
  • 515-tcp
  • 9100-tcp
  • ADDomain
  • Airespace-Wlan-Id
  • AllowedProtocolMatchedRule
  • AuthState
  • AuthenticationIdentityStore
  • AuthenticationMethod
  • AuthorizationPolicyMatchedRule
  • DestinationPort
  • DetailedInfo
  • Device IP Address
  • Device Port
  • Device Type
  • DeviceCompliance
  • EapAuthentication
  • EapChainingResult
  • EapTunnel
  • EndPointMACAddress
  • FailureReason
  • IdentityPolicyMatchedRule
  • IssuedPacInfo
  • L4_SRC_PORT
  • LastAUPAcceptanceHours
  • Location
  • LogicalProfile
  • MACAddress
  • MDMMeid
  • MDMServerName
  • MDMUdid
  • MessageCode
  • NAS-Identifier
  • NAS-Port
  • NetworkDeviceGroups
  • NetworkDeviceName
  • OperatingSystem
  • PROTOCOL
  • PortalUser.CreationType
  • PostureAssessmentStatus
  • PostureStatus
  • RadiusPacketType
  • SelectedAccessService
  • SelectedAuthenticationIdentityStores
  • SelectedAuthorizationProfiles
  • Service-Type
  • UserType
  • Vlan
  • VlanName
  • active
  • authStatus
  • byodRegistration
  • chaddr
  • client-fqdn
  • customAttrCount
  • device-platform
  • device-platform-version
  • device-type
  • deviceRegistrationStatus
  • dhcp-client-identifier
  • dhcp-message-type
  • dhcpv6-vendor-class
  • enabledMDM
  • endpointProfilerServer
  • errorMessage
  • fileImportErrorMessage
  • fileImportStatus
  • flags
  • giaddr
  • h323DeviceName
  • h323DeviceVendor
  • h323DeviceVersion
  • hlen
  • hostName
  • htype
  • identityGroup
  • ipAddr
  • ipv6
  • isMDMEnrolled
  • lldpChassisId
  • lldpSystemName
  • macAddress
  • mdmServerName
  • mdns_VSM_class_identifier
  • mdns_VSM_srv_identifier
  • mdns_VSM_txt_identifier
  • name
  • nasIPAddress
  • nasPort
  • nativeDeviceIdentifier
  • nativeMDM
  • op
  • oui
  • policyName
  • portalUser
  • sipDeviceName
  • sipDeviceVendor
  • sipDeviceVersion
  • staticEndpoint
  • staticGroupEndpoint
  • sysContact
  • sysLocation
  • sysName
  • yiaddr

View solution in original post

8 Replies 8

Mike.Cifelli
VIP Alumni
VIP Alumni

I would suggest taking a peek at the online SDK via https://<isepan>:9060/ers/sdk#

Also, have a look into the MNT APIs as they may be able to meet your desires: Cisco Identity Services Engine API Reference Guide, Release 2.x - Introduction to the Monitoring REST APIs [Cisco Identity Services Engine] - Cisco

I do know there are a few APIs that will return a bit more information when using the endpoint ID string: 

1: GET endpoint ID by filter on MAC:

curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user <user:pass> --request GET https://<isepan>:9060/ers/config/endpoint?filter=mac.EQ.XX:XX:XX:XX:XX

Then the following will return info such as: name, mac, profile id, etc. 

 curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user <user:pass> --request GET https://<isepan>:9060/ers/config/endpoint/1324c060-9093-11eb-9962-c63c5470e9ab

Good luck & HTH!

 

Hi Mike,

 

I’ve tried to look deep into the documentation. It does not have the required attributes such as I’ve mentioned which is ip, host-name, mac-address, operating-system. 

Does REST API have limited capabilities on extracting the attributes above ? 

I’ve also tried to extract based on the commands that you gave. It still does not return the values that I need. Only mac-address is returned. And that also is limited to 200 per requests as I have around 20000 endpoints data need to collect. That will be such a hassle isn’t it if I need to run the command few times. 

Regards,

 

aiman

Hi, once I found the mac address, How can I move the endpoint from one group to another? does exist any api call to do this? And may I loss any log associated with the endpoint?

Thanks.

thomas
Cisco Employee
Cisco Employee

No REST API for all endpoints, only Active Endpoints the MNT REST APIs (https://cs.co/ise-api)

How to Get all Endpoints from ISE

SSH to ISE and run 'application configure ise'

ise/admin# application configure ise

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]CleanUp ESR 5921 IOS Crash Info Files
[0]Exit

16
Starting to generate All Endpoints report
Copying files to /localdisk
Completed generating All Endpoints report. You can find details in following files located under /localdisk
FullReport_23-Dec-2019.csv

Selection configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Enable/Disable Counter Attribute Collection
[15]View Admin Users
[16]Get all Endpoints
[17]Enable/Disable Wifi Setup
[18]Reset Config Wifi Setup
[19]Establish Trust with controller
[20]Reset Context Visibility
[21]Synchronize Context Visibility With Database
[22]Generate Heap Dump
[23]Generate Thread Dump
[24]Force Backup Cancellation
[25]CleanUp ESR 5921 IOS Crash Info Files
[0]Exit

0
ise/admin#

Copy to an S/FTP Server

ise/admin# dir
Directory of disk:/
44251 Dec 23 2019 17:40:00 FullReport_23-Dec-2019.csv
...

ise/admin# copy disk:/FullReport_23-Dec-2019.csv ftp://198.18.133.36/ Username: admin Password: ise/admin#

Endpoint Data

You will find many columns (238!) of data about your endpoints:

  • MACAddress
  • ip
  • FQDN
  • host-name
  • IdentityGroup
  • MatchedPolicy
  • OUI
  • dhcp-user-class-identifier
  • dhcp-class-identifier
  • dhcp-user-class-id
  • dhcp-parameter-request-list
  • User-Agent
  • User-Name
  • Description
  • description
  • ElapsedDays
  • InactiveDays
  • Called-Station-ID
  • NAS-Port-Type
  • NADAddress
  • AAA-Server
  • BYODRegistration
  • Calling-Station-ID
  • User-Fetch-User-Name
  • Certificate Expiration Date
  • Certificate Issue Date
  • Certificate Issuer Name
  • Certificate Serial Number
  • DestinationIPAddress
  • Device Identifier
  • Device Name
  • DeviceRegistrationStatus
  • EndPointPolicy
  • EndPointPolicyID
  • EndPointProfilerServer
  • EndPointSource
  • FirstCollection
  • FirstCollectionLong
  • Framed-IP-Address
  • IdentityGroupID
  • IdentityStoreGUID
  • IdentityStoreName
  • L4_DST_PORT
  • LastNmapScanTime
  • MDMCompliant
  • MDMCompliantFailureReason
  • MDMDiskEncrypted
  • MDMEnrolled
  • MDMImei
  • MDMJailBroken
  • MDMManufacturer
  • MDMModel
  • MDMOSVersion
  • MDMPhoneNumber
  • MDMPinLockSet
  • MDMProvider
  • MDMSerialNumber
  • MDMUpdateTime
  • MDMServerReachable
  • MDMServerID
  • PhoneID
  • PhoneIDType
  • PreviousDeviceRegistrationStatus
  • MatchedPolicyID
  • NAS-IP-Address
  • NAS-Port-Id
  • NmapScanCount
  • NmapSubnetScanID
  • OS Version
  • PolicyVersion
  • PortalUser
  • PostureApplicable
  • PostureOS
  • PostureFailureReason
  • Product
  • RegistrationTimeStamp
  • SSID
  • StaticAssignment
  • StaticGroupAssignment
  • TimeToProfile
  • Total Certainty Factor
  • cdpCacheAddress
  • cdpCacheCapabilities
  • cdpCacheDeviceId
  • cdpCachePlatform
  • cdpCacheVersion
  • ciaddr
  • dhcp-requested-address
  • hrDeviceDescr
  • ifIndex
  • iotAssetRetrievedFrom
  • iotAssetDeviceType
  • iotAssetProductName
  • iotAssetVendorID
  • iotAssetProductCode
  • iotAssetSerialNumber
  • iotAssetTrustLevel
  • lldpCacheCapabilities
  • lldpCapabilitiesMapSupported
  • lldpSystemDescription
  • operating-system
  • sysDescr
  • 161-udp
  • AUPAccepted
  • LastAUPAccepted
  • UpdateTime
  • UpdateTimeLong
  • CreateTime
  • CacheUpdateTime
  • AC_User_Agent
  • UniqueSubjectID
  • AD-Operating-System
  • AD-OS-Version
  • AD-Service-Pack
  • AD-Host-Exists
  • AD-Join-Point
  • AD-Last-Fetch-Time
  • AD-Fetch-Host-Name
  • operating-system-result
  • IsRegistered
  • User-Fetch-First-Name
  • User-Fetch-Email
  • User-Fetch-Last-Name
  • User-Fetch-Department
  • User-Fetch-Telephone
  • User-Fetch-Job-Title
  • User-Fetch-Organizational-Unit
  • User-Fetch-CountryName
  • User-Fetch-LocalityName
  • User-Fetch-StateOrProvinceName
  • User-Fetch-StreetAddress
  • User-Fetch-PassiveID-Username
  • LastActivity
  • LastActivityLong
  • User-Name
  • 515-tcp
  • 9100-tcp
  • ADDomain
  • Airespace-Wlan-Id
  • AllowedProtocolMatchedRule
  • AuthState
  • AuthenticationIdentityStore
  • AuthenticationMethod
  • AuthorizationPolicyMatchedRule
  • DestinationPort
  • DetailedInfo
  • Device IP Address
  • Device Port
  • Device Type
  • DeviceCompliance
  • EapAuthentication
  • EapChainingResult
  • EapTunnel
  • EndPointMACAddress
  • FailureReason
  • IdentityPolicyMatchedRule
  • IssuedPacInfo
  • L4_SRC_PORT
  • LastAUPAcceptanceHours
  • Location
  • LogicalProfile
  • MACAddress
  • MDMMeid
  • MDMServerName
  • MDMUdid
  • MessageCode
  • NAS-Identifier
  • NAS-Port
  • NetworkDeviceGroups
  • NetworkDeviceName
  • OperatingSystem
  • PROTOCOL
  • PortalUser.CreationType
  • PostureAssessmentStatus
  • PostureStatus
  • RadiusPacketType
  • SelectedAccessService
  • SelectedAuthenticationIdentityStores
  • SelectedAuthorizationProfiles
  • Service-Type
  • UserType
  • Vlan
  • VlanName
  • active
  • authStatus
  • byodRegistration
  • chaddr
  • client-fqdn
  • customAttrCount
  • device-platform
  • device-platform-version
  • device-type
  • deviceRegistrationStatus
  • dhcp-client-identifier
  • dhcp-message-type
  • dhcpv6-vendor-class
  • enabledMDM
  • endpointProfilerServer
  • errorMessage
  • fileImportErrorMessage
  • fileImportStatus
  • flags
  • giaddr
  • h323DeviceName
  • h323DeviceVendor
  • h323DeviceVersion
  • hlen
  • hostName
  • htype
  • identityGroup
  • ipAddr
  • ipv6
  • isMDMEnrolled
  • lldpChassisId
  • lldpSystemName
  • macAddress
  • mdmServerName
  • mdns_VSM_class_identifier
  • mdns_VSM_srv_identifier
  • mdns_VSM_txt_identifier
  • name
  • nasIPAddress
  • nasPort
  • nativeDeviceIdentifier
  • nativeMDM
  • op
  • oui
  • policyName
  • portalUser
  • sipDeviceName
  • sipDeviceVendor
  • sipDeviceVersion
  • staticEndpoint
  • staticGroupEndpoint
  • sysContact
  • sysLocation
  • sysName
  • yiaddr

Hi Thomas,

 

i’ve tried CLI method and it is working as per se. Thanks for the solution. 

I’ve taken a deep look in REST API. The method for endpoints is last updated based on ise 2.2.

 

Is there anyway it will be updated soon with more functionality? 

regards,

 

aiman

I doubt it since that is not the purpose of the ERS API.

I agree there should be another method to easily get all of the attributes in ISE about an endpoint.

I've already shared this thread with a PM so they are aware of the need.  8-)

 

Is there an Api to get all endpoints??

Get "/ers/config/endpoint" api allows the client to get all the endpoints.

Filters can be used to filter out Endpoints based on a set of attributes. This API currently provides the following filters: [logicalProfileName, portalUser, staticProfileAssignment, profileId, profile, groupId, staticGroupAssignment, mac]

If it's Open API, then api will be "Get /api/v1/endpoint"

More info at -> https://developer.cisco.com/docs/identity-services-engine/latest/#!endpoint