
ISE ERS API Examples





Get Started


Devnet Documentation


Enable the ERS APIs

The ERS APIs are disabled by default for security, so you must enable them.

  1. Log in to your ISE PAN
  2. Navigate to Administration > System > Settings and select ERS Settings from the left panel.
  3. Enable the ERS APIs by selecting Enable ERS for Read/Write
  4. Select Save to save your changes.

After enabling ERS, it is available for Create, Read, Update, Delete (CRUD) operations on an ISE Policy Administration Node (PAN) and for Read-Only access (GET requests) on any ISE Policy Service Node (PSN).


Note: It's good practice to disable CSRF to make sure you are able to authenticate successfully.


Optionally, you can map external AD groups to the ERS Admin and ERS Operator RBAC groups. The External option in each of those groups is used for that.

View the ERS API SDK

  1. You may use the default admin account to view the ISE ERS Software Development Kit (SDK) at


Create ERS API Users

You can use the default ISE admin account for ERS APIs since it has SuperUser privileges. However, it is recommended to create separate users with the ERS Admin (Read/Write) or ERS Operator (Read-Only) privileges to use the ERS APIs so you can separately track and audit their activities.

  1. Navigate to Administration > System > Admin Access
  2. Choose Administrators > Admin Users from the left pane
  3. Choose +Add > Create an Admin User to create new ers-admin and ers-operator accounts.
    New Administrator
    Name                 ers-admin    ers-operator
    Status               Enabled      Enabled
    Password             ******       ******
    Re-Enter Password    ******       ******
    Admin Groups         ERS Admin    ERS Operator


How to Invoke the REST APIs

Browser Extensions

Probably the easiest and most accessible way for most users to play with REST APIs is via a web browser extension.


Firefox RESTED Extension Chrome Poster Extension


All extensions have the same basic options.

To get a list of all ISE nodes in your deployment, try the following :


Field GET
Method GET (Read)
Username ers-admin
Password ******

Content-Type: application/json

Accept: application/json



If you prefer to use a command line, the cURL utility is probably the best and easiest choice for doing quick and dirty REST API calls.


To get a list of all ISE nodes in your deployment, try the following :


curl --include --header 'Accept: application/json' --user admin:C1sco12345 





-H, --header <header>

Header to include in the request.

Use one per header.

-i, --include

Include the HTTP result headers in the output.

This is useful after creating (HTTP POST/PUT) an object to get its Location identifier:


-k, --insecure

Accept insecure connections. Useful if you are playing with ISE using a self-signed certificate.

-u, --user <username:password>

Specify the username & password to authenticate the ERS user
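
The -k and --user forms above turn off certificate validation and put the account password in the process list and shell history. A hardened way to make the same GET calls follows, added here as an example that is not part of the original page. The helper names, the host name and the file paths are assumptions, and the URL is whichever ERS URL you would pass to the commands on this page.

```sh
# Added example. Host names, file paths and helper names are assumptions.
CURL=${CURL:-curl}   # overridable so the call can be dry-run

# Store the ERS account in a netrc file that only its owner can read, so the
# password never appears in argv (ps output) or in shell history.
# HOST must equal the host name used in the request URL.
# usage: write_ers_netrc FILE HOST USER   (password is read from stdin)
write_ers_netrc() {
  IFS= read -r ers_pass || return 1
  rm -f -- "$1"
  ( umask 077
    printf 'machine %s login %s password %s\n' "$2" "$3" "$ers_pass" > "$1" )
  unset ers_pass
  chmod 600 "$1"
}

# True only if FILE exists and group/others have no permission bits on it.
netrc_is_private() {
  [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# GET an ERS URL with the server certificate verified against the CA that
# issued the ISE certificate (replaces -k) and credentials taken from the
# netrc file (replaces --user name:password).
# usage: ers_get NETRC CAFILE URL
ers_get() {
  netrc_is_private "$1" || {
    echo "refusing to use $1: missing or readable by group/others" >&2
    return 1
  }
  "$CURL" --fail --silent --show-error \
    --cacert "$2" --netrc-file "$1" \
    --header 'Accept: application/json' "$3"
}

# Example run (placeholder paths and variable):
#   write_ers_netrc "$HOME/.ise-netrc" ise.example.test ers-operator
#   ers_get "$HOME/.ise-netrc" /etc/ssl/ise-ca.pem "$ERS_URL"
```

Using the read-only ers-operator account for GET calls keeps the Read/Write ers-admin credentials out of scripts that only query ISE.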




Create an Internal User with an XML File

Version : ISE 1.3

Create an add_internal_user.xml XML file to create user user2 :

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns3:internaluser xmlns:ns2="" xmlns:ns3="" name="user2">


Run the curl command with the file:

curl -v -X POST -k --tlsv1 -H "Content-Type: application/" -d @add_internal_user.xml


Create an Internal User with cURL and JSON

Create and enable the user 'thomas' in the default Internal Users database and do not require him to change his password upon login:


curl --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user admin:C1sco12345 --request POST  --data '
{
  "InternalUser" : {
    "name" : "thomas",
    "password" : "C1sco12345",
    "changePassword" : false
  }
}'




HTTP/1.1 201 Created
Set-Cookie: JSESSIONIDSSO=D4C830896B06B529CECCA61640B0193D; Path=/; Secure; HttpOnly
Set-Cookie: APPSESSIONID=C93E2BE40459768481F24D6DFA10B29D; Path=/ers; Secure; HttpOnly
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Date: Sat, 17 Mar 2018 20:32:31 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 0



Get All ISE Administrators Using cURL and JSON

curl  --header  'Accept: application/json'  --user admin:C1sco12345


{
  "SearchResult" : {
    "total" : 1,
    "resources" : [ {
      "id" : "55c1b32f-9a89-4969-9ba2-151c8b03d3f1",
      "name" : "admin",
      "description" : "Default Admin User",
      "link" : {
        "rel" : "self",
        "href" : "",
        "type" : "application/xml"
      }
    } ]
  }
}


Get Endpoints by Endpoint GroupID

Version : ISE 1.3

Get endpoints per endpoint group and perform appropriate action.


curl  --header  'Accept: application/json' --user admin:C1sco12345


Get Endpoint ID Group by Name

Version : ISE 1.2

Find the endpoint id group with a group name (e.g. GL-0) :


curl -k -H 'Accept: application/' --user admin:C1sco12345 ''

Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:searchResult xmlns:ns2="" total="1">
    <resource name="GL-0" id="d27edfa0-889d-11e3-b246-000c2916b229" description="">
      <link type="application/xml" href="" rel="self"/>


Get Endpoint by MAC

Find the endpoint id using the MAC address :

curl -k -H 'Accept: application/' --user admin:C1sco12345  '' 

Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns2:searchResult xmlns:ns2="" total="1">
    <resource id="046f1250-bc6e-11e4-9baf-000c2916b229">
      <link type="application/xml" href="" rel="self"/>


Get Endpoint Info by Resource ID

Get endpoint info by its Resource ID :

curl -k '' -H 'Accept: application/'

Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:endpoint xmlns:ns2="" xmlns:ns3="" id="046f1250-bc6e-11e4-9baf-000c2916b229">
  <link type="application/xml" href="" rel="self"/>



Update Endpoint : Statically Assign to an Identity Group

Create an XML file named endpoint.xml with the endpoint changes :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns3:endpoint xmlns:ns2="" xmlns:ns3="">

Note: To remove an endpoint from an ID group, simply change staticGroupAssignment to false.


Update ISE using the XML file above :

curl -k -X PUT '' -H 'Content-Type: application/; charset=utf-8' -d @endpoint.xml

Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ns2:updatedFields xmlns:ns2="">
  <updatedField field="groupId">
  <updatedField field="staticGroupAssignment">



 We don't have any examples of Delete, yet.


