" The API's to add/manage endpoints are exposed, a developer could build a custom system to do this." <-- this is what we're doing (with little dev xp). Checkout some of the well documented python framworks like Flask or Django, and you can quickly get a basic webapp with a basic form, that accepts a MAC address as input, and makes a call to ISE to add it to the appropriate identity group upon submit. The basic calls you'll need to achieve this: GET https://<ise-hostname>:9060/ers/config/endpoint?filter=mac.EQ.<mac-address> PUT  https://<ise-hostname>:9060/ers/config/endpoint/<endpoint-id> POST https://<ise-hostname>:9060/ers/config/endpoint  Python requests module & Powershell Invoke-WebRequest module both work just fine for this type of thing. ... View more

FYI to all, I received the following email from TAC yesterday afternoon: Hello Anthony, You don’t need to continue collecting information on your ISE deployment anymore. Engineer I was collaborating with has shared with me an internal defect. I will get a summary of their findings and send you as soon as I get it. I will update this thread with their response once I receive it. ... View more

Great post, great responses. I'll add some additional info. Just copy / paste from a course I took a while back. This doesn't necessarily relate to your question, but is generally good 'rule-of-thumb' info: ISE Certificates Best Practices Ensure that all certificate CN names can be resolved by DNS Use lower case for appliance hostname, DNS name, certificate CN ISE cert CSR: Use format "CN=<FQDN>" for subject name Ensure time is synced: use NTP with UTC for all nodes Signed by Trusted CD - required for each node For external users/guests, certs should be signed by 3rd-party CA Install entire certificate chains as individual certs into ISE trust store Use PEN, not DER encoding for import/export operations ISE certificates best practices include such recommendations as: Correct synced by NTP time on all nodes. All certificates for external users/guests must be signed by trusted CA PEM encoding is preferable over DER encoding. When running the ISE Setup wizard, use lowercase for hostname. Do not use self-signed certificates in production networks (I break this rule) Certificates are used for all portal communication and EAP Using a certificate that is already trusted by most clients is a major benefit, especially for guests or visitors not part of corporate PKI ... View more