Endpoint Manager talks to Cisco ISE over HTTPS, using three of ISE’s API families authenticated as a dedicated admin user. Before a Context can connect, the ISE deployment itself needs three things in place. This page is the procedural checklist for that one-time ISE-side configuration. Work in this order:
- Enable API services and the API Gateway in Cisco ISE.
- Create a dedicated API admin user for the platform.
- Define Endpoint Custom Attributes the platform writes to.
1. Enable API services and the API Gateway
In the Cisco ISE admin portal, navigate to Administration → System → Settings → API Settings.
API Service Settings tab
On the API Service Settings tab, verify:
- ERS (Read/Write) is enabled.
- Open API (Read/Write) is enabled.
- Under CSRF Check (only for ERS Settings), select Disable CSRF For ERS Request.

Cisco ISE 3.4 changed this UI. On ISE 3.4 the Open API
toggle is removed from this tab — Open API is enabled by
default and is no longer configurable from the UI. The ERS
toggle and the CSRF setting still appear. On ISE versions
earlier than 3.4, both toggles are visible and must both be
enabled.
| Setting | ISE pre-3.4 | ISE 3.4 |
|---|---|---|
| ERS API (Read/Write) | Visible and configurable | Visible and configurable |
| Open API (Read/Write) | Visible and configurable | Enabled by default; not shown in UI |
API Gateway Settings tab
Switch to the API Gateway Settings tab on the same page and confirm that the API Gateway is enabled on the Administration node (and on any additional nodes you want to load-balance API traffic across).
2. Create a dedicated API admin user
Mint an ISE admin user specifically for Endpoint Manager. Do not reuse a human administrator’s credentials — service accounts and interactive accounts have different rotation rules. Navigate to Administration → System → Admin Access → Administrators → Admin Users and click Add → Create an Admin User.
Admin User details
Configure:
- Name. A descriptive identifier such as netgraph_api.
- Status. Enabled.
- Inactive account never disabled. Check this box. The API user will never sign in interactively, so without this option Cisco ISE marks the account inactive after the configured inactivity period and disables it.
- Password. Use a strong, unique value.

Admin Groups
Under Admin Groups, add both:
- MnT Admin — read access to live session data and Change of Authorization.
- ERS Admin — read and write access to Endpoint Identity Groups and endpoints.


Disable password expiry for the API user
Cisco ISE’s default Password Policy expires administrator passwords on a fixed cadence. For a service account that the platform uses to authenticate, an expired password breaks the connection silently — admins are usually unaware until the next time they look at the API Status table. Navigate to Administration → System → Admin Access → Authentication → Password Policy and uncheck Administrator passwords expire before saving.
3. Define Endpoint Custom Attributes
Endpoint Manager writes ownership and timestamp metadata to every endpoint it manages — who created or last modified the endpoint, when, and a device-type label. Cisco ISE stores this metadata in Endpoint Custom Attributes, which must be defined on the ISE side before the platform can write to them.
Cisco ISE silently drops writes to attributes it does not recognise. If any of the attributes below is missing, the platform’s writes succeed at the API level but the metadata never appears on the endpoint record.
In the Cisco ISE admin portal, navigate to Administration → Identity Management → Settings → Endpoint Custom Attributes and add the following five attributes — all of type String:
| Attribute | Type |
|---|---|
| ngCreatedAt | String |
| ngCreatedBy | String |
| ngUpdatedAt | String |
| ngUpdatedBy | String |
| ngDeviceType | String |
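A read-back check for the silent drop described above, as an added example (not code from Endpoint Manager or Cisco): it compares the attributes sent in a write with the endpoint record read back afterwards. The JSON nesting `ERSEndPoint.customAttributes.customAttributes`, the function names and the sample values are assumptions constructed for illustration.

```python
import json

# The five attributes this page says must be defined in Cisco ISE.
REQUIRED_ATTRIBUTES = (
    "ngCreatedAt", "ngCreatedBy", "ngUpdatedAt", "ngUpdatedBy", "ngDeviceType",
)


def persisted_attributes(ers_body: str) -> dict:
    """Extract custom attributes from an endpoint read-back body.

    Assumption: attributes are nested as a flat name -> value map under
    ERSEndPoint.customAttributes.customAttributes. A missing or null
    container is treated as "nothing persisted".
    """
    endpoint = json.loads(ers_body).get("ERSEndPoint") or {}
    container = endpoint.get("customAttributes") or {}
    return container.get("customAttributes") or {}


def audit_write(written: dict, ers_body: str) -> dict:
    """Compare what was sent with what ISE stored for one endpoint."""
    stored = persisted_attributes(ers_body)
    dropped = sorted(k for k in written if k not in stored)
    changed = sorted(k for k in written if k in stored and stored[k] != written[k])
    not_sent = sorted(k for k in REQUIRED_ATTRIBUTES if k not in written)
    return {"dropped": dropped, "changed": changed, "not_sent": not_sent,
            "ok": not (dropped or changed or not_sent)}


# Constructed sample: the write carried all five attributes ...
WRITTEN = dict.fromkeys(("ngCreatedAt", "ngUpdatedAt"), "2024-05-01T09:00:00Z")
WRITTEN.update(ngCreatedBy="alice@example.test",
               ngUpdatedBy="alice@example.test", ngDeviceType="printer")
# ... but the constructed read-back lacks ngUpdatedBy and ngDeviceType, as it
# would if those two were never defined under Endpoint Custom Attributes.
READ_BACK = json.dumps({"ERSEndPoint": {
    "mac": "00:11:22:33:44:55",
    "customAttributes": {"customAttributes": {
        "ngCreatedAt": "2024-05-01T09:00:00Z",
        "ngCreatedBy": "alice@example.test",
        "ngUpdatedAt": "2024-05-01T09:00:00Z",
    }},
}})

if __name__ == "__main__":
    print(audit_write(WRITTEN, READ_BACK))
```

A non-empty `dropped` list after a write that returned success points at an attribute missing from the ISE-side definitions.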
4. Allow inbound HTTPS from the platform
Cisco ISE must accept inbound HTTPS connections on port 443 from the platform’s egress FQDN. The exact FQDN is shown on the API Configuration card in the Endpoint Manager Context once you create it — allow it on every firewall, proxy and ACL that sits in front of the ISE admin node.
Cisco ISE can be on-premises or cloud-hosted — Endpoint Manager only cares that it’s reachable over HTTPS from the platform’s egress.
Done — continue with the platform side
The Cisco ISE side is ready. Return to the platform and continue with Connect Endpoint Manager to enter the Base URL, username and password, and verify that every row in the Cisco ISE API Status table reads Up.
Related
- Connect Endpoint Manager. Enter Base URL, username, password — verify all three APIs reach Up.
- Connectivity troubleshooting. Three-step walkthrough when the API Status table reads Down.
- Endpoint Manager Context. What a Context is and how it talks to ISE.
- Endpoint Identity Groups. Connecting an existing ISE group to a Context.

