Symptom — the API Status table shows at least one Down
You saved API Configuration; one or more rows in the Cisco ISE API Status table read Down. Nothing in the Context works until every row reads Up. Check in this order:
- Is the API family enabled on Cisco ISE? Each of ERS, Open API and Monitoring (MnT) has its own enablement switch in ISE’s Administration → System → Settings area. A freshly installed ISE often ships with one or more of them off. Match the Down row to its family: Endpoint Groups API needs ERS enabled, Endpoint API needs Open API, and Monitoring API needs MnT.
- Does the API user have the right permissions? All three API families require per-user authorisation. A user that can hit one API doesn’t automatically get the others.
- Is Cisco ISE reachable from the egress FQDN? The platform’s outbound FQDN (shown on the API Configuration card) must be allowed by every firewall, proxy or ACL in front of ISE. If ERS is enabled but unreachable, the status row still reads Down.
- Has the password changed? Re-enter the password and save. Leaving the field blank on a re-save keeps the current password in place; that’s usually what you want, but if the ISE-side password changed out-of-band, a blank field means stale credentials.
Symptom — a group sticks at Not Connected after Connect this Group
You clicked Connect this Group on an existing ISE group and confirmed, but the row still reads Not Connected. Usually means:
- A transient ERS error during the connect write. The platform tries to write a small record to ISE tracking the connection; a short-lived ERS timeout aborts it. Re-click Connect this Group — the second attempt almost always succeeds.
- The API user lost permission after API Configuration was saved. If the status table was Up earlier but is no longer, re-check the API user’s role. See the symptom above.
- The group was deleted on the ISE side. A group that existed when the list was cached but has since been deleted can’t be connected. Refresh the Groups list; the group will have vanished.
Symptom — a group is Connected but no endpoints appear
The group is Connected, Cisco ISE reports endpoints in it (you can see them in ISE’s own admin UI), but the platform’s ISE Endpoints tab is empty. Check:
- The Endpoint API row in API Status. If it’s Down, endpoint reads are blocked. See the first symptom.
- The page of endpoints. The list is paginated — increase Per page to 50 or 100, or hit the next page.
- Any active MAC search. Clear the search filter if one’s set.
- ISE-side caching. Cisco ISE’s Open API occasionally returns a stale page on very fresh endpoint additions. Wait a minute and refresh the tab.
Symptom — Perform CoA is missing on an endpoint you know is online
The endpoint looks online (icon green, session data filled in) but the row action menu doesn’t show Perform CoA. Usually means:
- The session dropped between list-load and action-click. Refresh the tab; the Status icon will now show offline. Wait for the endpoint to re-authenticate, then retry.
- The endpoint has a session row but no acsServer in it. This happens when an endpoint authenticated a long time ago and ISE pruned the full session metadata. CoA needs the ACS server field to target the right NAS; without it, Endpoint Manager hides the action. Wait for the endpoint to re-authenticate.
- Monitoring API is Down. Perform CoA depends on MnT. See the first symptom.
Symptom — batch import rejected a row that looks valid
The preview table in step 3 flagged a row in red. Most common causes:
- MAC is not 14 hex characters. Separators are ignored but the underlying MAC must decode to 14 hex chars. A typo or a stray character in the MAC cell trips the validator.
- Device Type isn’t one of the allowed values. Step 1 of the wizard lists what’s allowed for this Context. Anything else — including a trailing space — fails validation.
- CSV encoding surprises. BOM characters or UTF-16 encoding can confuse the parser. Save the CSV as plain UTF-8 without BOM.
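A pre-flight check for the import CSV covering the causes above, as an added example rather than the platform's own validator. The column names mac and device_type, the separator set and the allowed Device Type values are assumptions; take the real ones from step 1 of the wizard. It flags BOM or UTF-16 encoding, stray non-hex characters in the MAC cell and whitespace around Device Type, and leaves the MAC length check to the wizard.

```python
import codecs
import csv
import io
import re

# Byte-order marks that can confuse the import parser.
BOMS = [(codecs.BOM_UTF8, "UTF-8 BOM"),
        (codecs.BOM_UTF16_LE, "UTF-16 LE BOM"),
        (codecs.BOM_UTF16_BE, "UTF-16 BE BOM")]
SEPARATORS = re.compile(r"[:.\-\s]")   # assumed set of ignored MAC separators
NON_HEX = re.compile(r"[^0-9A-Fa-f]")


def preflight(raw: bytes, allowed_types, mac_col="mac", type_col="device_type"):
    """Return a list of (line_number, problem) tuples; an empty list means clean."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return [(1, f"file starts with {name}; re-save as UTF-8 without BOM")]
    if b"\x00" in raw:
        return [(1, "NUL bytes found; file looks like UTF-16, re-save as UTF-8")]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [(1, f"not valid UTF-8 at byte {exc.start}")]
    problems = []
    reader = csv.DictReader(io.StringIO(text, newline=""))
    for row in reader:
        line = reader.line_num
        mac = row.get(mac_col) or ""
        stray = NON_HEX.findall(SEPARATORS.sub("", mac))
        if stray:
            problems.append((line, f"stray characters in MAC: {stray!r}"))
        dtype = row.get(type_col) or ""
        if dtype != dtype.strip():
            problems.append((line, f"whitespace around Device Type {dtype!r}"))
        elif dtype not in allowed_types:
            problems.append((line, f"Device Type {dtype!r} not in allowed list"))
    return problems


# Constructed sample: line 3 has a letter O in the MAC, line 4 a trailing space.
SAMPLE = (b"mac,device_type\n"
          b"00:11:22:AA:BB:CC,Printer\n"
          b"00:11:22:AA:BB:CO,Printer\n"
          b"00-11-22-AA-BB-DD,Camera \n")

if __name__ == "__main__":
    for line, problem in preflight(SAMPLE, {"Printer", "Camera"}):
        print(f"line {line}: {problem}")
```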
Symptom — Managed Attribute changes don’t reach Cisco ISE
You defined an attribute at the Context level, set its value at the group level, but Cisco ISE’s endpoint records don’t show it. Check:
- The attribute exists in ISE under Administration → Identity Management → Endpoint Custom Attributes. If it doesn’t, create it there first — the platform writes values for every defined attribute, but ISE silently drops values for attributes it doesn’t know about.
- The attribute types match. If the platform says vendor-owner is String and ISE says it’s Integer, the values won’t stick. Align the types on both sides.
- Endpoint-level overrides. A per-endpoint value wins over the group-level value. If a specific endpoint’s attribute looks wrong, check the endpoint’s Edit dialog.
Symptom — a Self-Service User can’t sign in
They clicked the email invitation link or tried SAML and landed on an error page. Check:
- The invitation is still valid. Click Resend Invitation on the user’s row to mint a fresh token.
- Email typos. The address the invite went to must match exactly — case-insensitive, but otherwise verbatim.
- For SAML sign-in: the Organization’s SAML settings are correctly configured for the Self-Service portal. See Organization SAML authentication.
When to reach out
If the API Status table reads Up, the underlying ISE APIs respond normally from another tool (for example a curl against the same Base URL), and something on the platform side still isn’t behaving, open a support ticket with your Netgraph contact. Include:
- The Organization and Context names (not IDs — humans find names faster in our logs).
- The exact failing action (connect group X, add endpoint Y).
- The timestamp of the attempt, to five-minute accuracy.
- Anything relevant from the Context’s Audit Log around that time.
Related
- Cisco ISE connection: Base URL, API user, three API families.
- Managing endpoints: CRUD and Change of Authorization.
- Managed Attributes: Context-level definition, group-level values.
- Audit Log: Every operation recorded, with timestamps.

