The External RESTful Services (ERS) application programming interfaces (APIs) are based on the HTTPS protocol and REST methodology
and use port 9060.
The External RESTful Services APIs support basic authentication. The authentication credentials are encrypted and are part
of the request header.
You can use any REST client, such as Java, the Linux cURL command, Python, or any other client, to invoke External RESTful Services
API calls.
Note: The ERS APIs support TLS 1.1 and TLS 1.2. ERS APIs do not support TLS 1.0 regardless of enabling TLS 1.0 in the Security Settings window (). Enabling TLS 1.0 in the Security Settings window is related to the EAP protocol only and does not impact ERS APIs.
You must assign special privileges to a user to allow the user to perform operations using the External RESTful Services APIs.
To perform operations using the External RESTful Services APIs (except for the Guest API), the user must be assigned to either
the ERS Admin or the ERS Operator administrator group. The user must be authenticated against the credentials that are stored in the Cisco ISE internal database
(internal admin users).
- ERS Admin: This user can create, read, update, and delete External RESTful Services API requests. They have full access to all External
RESTful Services APIs (GET, POST, DELETE, PUT).
- ERS Operator: This user has read-only access (GET requests only).
Note: A user with the role Super Admin can access all External RESTful Services APIs.
ERS session idle timeout is 60 sec. If several requests are sent during this period, the same session is used with the same
Cross-Site Request Forgery (CSRF) token. If the session has been idle for more than 60 sec, the session is reset and a new
CSRF token is used.
The External RESTful Services APIs are disabled by default. If you invoke the External RESTful Services API calls before enabling
them, you will receive an error response. Enable the Cisco ISE REST API feature for the applications developed for a Cisco
ISE REST API to be able to access Cisco ISE. The Cisco REST APIs use HTTPS port 9060, which is closed by default. If the
Cisco ISE REST APIs are not enabled on the Cisco ISE administration server, the client application receives a timeout error
from the server for any Guest REST API requests.
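The following Python client sketch is an added example, not Cisco's code. It builds an ERS request for port 9060 with a Basic authentication header, rejects methods the caller's group is not allowed to use, and verifies the server certificate with a TLS 1.2 floor (a choice made here within the supported versions). The host name, resource path, and account values are constructed placeholders.

```python
import base64
import ssl
import urllib.request

ERS_PORT = 9060  # from the page: ERS uses HTTPS port 9060
# Methods per group, as described on the page (Super Admin can access all APIs).
ALL_METHODS = {"GET", "POST", "PUT", "DELETE"}
ROLE_METHODS = {
    "ERS Admin": ALL_METHODS,
    "ERS Operator": {"GET"},
    "Super Admin": ALL_METHODS,
}


def ers_tls_context(ca_file=None):
    """Verify the ISE certificate and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_ers_request(host, path, user, password, role, method="GET", body=None):
    """Build (without sending) an ERS request; fail early if the role forbids it."""
    method = method.upper()
    if role not in ROLE_METHODS:
        raise ValueError(f"unknown ERS role: {role!r}")
    if method not in ROLE_METHODS[role]:
        raise PermissionError(f"{role} is not permitted to send {method}")
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    # Basic auth is Base64 of "user:password"; the HTTPS channel is what protects it.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    if body is not None:
        headers["Content-Type"] = "application/json"
    url = f"https://{host}:{ERS_PORT}{path}"
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def send(request, ca_file=None, timeout=10):
    """Send the request; a timeout can mean ERS is not enabled (port 9060 closed)."""
    ctx = ers_tls_context(ca_file)
    with urllib.request.urlopen(request, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed sample values; host, path and account are placeholders.
    req = build_ers_request("ise.example.com", "/ers/config/endpoint",
                            "ers-operator", "constructed-password", "ERS Operator")
    print(req.get_method(), req.full_url)
```

Pass `ca_file` when the Cisco ISE administration certificate is issued by a private CA, rather than turning certificate verification off.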