Architecture
Endpoint Manager for ISE is a cloud-native service in the Netgraph Connectivity Platform. It integrates with one or more Cisco ISE deployments through Cisco’s published APIs, presents a delegated-administration surface to authorised users, and synchronises every change back to the customer’s ISE.
Service position
Section titled “Service position”Endpoint Manager runs alongside Cisco ISE — it does not sit in the authentication path. Network endpoints continue to authenticate and authorise against the customer’s Cisco ISE using 802.1X, MAB, iPSK or whichever methods are already configured. Endpoint Manager’s responsibility starts and ends at the maintenance of endpoint records inside Cisco ISE’s Endpoint Identity Groups.
Authenticated endpoints continue to talk to Cisco ISE directly; Endpoint Manager is not in the authentication path. The connection from Endpoint Manager to Cisco ISE runs over HTTPS, and can be encapsulated over Service Connector (IPSec) for private connectivity instead of the public internet.
The Context model
Section titled “The Context model”An Endpoint Manager Context is the container that couples the platform to one Cisco ISE deployment. Each Context holds:
- The connection details for one Cisco ISE — base URL, API user and an internal display name. Credentials are stored secret-encrypted.
- The set of Endpoint Identity Groups that have been opted in to managed administration.
- The Managed Attribute definitions — which of Cisco ISE’s Endpoint Custom Attributes are exposed for delegated administration.
- The Self-Service Users invited to each managed group.
- The Context’s audit history and webhook subscriptions.
An organisation can run multiple Contexts in parallel — for example one for a production ISE and one for a lab ISE. Contexts are isolated from one another except for the shared Organization administrators and audit stream.
Cisco ISE API integration
Section titled “Cisco ISE API integration”Endpoint Manager interacts with Cisco ISE over three published API families. All three must be enabled and reachable for the Context to function:
| API family | Purpose in Endpoint Manager |
|---|---|
| ERS — External RESTful Services | Enumerate, create and update Endpoint Identity Groups; read/write endpoints. |
| Open API | Bulk endpoint operations, Endpoint Custom Attribute synchronisation. |
| Monitoring API (MnT) | Read live session data and trigger Change of Authorization (CoA). |
Endpoint Manager continuously verifies each API family’s reachability. The Context’s API status view surfaces individual API states so issues can be diagnosed without leaving the platform.
Data flow at a glance
Section titled “Data flow at a glance”- An Organization administrator connects a Context to Cisco ISE using an API user.
- The Context is configured: which Endpoint Custom Attributes to expose, which Endpoint Identity Groups to bring under managed administration, and which delegated administrators to invite.
- Delegated administrators sign in to the Self-Service portal and operate only on the groups they belong to. Every action results in an API call to Cisco ISE.
- Every configuration change and endpoint operation is captured in the Context’s audit stream and optionally forwarded via webhooks.
Security boundaries
Section titled “Security boundaries”The service is built around three hard boundaries that the customer’s policy and the platform jointly enforce:
- No Cisco ISE access for delegated users. Self-Service Users never see Cisco ISE’s admin UI, never hold ISE credentials, and never call ISE directly.
- Per-group scope. A Self-Service User can only see and modify endpoints in the groups they are invited to. Authorisation is enforced server-side on every request.
- Customer-owned credentials. The Cisco ISE API user is created and owned by the customer. Its scope is limited to endpoint and endpoint-group operations and can be revoked at any time without affecting Cisco ISE itself.
In addition:
- All communication between Endpoint Manager and Cisco ISE is over HTTPS (TLS).
- Cisco ISE API credentials are stored secret-encrypted and never displayed back to administrators.
- Authentication to the Netgraph admin and Self-Service portals supports SAML 2.0 Single Sign-On, enabling provisioning and de-provisioning of users through the customer’s Identity Provider.
Deployment options
Section titled “Deployment options”Endpoint Manager is delivered as a SaaS service. Two delivery options are available:
- Global Cloud — hosted in the public cloud (Amazon Web Services) with the platform’s global infrastructure footprint.
- Nordic Sovereign Cloud — data hosted in Sweden with Swedish-owned partners only. Aligned with recommendations for Swedish public administration and government agencies.
Both delivery options carry the same functional capabilities. The choice is driven by customer policy on data sovereignty and procurement requirements.