topic Re: Get report status endpoint from ISE in Network Access Control

Get report status endpoint from ISE

Da ICS16 — Fri, 19 Apr 2024 08:29:57 GMT

Dear Community,

There have 2 kind different of AnyConnect agent version on ISE.

Also have 2 kind of Complain Module as well.

There are 2 kindly of Cisco AnyConnect agent on ISE where Client Provisioning Policy.

1. AnyConnect 4.x with its Compliance Module

2. Secure client 5.x with its Compliance Module

Please share how to get the report from ISE with below points.

how to get the report status of endpoint with new version and old version of AnyConnect?
How to get the report status of endpoint with new version and old version of compliance module?

Best Regards

Re: Get report status endpoint from ISE

Arne Bier — Mon, 06 May 2024 23:35:04 GMT

Depending on your version of ISE, you might find an API call to retrieve very detailed endpoint information. However, as a start, I would try the following:

Export one example of such an endpoint in the ISE GUI Context Visibility and see if there data is there

if not, then export all the Endpoints via the Primary PAN CLI

application configure ise

Select option

[16]Get all Endpoints

If you have a recent ISE version (3.1 and onwards) then you can download the generated .csv from the PAN GUI and analyse the data in Excel.

Alternatively, it has been discussed before, that the SYSLOG messages that ISE sends to an external SYSLOG receiver is probably the best place to look for things like TLS versions used by endpoints. The trick of course, is to ensure that you are sending RADIUS Authentication SYSLOGs to your SIEM, and then, be confident that your endpoints have all authenticated so that you can analyse ALL your endpoints. You might have PCs that are offline or failing auth - and those might not reflect in our SIEM analysis.

Re: Get report status endpoint from ISE

thomas — Wed, 08 May 2024 22:42:19 GMT

I was able to use the ISE Data Connect feature (ISE 3.2+) with my iseql.py script to perform an SQL query for the versions of AnyConnect / Cisco Secure Client (CSC) :

iseql.py -it " SELECT posture_agent_version, endpoint_mac_address FROM (SELECT DISTINCT posture_agent_version, endpoint_mac_address FROM posture_assessment_by_endpoint) WHERE endpoint_mac_address IS NOT NULL and posture_agent_version IS NOT NULL ORDER BY posture_agent_version " posture_agent_version endpoint_mac_address ---------------------------------- ---------------------- Posture Agent for Windows 5.1.2.42 00:50:56:8E:25:BB Posture Agent for Windows 5.1.2.42 00:50:56:8E:39:CC Posture Agent for Windows 5.1.2.42 00:50:56:8E:24:79 Posture Agent for Windows 5.1.3.62 54:AF:97:D6:A7:3B Posture Agent for Windows 5.1.3.62 00:50:56:8E:25:BB

You could add additional columns for the endpoint_operating_system, posture_status, system_name, system_user, username, and more.

There is no attribute that I can find for the compliance module version. Submit an ISE Wish (cs.co/ise-wish) for that.

Re: Get report status endpoint from ISE

Arne Bier — Wed, 08 May 2024 23:43:07 GMT

@thomas you are our API champion! Thanks - I think I will start using this in my customer setups as an auditing tool - using python for the ODBC interface is super cool.

Re: Get report status endpoint from ISE

thomas — Thu, 09 May 2024 00:31:47 GMT

Yeah, I see a lot of custom reporting questions which is why we created the Data Connect feature in the first place.

It's so much faster than REST APIs, too, especially with more than a few hundred objects.

You can see how I used it in

▷How to Get Data Out of ISE 2024-04-02

48:32 ISE Data Connect

OpenAPI: https://cs.co/ise-api#!data-connect-openapi
Guides: https://cs.co/ise-dataconnect
iseql.py: https://github.com/1homas/ISE_Python_Scripts/blob/main/iseql.py

52:07: Demo: ISE Data Connect SQL Queries

iseql.py --help
iseql.py "SELECT view_name FROM user_views ORDER BY view_name ASC"
iseql.py "SELECT view_name FROM RADIUS_ACCOUNTING"
iseql.py "SELECT status,username,is_admin,password_never_expires FROM network_access_users"
iseql.py "select  location, sum(passed_count) as passed, sum(failed_count) as failed, sum(passed_count) + sum(failed_count) as total, round(to_char(((sum(failed_count) / (sum(passed_count) + sum(failed_count))) * 100)), 2) as failed_percentage, round(to_char(sum(total_response_time)/(sum(passed_count) + sum(failed_count))), 2) as total_response_time, max(max_response_time) as max_response_time from radius_authentication_summary group by location"

I also created a script ise-dc-enable.py to help you quickly enable Data Connect on ISE via REST APIs.

Re: Get report status endpoint from ISE

Arne Bier — Thu, 09 May 2024 10:27:28 GMT

Hey Thomas,

I like the SQL examples because I did one term of SQL in my undergrad. Many many many years ago. I never really got the hang of it, especially when dealing with all those complex inner/outer joins. Do you have any useful SQL guides you recommend for networking engineers?

Re: Get report status endpoint from ISE

pavagupt — Thu, 09 May 2024 11:51:20 GMT

You can take look at the examples and how to connect to ISE using SQLDeveloper and use simple queries.

Demo: Sample SQL Queries

You could make use of Posture_Assessment_by_endpoint table. Below query can give you unique users, devices, operating systems and agent version.

select Distinct Username, Endpoint_Mac_Address,Endpoint_Operating_System, Posture_agent_version from Posture_Assessment_by_endpoint;