Re: How to get Context Visibility data from Cisco ERS API?

ADuToit · ‎04-04-2023

Hi All,

I've recently been looking into some network automation pieces for Cisco products, and as part of that I need to be able to pull down all Context Visibility data for switches in the environment.

The context visibility data is useful since it gives me an idea of how many devices are connected to a switch and what the details of those devices are.

I couldnt find any documentation on the ERS API that describes how to get the data. Is there another API I can use to get that data from ISE? or am i missing the API Endpoint that gives that functionality.

Any feedback is highly Appreciated!
Best Regards

Andre

Charlie Moreton · ‎04-04-2023

Context Visibility itself hasn't made it as an API library, but you can use other API calls to get the information you want.

Using the MNT API, there is a GET request for 'Session by NAS ID' to return all sessions connected through a specific network device.

{{baseUrl}}/admin/API/mnt/Session/IPAddress/{{nas_ip}}

The full list of APIs available are at https://cs.co/ise-api

This is another great resource: ISE Monitoring API Examples

ADuToit · ‎04-05-2023

Hi Charlie,

Thank you for the reply, it is greatly appreciated. I will try and test with the MNT API, but it seems the ISE environment we are using has it disabled by default so i will have to get back to you on the success of this. But it does sound really promising, thank you very much!

hslai · ‎04-15-2023

@ADuToit MNT API uses the credentials of an ISE admin user belonging to ISE Super Admin, MnT Admin, or System Admin groups.

If you want to use one user for both MNT API and ERS API, then the user should be part of Super Admin.

ADuToit · ‎06-05-2023

Hi Charlie,

I have been able to get back session data from this IP Address, but upon giving the results to the network team and asking them to confirm that the data is accurate, it seems that there is a massive difference between what they see in the Context Visibility page, and what i get from the API.

They see 100+ devices connected to the switch, and i only find one result from the api endpoint. Am i doing something wrong?

Any feedback or assistance would be greatly appreciated!

Rodrigo Diaz · ‎04-04-2023

hello @ADuToit , perhaps this is not related API, but you can retrieve all the Context visibility info related to endpoint information from the PAN ISE if you run the command "application configure ise " and then you select option [16]Get all Endpoints, this will provide you the full list of endpoints from where you can filter through NAD to see which devices that are linked with those switches.

Let me know if that helped you.

ADuToit · ‎04-05-2023

Hi Rodrigo,

Thank you for your reply, I Am looking for ways to access the data through the API since this will be used in an Automation Solution, and going the API route is just best practice for me.

I do appreciate the information though!

Best Regards

Andre

briggsmitchell34 · ‎04-04-2023

To retrieve Context Visibility data for switches in your environment, you can use the Cisco Identity Services Engine (ISE) REST API.

You can retrieve this data by using the ISE Monitoring API, which provides access to the Context Visibility data through REST API endpoints. Specifically, you can use the following endpoint to retrieve the Context Visibility data for a given switch:

GET /ers/config/ctxacldetail/switchmac/{switch-mac-address}

In this endpoint, {switch-mac-address} should be replaced with the MAC address of the switch for which you want to retrieve the Context Visibility data.

You can authenticate with the ISE REST API by obtaining an access token, which can be done by following the steps outlined in the ISE API documentation.

Once you have obtained an access token, you can make requests to the ISE Monitoring API endpoints to retrieve the Context Visibility data for switches in your environment.

I hope this helps! Let me know if you have any further questions.

ADuToit · ‎04-05-2023

Hi Mitchell,

Thanks for the reply, I do not have a switch mac handy that i can feed into the API URL right now, but i will try this once i do.

Do you perhaps know of any way i can grab a switch mac address from the ERS API? that way i can dynamically fetch the data and do queries.

Best Regards

Andre

thomas · ‎04-08-2023

The switchport's ethernet MAC address (or wireless access point's MAC) can be found in every ISE LiveLog as the Called-Station-Id which is being called/connected to by the Calling-Station-Id (endpoint's MAC). I could not find the string "called" in my ISE Monitoring API Examples so that will not do it.

Instead, I highly recommend you try our ISE 3.2+ feature called Data Connect which allows you to perform an ODBC connection and query the ISE database tables directly. We recently had an ISE Webinar dedicated to this topic:

Next Generation ISE Telemetry, Monitoring, and Custom Reporting Part 2 20230302

08:10 Data Connect (ISE 3.2 and later)
10:52 Data Connect Deployment Scenarios
12:56 Using Data Connect
14:12 - Enable Data Connect (GUI)
16:38 - Enable Data Connect (API)
17:16 - Repository for Examples: https://github.com/EmmanuelCano/DataConnect/
29:36 Data Connect Views (read-only)

I know it's not a REST API but this is probably the fastest way to query for everything on a specific network device by port.

ADuToit · ‎06-05-2023

Hi Mitchell,

Hope you have been well. I've tried using the API Endpoint you specified with a given Switch MAC Address, but im getting an error stating that the URL im trying to GET doesnt exist. I also downloaded the CISCO ISE ERS Postman Collection, and i cannot find ctxacldetail endpoint anywhere.

Could you please elaborate as to where i could find more information on this API Endpoint?

Any other info would be greatly appreciated!