06-01-2020 02:56 PM
I want to view "Radius errors" from the "Report" --> "Diagnostic" section of the GUI from the ERS API.
I tried the "mnt" URL but I am getting a 404 error.
Is it possible to view messages and filter messages based on keywords?
06-03-2020 07:10 PM
MNT APIs are on port 443 but not 9060.
However, it's not recommended to use MNT APIs for this type of monitoring. Instead, please either forward the ISE events to a remote syslog target and analyze them there or use pxGrid APIs.
06-01-2020 03:08 PM
I was in the journey of looking at these features, how the API can pull the information outside.
Maybe this API document helps you (ignore if you have already come across this document):
https://developer.cisco.com/docs/identity-services-engine/#!setting-up
06-01-2020 03:27 PM
06-01-2020 05:32 PM
The Monitoring REST APIs are mainly to gather information about active sessions or the MnT nodes themselves. While you can get some Failure Reason info from the API, it would mainly be for active/recent sessions and not useful for historical data.
Most customers send all auth events to an external Syslog server (like Splunk) and use the correlation and dashboard functionalities in that platform for historical data.
06-02-2020 03:10 PM - edited 06-02-2020 03:11 PM
"mnt" is not a valid URL which is why you got a 404. Please be very specific about your inputs and outputs so we can help faster. See How to Ask The Community for Help.
The description of the Operations > Reports > Diagnostics > RADIUS Errors report says it "... enables you to check for RADIUS Requests Dropped, EAP connection time outs and unknown NADs".
The ISE Monitoring REST APIs > Supported API Calls are the closest thing to what you want.
The FailureReasons call simply returns a dump of all errors listed in the ISE Message Catalog (Administration > Logging > Message Catalog) so that will not help you until you want to know what a particular error means or what to do next to troubleshoot it.
The closest option is the AuthStatus call:
https://<ISEhost>/admin/API/mnt/AuthStatus/MACAddress/<macaddress>/<numberofseconds>/<numberofrecordspermacaddress>/All
However, it requires you to specify a single MAC address as an argument. Also, it will not give you a list of all Drops, Timeouts, or Unknown NADs, only Passed/Failed authentications for the single MAC.
If you want Passed/Failed messages of specific endpoints then AuthStatus can work for you.
curl -s -k --header 'Accept: application/xml' --user admin:C1sco12345 https://198.18.133.27/admin/API/mnt/AuthStatus/MACAddress/DEADBEEFCAFE/3600/100/All | xmllint --format - | grep fail
<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">false</failed>
<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">false</failed>
<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">true</failed>
<failure_reason>22056 Subject not found in the applicable identity store(s)</failure_reason>
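As an added example that is not part of the original post: the `grep fail` step above loses the link between each `<failed>` flag and its `<failure_reason>`, so this sketch parses a saved AuthStatus response and returns only the failed records, optionally filtered by keyword. The sample XML is constructed; the wrapper element names and the `user_name` field are assumptions, and only `<failed>` and `<failure_reason>` are taken from the output quoted in the post.

```python
import xml.etree.ElementTree as ET

# Namespace attributes as they appear on <failed> in the quoted output.
NS = ('xmlns:xs="http://www.w3.org/2001/XMLSchema" '
      'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean"')

# Constructed sample. Wrapper names and user_name are assumptions.
SAMPLE = f"""<authStatusOutputList>
  <authStatusList key="DE:AD:BE:EF:CA:FE">
    <authStatusElements>
      <failed {NS}>false</failed>
      <user_name>alice</user_name>
    </authStatusElements>
    <authStatusElements>
      <failed {NS}>true</failed>
      <user_name>bob</user_name>
      <failure_reason>22056 Subject not found in the applicable identity store(s)</failure_reason>
    </authStatusElements>
  </authStatusList>
</authStatusOutputList>"""


def failed_auths(xml_text, keyword=None):
    """Return one dict per record whose <failed> child is true.

    The search is structure-agnostic: any element with a direct <failed>
    child counts as a record, so the wrapper names do not matter.
    keyword, if given, is matched case-insensitively in failure_reason.
    """
    hits = []
    for record in ET.fromstring(xml_text).iter():
        failed = record.find("failed")
        if failed is None or (failed.text or "").strip().lower() != "true":
            continue
        reason = (record.findtext("failure_reason") or "").strip()
        if keyword and keyword.lower() not in reason.lower():
            continue
        # ISE prefixes the reason text with its Message Catalog code.
        code, _, message = reason.partition(" ")
        hits.append({"user": record.findtext("user_name"),
                     "code": code, "message": message})
    return hits


if __name__ == "__main__":
    for hit in failed_auths(SAMPLE, keyword="identity store"):
        print(hit)
```
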
06-03-2020 07:43 AM
06-03-2020 08:41 PM