Cisco Community
English
Register
ANNOUNCEMENT - Upcoming Changes in the email address of Community email notifications - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

373
Views
25
Helpful
7
Replies
Highlighted
RakeshKulkarni82221
Beginner
Beginner
‎06-01-2020 02:56 PM
‎06-01-2020 02:56 PM

How to get Radius error Diagnostic logs through ISE ERS API?

I want tp view "Radius errors" from "Report"--> "Diagnostic" section of GUI from ERS API,

I tried "mnt" url but i am getting 404 error,

is ot possible to view messages and filter messages based on the keywords?

Labels:
Everyone's tags (3)
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
hslai
Cisco Employee
Cisco Employee
‎06-03-2020 07:10 PM
‎06-03-2020 07:10 PM

Re: How to get Radius error Diagnostic logs through ISE ERS API?

MNT APIs are on port 443 but not 9060.

However, it's not recommended to use MNT APIs for this type of monitoring. Instead, please either forward the ISE events to a remote syslog target and analyze them there or use pxGrid APIs.

View solution in original post

Reply
7 REPLIES 7
Highlighted
balaji.bandi
VIP Mentor VIP Mentor
VIP Mentor
‎06-01-2020 03:08 PM
‎06-01-2020 03:08 PM

Re: How to get Radius error Diagnostic logs through ISE ERS API?

i was in the journey of looking at these features how API can pull the information outside.

 

maybe this API document helps you : (ignore if you come across this document).

 

https://developer.cisco.com/docs/identity-services-engine/#!setting-up

BB
*** Rate All Helpful Responses ***
0 Helpful
Reply
Highlighted
RakeshKulkarni82221
Beginner
Beginner
‎06-01-2020 03:27 PM
‎06-01-2020 03:27 PM

Re: How to get Radius error Diagnostic logs through ISE ERS API?

I have setup my account and i can pull basic stuff like internalUsers and all, but i needed any document that has pulling the logs like radius errors and live session logs.
0 Helpful
Reply
Highlighted
Greg Gibbs
Cisco Employee
Cisco Employee
‎06-01-2020 05:32 PM
‎06-01-2020 05:32 PM

Re: How to get Radius error Diagnostic logs through ISE ERS API?

The Monitoring REST APIs are mainly to gather information about active sessions or the MnT nodes themselves. While you can get some Failure Reason info from the API, it would mainly be for active/recent sessions and not useful for historical data.

Most customers send all auth events to an external Syslog server (like Splunk) and use the correlation and dashboard functionalities in that platform for historical data.

Reply
Highlighted
thomas
Cisco Employee
Cisco Employee
‎06-02-2020 03:10 PM
‎06-02-2020 03:10 PM

Re: How to get Radius error Diagnostic logs through ISE ERS API?

"mnt" is not a valid URL which is why you got a 404. Please be very specific about your inputs and outputs so we can help faster. See How to Ask The Community for Help.

The description of the Operations > Reports > Diagnostics > RADIUS Errors report says it "... enables you to check for RADIUS Requests Dropped, EAP connection time outs and unknown NADs".

The ISE Monitoring REST APIs > Supported API Calls are the closest thing to what you want.

The FailureReasons call simply returns a dump of all errors listed in the ISE Message Catalog (Administration > Logging > Message Catalog) so that will not help you until you want to know what a particular error means or what to do next to troubleshoot it.

The closest option is the AuthStatus call

https://<ISEhost>/admin/API/mnt/AuthStatus/MACAddress/<macaddress>/<numberofseconds>/<numberofrecordspermacaddress>/All

however it requires you to specify a single MAC address as an argument. Also it will not give you a list of all Drops, Timeouts, or Unknown NADs only Passed/Failed authentications for the single MAC.

If you want Passed/Failed messages of specific endpoints then AuthStatus can work for you.

curl -s -k --header 'Accept: application/xml' --user admin:C1sco12345 https://198.18.133.27/admin/API/mnt/AuthStatus/MACAddress/DEADBEEFCAFE/3600/100/All | xmllint --format - | grep fail

<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">false</failed>
<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">false</failed>
<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">true</failed>
<failure_reason>22056 Subject not found in the applicable identity store(s)</failure_reason>

 

 

 

Reply
Highlighted
RakeshKulkarni82221
Beginner
Beginner
‎06-03-2020 07:43 AM
‎06-03-2020 07:43 AM

Re: How to get Radius error Diagnostic logs through ISE ERS API?

I have my monitoring node IP address and the user-id i am using is under (Super Admin, System Admin, MnT Admin)
but when i issue the request to url "https://monitoring_node_ip:9060/admin/API/mnt/Version" and also url r"https://monitoring_node_ip:9060/admin/API/mnt/Session/ActiveCount",

but i get 404 error
0 Helpful
Reply
Highlighted
hslai
Cisco Employee
Cisco Employee
‎06-03-2020 07:10 PM
‎06-03-2020 07:10 PM

Re: How to get Radius error Diagnostic logs through ISE ERS API?

MNT APIs are on port 443 but not 9060.

However, it's not recommended to use MNT APIs for this type of monitoring. Instead, please either forward the ISE events to a remote syslog target and analyze them there or use pxGrid APIs.

View solution in original post

Reply
Highlighted
RakeshKulkarni82221
Beginner
Beginner
‎06-03-2020 08:41 PM
‎06-03-2020 08:41 PM

Re: How to get Radius error Diagnostic logs through ISE ERS API?

This resolved my issue and however we also need to use "xml" as accept type in headers otherwise we get http 406 error code.

Thanks and i will look into transferring logs to external syslog server.
0 Helpful
Reply
Latest Contents
What information is shared when I log into SecureX with Micr...
Created by diddly on 07-03-2020 04:05 PM
0
0
0
0
Question When I log into SecureX, I'm given an option to Sign in with MIcrosoft. What information is shared from my profile with Cisco? Answer 1. If you signed in with your work email, the information shared from your profile is controlled by your or... view more
Using Stealthwatch to Monitor IOT devices for exploitation, ...
Created by pejohns2 on 07-02-2020 09:08 AM
0
0
0
0
Stealthwatch Enterprise can be leveraged to monitor vulnerable devices, and alert on potential exploitation by bad actors looking to exploit Ripple20 and other potential vulnerabilities. Note that the concepts and procedures outlined here can be used for... view more
Using Stealthwatch to monitor and alert on suspicious/out-of...
Created by pejohns2 on 07-02-2020 06:23 AM
0
0
0
0
The following is useful to those entities interested in monitoring appropriate usage of Cisco WebEx resources within their environments, as well as those interested in tracking additional metrics around usage of the WebEx service. The relevant supporting... view more
Activated the SecureX ribbon with the wrong account in AMP, ...
Created by diddly on 07-01-2020 05:15 PM
0
0
0
0
Question I'm using AMP, and when I activated the SecureX Ribbon, I mistakenly used the wrong account to connect to SecureX. Now my SecureX Ribbon is connected to the wrong account. How do I fix it? Answer You can clear the SecureX Authorizatio... view more
Activated the SecureX ribbon with the wrong login account in...
Created by diddly on 07-01-2020 11:00 AM
0
0
0
0
Question I'm using Umbrella, and when I activated the Ribbon, I mistakenly used the wrong account to connect to SecureX. Now my SecureX Ribbon is connected to the wrong account. How do I fix it? Answer You can clear the SecureX Authorization for t... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners

Follow our Social Media Channels