I want to view "Radius errors" from the "Report" --> "Diagnostic" section of the GUI from the ERS API.
I tried the "mnt" URL but I am getting a 404 error.
Is it possible to view messages and filter messages based on keywords?
MNT APIs are on port 443 but not 9060.
However, it's not recommended to use MNT APIs for this type of monitoring. Instead, please either forward the ISE events to a remote syslog target and analyze them there or use pxGrid APIs.
I was in the journey of looking at these features and how the API can pull the information outside.
Maybe this API document helps you (ignore if you have already come across this document):
https://developer.cisco.com/docs/identity-services-engine/#!setting-up
The Monitoring REST APIs are mainly to gather information about active sessions or the MnT nodes themselves. While you can get some Failure Reason info from the API, it would mainly be for active/recent sessions and not useful for historical data.
Most customers send all auth events to an external Syslog server (like Splunk) and use the correlation and dashboard functionalities in that platform for historical data.
"mnt" is not a valid URL which is why you got a 404. Please be very specific about your inputs and outputs so we can help faster. See How to Ask The Community for Help.
The description of the Operations > Reports > Diagnostics > RADIUS Errors report says it "... enables you to check for RADIUS Requests Dropped, EAP connection time outs and unknown NADs".
The ISE Monitoring REST APIs > Supported API Calls are the closest thing to what you want.
The FailureReasons call simply returns a dump of all errors listed in the ISE Message Catalog (Administration > Logging > Message Catalog) so that will not help you until you want to know what a particular error means or what to do next to troubleshoot it.
The closest option is the AuthStatus call:
https://<ISEhost>/admin/API/mnt/AuthStatus/MACAddress/<macaddress>/<numberofseconds>/<numberofrecordspermacaddress>/All
However, it requires you to specify a single MAC address as an argument. Also, it will not give you a list of all Drops, Timeouts, or Unknown NADs, only Passed/Failed authentications for the single MAC.
If you want Passed/Failed messages of specific endpoints then AuthStatus can work for you.
curl -s -k --header 'Accept: application/xml' --user admin:C1sco12345 https://198.18.133.27/admin/API/mnt/AuthStatus/MACAddress/DEADBEEFCAFE/3600/100/All | xmllint --format - | grep fail
<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">false</failed>
<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">false</failed>
<failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">true</failed>
<failure_reason>22056 Subject not found in the applicable identity store(s)</failure_reason>
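The keyword filtering asked about in the question can be done on the AuthStatus response itself instead of with `grep`. This is an added example, not code from any poster or from Cisco; the wrapper element names in the constructed sample are assumptions, and only `failed` and `failure_reason` are taken from the output shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample response. The wrapper element names are assumptions;
# only <failed> and <failure_reason> are taken from the output in the thread.
SAMPLE = """<authStatusOutputList>
 <authStatusList key="DE:AD:BE:EF:CA:FE">
  <authStatusElements>
   <failed xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:boolean">false</failed>
  </authStatusElements>
  <authStatusElements>
   <failed>true</failed>
   <failure_reason>22056 Subject not found in the applicable identity store(s)</failure_reason>
  </authStatusElements>
  <authStatusElements>
   <failed>true</failed>
   <failure_reason>99999 Constructed reason used only for this sample</failure_reason>
  </authStatusElements>
  <authStatusElements>
   <failed>true</failed>
  </authStatusElements>
 </authStatusList>
</authStatusOutputList>"""

def _local(tag):
    """Strip any '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def failed_auths(xml_text, keyword=None):
    """Return [{'code', 'reason'}] for records whose <failed> is true,
    optionally keeping only reasons containing `keyword` (case-insensitive)."""
    hits = []
    for rec in ET.fromstring(xml_text).iter():
        fields = {_local(c.tag): (c.text or "").strip() for c in rec}
        if fields.get("failed", "").lower() != "true":
            continue
        raw = fields.get("failure_reason", "")  # may be absent on a failed record
        if keyword and keyword.lower() not in raw.lower():
            continue
        code, _, text = raw.partition(" ")
        hits.append({"code": code, "reason": text} if code.isdigit()
                    else {"code": "", "reason": raw})
    return hits

if __name__ == "__main__":
    for hit in failed_auths(SAMPLE, keyword="identity store"):
        print(hit["code"], hit["reason"])
```

Pairing each `failed` flag with the `failure_reason` in the same record avoids the ambiguity of line-based `grep`, where a reason cannot be tied back to a specific authentication attempt.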