
Query on APIs to Fetch Specific Fields from ISE

I need to fetch specific data fields from Cisco ISE. Could you please guide me on the appropriate APIs or endpoints that can be used to retrieve the following information?

  • NAS Port
  • NAS IP
  • NAS Type
  • Location
  • Network Device Details
  • Authorization Profile
  • Reason for Non-Compliance (if the posture status is Non-Compliant)

Additionally, I would appreciate any documentation or examples of API requests and responses that could assist in implementing these queries effectively.

2 Accepted Solutions


thomas
Cisco Employee

You did not explain your desired goal or scenario, but you have 2 options.

First is the ISE MNT APIs for active session details; however, these are only valid for active sessions - not all historical - and only return XML. See ISE Monitoring API Examples:

 How to Get Data Out of ISE 

25:04 Demo: ISE REST APIs with curl and Python Scripts | ISE ERS API Examples | ISE Monitoring API Examples

Second - and my recommended approach - would be to not use REST APIs and instead use the ISE 3.2+ Data Connect feature with an ODBC client to get the values or create queries/reports.

 How to Get Data Out of ISE 

48:32 ISE Data Connect
  OpenAPI: https://cs.co/ise-api#!data-connect-openapi
  Guides: https://cs.co/ise-dataconnect
  iseql.py: https://github.com/1homas/ISE_Python_Scripts/blob/main/iseql.py
52:07: Demo: ISE Data Connect SQL Queries

And use my iseql.py script or preferred ODBC tool and my many saved SQL queries to get what you need:

❱ iseql.py "$(cat data/SQL/radius_auths_example.sql)" -it -f table

radius_auths_example.sql:

 

SELECT
    TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
    calling_station_id,
    username,
    device_name,
    nas_ip_address,
    nas_port_id,
    nas_port_type,
    location, -- NDG
    policy_set_name, -- Default, Wired, etc.
    authorization_profiles AS authz_profiles, -- ⚠ Blank for failed auths!
    posture_status
FROM radius_authentications
WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
ORDER BY timestamp ASC -- first/oldest records

 

There is no API or field for Reason for Posture Non-Compliance. Make a Wish for that @ https://cs.co/ise-wish


The ISE Data Connect tables will be very helpful by providing FAILURE_REASON and many other fields per endpoint posture assessment.

No additional licensing required.

 


8 Replies

Hey,

For this API:

https://10.215.26.83:443/api/v1/policy/network-access/authorization-profiles

What value are we supposed to pass in the headers? What is an X-Request-ID?

Hey, I think I wasn't clear enough. I want these components to be fetched that appear in RADIUS live logs; these above-listed ip's don't help me with that. Maybe any other API?

  • NAS Port
  • NAS IP
  • NAS Type
  • Location
  • Network Device Details
  • Authorization Profile
  • Reason for Non-Compliance (if the posture status is Non-Compliant) 


Hey Thomas,

So basically my goal is to fetch fields for live data and store them in a database I have created.
You can check these fields by opening the ISE UI and going to Operations > RADIUS > Live Logs,
then, under the Details column, opening the authentication report. In that report,

Now the fields I want the data for are:

--> Under the section Authentication Details:

Username, Endpoint Id, Endpoint Profile, Calling Station Id, Network Device, Location, Authorization Profile

--> Under the section Other Attributes:

Device IP Address, cisco-nas-port, Location, network device profile.

So, using the Data Connect feature, can I fetch these?
Also, we are using Golang on the backend; will it be compatible with the Data Connect feature?

Adding to this - I know there are current plans to release some additional API features in the future which are associated with DoD Comply-to-Connect requirements. As far as I am aware, this change will incur additional license requirements. I explicitly looked to identify posture information from ISE, which was not possible given the currently available APIs. As @thomas may be more apprised of the situation, I would certainly look at following his recommendation in the meantime.


Hey, I am facing an error while trying to connect to the ISE DB after enabling the Data Connect feature.

The code is:

package main

import (
    "database/sql"
    "fmt"
    "log"

    _ "github.com/sijms/go-ora/v2" // Oracle DB driver
)

func main() {
    // Define the connection string for Oracle with SSL/TCP
    dsn := `dataconnect/password@tcps(1.1.1.1:2484)/cpm10?ssl=true&ssl_cert=<path_to_cert>`

    // Open a database connection using the go-ora driver
    db, err := sql.Open("oracle", dsn)
    if err != nil {
        log.Fatalf("Failed to open connection: %v", err)
    }
    defer db.Close()

    // Try to ping the database to check connectivity
    err = db.Ping()
    if err != nil {
        log.Fatalf("Failed to ping database: %v", err)
    } else {
        fmt.Println("Successfully connected to the Cisco ISE Database!")
    }

    // Sample query: List Network Device Groups
    rows, err := db.Query("SELECT * FROM NETWORK_DEVICE_GROUPS")
    if err != nil {
        log.Fatalf("Error executing query: %v", err)
    }
    defer rows.Close()

    // Print query results
    fmt.Println("\nList of Network Device Groups:")
    for rows.Next() {
        var id, name, status string
        err := rows.Scan(&id, &name, &status)
        if err != nil {
            log.Fatalf("Error scanning row: %v", err)
        }
        fmt.Printf("ID: %s, Name: %s, Status: %s\n", id, name, status)
    }

    if err := rows.Err(); err != nil {
        log.Fatalf("Row iteration error: %v", err)
    }
}

The error I am facing is:
2024/12/24 15:11:16 Failed to ping database: missing port in address
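
Added example (not part of the original thread and not go-ora project code): the `tcps(host:port)` DSN in the post contains no URL authority, so a URL parser finds an empty host, and that is what "missing port in address" reports. The sketch below reproduces the error with the standard library and builds a URL-style DSN instead. It assumes go-ora accepts `oracle://user:password@host:port/service?options` and an `SSL` option; `buildDSN`, `checkDSN` and the sample password are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
)

// buildDSN assembles oracle://user:pass@host:port/service?opts.
// url.UserPassword percent-encodes '@', '/', ':' and '?' in the password,
// so a strong password cannot corrupt the host part of the DSN.
func buildDSN(user, pass, host string, port int, service string, opts map[string]string) string {
	q := url.Values{}
	for k, v := range opts {
		q.Set(k, v)
	}
	u := url.URL{
		Scheme:   "oracle",
		User:     url.UserPassword(user, pass),
		Host:     net.JoinHostPort(host, strconv.Itoa(port)),
		Path:     "/" + service,
		RawQuery: q.Encode(),
	}
	return u.String()
}

// checkDSN is a pre-flight check to run before sql.Open: it fails the same
// way the post's error does when the DSN carries no host:port authority.
func checkDSN(dsn string) error {
	u, err := url.Parse(dsn)
	if err != nil {
		return fmt.Errorf("parse DSN: %w", err)
	}
	if _, _, err := net.SplitHostPort(u.Host); err != nil {
		return fmt.Errorf("host %q: %w", u.Host, err)
	}
	if u.Scheme != "oracle" {
		return fmt.Errorf("scheme %q, want \"oracle\"", u.Scheme)
	}
	return nil
}

func main() {
	// DSN shape from the post (certificate option dropped for brevity).
	posted := "dataconnect/password@tcps(1.1.1.1:2484)/cpm10?ssl=true"
	fmt.Println("posted:", checkDSN(posted))

	// Constructed sample password with characters that need escaping.
	// Certificate trust settings are driver-specific and omitted here.
	fixed := buildDSN("dataconnect", "p@ss/word", "1.1.1.1", 2484, "cpm10",
		map[string]string{"SSL": "true"})
	fmt.Println("fixed: ", fixed, checkDSN(fixed))
}
```

The string returned by `buildDSN` is what would be passed to `sql.Open("oracle", dsn)` in the posted program; read the password from the environment or a secret store rather than hard-coding it.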