11-27-2024 08:25 PM
I am using the following API to fetch the authentication list of active sessions from Cisco ISE:
https://<ISEhost>/admin/API/mnt/Session/AuthList/starttime/endtime
When I retrieve the data using this API in Postman, I also receive a count of the total number of active sessions. However, when I insert this data into my database, the number of entries in the database exceeds the active session count provided by the API response.
What leads to this discrepancy?
Solved! Go to Solution.
12-02-2024 03:49 PM
> when I insert this data into my database
I don't know what you mean - you cannot insert data into the ISE database via these MNT APIs.
> the number of entries in the database exceeds the active session count provided by the API response.
You have not provided an actual query or response to know what you're doing or expecting - especially the specific GUI pages or database tables you are referencing. There are RADIUS authentications and then there are sessions which represent an endpoint's connection to the network between a RADIUS Accounting Start and Stop messages from the endpoint's network device.
According to the ISE MNT API documentation, the https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{start-time}/{end-time} represents the active sessions that are authenticated or lists the active sessions with accounting updates in the given time frame.
Unfortunately this documentation is old and confusing. It is counting the authentications (AuthList) between start-time and end-time.
❱ curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/AuthList/2024-12-02%2015:00:00/null \
| xq
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="4">
<activeSession>
<user_name>bob.ad</user_name>
<calling_station_id>B0:A7:B9:0B:7D:3A</calling_station_id>
<nas_ip_address>10.1.23.2</nas_ip_address>
<acct_session_id>E9CBAE0CCDF75A63</acct_session_id>
<server>ise-ppan</server>
<framed_ip_address>10.1.23.14</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
<activeSession>
<user_name>AC:17:C8:0C:17:A0</user_name>
<calling_station_id>AC:17:C8:0C:17:A0</calling_station_id>
<nas_ip_address>10.1.10.3</nas_ip_address>
<acct_session_id>E7D8914C99DEE77D</acct_session_id>
<audit_session_id>531df7060000b803674dd61a</audit_session_id>
<server>ise-ppan</server>
<framed_ip_address>10.1.10.19</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
<activeSession>
<user_name>EC:71:DB:72:E7:55</user_name>
<calling_station_id>EC:71:DB:72:E7:55</calling_station_id>
<nas_ip_address>10.1.10.3</nas_ip_address>
<acct_session_id>4792114FC05859A9</acct_session_id>
<audit_session_id>531df7060000b801674dd5da</audit_session_id>
<server>ise-ppan</server>
<framed_ip_address>10.1.10.23</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
<activeSession>
<user_name>gguser1,gg-win11vm1.isedtea.net</user_name>
<calling_station_id>00:50:56:91:5A:7D</calling_station_id>
<nas_ip_address>10.1.23.3</nas_ip_address>
<acct_session_id>1943368F61D7420D</acct_session_id>
<audit_session_id>283fff060000240e6749499d</audit_session_id>
<server>ise-ppan</server>
<framed_ip_address>10.1.23.13</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
</activeList>
These 4 authentications above represent the start of only half of my actual live sessions (4 above, 8 below) from the ActiveList query :
❱ curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveList \
| xq
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="8">
...
Please see my ISE MNT API examples: ISE Monitoring API Examples
With all that said, I do not recommend the ISE MNT APIs unless you have a very specify query by active session. For ISE authentication and accounting logs, please use the ISE 3.2+ Data Connect feature with an ODBC client for superior query capabilities and speed. I use my very simple iseql.py script and my many frequently asked queries like radius_auths.sql, radius_acct.sql, or radius_acct_sessions_active.sql. Also watch my webinar about many of these issues :
48:32 ISE Data Connect
OpenAPI: https://cs.co/ise-api#!data-connect-openapi
Guides: https://cs.co/ise-dataconnect
iseql.py
: https://github.com/1homas/ISE_Python_Scripts/blob/main/iseql.py
52:07: Demo: ISE Data Connect SQL Queries
12-02-2024 09:22 PM
Hey Thomas, thanks for replying .
--> I don't know what you mean - you cannot insert data into the ISE database via these MNT APIs.
I mean that I am inserting data that i am fetching using MNT APIs into a database that i have created , that is where i am tallying the number of records from.
--> I'll explain to you what i am doing , basically I am fetching data using this api : https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{start-time}/{end-time}
and inserting this data in my database .
Now, i have two doubts :
1) When i hit this api via postman i get this as a part of the response :
12-02-2024 03:49 PM
> when I insert this data into my database
I don't know what you mean - you cannot insert data into the ISE database via these MNT APIs.
> the number of entries in the database exceeds the active session count provided by the API response.
You have not provided an actual query or response to know what you're doing or expecting - especially the specific GUI pages or database tables you are referencing. There are RADIUS authentications and then there are sessions which represent an endpoint's connection to the network between a RADIUS Accounting Start and Stop messages from the endpoint's network device.
According to the ISE MNT API documentation, the https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{start-time}/{end-time} represents the active sessions that are authenticated or lists the active sessions with accounting updates in the given time frame.
Unfortunately this documentation is old and confusing. It is counting the authentications (AuthList) between start-time and end-time.
❱ curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/AuthList/2024-12-02%2015:00:00/null \
| xq
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="4">
<activeSession>
<user_name>bob.ad</user_name>
<calling_station_id>B0:A7:B9:0B:7D:3A</calling_station_id>
<nas_ip_address>10.1.23.2</nas_ip_address>
<acct_session_id>E9CBAE0CCDF75A63</acct_session_id>
<server>ise-ppan</server>
<framed_ip_address>10.1.23.14</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
<activeSession>
<user_name>AC:17:C8:0C:17:A0</user_name>
<calling_station_id>AC:17:C8:0C:17:A0</calling_station_id>
<nas_ip_address>10.1.10.3</nas_ip_address>
<acct_session_id>E7D8914C99DEE77D</acct_session_id>
<audit_session_id>531df7060000b803674dd61a</audit_session_id>
<server>ise-ppan</server>
<framed_ip_address>10.1.10.19</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
<activeSession>
<user_name>EC:71:DB:72:E7:55</user_name>
<calling_station_id>EC:71:DB:72:E7:55</calling_station_id>
<nas_ip_address>10.1.10.3</nas_ip_address>
<acct_session_id>4792114FC05859A9</acct_session_id>
<audit_session_id>531df7060000b801674dd5da</audit_session_id>
<server>ise-ppan</server>
<framed_ip_address>10.1.10.23</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
<activeSession>
<user_name>gguser1,gg-win11vm1.isedtea.net</user_name>
<calling_station_id>00:50:56:91:5A:7D</calling_station_id>
<nas_ip_address>10.1.23.3</nas_ip_address>
<acct_session_id>1943368F61D7420D</acct_session_id>
<audit_session_id>283fff060000240e6749499d</audit_session_id>
<server>ise-ppan</server>
<framed_ip_address>10.1.23.13</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
</activeList>
These 4 authentications above represent the start of only half of my actual live sessions (4 above, 8 below) from the ActiveList query :
❱ curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveList \
| xq
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="8">
...
Please see my ISE MNT API examples: ISE Monitoring API Examples
With all that said, I do not recommend the ISE MNT APIs unless you have a very specify query by active session. For ISE authentication and accounting logs, please use the ISE 3.2+ Data Connect feature with an ODBC client for superior query capabilities and speed. I use my very simple iseql.py script and my many frequently asked queries like radius_auths.sql, radius_acct.sql, or radius_acct_sessions_active.sql. Also watch my webinar about many of these issues :
48:32 ISE Data Connect
OpenAPI: https://cs.co/ise-api#!data-connect-openapi
Guides: https://cs.co/ise-dataconnect
iseql.py
: https://github.com/1homas/ISE_Python_Scripts/blob/main/iseql.py
52:07: Demo: ISE Data Connect SQL Queries
12-02-2024 09:22 PM
Hey Thomas, thanks for replying .
--> I don't know what you mean - you cannot insert data into the ISE database via these MNT APIs.
I mean that I am inserting data that i am fetching using MNT APIs into a database that i have created , that is where i am tallying the number of records from.
--> I'll explain to you what i am doing , basically I am fetching data using this api : https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{start-time}/{end-time}
and inserting this data in my database .
Now, i have two doubts :
1) When i hit this api via postman i get this as a part of the response :
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide