cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
241
Views
1
Helpful
2
Replies

Query Regarding Discrepancy in Active Session Count from ISE API

I am using the following API to fetch the authentication list of active sessions from Cisco ISE:

https://<ISEhost>/admin/API/mnt/Session/AuthList/starttime/endtime

When I retrieve the data using this API in Postman, I also receive a count of the total number of active sessions. However, when I insert this data into my database, the number of entries in the database exceeds the active session count provided by the API response.

What leads to this discrepancy?

2 Accepted Solutions

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

> when I insert this data into my database

I don't know what you mean - you cannot insert data into the ISE database via these MNT APIs.

> the number of entries in the database exceeds the active session count provided by the API response.

You have not provided an actual query or response to know what you're doing or expecting - especially the specific GUI pages or database tables you are referencing. There are RADIUS authentications and then there are sessions which represent an endpoint's connection to the network between a RADIUS Accounting Start and Stop messages from the endpoint's network device.

According to the ISE MNT API documentation, the https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{start-time}/{end-time} represents the active sessions that are authenticated or lists the active sessions with accounting updates in the given time frame.

Unfortunately this documentation is old and confusing. It is counting the authentications (AuthList) between start-time and end-time.

 

❱ curl --silent --insecure  --location \
  --header 'Accept: application/xml' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/AuthList/2024-12-02%2015:00:00/null \
  | xq

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="4">
  <activeSession>
    <user_name>bob.ad</user_name>
    <calling_station_id>B0:A7:B9:0B:7D:3A</calling_station_id>
    <nas_ip_address>10.1.23.2</nas_ip_address>
    <acct_session_id>E9CBAE0CCDF75A63</acct_session_id>
    <server>ise-ppan</server>
    <framed_ip_address>10.1.23.14</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
  <activeSession>
    <user_name>AC:17:C8:0C:17:A0</user_name>
    <calling_station_id>AC:17:C8:0C:17:A0</calling_station_id>
    <nas_ip_address>10.1.10.3</nas_ip_address>
    <acct_session_id>E7D8914C99DEE77D</acct_session_id>
    <audit_session_id>531df7060000b803674dd61a</audit_session_id>
    <server>ise-ppan</server>
    <framed_ip_address>10.1.10.19</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
  <activeSession>
    <user_name>EC:71:DB:72:E7:55</user_name>
    <calling_station_id>EC:71:DB:72:E7:55</calling_station_id>
    <nas_ip_address>10.1.10.3</nas_ip_address>
    <acct_session_id>4792114FC05859A9</acct_session_id>
    <audit_session_id>531df7060000b801674dd5da</audit_session_id>
    <server>ise-ppan</server>
    <framed_ip_address>10.1.10.23</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
  <activeSession>
    <user_name>gguser1,gg-win11vm1.isedtea.net</user_name>
    <calling_station_id>00:50:56:91:5A:7D</calling_station_id>
    <nas_ip_address>10.1.23.3</nas_ip_address>
    <acct_session_id>1943368F61D7420D</acct_session_id>
    <audit_session_id>283fff060000240e6749499d</audit_session_id>
    <server>ise-ppan</server>
    <framed_ip_address>10.1.23.13</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
</activeList>

These 4 authentications above represent the start of only half of my actual live sessions (4 above, 8 below) from the ActiveList query :

❱ curl  --silent  --insecure  --location \
  --header 'Accept: application/xml' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD  \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveList \
  | xq

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="8">
...

Please see my ISE MNT API examples: ISE Monitoring API Examples 

With all that said, I do not recommend the ISE MNT APIs unless you have a very specify query by active session. For ISE authentication and accounting logs, please use the ISE 3.2+ Data Connect feature with an ODBC client for superior query capabilities and speed. I use my very simple iseql.py script and my many frequently asked queries like radius_auths.sqlradius_acct.sql, or radius_acct_sessions_active.sql. Also watch my webinar about many of these issues :

 How to Get Data Out of ISE 

48:32 ISE Data Connect
  OpenAPI: https://cs.co/ise-api#!data-connect-openapi
  Guides: https://cs.co/ise-dataconnect
  iseql.py: https://github.com/1homas/ISE_Python_Scripts/blob/main/iseql.py
52:07: Demo: ISE Data Connect SQL Queries

 

 

View solution in original post

Hey Thomas, thanks for replying . 

--> I don't know what you mean - you cannot insert data into the ISE database via these MNT APIs.

       I mean that I am inserting data that i am fetching using MNT APIs into a database that i have created , that is where i am                   tallying the number of records from.

 

--> I'll explain to you what i am doing , basically I am fetching data using this api :  https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{start-time}/{end-time} 

and inserting this data in my database . 

Now, i have two doubts :

1) When i hit this api via postman i get this as a part of the response :

 
<activeList noOfActiveSession="2657">
    <activeSession>
 
but , this count doesn't match the entries in my database.
So are u trying to tell me that this is because this { noOfActiveSession="2657" } is the count for active sessions and it will not be the same as authlists ?
 
2)In the UI, in Operations > Radius > Live Logs , i search the data for last 24 hours for either a specific IP or MAC , in my db i query and search the entries for that same ip and mac , but the entries in both of these responses do not match , why is that ?
 
Also I will have a look at the dataConnect feature

View solution in original post

2 Replies 2

thomas
Cisco Employee
Cisco Employee

> when I insert this data into my database

I don't know what you mean - you cannot insert data into the ISE database via these MNT APIs.

> the number of entries in the database exceeds the active session count provided by the API response.

You have not provided an actual query or response to know what you're doing or expecting - especially the specific GUI pages or database tables you are referencing. There are RADIUS authentications and then there are sessions which represent an endpoint's connection to the network between a RADIUS Accounting Start and Stop messages from the endpoint's network device.

According to the ISE MNT API documentation, the https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{start-time}/{end-time} represents the active sessions that are authenticated or lists the active sessions with accounting updates in the given time frame.

Unfortunately this documentation is old and confusing. It is counting the authentications (AuthList) between start-time and end-time.

 

❱ curl --silent --insecure  --location \
  --header 'Accept: application/xml' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/AuthList/2024-12-02%2015:00:00/null \
  | xq

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="4">
  <activeSession>
    <user_name>bob.ad</user_name>
    <calling_station_id>B0:A7:B9:0B:7D:3A</calling_station_id>
    <nas_ip_address>10.1.23.2</nas_ip_address>
    <acct_session_id>E9CBAE0CCDF75A63</acct_session_id>
    <server>ise-ppan</server>
    <framed_ip_address>10.1.23.14</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
  <activeSession>
    <user_name>AC:17:C8:0C:17:A0</user_name>
    <calling_station_id>AC:17:C8:0C:17:A0</calling_station_id>
    <nas_ip_address>10.1.10.3</nas_ip_address>
    <acct_session_id>E7D8914C99DEE77D</acct_session_id>
    <audit_session_id>531df7060000b803674dd61a</audit_session_id>
    <server>ise-ppan</server>
    <framed_ip_address>10.1.10.19</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
  <activeSession>
    <user_name>EC:71:DB:72:E7:55</user_name>
    <calling_station_id>EC:71:DB:72:E7:55</calling_station_id>
    <nas_ip_address>10.1.10.3</nas_ip_address>
    <acct_session_id>4792114FC05859A9</acct_session_id>
    <audit_session_id>531df7060000b801674dd5da</audit_session_id>
    <server>ise-ppan</server>
    <framed_ip_address>10.1.10.23</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
  <activeSession>
    <user_name>gguser1,gg-win11vm1.isedtea.net</user_name>
    <calling_station_id>00:50:56:91:5A:7D</calling_station_id>
    <nas_ip_address>10.1.23.3</nas_ip_address>
    <acct_session_id>1943368F61D7420D</acct_session_id>
    <audit_session_id>283fff060000240e6749499d</audit_session_id>
    <server>ise-ppan</server>
    <framed_ip_address>10.1.23.13</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
</activeList>

These 4 authentications above represent the start of only half of my actual live sessions (4 above, 8 below) from the ActiveList query :

❱ curl  --silent  --insecure  --location \
  --header 'Accept: application/xml' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD  \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveList \
  | xq

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="8">
...

Please see my ISE MNT API examples: ISE Monitoring API Examples 

With all that said, I do not recommend the ISE MNT APIs unless you have a very specify query by active session. For ISE authentication and accounting logs, please use the ISE 3.2+ Data Connect feature with an ODBC client for superior query capabilities and speed. I use my very simple iseql.py script and my many frequently asked queries like radius_auths.sqlradius_acct.sql, or radius_acct_sessions_active.sql. Also watch my webinar about many of these issues :

 How to Get Data Out of ISE 

48:32 ISE Data Connect
  OpenAPI: https://cs.co/ise-api#!data-connect-openapi
  Guides: https://cs.co/ise-dataconnect
  iseql.py: https://github.com/1homas/ISE_Python_Scripts/blob/main/iseql.py
52:07: Demo: ISE Data Connect SQL Queries

 

 

Hey Thomas, thanks for replying . 

--> I don't know what you mean - you cannot insert data into the ISE database via these MNT APIs.

       I mean that I am inserting data that i am fetching using MNT APIs into a database that i have created , that is where i am                   tallying the number of records from.

 

--> I'll explain to you what i am doing , basically I am fetching data using this api :  https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{start-time}/{end-time} 

and inserting this data in my database . 

Now, i have two doubts :

1) When i hit this api via postman i get this as a part of the response :

 
<activeList noOfActiveSession="2657">
    <activeSession>
 
but , this count doesn't match the entries in my database.
So are u trying to tell me that this is because this { noOfActiveSession="2657" } is the count for active sessions and it will not be the same as authlists ?
 
2)In the UI, in Operations > Radius > Live Logs , i search the data for last 24 hours for either a specific IP or MAC , in my db i query and search the entries for that same ip and mac , but the entries in both of these responses do not match , why is that ?
 
Also I will have a look at the dataConnect feature