Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1098
Views
2
Helpful
7
Replies

REST API Cisco ISE geting NAD port ID

SzymonLudowicz
Level 1
Level 1

‎09-10-2023 05:25 AM

When I display the endpoint table in ISE, I have a column called "NAD port ID".

ISE.jpg

How to use the REST API with an endpoint ID to get the "NAD port ID" (Network Access Device port ID) to which endpoint is connected ?

The same question applies to the column "Network Device Name".

When I GET Endpoint Details, I do not have this information.

0 Helpful
7 Replies 7

SzymonLudowicz
Level 1
Level 1
In response to Greg Gibbs

‎09-12-2023 02:12 AM

I use https://<ISEserver>/admin/API/mnt/Session/MACAddress/<MACAddress> but respons does not contain all the parameters described in the documentation. A lot of data is missing for example: <nas_port_id>

api_blur.jpg

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to SzymonLudowicz

‎09-12-2023 02:47 PM

Are you running the API call on an endpoint that is currently connected and has an active session? If so, you might need to look at exactly how the API call is crafted as I'm seeing the information in the 200 response when I run it from Postman.

Here is the cURL request being sent by Postman in my example:

curl --location 'https://ise31-1.ise.trappedunderise.com/admin/API/mnt/Session/MACAddress/00:50:56:91:35:71' \
--header 'Accept: application/xml' \
--header 'Authorization: Basic xxx'

And here is the output from the 200 OK response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionParameters>
<passed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</passed>
<failed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</failed>
<user_name>host/win10-vm1.trappedunderise.com</user_name>
<nas_ip_address>192.168.120.35</nas_ip_address>
<calling_station_id>00:50:56:91:35:71</calling_station_id>
<orig_calling_station_id>00-50-56-91-35-71</orig_calling_station_id>
<cpmsession_id>C0A878230000001132C36D44</cpmsession_id>
<destination_ip_address>192.168.222.50</destination_ip_address>
<device_ip_address>192.168.120.35</device_ip_address>
<identity_group>Workstation</identity_group>
<network_device_name>sw1</network_device_name>
<acs_server>ise31-1</acs_server>
<authentication_method>dot1x</authentication_method>
<authentication_protocol>PEAP (EAP-MSCHAPv2)</authentication_protocol>
<framed_ip_address>192.168.223.100</framed_ip_address>
<auth_acs_timestamp>2023-09-13T07:25:22.484+10:00</auth_acs_timestamp>
<execution_steps>11001,11017,15049,15008,15048,15048,15048,11507,12500,12625,11006,11001,11018,12301,12300,12625,11006,11001,11018,12302,12318,12800,12805,12806,12807,12808,12810,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12318,12810,12812,12803,12804,12801,12802,12816,12310,12305,11006,11001,11018,12304,12313,11521,12305,11006,11001,11018,12304,11522,11806,12305,11006,11001,11018,12304,11808,15041,15048,15048,15013,24431,24325,24313,24319,24323,24343,24470,22037,11824,12305,11006,11001,11018,12304,11810,11814,11519,12314,12305,11006,11001,11018,12304,15036,24209,24211,11055,15048,15048,15048,24433,24355,24435,15048,15016,11022,22081,22080,12306,11503,11002</execution_steps>
<response>{Class=CACS:C0A878230000001132C36D44:ise31-1/482822763/101; EAP-Key-Name=19:65:00:d7:13:a0:6f:6f:30:c3:ff:48:2e:39:19:de:27:08:59:72:4c:b3:ed:26:af:49:e6:43:6d:9b:c4:b5:15:f6:69:60:d5:c7:43:43:4c:59:d4:1f:48:ac:7b:6b:f6:f0:2d:c4:2e:8b:0e:d3:2e:53:e7:23:3f:60:80:42:42; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-MM-DACL-AD-Computer-62551515; cisco-av-pair=cts:security-group-tag=0004-00; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }</response>
<audit_session_id>C0A878230000001132C36D44</audit_session_id>
<nas_port_id>GigabitEthernet0/6</nas_port_id>
<posture_status></posture_status>
<selected_azn_profiles>MM-AuthZ-AD-Computer</selected_azn_profiles>
<service_type>Framed</service_type>
<message_code>5200</message_code>
<auth_acsview_timestamp>2023-09-13T07:25:22.484+10:00</auth_acsview_timestamp>
<auth_id>1693448150875012</auth_id>
<identity_store>TUI-AD</identity_store>
<cts_security_group>Employees</cts_security_group>
<location>All Locations</location>
<device_type>All Device Types</device_type>
<response_time>1114</response_time>
<other_attr_string>:!:ConfigVersionId=78:!:DestinationPort=1812:!:Protocol=Radius:!:NAS-Port=50106:!:Framed-MTU=9000:!:State=37CPMSessionID=C0A878230000001132C36D44;31SessionID=ise31-1/482822763/101;:!:Tunnel-Type=(tag=1) VLAN:!:Tunnel-Type=(tag=2) VLAN:!:Tunnel-Medium-Type=(tag=1) 802:!:Tunnel-Medium-Type=(tag=2) 802:!:EAP-Key-Name=:!:NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c:!:IsThirdPartyDeviceFlow=false:!:AcsSessionID=ise31-1/482822763/101:!:SelectedAuthenticationIdentityStores=All_AD_Join_Points:!:AuthenticationStatus=AuthenticationPassed:!:IdentityPolicyMatchedRule=PEAP:!:AuthorizationPolicyMatchedRule=PEAP Computer:!:EndPointMACAddress=00-50-56-91-35-71:!:ISEPolicySetName=Wired_MM:!:IdentitySelectionMatchedRule=PEAP:!:AD-Host-Resolved-Identities=WIN10-VM1$@trappedunderise.com:!:AD-Host-Candidate-Identities=WIN10-VM1$@trappedunderise.com:!:AD-Host-Join-Point=TRAPPEDUNDERISE.COM:!:TotalAuthenLatency=1335:!:ClientLatency=221:!:AD-Host-Resolved-DNs=CN=win10-vm1,OU=Intune Managed,DC=trappedunderise,DC=com:!:AD-Host-DNS-Domain=trappedunderise.com:!:AD-Groups-Names=trappedunderise.com/Users/Domain Computers:!:AD-Host-NetBios-Name=TRAPPEDUNDERISE:!:IsMachineIdentity=true:!:UserAccountControl=4128:!:AD-Host-SamAccount-Name=WIN10-VM1$:!:AD-Host-Qualified-Name=WIN10-VM1$@trappedunderise.com:!:TLSCipher=ECDHE-RSA-AES256-GCM-SHA384:!:TLSVersion=TLSv1.2:!:DTLSSupport=Unknown:!:HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation:!:Network Device Profile=Cisco:!:Location=Location#All Locations:!:Device Type=Device Type#All Device Types:!:IPSEC=IPSEC#Is IPSEC Device#No:!:CTS Tier=CTS Tier#CTS Tier:!:Restricted State=Restricted State#Restricted State:!:TrustSec Status=TrustSec Status#TrustSec Status:!:WLC OS Type=WLC OS Type#WLC OS Type:!:Deployment Stage=Deployment Stage#Deployment Stage#Monitor Mode:!:ExternalGroups=S-1-5-21-3491572877-815640636-3568788564-515:!:IdentityAccessRestricted=false:!:StepData="4= DEVICE.Device Type","5= Radius.User-Name","6= DEVICE.Deployment Stage","82= Network Access.EapTunnel","83= Network Access.EapAuthentication","84=All_AD_Join_Points","85=All_AD_Join_Points","86=host/win10-vm1.trappedunderise.com","87=trappedunderise.com","88=trappedunderise.com","90=WIN10-VM1$@trappedunderise.com","91=All_AD_Join_Points","112= Radius.NAS-Port-Type","113= Session.ANCPolicy","114= Network Access.EapTunnel","0=TUI-AD","1=trappedunderise.com","2=TUI-AD","118= TUI-AD.ExternalGroups"=StepData:!:RADIUS Username=host/win10-vm1.trappedunderise.com:!:NAS-Identifier=sw1.grizzwald.local:!:Device IP Address=192.168.120.35:!:CPMSessionID=C0A878230000001132C36D44:!:Called-Station-ID=00:56:2B:80:C0:86:!:CiscoAVPair=service-type=Framed,audit-session-id=C0A878230000001132C36D44,method=dot1x,dc-profile-name=Microsoft-Workstation,dc-device-name=MSFT 5.0,dc-device-class-tag=Workstation:Microsoft-Workstation,dc-certainty-metric=10,dc-opaque=,dc-protocol-map=9,dhcp-option=client-fqdn=0, 0, 0, 119, 105, 110, 49, 48, 45, 118, 109, 49, 46, 116, 114, 97, 112, 112, 101, 100, 117, 110, 100, 101, 114, 105, 115, 101, 46, 99, 111, 109,dhcp-option=dhcp-requested-address=192.168.223.100,dhcp-option=00:ff:00:87:76:62:98:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00,dhcp-option=dhcp-parameter-request-list=1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252,dhcp-option=dhcp-class-identifier=MSFT 5.0,dhcp-option=host-name=win10-vm1,dhcp-option=dhcp-client-identifier=01:00:50:56:91:35:71,dhcp-option=dhcp-message-type=3,AuthenticationIdentityStore=TUI-AD,FQSubjectName=0a17d940-207d-11ee-aa43-5e31474d2eae#host/win10-vm1.trappedunderise.com,UniqueSubjectID=f3d8a27254b658ef163ea9d120aab89c5402c6d9</other_attr_string>
<acct_id>1693448150875016</acct_id>
<acct_acs_timestamp>2023-09-13T07:25:22.797+10:00</acct_acs_timestamp>
<acct_acsview_timestamp>2023-09-13T07:25:22.797+10:00</acct_acsview_timestamp>
<acct_session_id>0000000F</acct_session_id>
<acct_status_type>Start</acct_status_type>
<acct_input_octets>2593482</acct_input_octets>
<acct_output_octets>192507158</acct_output_octets>
<acct_input_packets>11755</acct_input_packets>
<acct_output_packets>2176394</acct_output_packets>
<acct_delay_time>0</acct_delay_time>
<event_timestamp>1694550479</event_timestamp>
<started xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</started>
<stopped xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</stopped>
<dacl>#ACSACL#-IP-MM-DACL-AD-Computer-62551515</dacl>
<endpoint_policy>Windows10-Workstation</endpoint_policy>
</sessionParameters>
0 Helpful

SzymonLudowicz
Level 1
Level 1
In response to Greg Gibbs

‎09-14-2023 12:42 AM

I noticed that the number of displayed XML tags depends on the status of the endpoint in ISE, look at ISE>Operations>Live Sessions, if the endpoint has the "Started" status, a short list of tags is displayed, if endpoint has the "Authenticated" status, we have a full list.

I have a lot of endpoints in ISE with the Started status that work normally on the network. They have had this status for a long time.

What should I do to change their status to Authenticated?
Or what to do to ensure that endpoints with the Started status return a full XML list when queried via monitoring Rest APIs?

session (1).JPG

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee
In response to SzymonLudowicz

‎09-14-2023 04:17 PM

I would expect the other way around...

Started session means ISE received a matching accounting start message.
Authenticated session means ISE got authentication request without accounting message.

You can see from my API output, the endpoint is in the Started state. If you're not not getting RADIUS Accounting for some of the sessions, ISE would have more limited information about the endpoint session.

<acct_status_type>Start</acct_status_type>

 

0 Helpful

SzymonLudowicz
Level 1
Level 1

‎09-12-2023 02:11 AM

I use https://<ISEserver>/admin/API/mnt/Session/MACAddress/<MACAddress> but respons does not contain all the parameters described in the documentation. A lot of data is missing for example: <nas_port_id>

api_blur.jpg

0 Helpful

Charlie Moreton
Cisco Employee
Cisco Employee

‎09-12-2023 07:28 AM

ese attributes are not statically assigned to the endpoint.  This is why they don't exist in the API.  The information shown is learned by ISE using profiling probes.

0 Helpful
Customers Also Viewed These Support Documents