
REST API Cisco ISE getting NAD port ID

SzymonLudowicz
Level 1

When I display the endpoint table in ISE, I have a column called "NAD port ID".

ISE.jpg

How do I use the REST API with an endpoint ID to get the "NAD port ID" (Network Access Device port ID) to which the endpoint is connected?

The same question applies to the column "Network Device Name".

When I GET Endpoint Details, I do not have this information.


I use https://<ISEserver>/admin/API/mnt/Session/MACAddress/<MACAddress> but the response does not contain all the parameters described in the documentation. A lot of data is missing, for example: <nas_port_id>

api_blur.jpg

Are you running the API call on an endpoint that is currently connected and has an active session? If so, you might need to look at exactly how the API call is crafted as I'm seeing the information in the 200 response when I run it from Postman.

Here is the cURL request being sent by Postman in my example:

curl --location 'https://ise31-1.ise.trappedunderise.com/admin/API/mnt/Session/MACAddress/00:50:56:91:35:71' \
--header 'Accept: application/xml' \
--header 'Authorization: Basic xxx'

And here is the output from the 200 OK response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionParameters>
<passed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</passed>
<failed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</failed>
<user_name>host/win10-vm1.trappedunderise.com</user_name>
<nas_ip_address>192.168.120.35</nas_ip_address>
<calling_station_id>00:50:56:91:35:71</calling_station_id>
<orig_calling_station_id>00-50-56-91-35-71</orig_calling_station_id>
<cpmsession_id>C0A878230000001132C36D44</cpmsession_id>
<destination_ip_address>192.168.222.50</destination_ip_address>
<device_ip_address>192.168.120.35</device_ip_address>
<identity_group>Workstation</identity_group>
<network_device_name>sw1</network_device_name>
<acs_server>ise31-1</acs_server>
<authentication_method>dot1x</authentication_method>
<authentication_protocol>PEAP (EAP-MSCHAPv2)</authentication_protocol>
<framed_ip_address>192.168.223.100</framed_ip_address>
<auth_acs_timestamp>2023-09-13T07:25:22.484+10:00</auth_acs_timestamp>
<execution_steps>11001,11017,15049,15008,15048,15048,15048,11507,12500,12625,11006,11001,11018,12301,12300,12625,11006,11001,11018,12302,12318,12800,12805,12806,12807,12808,12810,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12318,12810,12812,12803,12804,12801,12802,12816,12310,12305,11006,11001,11018,12304,12313,11521,12305,11006,11001,11018,12304,11522,11806,12305,11006,11001,11018,12304,11808,15041,15048,15048,15013,24431,24325,24313,24319,24323,24343,24470,22037,11824,12305,11006,11001,11018,12304,11810,11814,11519,12314,12305,11006,11001,11018,12304,15036,24209,24211,11055,15048,15048,15048,24433,24355,24435,15048,15016,11022,22081,22080,12306,11503,11002</execution_steps>
<response>{Class=CACS:C0A878230000001132C36D44:ise31-1/482822763/101; EAP-Key-Name=19:65:00:d7:13:a0:6f:6f:30:c3:ff:48:2e:39:19:de:27:08:59:72:4c:b3:ed:26:af:49:e6:43:6d:9b:c4:b5:15:f6:69:60:d5:c7:43:43:4c:59:d4:1f:48:ac:7b:6b:f6:f0:2d:c4:2e:8b:0e:d3:2e:53:e7:23:3f:60:80:42:42; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-MM-DACL-AD-Computer-62551515; cisco-av-pair=cts:security-group-tag=0004-00; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }</response>
<audit_session_id>C0A878230000001132C36D44</audit_session_id>
<nas_port_id>GigabitEthernet0/6</nas_port_id>
<posture_status></posture_status>
<selected_azn_profiles>MM-AuthZ-AD-Computer</selected_azn_profiles>
<service_type>Framed</service_type>
<message_code>5200</message_code>
<auth_acsview_timestamp>2023-09-13T07:25:22.484+10:00</auth_acsview_timestamp>
<auth_id>1693448150875012</auth_id>
<identity_store>TUI-AD</identity_store>
<cts_security_group>Employees</cts_security_group>
<location>All Locations</location>
<device_type>All Device Types</device_type>
<response_time>1114</response_time>
<other_attr_string>:!:ConfigVersionId=78:!:DestinationPort=1812:!:Protocol=Radius:!:NAS-Port=50106:!:Framed-MTU=9000:!:State=37CPMSessionID=C0A878230000001132C36D44;31SessionID=ise31-1/482822763/101;:!:Tunnel-Type=(tag=1) VLAN:!:Tunnel-Type=(tag=2) VLAN:!:Tunnel-Medium-Type=(tag=1) 802:!:Tunnel-Medium-Type=(tag=2) 802:!:EAP-Key-Name=:!:NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c:!:IsThirdPartyDeviceFlow=false:!:AcsSessionID=ise31-1/482822763/101:!:SelectedAuthenticationIdentityStores=All_AD_Join_Points:!:AuthenticationStatus=AuthenticationPassed:!:IdentityPolicyMatchedRule=PEAP:!:AuthorizationPolicyMatchedRule=PEAP Computer:!:EndPointMACAddress=00-50-56-91-35-71:!:ISEPolicySetName=Wired_MM:!:IdentitySelectionMatchedRule=PEAP:!:AD-Host-Resolved-Identities=WIN10-VM1$@trappedunderise.com:!:AD-Host-Candidate-Identities=WIN10-VM1$@trappedunderise.com:!:AD-Host-Join-Point=TRAPPEDUNDERISE.COM:!:TotalAuthenLatency=1335:!:ClientLatency=221:!:AD-Host-Resolved-DNs=CN=win10-vm1,OU=Intune Managed,DC=trappedunderise,DC=com:!:AD-Host-DNS-Domain=trappedunderise.com:!:AD-Groups-Names=trappedunderise.com/Users/Domain Computers:!:AD-Host-NetBios-Name=TRAPPEDUNDERISE:!:IsMachineIdentity=true:!:UserAccountControl=4128:!:AD-Host-SamAccount-Name=WIN10-VM1$:!:AD-Host-Qualified-Name=WIN10-VM1$@trappedunderise.com:!:TLSCipher=ECDHE-RSA-AES256-GCM-SHA384:!:TLSVersion=TLSv1.2:!:DTLSSupport=Unknown:!:HostIdentityGroup=Endpoint Identity Groups:Profiled:Workstation:!:Network Device Profile=Cisco:!:Location=Location#All Locations:!:Device Type=Device Type#All Device Types:!:IPSEC=IPSEC#Is IPSEC Device#No:!:CTS Tier=CTS Tier#CTS Tier:!:Restricted State=Restricted State#Restricted State:!:TrustSec Status=TrustSec Status#TrustSec Status:!:WLC OS Type=WLC OS Type#WLC OS Type:!:Deployment Stage=Deployment Stage#Deployment Stage#Monitor Mode:!:ExternalGroups=S-1-5-21-3491572877-815640636-3568788564-515:!:IdentityAccessRestricted=false:!:StepData="4= DEVICE.Device Type","5= 
Radius.User-Name","6= DEVICE.Deployment Stage","82= Network Access.EapTunnel","83= Network Access.EapAuthentication","84=All_AD_Join_Points","85=All_AD_Join_Points","86=host/win10-vm1.trappedunderise.com","87=trappedunderise.com","88=trappedunderise.com","90=WIN10-VM1$@trappedunderise.com","91=All_AD_Join_Points","112= Radius.NAS-Port-Type","113= Session.ANCPolicy","114= Network Access.EapTunnel","0=TUI-AD","1=trappedunderise.com","2=TUI-AD","118= TUI-AD.ExternalGroups"=StepData:!:RADIUS Username=host/win10-vm1.trappedunderise.com:!:NAS-Identifier=sw1.grizzwald.local:!:Device IP Address=192.168.120.35:!:CPMSessionID=C0A878230000001132C36D44:!:Called-Station-ID=00:56:2B:80:C0:86:!:CiscoAVPair=service-type=Framed,audit-session-id=C0A878230000001132C36D44,method=dot1x,dc-profile-name=Microsoft-Workstation,dc-device-name=MSFT 5.0,dc-device-class-tag=Workstation:Microsoft-Workstation,dc-certainty-metric=10,dc-opaque=,dc-protocol-map=9,dhcp-option=client-fqdn=0, 0, 0, 119, 105, 110, 49, 48, 45, 118, 109, 49, 46, 116, 114, 97, 112, 112, 101, 100, 117, 110, 100, 101, 114, 105, 115, 101, 46, 99, 111, 109,dhcp-option=dhcp-requested-address=192.168.223.100,dhcp-option=00:ff:00:87:76:62:98:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00,dhcp-option=dhcp-parameter-request-list=1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252,dhcp-option=dhcp-class-identifier=MSFT 
5.0,dhcp-option=host-name=win10-vm1,dhcp-option=dhcp-client-identifier=01:00:50:56:91:35:71,dhcp-option=dhcp-message-type=3,AuthenticationIdentityStore=TUI-AD,FQSubjectName=0a17d940-207d-11ee-aa43-5e31474d2eae#host/win10-vm1.trappedunderise.com,UniqueSubjectID=f3d8a27254b658ef163ea9d120aab89c5402c6d9</other_attr_string>
<acct_id>1693448150875016</acct_id>
<acct_acs_timestamp>2023-09-13T07:25:22.797+10:00</acct_acs_timestamp>
<acct_acsview_timestamp>2023-09-13T07:25:22.797+10:00</acct_acsview_timestamp>
<acct_session_id>0000000F</acct_session_id>
<acct_status_type>Start</acct_status_type>
<acct_input_octets>2593482</acct_input_octets>
<acct_output_octets>192507158</acct_output_octets>
<acct_input_packets>11755</acct_input_packets>
<acct_output_packets>2176394</acct_output_packets>
<acct_delay_time>0</acct_delay_time>
<event_timestamp>1694550479</event_timestamp>
<started xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</started>
<stopped xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</stopped>
<dacl>#ACSACL#-IP-MM-DACL-AD-Computer-62551515</dacl>
<endpoint_policy>Windows10-Workstation</endpoint_policy>
</sessionParameters>

I noticed that the number of displayed XML tags depends on the status of the endpoint in ISE. Look at ISE > Operations > Live Sessions: if the endpoint has the "Started" status, a short list of tags is displayed; if the endpoint has the "Authenticated" status, we have a full list.

I have a lot of endpoints in ISE with the Started status that work normally on the network. They have had this status for a long time.

What should I do to change their status to Authenticated?
Or what can I do to ensure that endpoints with the Started status return a full XML list when queried via the monitoring REST APIs?

session (1).JPG

I would expect the other way around...

Started session means ISE received a matching accounting start message.
Authenticated session means ISE got authentication request without accounting message.

You can see from my API output, the endpoint is in the Started state. If you're not getting RADIUS Accounting for some of the sessions, ISE would have more limited information about the endpoint session.

<acct_status_type>Start</acct_status_type>
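
Added example, not part of the thread and not Cisco code: it validates a MAC address before placing it in the MnT session URL used above, then pulls the NAD fields out of a `<sessionParameters>` reply and lists the ones that are absent. The function names, the host `ise.example.com` and both sample replies are constructed for illustration; treating a missing `<acct_status_type>` as "no accounting seen" is an assumption based on the explanation above.

```python
import re
import xml.etree.ElementTree as ET

# Fields the question asks about, plus the accounting marker from the reply.
WANTED = ("network_device_name", "nas_ip_address", "nas_port_id", "acct_status_type")

# Constructed sample: trimmed from the 200 OK response quoted in the thread.
FULL_REPLY = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionParameters>
<calling_station_id>00:50:56:91:35:71</calling_station_id>
<nas_ip_address>192.168.120.35</nas_ip_address>
<network_device_name>sw1</network_device_name>
<nas_port_id>GigabitEthernet0/6</nas_port_id>
<acct_status_type>Start</acct_status_type>
</sessionParameters>"""

# Constructed sample: a short reply of the kind the question describes (contents assumed).
SHORT_REPLY = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionParameters>
<user_name>host/win10-vm1.trappedunderise.com</user_name>
<calling_station_id>00:50:56:91:35:71</calling_station_id>
</sessionParameters>"""

def session_url(ise_host, mac):
    """Build the MnT session URL; reject input that is not a 12-hex-digit MAC."""
    digits = re.sub(r"[:.\-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    colon_mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return f"https://{ise_host}/admin/API/mnt/Session/MACAddress/{colon_mac}"

def nad_location(xml_bytes):
    """Return the wanted fields that are present and the names of those that are not."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "sessionParameters":
        raise ValueError(f"unexpected root element: {root.tag}")
    found = {}
    for name in WANTED:
        value = (root.findtext(name) or "").strip()
        if value:  # an empty element such as <posture_status></posture_status> counts as absent
            found[name] = value
    missing = [name for name in WANTED if name not in found]
    return {"found": found, "missing": missing,
            "accounting_seen": "acct_status_type" in found}

if __name__ == "__main__":
    print(session_url("ise.example.com", "00-50-56-91-35-71"))
    for reply in (FULL_REPLY, SHORT_REPLY):
        print(nad_location(reply))
```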

 


Charlie Moreton
Cisco Employee

These attributes are not statically assigned to the endpoint. This is why they don't exist in the API. The information shown is learned by ISE using profiling probes.