cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1617
Views
0
Helpful
5
Replies

REST request to ISE 1.4 always returns 0 sessions or errors.

ILKIN GASIMOV
Level 1
Level 1

We`ve installed ISE 1.4.0.253  and also use REST API to get session details from ISE.

But for some reason ISE always returns 0  or error for the following requests although we have active sessions as shown below:

 

https://ise_ip/admin/API/mnt/Session/AuthList/null/null

<activeList noOfActiveSession="0"/>

https://ise_ip/admin/API/mnt/Session/ActiveCount

<sessionCount><count>0</count></sessionCount>

https://ise_ip/admin/API/mnt/Session/UserName/cisco

<mnt-rest-result><http-code>500</http-code><cpm-code>34110</cpm-code><description>Server has encountered error while processing the REST request</description><module-name>MnT</module-name><internal-error-info>Error in generating XML output. Error message = Session data is not available for cisco.</internal-error-info><requested-operation>Get By Name</requested-operation><resource-id>N/A</resource-id><resource-name>N/A</resource-name><resource-type>RESTSDStatus</resource-type><status>SERVER_ERROR</status></mnt-rest-result>

 

ISE authentication table

 

Only version information is returned correctly.

https://ise_ip/admin/API/mnt/Version

<product name="Cisco Identity Services Engine"><version>1.4.0.253</version><type_of_node>0</type_of_node></product>

5 Replies 5

jan.nielsen
Level 7
Level 7

The attached picture shows the live authentication log, not the session table, If you go the actual live session view, are there any sessions ? Also the user you are authenticating with in the API calls, is that user in the ERS Admin group ?

No sessions are available in the live session view window.

I`m doing a simple switch vty (ssh) access authentication and authorization on ISE.

According to the ISE REST API Guide there are active sessions and authenticated active sessions. 

None of those sessions are available in the session view windows in my case.

I use the default admin user for requests, because any other admin user requests result in "Logged-in Administrator is Unauthorized to access REST API" message, even if the user is in the ERS Admin group. Only when I add that user to the Super Admin group, then the request attempt is successful.

Thank you very much for your help. 

If there are no sessions, in your session view, then there should also not be any in the REST API returned data, so that is as expected. I don't think cli logins that are authen/authz will create "sessions" in ISE, as they are not related to user access, but rather device administration. For a session to be created, some type of endpoint mac address and ip address assignement needs to be available for ise to see, which it is not in your case. You need some cisco wlc or switch with mab or dot1x configured to trigger a session to be created.

OK, I`ll setup a simple lab, and see if this is the case. Thank you again.

jan.nielsen, correct, device administration logins will not create  radius, but dot1x or mab will do. I can now see sessions in the live session windows. Thanks.