09-21-2015 05:16 AM - edited 03-10-2019 11:04 PM
We've installed ISE 1.4.0.253 and also use the REST API to get session details from ISE.
But for some reason ISE always returns 0 or error for the following requests although we have active sessions as shown below:
https://ise_ip/admin/API/mnt/Session/AuthList/null/null
<activeList noOfActiveSession="0"/>
https://ise_ip/admin/API/mnt/Session/ActiveCount
<sessionCount><count>0</count></sessionCount>
https://ise_ip/admin/API/mnt/Session/UserName/cisco
<mnt-rest-result><http-code>500</http-code><cpm-code>34110</cpm-code><description>Server has encountered error while processing the REST request</description><module-name>MnT</module-name><internal-error-info>Error in generating XML output. Error message = Session data is not available for cisco.</internal-error-info><requested-operation>Get By Name</requested-operation><resource-id>N/A</resource-id><resource-name>N/A</resource-name><resource-type>RESTSDStatus</resource-type><status>SERVER_ERROR</status></mnt-rest-result>
Only version information is returned correctly.
https://ise_ip/admin/API/mnt/Version
<product name="Cisco Identity Services Engine"><version>1.4.0.253</version><type_of_node>0</type_of_node></product>
09-21-2015 11:22 AM
The attached picture shows the live authentication log, not the session table. If you go to the actual live session view, are there any sessions? Also, the user you are authenticating with in the API calls, is that user in the ERS Admin group?
09-21-2015 12:50 PM
No sessions are available in the live session view window.
I'm doing a simple switch vty (ssh) access authentication and authorization on ISE.
According to the ISE REST API Guide there are active sessions and authenticated active sessions.
None of those sessions are available in the session view windows in my case.
I use the default admin user for requests, because any other admin user requests result in "Logged-in Administrator is Unauthorized to access REST API" message, even if the user is in the ERS Admin group. Only when I add that user to the Super Admin group, then the request attempt is successful.
Thank you very much for your help.
09-21-2015 05:04 PM
If there are no sessions in your session view, then there should also not be any in the REST API returned data, so that is as expected. I don't think CLI logins that are authen/authz will create "sessions" in ISE, as they are not related to user access, but rather device administration. For a session to be created, some type of endpoint MAC address and IP address assignment needs to be available for ISE to see, which it is not in your case. You need some Cisco WLC or switch with MAB or dot1x configured to trigger a session to be created.
09-21-2015 09:14 PM
OK, I'll set up a simple lab and see if this is the case. Thank you again.
09-27-2015 11:08 PM
jan.nielsen, correct, device administration logins will not create radius, but dot1x or mab will do. I can now see sessions in the live session windows. Thanks.
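Added example, not part of the original thread or Cisco's code: a small Python parser for the three MnT response shapes quoted in the first post, so a monitoring script can tell "zero sessions" (expected here, per the replies) apart from a real failure. The function and state names are hypothetical, and treating the "Session data is not available" text as a no-session result is an assumption based on the single response shown above.

```python
import xml.etree.ElementTree as ET

# Response bodies copied from the first post (error body shortened to the fields used).
SAMPLES = {
    "AuthList": '<activeList noOfActiveSession="0"/>',
    "ActiveCount": "<sessionCount><count>0</count></sessionCount>",
    "UserName": (
        "<mnt-rest-result><http-code>500</http-code><cpm-code>34110</cpm-code>"
        "<internal-error-info>Error in generating XML output. Error message = "
        "Session data is not available for cisco.</internal-error-info>"
        "<status>SERVER_ERROR</status></mnt-rest-result>"
    ),
}


def classify(body):
    """Return (state, detail) for one MnT response body.

    state is 'sessions', 'empty', 'no_session_data' or 'error' (hypothetical names).
    """
    # The responses on the page carry no DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("unexpected DTD in MnT response")
    root = ET.fromstring(body)
    if root.tag == "activeList":
        count = int(root.get("noOfActiveSession") or 0)
        return ("sessions" if count else "empty", count)
    if root.tag == "sessionCount":
        count = int(root.findtext("count") or 0)
        return ("sessions" if count else "empty", count)
    if root.tag == "mnt-rest-result":
        code = root.findtext("cpm-code", "")
        info = root.findtext("internal-error-info", "")
        # Assumption: this message means "no session for that user", not a broken node.
        if "Session data is not available" in info:
            return ("no_session_data", code)
        return ("error", code)
    raise ValueError("unrecognized root element: " + root.tag)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```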