08-10-2021 01:55 AM
Is it possible to query the authentication status of a port, like the 'show authentication session int ...' command does, with NETCONF/YANG? To get the MAC address and the auth method? Especially on Catalyst 3650 switches, or at least on the 9200 series? What information (xpath?) would I need?
08-16-2021 10:27 AM
This is possible with a version that supports the Cisco-IOS-XE-identity-oper module.
I tested it in the lab with version 17.6 on a Catalyst 9300-24T.
Switch# show version
Cisco IOS XE Software, Version 17.06.01
Cisco IOS Software [Bengaluru], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.6.1, RELEASE SOFTWARE (fc6)
...
cisco C9300-24T (X86) processor with 1317626K/6147K bytes of memory.
The command show authentication session in the lab returns this result:
Switch# show authentication session
Interface MAC Address Method Domain Status Fg Session ID
--------------------------------------------------------------------------------------------
Gi5/0/1 70b3.17e9.f401 N/A UNKNOWN Unauth 000000000000000B4FE28C9B
Session count = 1
And the RESTCONF query with this URL:
https://{{host}}:{{port}}/restconf/data/Cisco-IOS-XE-identity-oper:identity-oper-data/
Displays the same result:
{
"Cisco-IOS-XE-identity-oper:identity-oper-data": {
"session-context-data": [
{
"mac": "70:b3:17:e9:f4:01",
"ipv4": "0.0.0.0",
"intf-iifid": 8,
"method-id": "invalid-method-id",
"domain": "domain-unknown",
"scope": "scope-unknown",
"audit-id": {
"aid": "000000000000000B4FE28C9B"
}
...
"intf-name": "GigabitEthernet5/0/1",
"policy-name": "POLICY_Gi5/0/1",
"blocked-on-state": "flags-none",
"pre-event": "event-none",
...
You can also try NETCONF, but in order to make it work the MAC address needs to be used as a key.
Sends:
<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:faacf12f-a69f-4298-ac1e-bf1eb3a2ccf5"><nc:get>
<nc:filter>
<identity-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-identity-oper">
<session-context-data>
<mac>70:b3:17:e9:f4:01</mac>
</session-context-data>
</identity-oper-data>
</nc:filter>
</nc:get>
</nc:rpc>
Receives:
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:faacf12f-a69f-4298-ac1e-bf1eb3a2ccf5">
<data>
<identity-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-identity-oper">
<session-context-data>
<mac>70:b3:17:e9:f4:01</mac>
<ipv4>0.0.0.0</ipv4>
<intf-iifid>8</intf-iifid>
<method-id>web-auth-id</method-id>
<domain>domain-unknown</domain>
<scope>scope-unknown</scope>
<audit-id>
<aid>000000000000000F4FF1A7C8</aid>
</audit-id>
...
<intf-name>GigabitEthernet5/0/1</intf-name>
<policy-name>POLICY_Gi5/0/1</policy-name>
<blocked-on-state>flags-none</blocked-on-state>
...
</session-context-data>
</identity-oper-data>
</data>
</rpc-reply>
The link that marce1000 sent is no longer valid; it includes information related to yang-explorer, which is no longer supported.
I suggest rather trying Yang Suite to navigate the models:
This is what I used to quickly identify how to pull the data:
Enjoy the automation!
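The exchange in the answer above, as an added example that is not part of the original thread: it builds the MAC-keyed subtree filter for the Cisco-IOS-XE-identity-oper <get> and maps the <rpc-reply> leaves back onto the columns of 'show authentication session'. It runs offline against a constructed reply copied from the posted sample (no ncclient, no device); the method-id suffix handling and the dict field names are my own assumptions.

```python
"""Filter builder and reply parser for Cisco-IOS-XE-identity-oper over NETCONF."""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
ID_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-identity-oper"
NS = {"nc": NC_NS, "id": ID_NS}

# Constructed reply modelled on the one posted above. Leaves elided there are
# left out here too; the page shows no status leaf, so none is parsed.
SAMPLE_REPLY = f"""<rpc-reply xmlns="{NC_NS}" message-id="1"><data>
<identity-oper-data xmlns="{ID_NS}"><session-context-data>
<mac>70:b3:17:e9:f4:01</mac><ipv4>0.0.0.0</ipv4><intf-iifid>8</intf-iifid>
<method-id>web-auth-id</method-id><domain>domain-unknown</domain>
<audit-id><aid>000000000000000F4FF1A7C8</aid></audit-id>
<intf-name>GigabitEthernet5/0/1</intf-name></session-context-data>
</identity-oper-data></data></rpc-reply>"""


def cli_to_yang_mac(mac: str) -> str:
    """IOS '70b3.17e9.f401' -> '70:b3:17:e9:f4:01', the form the model keys on."""
    hexd = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexd) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2))


def build_filter(mac: str) -> str:
    """Subtree filter for <get>; the MAC list key is mandatory, per the answer."""
    return (f'<identity-oper-data xmlns="{ID_NS}"><session-context-data>'
            f"<mac>{cli_to_yang_mac(mac)}</mac></session-context-data>"
            "</identity-oper-data>")


def parse_sessions(rpc_reply_xml: str) -> list:
    """One dict per session-context-data, in 'show authentication session' terms."""
    rows = []
    for ctx in ET.fromstring(rpc_reply_xml).findall(".//id:session-context-data", NS):
        def leaf(path: str) -> str:
            return (ctx.findtext(path, namespaces=NS) or "").strip()
        method = leaf("id:method-id")
        yang_mac = leaf("id:mac").replace(":", "")
        rows.append({
            "interface": leaf("id:intf-name"),
            "mac": ".".join(yang_mac[i:i + 4] for i in (0, 4, 8)),  # CLI form
            # 'invalid-method-id' printed as 'N/A' in the CLI output above; for
            # other values dropping the '-id' suffix is an assumption.
            "method": "N/A" if method == "invalid-method-id"
                      else (method[:-3] if method.endswith("-id") else method),
            "domain": leaf("id:domain").replace("domain-", "", 1).upper(),
            "session_id": leaf("id:audit-id/id:aid"),
        })
    return rows
```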
08-10-2021 02:49 AM
- Check this document: https://www.cisco.com/c/en/us/support/docs/storage-networking/management/200933-YANG-NETCONF-Configuration-Validation.html
and/or some examples may apply (with modification according to your specific needs).
M.
08-12-2021 02:15 AM
Thanks, I checked all xpaths, especially regarding authentication, but I couldn't find anything that showed the authentication session status. Are there any specific areas I could look at?