show authentication session via netconf/yang

j-ackermann
Level 1

Is it possible to query the authentication status of a port, like the 'show authentication session int ...' command, with netconf/yang? To get the MAC address and auth method? Especially on Catalyst 3650 switches, or at least on the 9200 series? What information (xpath?) would I need?

Accepted Solution

David Spindola
Cisco Employee

This is possible with a version that supports the Cisco-IOS-XE-identity-oper module.

I tested it in the lab with version 17.6 on a Catalyst 9300-24T.

Switch# show version
Cisco IOS XE Software, Version 17.06.01
Cisco IOS Software [Bengaluru], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 17.6.1, RELEASE SOFTWARE (fc6)
...
cisco C9300-24T (X86) processor with 1317626K/6147K bytes of memory.

The command show authentication session in the lab returns this result:

Switch# show authentication session
Interface                MAC Address    Method  Domain  Status Fg  Session ID
--------------------------------------------------------------------------------------------
Gi5/0/1                  70b3.17e9.f401 N/A     UNKNOWN Unauth      000000000000000B4FE28C9B

Session count = 1

And the RESTCONF query with this URL:

https://{{host}}:{{port}}/restconf/data/Cisco-IOS-XE-identity-oper:identity-oper-data/

Displays the same result:

{
    "Cisco-IOS-XE-identity-oper:identity-oper-data": {
        "session-context-data": [
            {
                "mac": "70:b3:17:e9:f4:01",
                "ipv4": "0.0.0.0",
                "intf-iifid": 8,
                "method-id": "invalid-method-id",
                "domain": "domain-unknown",
                "scope": "scope-unknown",
                "audit-id": {
                    "aid": "000000000000000B4FE28C9B"
                }
...
                "intf-name": "GigabitEthernet5/0/1",
                "policy-name": "POLICY_Gi5/0/1",
                "blocked-on-state": "flags-none",
                "pre-event": "event-none",
...

You can also try NETCONF, but in order to make it work the MAC address needs to be used as a key.

Sends:

<nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:faacf12f-a69f-4298-ac1e-bf1eb3a2ccf5"><nc:get>
    <nc:filter>
      <identity-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-identity-oper">
        <session-context-data>
          <mac>70:b3:17:e9:f4:01</mac>
        </session-context-data>
      </identity-oper-data>
    </nc:filter>
  </nc:get>
</nc:rpc>

Receives:

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:faacf12f-a69f-4298-ac1e-bf1eb3a2ccf5">
  <data>
    <identity-oper-data xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-identity-oper">
      <session-context-data>
        <mac>70:b3:17:e9:f4:01</mac>
        <ipv4>0.0.0.0</ipv4>
        <intf-iifid>8</intf-iifid>
        <method-id>web-auth-id</method-id>
        <domain>domain-unknown</domain>
        <scope>scope-unknown</scope>
        <audit-id>
          <aid>000000000000000F4FF1A7C8</aid>
        </audit-id>
...
        <intf-name>GigabitEthernet5/0/1</intf-name>
        <policy-name>POLICY_Gi5/0/1</policy-name>
        <blocked-on-state>flags-none</blocked-on-state>
...
      </session-context-data>
    </identity-oper-data>
  </data>
</rpc-reply>

The link that marce1000 sent is no longer valid; it includes information related to yang-explorer, which is no longer supported.

I suggest rather trying YANG Suite to navigate the models:

This is what I used to quickly identify how to pull the data:

(screenshot: Screen Shot 2021-08-16 at 6.26.46 PM.png)

Enjoy the automation!
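The post above shows that the NETCONF filter must carry the session MAC as the list key, and that the CLI writes the MAC as 70b3.17e9.f401 while the YANG model wants 70:b3:17:e9:f4:01. The following Python is an added example, not code from the post or from Cisco: it normalizes a MAC into the key form, builds the subtree filter shown in the answer, parses an rpc-reply into plain dicts, and flags sessions that are not authenticated (the "N/A / UNKNOWN / Unauth" rows of show authentication session). The embedded SAMPLE_REPLY is a constructed sample modelled on the reply in the thread; the optional fetch_sessions() assumes the ncclient library is installed and is not exercised offline.

```python
"""Query 802.1X/MAB session state via the Cisco-IOS-XE-identity-oper model.

Added example (not from the forum post or from Cisco): builds the NETCONF
<get> subtree filter keyed on the session MAC, parses the <rpc-reply>, and
flags sessions that are not authenticated. SAMPLE_REPLY below is a
constructed sample modelled on the reply shown in the thread.
"""
import re
import xml.etree.ElementTree as ET

IDENTITY_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-identity-oper"
NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"

# Leaves worth extracting from each session-context-data entry (names as in
# the reply shown in the thread).
FIELDS = ("mac", "ipv4", "intf-name", "method-id", "domain", "scope",
          "policy-name", "blocked-on-state")


def normalize_mac(mac: str) -> str:
    """Convert any common MAC spelling (Cisco 70b3.17e9.f401, 70-B3-..., 70:b3:...)
    to the lower-case colon form the YANG list key uses."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def build_filter(mac: str) -> str:
    """Subtree filter for <get>; the MAC is the list key, so it must be present."""
    key = normalize_mac(mac)
    return (
        f'<identity-oper-data xmlns="{IDENTITY_NS}">'
        f"<session-context-data><mac>{key}</mac></session-context-data>"
        "</identity-oper-data>"
    )


def parse_sessions(rpc_reply_xml: str) -> list:
    """Flatten every <session-context-data> in an rpc-reply into a dict."""
    root = ET.fromstring(rpc_reply_xml)
    ns = {"nc": NETCONF_NS, "id": IDENTITY_NS}
    sessions = []
    for sess in root.findall("nc:data/id:identity-oper-data/id:session-context-data", ns):
        entry = {}
        for name in FIELDS:
            node = sess.find(f"id:{name}", ns)
            entry[name] = node.text if node is not None else None
        aid = sess.find("id:audit-id/id:aid", ns)
        entry["aid"] = aid.text if aid is not None else None
        sessions.append(entry)
    return sessions


def unauthenticated(sessions: list) -> list:
    """Sessions with no valid method or no resolved domain: what the CLI
    prints as N/A / UNKNOWN / Unauth. Useful as a periodic compliance check."""
    return [s for s in sessions
            if s["method-id"] in (None, "invalid-method-id")
            or s["domain"] == "domain-unknown"]


def fetch_sessions(host, user, password, mac, port=830):
    """Live query with ncclient (assumed installed); not exercised offline."""
    from ncclient import manager  # assumption: ncclient is available
    with manager.connect(host=host, port=port, username=user, password=password,
                         hostkey_verify=True, device_params={"name": "iosxe"}) as m:
        reply = m.get(filter=("subtree", build_filter(mac)))
        return parse_sessions(reply.xml)


# Constructed sample reply, modelled on the one in the thread (not captured
# from a device).
SAMPLE_REPLY = f"""<rpc-reply xmlns="{NETCONF_NS}" message-id="1">
  <data>
    <identity-oper-data xmlns="{IDENTITY_NS}">
      <session-context-data>
        <mac>70:b3:17:e9:f4:01</mac>
        <ipv4>0.0.0.0</ipv4>
        <intf-iifid>8</intf-iifid>
        <method-id>invalid-method-id</method-id>
        <domain>domain-unknown</domain>
        <scope>scope-unknown</scope>
        <audit-id><aid>000000000000000B4FE28C9B</aid></audit-id>
        <intf-name>GigabitEthernet5/0/1</intf-name>
        <policy-name>POLICY_Gi5/0/1</policy-name>
        <blocked-on-state>flags-none</blocked-on-state>
      </session-context-data>
    </identity-oper-data>
  </data>
</rpc-reply>"""

if __name__ == "__main__":
    for s in unauthenticated(parse_sessions(SAMPLE_REPLY)):
        print(f"{s['intf-name']}: {s['mac']} method={s['method-id']} domain={s['domain']}")
```

Running the script offline reports the one unauthenticated session from the sample; pointing fetch_sessions() at a switch that exposes Cisco-IOS-XE-identity-oper returns the same dict shape from live data. Keep hostkey_verify=True so the NETCONF session cannot be silently redirected to a host impersonating the switch.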


3 Replies

marce1000
VIP

- Check this document: https://www.cisco.com/c/en/us/support/docs/storage-networking/management/200933-YANG-NETCONF-Configuration-Validation.html and/or some examples may apply (with modification according to your specific needs).

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thanks, I checked all xpaths, especially regarding authentication, but I couldn't find anything that showed the authentication session status. Are there any specific areas I could look at?
