03-23-2023 05:56 PM - edited 04-03-2024 10:12 AM
The ISE Monitoring REST API allows you to retrieve active and historic RADIUS session details from the ISE Monitoring (MNT) nodes in your deployment.
There are several things to understand about the ISE Monitoring APIs before trying to use them:
9443
(https://ise.example.com:9443/...
) . /admin/API/mnt/Session/ActiveList
) - are case-sensitive
The ISE Monitoring REST API supports both HTTP PUT and HTTP GET calls; however, this document will only use HTTPS GET calls. These APIs use path parameters in the URL, as noted by the {}'s below:
https://$ISE_PMNT/admin/API/mnt/Session/ActiveCount
https://$ISE_PMNT/admin/API/mnt/Session/PostureCount
https://$ISE_PMNT/admin/API/mnt/Session/ProfilerCount
https://$ISE_PMNT/admin/API/mnt/Session/ActiveList
https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{START_TIME}/{END_TIME}
https://$ISE_PMNT/admin/API/mnt/Session/UserName/{USERNAME}
https://$ISE_PMNT/admin/API/mnt/Session/MACAddress/{MAC}
https://$ISE_PMNT/admin/API/mnt/Session/IPAddress/{NAD_IP}
https://$ISE_PMNT/admin/API/mnt/Session/EndPointIPAddress/{ENDPOINT_IP}
https://$ISE_PMNT/admin/API/mnt/Session/Active/SessionID/{Audit-Session-ID}/0
https://$ISE_PMNT/admin/API/mnt/Version
https://$ISE_PMNT/admin/API/mnt/FailureReasons
https://$ISE_PMNT/admin/API/mnt/AuthStatus/MACAddress/{MAC}/{SECONDS}/{RECORDS}/All
https://$ISE_PMNT/admin/API/mnt/AcctStatus/MACAddress/{MAC}/{SECONDS}
https://$ISE_PMNT/admin/API/mnt/CoA/Reauth/{PSN}/{MAC}/{reauth-type}/{NAD_IP}/{ENDPOINT_IP}
https://$ISE_PMNT/admin/API/mnt/CoA/Disconnect/{PSN_NAME}/{MAC}/{DISCONNECT}/{NAD_IP}/{ENDPOINT_IP}
The ISE REST APIs - also known as External RESTful Services (ERS) - are disabled by default for security. You must enable them:
To use the ISE Monitoring APIs, the user must be a member of the ISE SuperAdmin or MnT Admin groups. Non-SuperAdmin users who want to use both the ISE ERS and Monitoring APIs must be members of both the ERS Admin and MnT Admin groups.
The examples below utilize the command line utility cURL. This is because cURL is the most universal and flexible choice for quickly doing HTTP/S-based REST calls natively in Linux and macOS and may be easily added to Windows.
To quickly test if curl is working with your ISE MNT node, try the following:
curl --insecure \
--header 'Accept: application/xml' \
--user admin:C1sco12345 \
https://ise.example.com/admin/API/mnt/Version
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<product name="Cisco Identity Services Engine">
<version>3.2.0.542</version>
<type_of_node>0</type_of_node>
</product>
Frequently used command line options with curl:
cURL Option | Description |
-k, --insecure | Accept insecure connections. Useful if you are playing with a demo installation of ISE using a self-signed certificate. |
-H, --header {header} | Header to include in the request. Use one per header. |
-i, --include | Include the HTTP result headers in the output. |
-s, --silent | Disable the progress bar output for clean output when piping the output to other utilities like xq |
-u, --user {username:password} | Specify the username & password to authenticate the API user |
-d, --data '{content}' | The data payload to send, as a string or file, typically with JSON or XML content. |
Most of the examples below will also utilize the command line utility xq to pretty-print the XML output of the Monitoring APIs. Without it, you will get a long, single line dump of unformatted and unhighlighted XML that is difficult to visually parse. We think you will like xq!
Pipe the output of curl into xq (" | xq"):
curl --insecure \
--header 'Accept: application/xml' \
--user admin:C1sco12345 \
https://ise.example.com/admin/API/mnt/Version | xq
Example output of the https://ise/admin/API/mnt/Session/ActiveList API without xq:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><activeList noOfActiveSession="1"><activeSession><user_name>thomas</user_name><calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id><nas_ip_address>10.80.60.150</nas_ip_address><acct_session_id>2F0B6ADDB4353BAE</acct_session_id><server>ise</server><framed_ip_address>10.251.204.55</framed_ip_address><framed_ipv6_address/></activeSession></activeList>
Example output of the https://ise/admin/API/mnt/Session/ActiveList API with xq:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="1">
<activeSession>
<user_name>thomas</user_name>
<calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
<nas_ip_address>10.80.60.150</nas_ip_address>
<acct_session_id>2F0B6ADDB4353BAE</acct_session_id>
<server>ise</server>
<framed_ip_address>10.251.204.55</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
</activeList>
In the above example, we showed you the ISE admin username and password C1sco12345 in the clear on the command line. It is a bad security practice to do API work with your passwords to security applications like ISE exposed for anyone to see over your shoulder or in your command line history. For this reason, we will utilize environment variables in our command line work as a best practice with our ISE REST API usernames and passwords for all further examples.
The fastest way to use environment variables in your command line scripts is to create temporary environment variables using the export command (or set command on Windows) in your terminal:
export ISE_PPAN=ise-ppan.example.com # large ISE deployments use the PAN node for ERS APIs
export ISE_PMNT=ise-pmnt.example.com # large ISE deployments use the MNT node for MNT APIs
export ISE_REST_USERNAME=admin
export ISE_REST_PASSWORD=C1sco12345
You may also add the lines above to an ise-env.sh file in a .secrets folder in your home directory then, when you want to use them in your terminal session, run:
source ~/.secrets/ise-env.sh
You may view and verify your current environment variables using the following commands and access them in scripts or on the command line by prefixing them with a `$`:
env
printenv ISE_REST_PASSWORD
echo $ISE_REST_PASSWORD
The same example cURL command above using environment variables might look like this:
curl --insecure \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Version
If you want to verify your environment variable values, use the echo command to help you troubleshoot!
> echo https://$ISE_PMNT/admin/API/mnt/CoA/Disconnect/$PSN/$MAC/$DISCONNECT/$NAD_IP/$ENDPOINT_IP
https://ise.securitydemo.net/admin/API/mnt/CoA/Disconnect/ise/BA:4B:FB:77:B8:BF/0//10.251.204.55
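Environment variables keep the password out of your shell history, but `--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD` still places it in curl's command-line arguments, and `--insecure` skips certificate validation. The following added example (not part of the original article) hands the credentials to curl through `--config -` on standard input and validates the server certificate with `--cacert`; `ISE_CA_BUNDLE` and the function names are assumptions made for this example.

```shell
# Added example (not from the original article).
# Assumed names: ISE_CA_BUNDLE (PEM file holding the CA that signed the MnT
# node's certificate), curl_quote, ise_curl_config, ise_mnt_get.

# Escape a value for use inside a double-quoted string in a curl config file.
# Backslashes are doubled first so that the backslash added in front of each
# double quote is not doubled again.
curl_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the curl config for one GET request to the API path given as $1.
# The credentials appear only on this function's standard output.
ise_curl_config() {
  printf 'user = "%s:%s"\n' \
    "$(curl_quote "$ISE_REST_USERNAME")" "$(curl_quote "$ISE_REST_PASSWORD")"
  printf 'header = "Accept: application/xml"\n'
  printf 'cacert = "%s"\n' "$(curl_quote "$ISE_CA_BUNDLE")"
  printf 'url = "https://%s%s"\n' "$ISE_PMNT" "$1"
}

# Run the request. curl reads every option from stdin, so neither the
# username nor the password is part of its command line.
ise_mnt_get() {
  if [ -z "$ISE_REST_PASSWORD" ] || [ -z "$ISE_CA_BUNDLE" ]; then
    printf 'ISE_REST_PASSWORD and ISE_CA_BUNDLE must be set\n' >&2
    return 1
  fi
  ise_curl_config "$1" | curl --silent --show-error --fail --config -
}

# Usage:
#   ise_mnt_get /admin/API/mnt/Version | xq
```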
Use the ActiveCount API call to retrieve a count of all currently active sessions.
https://$ISE_PMNT/admin/API/mnt/Session/ActiveCount
Example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveCount \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionCount>
<count>0</count>
</sessionCount>
Use the PostureCount API call to retrieve a count of all currently active sessions using posture:
https://$ISE_PMNT/admin/API/mnt/Session/PostureCount
Example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/Session/PostureCount \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionCount>
<count>0</count>
</sessionCount>
Use the ProfilerCount API call to retrieve a count of all currently active sessions using profiling:
https://$ISE_PMNT/admin/API/mnt/Session/ProfilerCount
Example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/Session/ProfilerCount \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionCount>
<count>1</count>
</sessionCount>
Get a list of all active RADIUS sessions:
https://$ISE_PMNT/admin/API/mnt/Session/ActiveList
Example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveList \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="1">
<activeSession>
<user_name>thomas</user_name>
<calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
<nas_ip_address>10.80.60.150</nas_ip_address>
<acct_session_id>351E07BC138D77F8</acct_session_id>
<server>ise</server>
<framed_ip_address>10.251.204.55</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
</activeList>
Get a list of all authenticated sessions between start and end timestamps:
https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{'null'|START_TIME}/{'null'|END_TIME}
null/endtime: Lists all active authenticated sessions before the specified end time
starttime/null: Lists all active authenticated sessions after the specified start time
starttime/endtime: Lists all active authenticated sessions between the specified start time and end time
{START_TIME} and {END_TIME} have the format: YYYY-MM-DD hh:mm:ss.s
⚠ When putting the start/end times in a curl URL, you must replace the space between the date and time with `%20` for URL encoding. For example, to see all authenticated sessions for January 1, 2024:
https://ise.example.com/admin/API/mnt/Session/AuthList/2024-01-01%2000:00:00/2024-01-02%2000:00:00
Failure to do this will return an error: Error in generating active session list with time. Invalid end time format.
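The encoding rule above, as an added example that is not part of the original article: the functions below (their names are assumed) check each time parameter against the documented format, encode the space as `%20`, and refuse a window whose start is not before its end, so a malformed value is caught before the request is sent.

```shell
# Added example (not from the original article); function names are assumed.

# Validate one AuthList time parameter and print it ready for the URL path.
# Accepts the literal null, or YYYY-MM-DD hh:mm:ss with an optional single
# fractional digit. This is a format check only: it does not reject
# impossible dates such as month 13.
ise_time_param() {
  _d='[0-9]'
  _ts="${_d}${_d}${_d}${_d}-${_d}${_d}-${_d}${_d} ${_d}${_d}:${_d}${_d}:${_d}${_d}"
  case "$1" in
    null) printf 'null' ;;
    ${_ts}|${_ts}.${_d}) printf '%s' "$1" | sed 's/ /%20/' ;;
    *) printf "invalid time (want 'YYYY-MM-DD hh:mm:ss' or null): %s\n" "$1" >&2
       return 1 ;;
  esac
}

# Build the AuthList URL for the three documented forms:
# null/endtime, starttime/null and starttime/endtime (null/null also passes).
ise_authlist_url() {
  _start=$(ise_time_param "$1") || return 1
  _end=$(ise_time_param "$2") || return 1
  # The fixed-width format sorts chronologically as plain text, so a string
  # comparison is enough to catch a reversed or empty window.
  if [ "$1" != null ] && [ "$2" != null ] &&
     LC_ALL=C expr "x$1" '>=' "x$2" >/dev/null; then
    printf 'start time must be before end time\n' >&2
    return 1
  fi
  printf 'https://%s/admin/API/mnt/Session/AuthList/%s/%s\n' \
    "$ISE_PMNT" "$_start" "$_end"
}

# Usage:
#   url=$(ise_authlist_url '2024-01-01 00:00:00' '2024-01-02 00:00:00') || exit 1
```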
null/null
Example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/AuthList/null/null \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="1">
<activeSession>
<user_name>thomas</user_name>
<calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
<nas_ip_address>10.80.60.150</nas_ip_address>
<acct_session_id>351E07BC138D77F8</acct_session_id>
<server>ise</server>
<framed_ip_address>10.251.204.55</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
</activeList>
START_TIME and END_TIME
Example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/AuthList/2024-01-01%2000:00:00/2024-01-02%2000:00:00 \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="1">
<activeSession>
<user_name>thomas</user_name>
<calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
<nas_ip_address>10.80.60.150</nas_ip_address>
<acct_session_id>351E07BC138D77F8</acct_session_id>
<server>ise</server>
<framed_ip_address>10.251.204.55</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
</activeList>
The following detailed session attribute API calls let you quickly search the last session using these key attributes:
UserName
MACAddress
IPAddress (associated with a target Monitoring ISE node)
EndPointIPAddress
SessionID
These APIs all return many attributes:
passed or failed: Authentication status results: Passed|Failed
user_name: User name
nas_ip_address: IP address/hostname for the network access device
calling_station_id: endpoint MAC address
acs_timestamp: Time stamp that is associated with the Cisco ISE authentication request
execution_steps: List of message codes for each diagnostic message logged while processing the request
message_code: Identifier of the audit message that defines the processed request result
orig_calling_station_id: endpoint MAC address
cpmsession_id: ID of the authentication session
destination_ip_address: IP address of the ISE server
device_ip_address: IP Address of the network access device
identity_group: A logical group consisting of related users and hosts
network_device_name: name of the network access device as defined in ISE
acs_server: Name of the Cisco ISE appliance
authentication_method: Identifies the method used in authentication
authentication_protocol: the authentication protocol used for authentication request
framed_ip_address: the configured IP Address of the endpoint
auth_acs_timestamp: the time of authentication
execution_steps: the execution step numbers within ISE for troubleshooting
response: ???
posture_status: ???
selected_azn_profiles: Identifies the profile used in authorization
service_type: Indicates a framed user
message_code: the resulting ISE message code of the authentication request
auth_acsview_timestamp: the time of authentication
auth_id: ???
identity_store: the external identity store used for authentication
location: the network access device group (NDG) location as defined in ISE
device_type: the network access device group (NDG) device-type as defined in ISE
response_time: the time to complete the authentication & authorization request in ISE
other_attr_string: a list of other attributes included in the request
acct_id: ???
acct_acs_timestamp: the time of accounting start
acct_acsview_timestamp: the time of accounting start
acct_session_id: ID of the accounting session
acct_status_type: the accounting message type (start/stop)
acct_input_octets: current count of octets passed by the endpoint
acct_output_octets: current count of octets passed by the endpoint
acct_input_packets: current count of octets passed by the endpoint
acct_output_packets: current count of octets passed by the endpoint
acct_authentic: protocol used to authenticate (RADIUS)?
acct_delay_time: ???
event_timestamp: ???
started: true or false
stopped: true or false
endpoint_policy: ???
Get the active RADIUS session for the specified MAC address:
https://$ISE_PMNT/admin/API/mnt/Session/MACAddress/{MAC}
XX:XX:XX:XX:XX:XX
Example:
export MAC=BA:4B:FB:77:B8:BF
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/Session/MACAddress/$MAC \
| xq
Get a list of all active RADIUS sessions for the specified username:
https://$ISE_PMNT/admin/API/mnt/Session/UserName/{USERNAME}
Example:
export USERNAME=thomas
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/Session/UserName/$USERNAME \
| xq
Example response for a session:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionParameters>
<passed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</passed>
<failed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</failed>
<user_name>thomas</user_name>
<nas_ip_address>10.80.60.150</nas_ip_address>
<calling_station_id>76:58:CE:FE:BF:4C</calling_station_id>
<orig_calling_station_id>76-58-CE-FE-BF-4C</orig_calling_station_id>
<cpmsession_id>c612851bIm5XhlVNlrvxYbo81pl4hrYvBBN6sHQvTW5wiN9RG5s</cpmsession_id>
<destination_ip_address>198.18.133.27</destination_ip_address>
<device_ip_address>10.80.60.150</device_ip_address>
<identity_group>User Identity Groups:Employee,Unknown</identity_group>
<network_device_name>lab-mr46-1</network_device_name>
<acs_server>ISE</acs_server>
<authentication_method>dot1x</authentication_method>
<authentication_protocol>PEAP (EAP-MSCHAPv2)</authentication_protocol>
<framed_ip_address>10.138.142.152</framed_ip_address>
<auth_acs_timestamp>2023-11-01T16:41:47.714Z</auth_acs_timestamp>
<execution_steps>11001,11017,11117,15049,15008,11507,12500,11006,11001,11018,12301,12300,11006,11001,11018,12302,61025,12319,12800,12805,12806,12807,12808,12810,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12319,12810,12812,12803,12804,12801,12802,12816,12310,12305,11006,11001,11018,12304,12313,11521,12305,11006,11001,11018,12304,11522,11806,12305,11006,11001,11018,12304,11808,15041,15048,22072,15013,24210,24212,22037,11824,12305,11006,11001,11018,12304,11810,11814,11519,12314,12305,11006,11001,11018,12304,24715,15036,24209,24211,15048,15048,15048,15016,22081,22080,12306,61026,11503,11002</execution_steps>
<response>{Class=CACS:c612851bIm5XhlVNlrvxYbo81pl4hrYvBBN6sHQvTW5wiN9RG5s:ISE/488071013/48; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }</response>
<posture_status/>
<selected_azn_profiles>PermitAccess</selected_azn_profiles>
<service_type>Framed</service_type>
<message_code>5200</message_code>
<auth_acsview_timestamp>2023-11-01T16:41:47.714Z</auth_acsview_timestamp>
<auth_id>1698696460153375</auth_id>
<identity_store>Internal Users</identity_store>
<location>All Locations</location>
<device_type>All Device Types</device_type>
<response_time>87</response_time>
<other_attr_string>:!:ConfigVersionId=74:!:DestinationPort=1812:!:Protocol=Radius:!:NAS-Port=1:!:Framed-MTU=1400:!:State=64CPMSessionID=c612851bIm5XhlVNlrvxYbo81pl4hrYvBBN6sHQvTW5wiN9RG5s;26SessionID=ISE/488071013/48;:!:Acct-Session-Id=8894534E474CEFFF:!:Connect-Info=CONNECT 54.00 Mbps / 802.11ax / RSSI: 54 / Channel: 36:!:undefined-186=00:0f:ac:04:!:undefined-187=00:0f:ac:04:!:undefined-188=00:0f:ac:01:!:NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c:!:IsThirdPartyDeviceFlow=false:!:AcsSessionID=ISE/488071013/48:!:SelectedAuthenticationIdentityStores=Internal Users:!:SelectedAuthenticationIdentityStores=All_AD_Join_Points:!:SelectedAuthenticationIdentityStores=Guest Users:!:AuthenticationStatus=AuthenticationPassed:!:IdentityPolicyMatchedRule=Dot1X:!:AuthorizationPolicyMatchedRule=Basic_Authenticated_Access:!:EndPointMACAddress=76-58-CE-FE-BF-4C:!:ISEPolicySetName=Default:!:IdentitySelectionMatchedRule=Dot1X:!:StepLatency=1=0;2=1;3=0;4=0;5=8;6=0;7=1;8=50;9=0;10=1;11=0;12=0;13=37;14=0;15=0;16=0;17=1;18=0;19=0;20=0;21=0;22=10;23=0;24=0;25=1;26=29;27=0;28=1;29=0;30=0;31=24;32=0;33=1;34=0;35=0;36=32;37=0;38=1;39=0;40=0;41=31;42=0;43=0;44=0;45=0;46=29;47=0;48=0;49=0;50=0;51=3016;52=0;53=0;54=0;55=0;56=5;57=0;58=0;59=0;60=0;61=0;62=0;63=0;64=0;65=25;66=0;67=0;68=1;69=0;70=0;71=0;72=27;73=0;74=1;75=0;76=0;77=0;78=0;79=28;80=0;81=1;82=0;83=0;84=4;85=6;86=0;87=0;88=9;89=0;90=0;91=0;92=0;93=25;94=0;95=0;96=0;97=0;98=0;99=1;100=0;101=0;102=28;103=0;104=0;105=0;106=1;107=0;108=3;109=9;110=10;111=1;112=3;113=1;114=0;115=0;116=0;117=0;118=2:!:TotalAuthenLatency=3465:!:ClientLatency=3378:!:TLSCipher=ECDHE-RSA-AES256-GCM-SHA384:!:TLSVersion=TLSv1.2:!:DTLSSupport=Unknown:!:HostIdentityGroup=Endpoint Identity Groups:Unknown:!:Network Device Profile=Cisco:!:Location=Location#All Locations:!:Device Type=Device Type#All Device Types:!:IPSEC=IPSEC#Is IPSEC Device#No:!:Name=User Identity Groups:Employee:!:Name=Endpoint Identity 
Groups:Unknown:!:EnableFlag=Enabled:!:StepData="84= Normalised Radius.RadiusFlowType","85=All_User_ID_Stores","86=Internal Users","109= Radius.NAS-Port-Type","110= EndPoints.LogicalProfile","111= Network Access.AuthenticationStatus"=StepData:!:RADIUS Username=thomas:!:NAS-Identifier=2C-3F-0B-56-E3-6C:vap0:!:Device IP Address=10.80.60.150:!:CPMSessionID=c612851bIm5XhlVNlrvxYbo81pl4hrYvBBN6sHQvTW5wiN9RG5s:!:Called-Station-ID=2C-3F-0B-56-E3-6C:.corp:!:CiscoAVPair=AuthenticationIdentityStore=Internal Users,FQSubjectName=9273fe30-8c01-11e6-996c-525400b48521#thomas,UniqueSubjectID=01a78479d83d16a34091e1d792dc0f2e66fb6a65</other_attr_string>
<acct_id>1698696460153376</acct_id>
<acct_acs_timestamp>2023-11-01T16:41:47.752Z</acct_acs_timestamp>
<acct_acsview_timestamp>2023-11-01T16:41:47.752Z</acct_acsview_timestamp>
<acct_session_id>8894534E474CEFFF</acct_session_id>
<acct_status_type>Start</acct_status_type>
<acct_input_octets>0</acct_input_octets>
<acct_output_octets>0</acct_output_octets>
<acct_input_packets>0</acct_input_packets>
<acct_output_packets>0</acct_output_packets>
<acct_authentic>RADIUS</acct_authentic>
<acct_delay_time>0</acct_delay_time>
<event_timestamp>1698856907</event_timestamp>
<started xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</started>
<stopped xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</stopped>
<endpoint_policy>Unknown</endpoint_policy>
</sessionParameters>
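The other_attr_string field in the response above packs further attributes as key=value pairs separated by `:!:`, with some keys repeated and some values containing `=` themselves. The following added example (not part of the original article; function names are assumed) pulls individual values out of that string, using a constructed sample shortened from the response above.

```shell
# Added example (not from the original article); function names are assumed.

# Constructed sample: a shortened other_attr_string built from values in the
# example response above.
ISE_SAMPLE_OTHER_ATTR=':!:ConfigVersionId=74:!:DestinationPort=1812'\
':!:Protocol=Radius'\
':!:SelectedAuthenticationIdentityStores=Internal Users'\
':!:SelectedAuthenticationIdentityStores=All_AD_Join_Points'\
':!:AuthenticationStatus=AuthenticationPassed'\
':!:AuthorizationPolicyMatchedRule=Basic_Authenticated_Access'\
':!:StepLatency=1=0;2=1;3=0:!:TotalAuthenLatency=3465'\
':!:TLSCipher=ECDHE-RSA-AES256-GCM-SHA384:!:TLSVersion=TLSv1.2'\
':!:RADIUS Username=thomas'

# Print every value recorded for key $1, one per line.
# Reads the other_attr_string text on stdin.
ise_other_attr() {
  awk -v key="$1" '
    { buf = buf $0 }                      # the field may wrap; rejoin it
    END {
      n = split(buf, pair, ":!:")         # pairs are separated by :!:
      for (i = 1; i <= n; i++) {
        eq = index(pair[i], "=")          # the key ends at the first "="
        if (eq > 1 && substr(pair[i], 1, eq - 1) == key)
          print substr(pair[i], eq + 1)   # values may contain "=" and ";"
      }
    }'
}

# Print one line per key worth reviewing for a session, with repeated
# values joined by commas. Reads the other_attr_string text on stdin.
ise_session_summary() {
  _attrs=$(cat)
  for _key in AuthenticationStatus AuthorizationPolicyMatchedRule \
              SelectedAuthenticationIdentityStores TLSVersion TLSCipher; do
    printf '%s=%s\n' "$_key" \
      "$(printf '%s\n' "$_attrs" | ise_other_attr "$_key" | paste -sd, -)"
  done
}

# Usage:
#   printf '%s\n' "$ISE_SAMPLE_OTHER_ATTR" | ise_session_summary
```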
The Cisco ISE Monitoring REST API doesn’t work when the username contains a domain. The workaround is to change the API method from GET to POST. For example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request POST https://ise31.securitydemo.net/admin/API/mnt/Session/UserName \
--data 'employee@example.com'
Get a list of all active RADIUS sessions for the specified network access device (NAD) NAS IP address:
https://$ISE_PMNT/admin/API/mnt/Session/IPAddress/{NAD_IP}
An IPv4 (n.n.n.n) or IPv6 (xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx) address is allowed.
Example:
export NAD_IP=10.80.60.151 # IPv4 or IPv6 address
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/Session/IPAddress/$NAD_IP \
| xq
Get the active RADIUS session for the specified endpoint IP address:
https://$ISE_PMNT/ise/mnt/api/Session/EndPointIPAddress/{ENDPOINT_IP}
Example:
export ENDPOINT_IP=10.251.204.55
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/ise/mnt/api/Session/EndPointIPAddress/$ENDPOINT_IP \
| xq
Get the active RADIUS session with the specified audit-session-id:
https://$ISE_PMNT/admin/API/mnt/Session/Active/SessionID/{AUDIT_SID}/0
⚠ Not all sessions may have an Audit Session ID. The Account Session ID is not the Audit Session ID.
Example:
export AUDIT_SID=
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/Session/Active/SessionID/$AUDIT_SID/0 \
| xq
Delete a stale session by MAC address:
https://$ISE_PMNT/admin/API/mnt/Session/Delete/MACAddress/{MAC}
Example:
export MAC=BA:4B:FB:77:B8:BF
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request DELETE https://$ISE_PMNT/admin/API/mnt/Session/Delete/MACAddress/$MAC \
| xq
Delete a stale session by Session ID:
export SID=351E07BC138D77F8
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request DELETE https://$ISE_PMNT/admin/API/mnt/Session/Delete/SessionID/$SID \
| xq
To delete all sessions on the Monitoring node, issue the following API call on the command line:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request DELETE https://$ISE_PMNT/admin/API/mnt/Session/Delete/All \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<mnt-rest-result>
<http-code>200</http-code>
<cpm-code>52092</cpm-code>
<description>The software update was completed successfully</description>
<module-name>MnT</module-name>
<internal-error-info/>
<requested-operation>Not Available</requested-operation>
<resource-id>0</resource-id>
<resource-name>MNT_RAD_SESS</resource-name>
<status>SUCCESSFUL</status>
</mnt-rest-result>
https://$ISE_PMNT/admin/API/mnt/Version
Example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/Version \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<product name="Cisco Identity Services Engine">
<version>3.2.0.542</version>
<type_of_node>0</type_of_node>
</product>
https://$ISE_PMNT/admin/API/mnt/FailureReasons
Example:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/FailureReasons \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<failureReasonList>
<failureReason id="100001">
<code>100001 AUTHMGR-5-FAIL Authorization failed for client</code>
<cause>This may or may not be indicating a violation</cause>
<resolution>Please review and resolve according to your organization's policy</resolution>
</failureReason>
<failureReason id="100002">
<code>100002 AUTHMGR-5-SECURITY_VIOLATION Security violation on the interface</code>
<cause>This may or may not be indicating a violation</cause>
<resolution>Please review and resolve according to your organization's policy</resolution>
</failureReason>
<failureReason id="100003">
<code>100003 AUTHMGR-5-UNAUTHORIZED Interface unauthorized</code>
<cause>This may or may not be indicating a violation</cause>
<resolution>Please review and resolve according to your organization's policy</resolution>
</failureReason>
...
The AuthStatus API takes this simple form with several required variables:
https://$ISE_PMNT/admin/API/mnt/AuthStatus/MACAddress/{MAC}/{SECONDS}/{RECORDS}/All
You may want to pre-define some additional environment variables to
export HOURS_1=3600
export HOURS_8=28800
export HOURS_24=86400
export DAYS_1=86400
export DAYS_7=604800
export WEEK_1=604800
Provide the last 10 authentications for MAC BA:4B:FB:77:B8:BF in the last 24 hours:
export MAC=BA:4B:FB:77:B8:BF
# SECONDS is a special variable in bash and zsh that keeps counting up after it is set, so the duration gets its own name
export DURATION=$DAYS_1
export RECORDS=3
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/AuthStatus/MACAddress/$MAC/$DURATION/$RECORDS/All \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authStatusOutputList>
<authStatusList key="BA:4B:FB:77:B8:BF">
<authStatusElements>
...
https://$ISE_PMNT/admin/API/mnt/AcctStatus/MACAddress/{MAC}/{SECONDS}
calling_station_id: MAC address of the client
paks_in: Packets received count total
paks_out: Packets transmitted count total
bytes_in: Bytes received count total
bytes_out: Bytes transmitted count total
session_time: Duration of current sessions before expiration
server: the ISE Policy Service Node (PSN) that handled the endpoint
⚠ Configurable values range from 1-432000 seconds (5 days)
0 seconds uses a default duration of 15 minutes (900 seconds)
Provide the accounting details for endpoint BA:4B:FB:77:B8:BF from the last 24 hours:
export MAC=BA:4B:FB:77:B8:BF
# SECONDS is a special variable in bash and zsh that keeps counting up after it is set, so the duration gets its own name
export DURATION=$DAYS_1
export RECORDS=3
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/AcctStatus/MACAddress/$MAC/$DURATION \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<acctStatusOutputList>
<acctStatusList macAddress="BA:4B:FB:77:B8:BF">
<acctStatusElements>
<calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
<paks_in>2332</paks_in>
<paks_out>2510</paks_out>
<bytes_in>333013</bytes_in>
<bytes_out>828021</bytes_out>
<session_time>7200</session_time>
<server>ise</server>
</acctStatusElements>
</acctStatusList>
</acctStatusOutputList>
CoA session management API calls allow you to send reauthentication and disconnect commands to a specified session on a target Cisco Monitoring ISE node in your Cisco ISE deployment.
The Session Reauthentication API call supports the following reauthentication types:
REAUTH_TYPE_DEFAULT = 0
REAUTH_TYPE_LAST = 1
REAUTH_TYPE_RERUN = 2
https://$ISE_PMNT/admin/API/mnt/CoA/Reauth/{PSN_NAME}/{MAC}/{REAUTH_TYPE}
export COA_REAUTH_TYPE_DEFAULT=0
export COA_REAUTH_TYPE_LAST=1
export COA_REAUTH_TYPE_RERUN=2
export MAC=BA:4B:FB:77:B8:BF
export PSN_NAME=ise
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/CoA/Reauth/$PSN_NAME/$MAC/$COA_REAUTH_TYPE_DEFAULT \
| xq
True indicates that the command was successfully executed. False means that the command was not executed (due to a variety of conditions).
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<remoteCoA requestType="reauth">
<results>true</results>
</remoteCoA>
https://$ISE_PMNT/admin/API/mnt/CoA/Disconnect/{PSN_NAME}/{MAC}/{DISCONNECT}/{NAD_IP}/{ENDPOINT_IP}
The Session Disconnect API call uses the following disconnect port options:
DYNAMIC_AUTHZ_PORT_DEFAULT = 0
DYNAMIC_AUTHZ_PORT_BOUNCE = 1
DYNAMIC_AUTHZ_PORT_SHUTDOWN = 2
Verify any Active Sessions:
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveList \
| xq
export DYNAMIC_AUTHZ_PORT_DEFAULT=0
export DYNAMIC_AUTHZ_PORT_BOUNCE=1
export DYNAMIC_AUTHZ_PORT_SHUTDOWN=2
export DISCONNECT=$DYNAMIC_AUTHZ_PORT_DEFAULT
export ENDPOINT_IP=10.251.204.55
export NAD_IP=10.80.60.150
export PSN_NAME=ise
curl --silent --insecure --location \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
https://$ISE_PMNT/admin/API/mnt/CoA/Disconnect/$PSN_NAME/$MAC/$DISCONNECT/$NAD_IP/$ENDPOINT_IP \
| xq
Response:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<remoteCoA requestType="disconnect">
<results>true</results>
</remoteCoA>
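The echo output earlier on this page shows what happens when a variable such as $NAD_IP is empty: the URL is still built, with an empty `//` segment. The following added example (not part of the original article; function names are assumed, and it accepts IPv4 addresses only) checks every path parameter of the CoA Disconnect call before the URL is assembled, so an empty or malformed value stops the call instead of reaching the MnT node.

```shell
# Added example (not from the original article); function names are assumed.

# XX:XX:XX:XX:XX:XX with hexadecimal digits.
ise_is_mac() {
  _h='[0-9A-Fa-f][0-9A-Fa-f]'
  case "$1" in
    ${_h}:${_h}:${_h}:${_h}:${_h}:${_h}) return 0 ;;
    *) return 1 ;;
  esac
}

# Dotted-quad IPv4 with exactly four octets, each in 0-255.
ise_is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _rest="$1."
  _count=0
  while [ -n "$_rest" ]; do
    _octet=${_rest%%.*}
    _rest=${_rest#*.}
    [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    _count=$((_count + 1))
  done
  [ "$_count" -eq 4 ]
}

# Build the CoA Disconnect URL, refusing empty or malformed parameters.
# $1 PSN name, $2 endpoint MAC, $3 disconnect port option (0, 1 or 2),
# $4 NAD IP, $5 endpoint IP.
ise_coa_disconnect_url() {
  if [ "$#" -ne 5 ] || [ -z "$ISE_PMNT" ]; then
    printf 'need ISE_PMNT and five arguments\n' >&2
    return 2
  fi
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) printf 'bad PSN name: %s\n' "$1" >&2; return 1 ;;
  esac
  ise_is_mac "$2" || { printf 'bad MAC: %s\n' "$2" >&2; return 1; }
  case "$3" in
    0|1|2) ;;
    *) printf 'bad disconnect port option: %s\n' "$3" >&2; return 1 ;;
  esac
  ise_is_ipv4 "$4" || { printf 'bad NAD IP: %s\n' "$4" >&2; return 1; }
  ise_is_ipv4 "$5" || { printf 'bad endpoint IP: %s\n' "$5" >&2; return 1; }
  printf 'https://%s/admin/API/mnt/CoA/Disconnect/%s/%s/%s/%s/%s\n' \
    "$ISE_PMNT" "$1" "$2" "$3" "$4" "$5"
}

# Usage:
#   url=$(ise_coa_disconnect_url "$PSN_NAME" "$MAC" "$DISCONNECT" \
#         "$NAD_IP" "$ENDPOINT_IP") || exit 1
```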