
 

The Portuguese version of this Article can be found at: ISE - O que precisamos saber sobre Data Connect.

 

For an offline or printed copy of this document, simply choose ⋮ Options > Printer Friendly Page. You may then Print > Print to PDF or Copy & Paste to any other document format you like.

 

Introduction

Data Connect is a feature that provides Read-Only access to the ISE Database so that you can query Data and create your own Reports - DIY Reports (Do It Yourself).

TCP / 2484 is used to establish Database Connections with ISE through Oracle TCPS (TCP Secure) Protocol.

To establish a Database Connection with ISE, use a Programming Language or Client Tool such as:

  • Java
  • Python
  • SQL Client Tools
  • Oracle SQL Developer
  • JDBC Client
  • etc.

 

ISE 3.2+ supports Data Connect.

 

Getting Data Out of ISE.png

 

Data Connect - DIY Reports and Dashboards.png

 

License

Data Connect requires at least an Essential License.

 

Data Connect will be disabled if your License Expires or becomes NonCompliant.

 

Deployment

In a Distributed Deployment, Data Connect is enabled by default in Secondary Monitoring (SMnT) because it has less overhead than Primary Monitoring (PMnT).

In case of changes to the Deployment or Persona:

  • If Data Connect is enabled in PMnT and an SMnT is added, then there will be no change.
  • If Data Connect is enabled in SMnT and SMnT is manually removed from the Deployment, then Data Connect will be automatically enabled in PMnT.

  

In case of a Deployment with Dedicated MnT Node and Data Connect enabled, Database Queries and Configuration Data are routed internally to the Primary PAN (PPAN).

 

Data Connect

Tables

To view the available Data Connect Tables: DevNet - Data Connect - Database Views.

Data Connect - Tables.png

 

To submit a request to include required Tables that are not available: ISE - Make a Wish.

 

Enable Data Connect

In Administration > System > Settings > Data Connect:

Data Connect Settings.png

 

Password: 12 to 30 characters containing at least:

  • a Capital Letter (A-Z)
  • a Lowercase Letter (a-z)
  • a Number (0-9)
  • a Special Character (#$%&*+,-.:;=?^_~).

You can reset the Password at any time (it should not be the same as any of the last 5 Passwords).

If you try to connect to the ISE Database with an incorrect Password more than 5 times, the Account is locked for 24 hours (ORA-28000: The account is locked).

In an Account Locked situation, you can:

  • wait 24 hours for the Account lock to be lifted
  • reset the Data Connect Password
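
For scripted password rotation, a candidate can be checked against the policy above before it is submitted. The following Python is an added example, not part of the original article or Cisco's code; the function names are hypothetical, and reporting characters outside the four listed classes is a conservative assumption the article does not state.

```python
import secrets
import string

# Policy values as stated in the article.
MIN_LEN, MAX_LEN = 12, 30
CLASSES = {
    "capital letter": string.ascii_uppercase,
    "lowercase letter": string.ascii_lowercase,
    "number": string.digits,
    "special character": "#$%&*+,-.:;=?^_~",
}
ALLOWED = set("".join(CLASSES.values()))


def policy_violations(password):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN}")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing a {name}")
    # Assumption (not stated in the article): anything outside the four
    # listed classes is treated as unsupported and reported.
    extra = "".join(sorted(set(password) - ALLOWED))
    if extra:
        problems.append(f"unsupported characters: {extra!r}")
    return problems


def generate_password(length=24):
    """Draw candidates from the CSPRNG until one satisfies every rule."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    alphabet = "".join(sorted(ALLOWED))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Abcdefgh1234#", "short1A#", "Abcdefgh1234!"):  # constructed samples
        print(sample, policy_violations(sample) or "compliant")
    print(len(generate_password()), "character password generated")
```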

 

Password Expiry: the valid range is 1 to 3,650 days. Default is 90 days.

Username | Port | Service Name: set by default to dataconnect | TCP / 2484 | cpm10 (cannot be changed).

 

Certificate

The configuration of Certificates required to use Data Connect changes based on the ISE Version:

 

ISE 3.2

After Data Connect is enabled, a Self-Signed Certificate (called Data Connect Certificate) is stored in Trusted Certificates for use by Clients. To export it, go to Administration > System > Certificates > Certificate Management > Trusted Certificates, select Data Connect Certificate and click Export.

Data Connect - ISE 3.2 Trusted Certificates - Export.png

 

The Data Connect Certificate must be regenerated if:

  • the Certificate expires
  • the Certificate has been compromised

 

CSCwk73627

CSCwk73627 Data Connect Certificate is not seen in Trusted Certificates Store after generating it thru CSR

CSCwk73627.png

 

ISE 3.3+

In Administration > System > Certificates > Certificate Management > System Certificates, select the Certificate with Used by: Admin and click Export. Add this Certificate to the Client's Trust Store so that the Client can establish a TCPS Connection:

Data Connect - ISE 3.3 System Certificates - Export.png

 

When selecting the Certificate, you can see in Usage:

Admin: Use Certificate to Authenticate the ISE Admin Portal and DataConnect

Data Connect - ISE 3.3 System Certificates.png

 

Troubleshooting

ISE GUI

To see when the Data Connect feature was enabled / disabled, or whether a Persona change occurred, go to Operations > Reports > Reports > Audit > Change Configuration Audit:

Data Connect - Change Configuration Audit.png

 

This Report does not contain information about Logins performed by Third-Party Tools.

 

ISE CLI

Additional Logs can be found in ise-psc.log (example on PPAN):

 

ise/admin# show logging application ise-psc.log
...
2025-02-17 07:54:19,571 INFO [admin-http-pool100][[]] admin.restui.features.mnt.DatadirectUIApi -:::::- New status of dataconnect recieved : false
...
2025-02-17 07:54:32,618 INFO [admin-http-pool34][[]] admin.restui.features.mnt.DatadirectUIApi -:::::- New status of dataconnect recieved : true
...
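
The status lines above can be turned into a timeline of Data Connect enable / disable changes for review. This Python is an added example, not part of the original article or Cisco's tooling; the function names are hypothetical, and the sample input reuses the two lines shown above plus one constructed unrelated line.

```python
import re
from datetime import datetime

# Matches the status line shown above; "recieved" is the log's own spelling.
STATUS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ +\[(?P<thread>[^\]]+)\]"
    r".*DatadirectUIApi .*New status of dataconnect recieved : (?P<state>true|false)\s*$"
)

# First and last lines are the article's own; the middle line is constructed noise.
SAMPLE_LOG = """\
2025-02-17 07:54:19,571 INFO [admin-http-pool100][[]] admin.restui.features.mnt.DatadirectUIApi -:::::- New status of dataconnect recieved : false
2025-02-17 07:54:25,002 INFO [admin-http-pool7][[]] constructed.example.OtherComponent -:::::- unrelated message
2025-02-17 07:54:32,618 INFO [admin-http-pool34][[]] admin.restui.features.mnt.DatadirectUIApi -:::::- New status of dataconnect recieved : true
"""


def dataconnect_events(lines):
    """Extract (timestamp, thread, enabled) status events, oldest first."""
    events = []
    for line in lines:
        m = STATUS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append((ts, m["thread"], m["state"] == "true"))
    return sorted(events)


def state_changes(events, initial=None):
    """Keep only events that change the state; repeated values are dropped."""
    changes, current = [], initial
    for ts, thread, enabled in events:
        if enabled != current:
            changes.append((ts, thread, enabled))
            current = enabled
    return changes


if __name__ == "__main__":
    for ts, thread, enabled in state_changes(dataconnect_events(SAMPLE_LOG.splitlines())):
        # Enabling exposes the read-only database on TCP/2484, so flag it for review.
        flag = "REVIEW: Data Connect enabled" if enabled else "Data Connect disabled"
        print(ts.isoformat(timespec="milliseconds"), thread, flag)
```

Matching entries can then be compared with the Change Configuration Audit report for the same timestamps.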

 

Support Bundle

Database Connectivity and Queries Executed cannot be tracked from ISE Logs.

To track Top Queries from ISE, you need to generate a Support Bundle in MnT selecting Include Debug Logs:

Data Connect - Support Bundle.png

 

This Support Bundle contains AWR Reports, located at \support\logs\oracle\support_awr_addm_xxxx.txt, where you can check the Top Queries.

 

Scripts

News coming soon !!!

 

References

What's New in ISE 3.2 - Part 2 - Data Connect - YouTube

DevNet - Data Connect

Cisco ISE Administrator Guide, Release 3.2 - Data Connect

Cisco ISE Administrator Guide, Release 3.4 - Data Connect

How to Get Data Out of ISE - YouTube

Thomas Howard - ISE Python Scripts - ISEQL - GitHub

Configure ISE 3.2 Data Connect Integration with Splunk

Cisco Identity Service Engine (ISE) Big Encyclopedic Resources Guide (BERG) - Data Connect

 
