thomas
Cisco Employee
 

ISE Monitoring API Examples

 


Introduction

The ISE Monitoring REST API allows you to retrieve active and historic RADIUS session details from the ISE Monitoring (MNT) nodes in your deployment.
There are several things to understand about the ISE Monitoring APIs before trying to use them:

  • These APIs must be used against an ISE MNT node or service. They will not work on a dedicated PAN node!
  • These APIs are available with ISE versions < 3.0 using HTTPS on port 9443 (https://ise.example.com:9443/...).
    ISE versions 3.0+ may use the ISE API Gateway without needing to specify the port (https://ise.example.com/...).
  • The API REST endpoints - the URL path to the resource (/admin/API/mnt/Session/ActiveList) - are case-sensitive.
  • The only API response format is XML - JSON is not supported!
    Any conversion from XML to JSON or other format must be done by you.

 

MNT API Summary

The ISE Monitoring REST API supports both HTTP PUT and HTTP GET calls; however, this document will only use HTTPS GET calls. These APIs use path parameters in the URL, as noted by the {}'s below.

 

Session Counters

https://$ISE_PMNT/admin/API/mnt/Session/ActiveCount
https://$ISE_PMNT/admin/API/mnt/Session/PostureCount
https://$ISE_PMNT/admin/API/mnt/Session/ProfilerCount

 

Session Lists

https://$ISE_PMNT/admin/API/mnt/Session/ActiveList
https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{START_TIME}/{END_TIME}

 

Session Detail Queries

https://$ISE_PMNT/admin/API/mnt/Session/UserName/{USERNAME}
https://$ISE_PMNT/admin/API/mnt/Session/MACAddress/{MAC}
https://$ISE_PMNT/admin/API/mnt/Session/IPAddress/{NAD_IP}
https://$ISE_PMNT/admin/API/mnt/Session/EndPointIPAddress/{ENDPOINT_IP}
https://$ISE_PMNT/admin/API/mnt/Session/Active/SessionID/{Audit-Session-ID}/0

 

Change of Authorization (COA)

https://$ISE_PMNT/admin/API/mnt/Version
https://$ISE_PMNT/admin/API/mnt/FailureReasons
https://$ISE_PMNT/admin/API/mnt/AuthStatus/MACAddress/{MAC}/{SECONDS}/{RECORDS}/All
https://$ISE_PMNT/admin/API/mnt/AcctStatus/MACAddress/{MAC}/{SECONDS}
https://$ISE_PMNT/admin/API/mnt/CoA/Reauth/{PSN}/{MAC}/{reauth-type}/{NAD_IP}/{ENDPOINT_IP}
https://$ISE_PMNT/admin/API/mnt/CoA/Disconnect/{PSN_NAME}/{MAC}/{DISCONNECT}/{NAD_IP}/{ENDPOINT_IP}

 

Requirements

Enable the ISE REST APIs

The ISE REST APIs - also known as External RESTful Services (ERS) - are disabled by default for security. You must enable them:

  1. Login to your ISE PAN using the admin or other SuperAdmin user.
  2. Navigate to Administration > System > Settings and select API Settings from the left panel.
  3. Under the API Service Settings tab:
    1. Enable the ERS APIs (Read/Write)
    2. Enable the Open API (Read/Write)
    3. Do not Enable CSRF Check unless you know why and how to use the tokens.
  4. Select Save to save your changes.

 

API Role-Based Access Control (RBAC)

To use the ISE Monitoring APIs, the user must be a member of the ISE SuperAdmin or MnT Admin groups. For non-SuperAdmin users that want to use both ISE ERS and Monitoring APIs, they must be a member of both ERS Admin and MnT Admin groups.

 

cURL

The examples below utilize the command line utility cURL. This is because cURL is the most universal and flexible choice for quickly doing HTTP/S-based REST calls natively in Linux and macOS and may be easily added to Windows.

To quickly test if curl is working with your ISE MNT node, try the following :

curl --insecure \
--header 'Accept: application/xml' \
--user admin:C1sco12345 \
https://ise.example.com/admin/API/mnt/Version

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<product name="Cisco Identity Services Engine">
  <version>3.2.0.542</version>
  <type_of_node>0</type_of_node>
</product>

Frequently used command line options with curl:

cURL Option                      Description
-k, --insecure                   Accept insecure connections (curl skips TLS certificate verification). Useful if you are playing with a demo installation of ISE using a self-signed certificate.
-H, --header {header}            Header to include in the request. Use one per header.
-i, --include                    Include the HTTP result headers in the output.
-s, --silent                     Disable the progress bar output for clean output when piping the output to other utilities like xq.
-u, --user {username:password}   Specify the username & password to authenticate the API user.
-d, --data '{content}'           The data payload to send, as a string or file, typically with JSON or XML content.

 

xq (XML Query)

Most of the examples below will also utilize the command line utility xq to pretty-print the XML output of the Monitoring APIs. Without it, you will get a long, single line dump of unformatted and unhighlighted XML that is difficult to visually parse. We think you will like xq!

Pipe the output of curl into xq (" | xq"):

curl --insecure \
--header 'Accept: application/xml' \
--user admin:C1sco12345 \
https://ise.example.com/admin/API/mnt/Version | xq

Example output of the https://ise/admin/API/mnt/Session/ActiveList API without xq :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><activeList noOfActiveSession="1"><activeSession><user_name>thomas</user_name><calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id><nas_ip_address>10.80.60.150</nas_ip_address><acct_session_id>2F0B6ADDB4353BAE</acct_session_id><server>ise</server><framed_ip_address>10.251.204.55</framed_ip_address><framed_ipv6_address/></activeSession></activeList>

Example output of the https://ise/admin/API/mnt/Session/ActiveList API with xq :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="1">
<activeSession>
<user_name>thomas</user_name>
<calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
<nas_ip_address>10.80.60.150</nas_ip_address>
<acct_session_id>2F0B6ADDB4353BAE</acct_session_id>
<server>ise</server>
<framed_ip_address>10.251.204.55</framed_ip_address>
<framed_ipv6_address/>
</activeSession>
</activeList>
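
Since the Monitoring API only returns XML, here is one way to do the XML-to-JSON conversion for an ActiveList response. This is an added example, not code from the original page; the function names are illustrative and the second session in the sample is constructed.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the ActiveList response shown above plus a second,
# made-up session so the lookups have more than one record to work with.
SAMPLE_ACTIVE_LIST = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="2">
  <activeSession>
    <user_name>thomas</user_name>
    <calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
    <nas_ip_address>10.80.60.150</nas_ip_address>
    <acct_session_id>2F0B6ADDB4353BAE</acct_session_id>
    <server>ise</server>
    <framed_ip_address>10.251.204.55</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
  <activeSession>
    <user_name>example-user</user_name>
    <calling_station_id>00:00:5E:00:53:01</calling_station_id>
    <nas_ip_address>10.80.60.150</nas_ip_address>
    <acct_session_id>0000000000000001</acct_session_id>
    <server>ise</server>
    <framed_ip_address>10.251.204.56</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
</activeList>
"""


def parse_active_list(xml_bytes):
    """Turn an ActiveList document into a list of plain dicts."""
    if isinstance(xml_bytes, str):
        xml_bytes = xml_bytes.encode("utf-8")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        # For example an HTML login or error page came back instead of XML.
        raise ValueError(f"response is not well-formed XML: {exc}") from exc
    if root.tag != "activeList":
        raise ValueError(f"unexpected root element <{root.tag}>")

    sessions = []
    for node in root.findall("activeSession"):
        # Empty elements such as <framed_ipv6_address/> become None (JSON null).
        record = {child.tag: (child.text or "").strip() or None for child in node}
        sessions.append(record)

    # Cross-check the body against the count declared in the root element so a
    # truncated or partial response is not silently accepted.
    declared = root.get("noOfActiveSession")
    if declared is not None and int(declared) != len(sessions):
        raise ValueError(
            f"header declares {declared} sessions, body has {len(sessions)}"
        )
    return sessions


def index_by(sessions, field):
    """Group sessions by one field, e.g. framed_ip_address -> [sessions]."""
    index = {}
    for record in sessions:
        key = record.get(field)
        if key is not None:
            index.setdefault(key, []).append(record)
    return index


def to_json(sessions):
    """Serialize the parsed sessions as pretty-printed JSON."""
    return json.dumps(sessions, indent=2, sort_keys=True)


if __name__ == "__main__":
    active = parse_active_list(SAMPLE_ACTIVE_LIST)
    print(to_json(active))
    # Answer "who currently holds this IP address?"
    by_ip = index_by(active, "framed_ip_address")
    print([s["user_name"] for s in by_ip["10.251.204.55"]])
```

To use it with live data, feed it the output of the curl command instead of the sample, without piping through xq.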

 

Using Environment Variables

In the above example, we showed you the ISE admin username and password C1sco12345 in the clear on the command line. It is a bad security practice to do API work with your passwords to security applications like ISE exposed for anyone to see over your shoulder or in your command line history. For this reason, we will utilize environment variables in our command line work as a best practice with our ISE REST API usernames and passwords for all further examples.

The fastest way to use environment variables in your command line scripts is to create temporary environment variables using the export command (or set command on Windows) in your terminal:

export ISE_PPAN=ise-ppan.example.com    # large ISE deployments use the PAN node for ERS APIs
export ISE_PMNT=ise-pmnt.example.com    # large ISE deployments use the MNT node for MNT APIs
export ISE_REST_USERNAME=admin
export ISE_REST_PASSWORD=C1sco12345

You may also add the lines above to an ise-env.sh file in a .secrets folder in your home directory, readable only by your own user. Then, when you want to use them in your terminal session, run:

source ~/.secrets/ise-env.sh

You may view and verify your current environment variables using the following commands and access them in scripts or on the command line by prefixing them with a `$`:

env                            
printenv ISE_REST_PASSWORD
echo $ISE_REST_PASSWORD

The same example cURL command above using environment variables might look like this:

curl --insecure \
--header 'Accept: application/xml' \
--user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
--request GET https://$ISE_PMNT/admin/API/mnt/Version

If you want to verify your environment variable values, use the echo command to help you troubleshoot!

> echo https://$ISE_PMNT/admin/API/mnt/CoA/Disconnect/$PSN/$MAC/$DISCONNECT/$NAD_IP/$ENDPOINT_IP

https://ise.securitydemo.net/admin/API/mnt/CoA/Disconnect/ise/BA:4B:FB:77:B8:BF/0//10.251.204.55

 

Session Counter APIs

 

Active Sessions Counter

Use the ActiveCount API call to retrieve a count of all currently active sessions.

https://$ISE_PMNT/admin/API/mnt/Session/ActiveCount

Example:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD  \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveCount \
  | xq 

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionCount>
  <count>0</count>
</sessionCount>

 

Posture Sessions Counter

Use the PostureCount API call to retrieve a count of all currently active sessions using posture:

https://$ISE_PMNT/admin/API/mnt/Session/PostureCount

Example:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/Session/PostureCount \
  | xq 

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionCount>
  <count>0</count>
</sessionCount>

 

Profiler Sessions Counter

Use the ProfilerCount API call to retrieve a count of all currently active sessions using profiling:

https://$ISE_PMNT/admin/API/mnt/Session/ProfilerCount

Example:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/Session/ProfilerCount \
  | xq 

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionCount>
  <count>1</count>
</sessionCount>

 

Active Session Lists

Get a list of all active RADIUS sessions:

https://$ISE_PMNT/admin/API/mnt/Session/ActiveList

Example:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD  \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveList \
  | xq 

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="1">
  <activeSession>
    <user_name>thomas</user_name>
    <calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
    <nas_ip_address>10.80.60.150</nas_ip_address>
    <acct_session_id>351E07BC138D77F8</acct_session_id>
    <server>ise</server>
    <framed_ip_address>10.251.204.55</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
</activeList>

 

Authenticated Sessions List

Get a list of all authenticated sessions between start and end timestamps:

https://$ISE_PMNT/admin/API/mnt/Session/AuthList/{null|START_TIME}/{null|END_TIME}

  • null/endtime : Lists all active authenticated sessions before the specified end time
  • starttime/null : Lists all active authenticated sessions after the specified start time
  • starttime/endtime : Lists all active authenticated sessions between the specified start time and end time

where {START_TIME} and {END_TIME} have the format: YYYY-MM-DD hh:mm:ss.s

⚠ When putting the start/end times in a curl URL, you must replace the space between the date and time with a `%20` for URL encoding. For example, to see all authenticated sessions for January 1, 2024:
  https://ise.example.com/admin/API/mnt/Session/AuthList/2024-01-01%2000:00:00/2024-01-02%2000:00:00
Failure to do this will return an error: Error in generating active session list with time. Invalid end time format.

null/null Example:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/AuthList/null/null \
  | xq 

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="1">
  <activeSession>
    <user_name>thomas</user_name>
    <calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
    <nas_ip_address>10.80.60.150</nas_ip_address>
    <acct_session_id>351E07BC138D77F8</acct_session_id>
    <server>ise</server>
    <framed_ip_address>10.251.204.55</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
</activeList>

 

START_TIME and END_TIME Example:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/AuthList/2024-01-01%2000:00:00/2024-01-02%2000:00:00 \
  | xq 

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<activeList noOfActiveSession="1">
  <activeSession>
    <user_name>thomas</user_name>
    <calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
    <nas_ip_address>10.80.60.150</nas_ip_address>
    <acct_session_id>351E07BC138D77F8</acct_session_id>
    <server>ise</server>
    <framed_ip_address>10.251.204.55</framed_ip_address>
    <framed_ipv6_address/>
  </activeSession>
</activeList>
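
The AuthList time window is easy to get wrong by hand, so here is a small URL builder that validates the timestamps and applies the %20 encoding described above. This is an added example, not code from the original page; the function names are illustrative, and emitting whole seconds (as in the page's working URL) is an assumption.

```python
from datetime import date, datetime, timedelta
from urllib.parse import quote

# Accepted input layouts: the page documents "YYYY-MM-DD hh:mm:ss.s" and its
# working example URL uses whole seconds, so both are accepted here.
_INPUT_FORMATS = ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S")


def _to_datetime(value):
    """Accept a datetime or a string in one of the documented layouts."""
    if isinstance(value, datetime):
        return value
    for fmt in _INPUT_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"not a 'YYYY-MM-DD hh:mm:ss' timestamp: {value!r}")


def time_segment(value):
    """Return one AuthList path segment: 'null' or a URL-encoded timestamp."""
    if value is None:
        return "null"
    # Assumption: whole seconds are emitted, matching the page's example URL.
    stamp = _to_datetime(value).strftime("%Y-%m-%d %H:%M:%S")
    # Keep ':' literal and encode only the space, as in
    # 2024-01-01%2000:00:00. The default quote() would also encode the colons.
    return quote(stamp, safe=":")


def auth_list_url(host, start=None, end=None):
    """Build the AuthList URL for null/end, start/null, start/end or null/null."""
    if start is not None and end is not None:
        if _to_datetime(start) >= _to_datetime(end):
            raise ValueError("start time must be earlier than end time")
    return (
        f"https://{host}/admin/API/mnt/Session/AuthList/"
        f"{time_segment(start)}/{time_segment(end)}"
    )


def auth_list_url_for_day(host, day):
    """Window covering one calendar day, midnight to the following midnight."""
    start = datetime.combine(day, datetime.min.time())
    return auth_list_url(host, start, start + timedelta(days=1))


if __name__ == "__main__":
    print(auth_list_url("ise.example.com"))
    print(auth_list_url("ise.example.com", "2024-01-01 00:00:00", None))
    print(auth_list_url_for_day("ise.example.com", date(2024, 1, 1)))
```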

 

Last Session by Attributes

The following detailed session attribute API calls let you quickly search the last session using these key attributes :

  • User name session search (UserName)
  • MAC address session search (MACAddress)
  • NAS IP address session search (IPAddress associated with a target Monitoring ISE node)
  • Endpoint IP address session search (EndPointIPAddress)
  • Audit session ID search (SessionID)

These APIs all return many attributes:

  • passed or failed : Authentication status results: Passed|Failed
  • user_name : User name
  • nas_ip_address : IP address/hostname for the network access device
  • calling_station_id : endpoint MAC address
  • acs_timestamp : Time stamp that is associated with the Cisco ISE authentication request
  • execution_steps : List of message codes for each diagnostic message logged while processing the request
  • message_code : Identifier of the audit message that defines the processed request result
  • orig_calling_station_id : endpoint MAC address
  • cpmsession_id : ID of the authentication session
  • destination_ip_address : IP address of the ISE server
  • device_ip_address : IP Address of the network access device
  • identity_group : A logical group consisting of related users and hosts
  • network_device_name : name of the network access device as defined in ISE
  • acs_server : Name of the Cisco ISE appliance
  • authentication_method : Identifies the method used in authentication
  • authentication_protocol : the authentication protocol used for authentication request
  • framed_ip_address : the configured IP Address of the endpoint
  • auth_acs_timestamp : the time of authentication
  • execution_steps : the execution step numbers within ISE for troubleshooting
  • response : ???
  • posture_status : ???
  • selected_azn_profiles : Identifies the profile used in authorization
  • service_type : Indicates a framed user
  • message_code : the resulting ISE message code of the authentication request
  • auth_acsview_timestamp : the time of authentication
  • auth_id : ???
  • identity_store : the external identity store used for authentication
  • location : the network access device group (NDG) location as defined in ISE
  • device_type : the network access device group (NDG) device-type as defined in ISE
  • response_time : the time to complete the authentication & authorization request in ISE
  • other_attr_string : a list of other attributes included in the request
  • acct_id : ???
  • acct_acs_timestamp : the time of accounting start
  • acct_acsview_timestamp : the time of accounting start
  • acct_session_id : ID of the accounting session
  • acct_status_type : the accounting message type (start/stop)
  • acct_input_octets : current count of octets passed by the endpoint
  • acct_output_octets : current count of octets passed by the endpoint
  • acct_input_packets : current count of packets passed by the endpoint
  • acct_output_packets : current count of packets passed by the endpoint
  • acct_authentic : protocol used to authenticate (RADIUS)?
  • acct_delay_time : ???
  • event_timestamp : ???
  • started : true or false
  • stopped : true or false
  • endpoint_policy : ???

 

MAC Address Session Search

Get the active RADIUS session for the specified MAC address :

https://$ISE_PMNT/admin/API/mnt/Session/MACAddress/{MAC}

Must use the MAC address format XX:XX:XX:XX:XX:XX

Example:

export MAC=BA:4B:FB:77:B8:BF

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/Session/MACAddress/$MAC \
  | xq

 

User Name Session Search

Get a list of all active RADIUS sessions for the specified username:

https://$ISE_PMNT/admin/API/mnt/Session/UserName/{USERNAME}

Example:

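# USERNAME is a special parameter in zsh (assigning it tries to switch user),
# so a different variable name is used here
export SESSION_USER=thomas

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/Session/UserName/$SESSION_USER \
  | xq 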

Example response for a session:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionParameters>
<passed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</passed>
<failed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</failed>
<user_name>thomas</user_name>
<nas_ip_address>10.80.60.150</nas_ip_address>
<calling_station_id>76:58:CE:FE:BF:4C</calling_station_id>
<orig_calling_station_id>76-58-CE-FE-BF-4C</orig_calling_station_id>
<cpmsession_id>c612851bIm5XhlVNlrvxYbo81pl4hrYvBBN6sHQvTW5wiN9RG5s</cpmsession_id>
<destination_ip_address>198.18.133.27</destination_ip_address>
<device_ip_address>10.80.60.150</device_ip_address>
<identity_group>User Identity Groups:Employee,Unknown</identity_group>
<network_device_name>lab-mr46-1</network_device_name>
<acs_server>ISE</acs_server>
<authentication_method>dot1x</authentication_method>
<authentication_protocol>PEAP (EAP-MSCHAPv2)</authentication_protocol>
<framed_ip_address>10.138.142.152</framed_ip_address>
<auth_acs_timestamp>2023-11-01T16:41:47.714Z</auth_acs_timestamp>
<execution_steps>11001,11017,11117,15049,15008,11507,12500,11006,11001,11018,12301,12300,11006,11001,11018,12302,61025,12319,12800,12805,12806,12807,12808,12810,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12305,11006,11001,11018,12304,12319,12810,12812,12803,12804,12801,12802,12816,12310,12305,11006,11001,11018,12304,12313,11521,12305,11006,11001,11018,12304,11522,11806,12305,11006,11001,11018,12304,11808,15041,15048,22072,15013,24210,24212,22037,11824,12305,11006,11001,11018,12304,11810,11814,11519,12314,12305,11006,11001,11018,12304,24715,15036,24209,24211,15048,15048,15048,15016,22081,22080,12306,61026,11503,11002</execution_steps>
<response>{Class=CACS:c612851bIm5XhlVNlrvxYbo81pl4hrYvBBN6sHQvTW5wiN9RG5s:ISE/488071013/48; MS-MPPE-Send-Key=****; MS-MPPE-Recv-Key=****; LicenseTypes=1; }</response>
<posture_status/>
<selected_azn_profiles>PermitAccess</selected_azn_profiles>
<service_type>Framed</service_type>
<message_code>5200</message_code>
<auth_acsview_timestamp>2023-11-01T16:41:47.714Z</auth_acsview_timestamp>
<auth_id>1698696460153375</auth_id>
<identity_store>Internal Users</identity_store>
<location>All Locations</location>
<device_type>All Device Types</device_type>
<response_time>87</response_time>
<other_attr_string>:!:ConfigVersionId=74:!:DestinationPort=1812:!:Protocol=Radius:!:NAS-Port=1:!:Framed-MTU=1400:!:State=64CPMSessionID=c612851bIm5XhlVNlrvxYbo81pl4hrYvBBN6sHQvTW5wiN9RG5s;26SessionID=ISE/488071013/48;:!:Acct-Session-Id=8894534E474CEFFF:!:Connect-Info=CONNECT 54.00 Mbps / 802.11ax / RSSI: 54 / Channel: 36:!:undefined-186=00:0f:ac:04:!:undefined-187=00:0f:ac:04:!:undefined-188=00:0f:ac:01:!:NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c:!:IsThirdPartyDeviceFlow=false:!:AcsSessionID=ISE/488071013/48:!:SelectedAuthenticationIdentityStores=Internal Users:!:SelectedAuthenticationIdentityStores=All_AD_Join_Points:!:SelectedAuthenticationIdentityStores=Guest Users:!:AuthenticationStatus=AuthenticationPassed:!:IdentityPolicyMatchedRule=Dot1X:!:AuthorizationPolicyMatchedRule=Basic_Authenticated_Access:!:EndPointMACAddress=76-58-CE-FE-BF-4C:!:ISEPolicySetName=Default:!:IdentitySelectionMatchedRule=Dot1X:!:StepLatency=1=0;2=1;3=0;4=0;5=8;6=0;7=1;8=50;9=0;10=1;11=0;12=0;13=37;14=0;15=0;16=0;17=1;18=0;19=0;20=0;21=0;22=10;23=0;24=0;25=1;26=29;27=0;28=1;29=0;30=0;31=24;32=0;33=1;34=0;35=0;36=32;37=0;38=1;39=0;40=0;41=31;42=0;43=0;44=0;45=0;46=29;47=0;48=0;49=0;50=0;51=3016;52=0;53=0;54=0;55=0;56=5;57=0;58=0;59=0;60=0;61=0;62=0;63=0;64=0;65=25;66=0;67=0;68=1;69=0;70=0;71=0;72=27;73=0;74=1;75=0;76=0;77=0;78=0;79=28;80=0;81=1;82=0;83=0;84=4;85=6;86=0;87=0;88=9;89=0;90=0;91=0;92=0;93=25;94=0;95=0;96=0;97=0;98=0;99=1;100=0;101=0;102=28;103=0;104=0;105=0;106=1;107=0;108=3;109=9;110=10;111=1;112=3;113=1;114=0;115=0;116=0;117=0;118=2:!:TotalAuthenLatency=3465:!:ClientLatency=3378:!:TLSCipher=ECDHE-RSA-AES256-GCM-SHA384:!:TLSVersion=TLSv1.2:!:DTLSSupport=Unknown:!:HostIdentityGroup=Endpoint Identity Groups:Unknown:!:Network Device Profile=Cisco:!:Location=Location#All Locations:!:Device Type=Device Type#All Device Types:!:IPSEC=IPSEC#Is IPSEC Device#No:!:Name=User Identity Groups:Employee:!:Name=Endpoint Identity 
Groups:Unknown:!:EnableFlag=Enabled:!:StepData="84= Normalised Radius.RadiusFlowType","85=All_User_ID_Stores","86=Internal Users","109= Radius.NAS-Port-Type","110= EndPoints.LogicalProfile","111= Network Access.AuthenticationStatus"=StepData:!:RADIUS Username=thomas:!:NAS-Identifier=2C-3F-0B-56-E3-6C:vap0:!:Device IP Address=10.80.60.150:!:CPMSessionID=c612851bIm5XhlVNlrvxYbo81pl4hrYvBBN6sHQvTW5wiN9RG5s:!:Called-Station-ID=2C-3F-0B-56-E3-6C:.corp:!:CiscoAVPair=AuthenticationIdentityStore=Internal Users,FQSubjectName=9273fe30-8c01-11e6-996c-525400b48521#thomas,UniqueSubjectID=01a78479d83d16a34091e1d792dc0f2e66fb6a65</other_attr_string>
<acct_id>1698696460153376</acct_id>
<acct_acs_timestamp>2023-11-01T16:41:47.752Z</acct_acs_timestamp>
<acct_acsview_timestamp>2023-11-01T16:41:47.752Z</acct_acsview_timestamp>
<acct_session_id>8894534E474CEFFF</acct_session_id>
<acct_status_type>Start</acct_status_type>
<acct_input_octets>0</acct_input_octets>
<acct_output_octets>0</acct_output_octets>
<acct_input_packets>0</acct_input_packets>
<acct_output_packets>0</acct_output_packets>
<acct_authentic>RADIUS</acct_authentic>
<acct_delay_time>0</acct_delay_time>
<event_timestamp>1698856907</event_timestamp>
<started xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</started>
<stopped xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">false</stopped>
<endpoint_policy>Unknown</endpoint_policy>
</sessionParameters>
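
Most of the detail in this response is packed into other_attr_string as ":!:"-separated Key=Value items, so here is a parser for that field that pulls out the policy and TLS details. This is an added example, not code from the original page; the function names are illustrative, the sample is a shortened, constructed copy of the response above, and it assumes other TLS versions are reported in the same "TLSv<major>.<minor>" form.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a shortened copy of the sessionParameters response above
# (the CPM session id inside State is abbreviated).
SAMPLE_SESSION = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sessionParameters>
<passed xsi:type="xs:boolean" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">true</passed>
<user_name>thomas</user_name>
<calling_station_id>76:58:CE:FE:BF:4C</calling_station_id>
<other_attr_string>:!:ConfigVersionId=74:!:DestinationPort=1812:!:Protocol=Radius:!:State=64CPMSessionID=c612851b;26SessionID=ISE/488071013/48;:!:undefined-186=00:0f:ac:04:!:SelectedAuthenticationIdentityStores=Internal Users:!:SelectedAuthenticationIdentityStores=All_AD_Join_Points:!:SelectedAuthenticationIdentityStores=Guest Users:!:AuthenticationStatus=AuthenticationPassed:!:AuthorizationPolicyMatchedRule=Basic_Authenticated_Access:!:ISEPolicySetName=Default:!:TLSCipher=ECDHE-RSA-AES256-GCM-SHA384:!:TLSVersion=TLSv1.2:!:RADIUS Username=thomas</other_attr_string>
</sessionParameters>
"""


def parse_other_attrs(text):
    """Split other_attr_string into {key: [values]}.

    Keys repeat (SelectedAuthenticationIdentityStores appears three times) and
    values contain '=' and ':' themselves, so every key maps to a list and each
    item is split on its first '=' only.
    """
    attrs = {}
    for item in (text or "").split(":!:"):
        if not item.strip():
            continue  # the string starts with the delimiter
        key, sep, value = item.partition("=")
        if not sep:
            key, value = item, ""  # bare token without a value
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def first(attrs, key):
    """First value recorded for a key, or None when the key is absent."""
    values = attrs.get(key)
    return values[0] if values else None


def tls_is_legacy(version, minimum=(1, 2)):
    """True if 'TLSv<major>[.<minor>]' is below minimum; None if unparseable."""
    match = re.fullmatch(r"TLSv(\d+)(?:\.(\d+))?", version or "")
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2) or 0)) < minimum


def session_summary(xml_bytes):
    """Reduce one sessionParameters document to the fields worth alerting on."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "sessionParameters":
        raise ValueError(f"unexpected root element <{root.tag}>")
    attrs = parse_other_attrs(root.findtext("other_attr_string"))
    tls_version = first(attrs, "TLSVersion")
    return {
        "user_name": root.findtext("user_name"),
        "calling_station_id": root.findtext("calling_station_id"),
        "passed": root.findtext("passed") == "true",
        "policy_set": first(attrs, "ISEPolicySetName"),
        "authz_rule": first(attrs, "AuthorizationPolicyMatchedRule"),
        "identity_stores": attrs.get("SelectedAuthenticationIdentityStores", []),
        "tls_version": tls_version,
        "tls_cipher": first(attrs, "TLSCipher"),
        "tls_legacy": tls_is_legacy(tls_version),
    }


if __name__ == "__main__":
    for field, value in session_summary(SAMPLE_SESSION).items():
        print(f"{field}: {value}")
```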

 

The Cisco ISE Monitoring REST API doesn’t work when the username contains a domain. The workaround is to change the API method from GET to POST. For example:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request POST https://ise31.securitydemo.net/admin/API/mnt/Session/UserName \
  --data 'employee@example.com'

 

NAS IP Address Session Search

Get a list of all active RADIUS sessions for the specified network access device (NAD) NAS IP address:

https://$ISE_PMNT/admin/API/mnt/Session/IPAddress/{NAD_IP}

IPv4 (n.n.n.n) or IPv6 (xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx) address is allowed.

Example:

export NAD_IP=10.80.60.151  # IPv4 or IPv6 address

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/Session/IPAddress/$NAD_IP \
  | xq 

 

Endpoint IP Address Session Search

Get the active RADIUS session for the specified endpoint IP address:

https://$ISE_PMNT/ise/mnt/api/Session/EndPointIPAddress/{ENDPOINT_IP}

Example:

export ENDPOINT_IP=10.251.204.55

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/ise/mnt/api/Session/EndPointIPAddress/$ENDPOINT_IP \
  | xq 

 

Audit Session ID Search

Get the active RADIUS session with the specified audit-session-id:

https://$ISE_PMNT/admin/API/mnt/Session/Active/SessionID/{AUDIT_SID}/0

⚠ Not all sessions may have an Audit Session ID. The Account Session ID is not the Audit Session ID.

Example:

export AUDIT_SID=

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/Session/Active/SessionID/$AUDIT_SID/0 \
  | xq 

 

Delete Stale Sessions

Delete a stale session by MAC address :

https://$ISE_PMNT/admin/API/mnt/Session/Delete/MACAddress/{MAC}

Example:

export MAC=BA:4B:FB:77:B8:BF

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request DELETE https://$ISE_PMNT/admin/API/mnt/Session/Delete/MACAddress/$MAC \
  | xq 

Delete a stale session by Session ID:

export SID=351E07BC138D77F8

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request DELETE https://$ISE_PMNT/admin/API/mnt/Session/Delete/SessionID/$SID \
  | xq 

To delete all sessions on the Monitoring node, issue the following API call on the command line:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request DELETE https://$ISE_PMNT/admin/API/mnt/Session/Delete/All \
  | xq 

Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<mnt-rest-result>
  <http-code>200</http-code>
  <cpm-code>52092</cpm-code>
  <description>The software update was completed successfully</description>
  <module-name>MnT</module-name>
  <internal-error-info/>
  <requested-operation>Not Available</requested-operation>
  <resource-id>0</resource-id>
  <resource-name>MNT_RAD_SESS</resource-name>
  <status>SUCCESSFUL</status>
</mnt-rest-result>

 

API Calls for Troubleshooting

 

Node Version and Type

https://$ISE_PMNT/admin/API/mnt/Version

Example:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/Version \
  | xq 

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<product name="Cisco Identity Services Engine">
  <version>3.2.0.542</version>
  <type_of_node>0</type_of_node>
</product>

 

Failure Reasons API Call

https://$ISE_PMNT/admin/API/mnt/FailureReasons

Example :

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  --request GET https://$ISE_PMNT/admin/API/mnt/FailureReasons \
  | xq 

Response :

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<failureReasonList>
  <failureReason id="100001">
    <code>100001 AUTHMGR-5-FAIL Authorization failed for client</code>
    <cause>This may or may not be indicating a violation</cause>
    <resolution>Please review and resolve according to your organization's policy</resolution>
  </failureReason>
  <failureReason id="100002">
    <code>100002 AUTHMGR-5-SECURITY_VIOLATION Security violation on the interface</code>
    <cause>This may or may not be indicating a violation</cause>
    <resolution>Please review and resolve according to your organization's policy</resolution>
  </failureReason>
  <failureReason id="100003">
    <code>100003 AUTHMGR-5-UNAUTHORIZED Interface unauthorized</code>
    <cause>This may or may not be indicating a violation</cause>
    <resolution>Please review and resolve according to your organization's policy</resolution>
  </failureReason>

  ...

 

Authentication Status

The AuthStatus API takes this simple form with several required variables :

https://$ISE_PMNT/admin/API/mnt/AuthStatus/MACAddress/{MAC}/{SECONDS}/{RECORDS}/All

You may want to pre-define some additional environment variables to

export HOURS_1=3600
export HOURS_8=28800
export HOURS_24=86400
export DAYS_1=86400
export DAYS_7=604800
export WEEK_1=604800

Provide the last 10 authentications for MAC BA:4B:FB:77:B8:BF in the last 24 hours :

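export MAC=BA:4B:FB:77:B8:BF
# Not named SECONDS: bash and zsh treat SECONDS as a self-incrementing timer,
# so the value would drift between the export and the curl call
export DURATION=$DAYS_1
export RECORDS=3

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/AuthStatus/MACAddress/$MAC/$DURATION/$RECORDS/All \
  | xq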

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<authStatusOutputList>
  <authStatusList key="BA:4B:FB:77:B8:BF">
    <authStatusElements>
    ...

 

Accounting Status

https://$ISE_PMNT/admin/API/mnt/AcctStatus/MACAddress/{MAC}/{SECONDS}
  • calling_station_id : MAC address of the client
  • paks_in : Packets received count total
  • paks_out : Packets transmitted count total
  • bytes_in : Bytes received count total
  • bytes_out : Bytes transmitted count total
  • session_time : Duration of current sessions before expiration
  • server : the ISE Policy Service Node (PSN) that handled the endpoint

⚠ Configurable values range from 1-432000 seconds (5 days). Specifying 0 seconds uses a default duration of 15 minutes (900 seconds).

Provide the accounting details for endpoint BA:4B:FB:77:B8:BF from the last 24 hours :

export MAC=BA:4B:FB:77:B8:BF
# Not named SECONDS: bash and zsh treat SECONDS as a self-incrementing timer
export DURATION=$DAYS_1
export RECORDS=3

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/AcctStatus/MACAddress/$MAC/$DURATION \
  | xq

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<acctStatusOutputList>
  <acctStatusList macAddress="BA:4B:FB:77:B8:BF">
    <acctStatusElements>
      <calling_station_id>BA:4B:FB:77:B8:BF</calling_station_id>
      <paks_in>2332</paks_in>
      <paks_out>2510</paks_out>
      <bytes_in>333013</bytes_in>
      <bytes_out>828021</bytes_out>
      <session_time>7200</session_time>
      <server>ise</server>
    </acctStatusElements>
  </acctStatusList>
</acctStatusOutputList>

 

CoA Session Management

CoA session management API calls allow you to send reauthentication and disconnect commands to a specified session on a target Cisco Monitoring ISE node in your Cisco ISE deployment.

 

Session Reauthentication

  • Session reauthentication (Reauth)
  • Session disconnection (Disconnect)

The Session Reauthentication API call supports the following reauthentication types:

  • REAUTH_TYPE_DEFAULT = 0
  • REAUTH_TYPE_LAST = 1
  • REAUTH_TYPE_RERUN = 2

https://$ISE_PMNT/admin/API/mnt/CoA/Reauth/{PSN_NAME}/{MAC}/{REAUTH_TYPE}

Example:

export COA_REAUTH_TYPE_DEFAULT=0
export COA_REAUTH_TYPE_LAST=1
export COA_REAUTH_TYPE_RERUN=2

export MAC=BA:4B:FB:77:B8:BF
export PSN_NAME=ise

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/CoA/Reauth/$PSN_NAME/$MAC/$COA_REAUTH_TYPE_DEFAULT \
  | xq

True indicates that the command was successfully executed. False means that the command was not executed (due to a variety of conditions).

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<remoteCoA requestType="reauth">
<results>true</results>
</remoteCoA>

 

Session Disconnect

https://$ISE_PMNT/admin/API/mnt/CoA/Disconnect/{PSN_NAME}/{MAC}/{DISCONNECT}/{NAD_IP}/{ENDPOINT_IP}

The Session Disconnect API call uses the following disconnect port options:

  • DYNAMIC_AUTHZ_PORT_DEFAULT = 0
  • DYNAMIC_AUTHZ_PORT_BOUNCE = 1
  • DYNAMIC_AUTHZ_PORT_SHUTDOWN = 2

Verify any Active Sessions:

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml' \
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD  \
  --request GET https://$ISE_PMNT/admin/API/mnt/Session/ActiveList \
  | xq 

export DYNAMIC_AUTHZ_PORT_DEFAULT=0
export DYNAMIC_AUTHZ_PORT_BOUNCE=1
export DYNAMIC_AUTHZ_PORT_SHUTDOWN=2

export DISCONNECT=$DYNAMIC_AUTHZ_PORT_DEFAULT
export ENDPOINT_IP=10.251.204.55
export NAD_IP=10.80.60.150
export PSN_NAME=ise

curl  --silent  --insecure  --location \
  --header 'Accept: application/xml'\
  --user $ISE_REST_USERNAME:$ISE_REST_PASSWORD \
  https://$ISE_PMNT/admin/API/mnt/CoA/Disconnect/$PSN_NAME/$MAC/$DISCONNECT/$NAD_IP/$ENDPOINT_IP \
  | xq

Response:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<remoteCoA requestType="disconnect">
<results>true</results>
</remoteCoA>
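
Because a CoA call acts on a live session, it is worth validating every path parameter before the request is sent and checking the result explicitly afterwards. The sketch below does both for the Reauth and Disconnect calls; it is an added example, not code from the original page, the function and class names are illustrative, and the PSN name pattern is an assumption.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from enum import IntEnum


class ReauthType(IntEnum):
    DEFAULT = 0
    LAST = 1
    RERUN = 2


class DisconnectPort(IntEnum):
    DEFAULT = 0
    BOUNCE = 1
    SHUTDOWN = 2


# The remoteCoA disconnect response shown above, on one line.
SAMPLE_DISCONNECT = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<remoteCoA requestType="disconnect"><results>true</results></remoteCoA>'
)


def normalize_mac(mac):
    """Return XX:XX:XX:XX:XX:XX from colon, dash, dot or bare hex input."""
    digits = re.sub(r"[:.\-]", "", mac or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _node_name(name):
    # Assumption: PSN names are plain host names (letters, digits, '.', '-').
    if not re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", name or ""):
        raise ValueError(f"PSN name is missing or malformed: {name!r}")
    return name


def _ip(value, label):
    # An unset shell variable leaves an empty path segment ("//") in the URL;
    # here an empty or malformed address is rejected before any request.
    try:
        return str(ipaddress.ip_address(value))
    except ValueError as exc:
        raise ValueError(f"{label} is missing or not an IP address: {value!r}") from exc


def reauth_url(host, psn, mac, reauth_type=ReauthType.DEFAULT):
    """Build the CoA Reauth URL; ReauthType() rejects values other than 0-2."""
    return (
        f"https://{host}/admin/API/mnt/CoA/Reauth/"
        f"{_node_name(psn)}/{normalize_mac(mac)}/{int(ReauthType(reauth_type))}"
    )


def disconnect_url(host, psn, mac, port, nad_ip, endpoint_ip):
    """Build the CoA Disconnect URL from validated parameters."""
    return (
        f"https://{host}/admin/API/mnt/CoA/Disconnect/"
        f"{_node_name(psn)}/{normalize_mac(mac)}/{int(DisconnectPort(port))}/"
        f"{_ip(nad_ip, 'NAD_IP')}/{_ip(endpoint_ip, 'ENDPOINT_IP')}"
    )


def coa_result(xml_bytes):
    """Return (request_type, succeeded) from a remoteCoA response."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "remoteCoA":
        raise ValueError(f"unexpected root element <{root.tag}>")
    succeeded = (root.findtext("results") or "").strip() == "true"
    return root.get("requestType"), succeeded


if __name__ == "__main__":
    print(disconnect_url("ise.example.com", "ise", "ba-4b-fb-77-b8-bf",
                         DisconnectPort.DEFAULT, "10.80.60.150", "10.251.204.55"))
    print(coa_result(SAMPLE_DISCONNECT))
```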

 

 

 
