Using the Session Counter API Calls
The following session counter API calls let you quickly gather a current count of session-related information on a target Cisco Monitoring ISE node in your Cisco ISE deployment:
-
Active sessions (ActiveCount)
-
Posture sessions (PostureCount)
-
Profiler sessions (ProfilerCount)
Active Sessions Counter
You can use the ActiveCount API call to retrieve a count of all currently active sessions. This section provides a schema file output example, a procedure for counting all active sessions by invoking the ActiveCount API call, and a sample of the active sessions data returned after this API call is issued.
ActiveCount API Output Schema
This sample schema file is the output of the ActiveCount API call for retrieving a count of the active sessions on the target Monitoring persona of an ISE node:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="sessionCount" type="activeCount"/> <xs:complexType name="activeCount"> <xs:element name="count" type="xs:int"/>
Invoking the ActiveCount API Call
Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.
To issue the ActiveCount API call, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node.
For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
Step 2 Enter the ActiveCount API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/ise/mnt/api/<specific-api-call>):
https://acme123/ise/mnt/api/Session/ActiveCount
Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of “mnt” in the API call convention represents the target Cisco Monitoring ISE node.
Step 3 Press
Enter
to issue the API call.
Sample Data Returned from the ActiveCount API Call
The following example illustrates the data returned (number of active sessions) when you invoke an ActiveCount API call on a target Cisco Monitoring ISE node:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
Posture Sessions Counter
You can use the PostureCount API call to retrieve a current count of all currently active Posture sessions. This section provides a schema file output example, a procedure for counting all currently active Posture sessions by invoking the PostureCount API call, and a sample of the Posture sessions data returned after this API call is issued.
PostureCount API Output Schema
This sample schema file is the output of the PostureCount API call for retrieving a count of the current active Posture sessions on the target Cisco Monitoring ISE node:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="sessionCount" type="postureCount"/> <xs:complexType name="postureCount"> <xs:element name="count" type="xs:int"/>
Invoking the PostureCount API Call
Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.
To issue the PostureCount API call, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node.
For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
Step 2 Enter the PostureCount API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/ise/mnt/api/Session/<specific-api-call>):
https://acme123/ise/mnt/api/Session/PostureCount
Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of “mnt” in the API call convention represents the target Cisco Monitoring ISE node.
Step 3 Press
Enter
to issue the API call.
Sample Data Returned from the PostureCount API Call
The following example illustrates the data returned (number of current active Posture sessions) when you invoke a PostureCount API call on a target Cisco Monitoring ISE node:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
Profiler Sessions Counter
You can use the ProfilerCount API call to retrieve a count of all currently active Profiler sessions. This section provides a schema file output example, a procedure for counting all currently active Profiler sessions by invoking the ProfilerCount API call, and a sample of the Profiler sessions data returned after this API call is issued.
ProfilerCount API Output Schema
This sample schema file is the output of the ProfilerCount API call for retrieving a count of the current active Profiler sessions on the target Cisco Monitoring ISE node:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="sessionCount" type="profilerCount"/> <xs:complexType name="profilerCount"> <xs:element name="count" type="xs:int"/>
Invoking the ProfilerCount API Call
Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.
To issue the ProfilerCount API call, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node.
For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
Step 2 Enter the ProfilerCount API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/ise/mnt/api/Session/<specific-api-call>):
https://acme123/ise/mnt/api/Session/ProfilerCount
Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of “mnt” in the API call convention represents a Cisco Monitoring ISE node.
Step 3 Press
Enter
to issue the API call.
Sample Data Returned from the ProfilerCount API Call
The following example illustrates the data returned (number of active Profiler sessions) when you invoke a ProfilerCount API call on a target Cisco Monitoring ISE node:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
Using the Simple Session List API Calls
The following simple session list API calls let you quickly gather session-related information such as the MAC address, the network access switch (NAS) IP address, user name, and session ID associated with a current active session on a target Cisco Monitoring ISE node in your Cisco ISE deployment:
-
Active sessions list (ActiveList)
-
Authenticated sessions list (AuthList)
Active Sessions List
You can use the ActiveList API call to list all currently active sessions. This section provides a schema file output example, a procedure for listing all the active sessions by invoking the ActiveList API call, and a sample of the active session-related data returned after this API call is issued.
Note In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.
ActiveList API Output Schema
This sample schema file is the output of the ActiveList API call for retrieving a list of the current active sessions (and session-related information) on the target Cisco Monitoring ISE node:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="activeSessionList" type="simpleActiveSessionList"/> <xs:complexType name="simpleActiveSessionList"> <xs:element name="activeSession" type="simpleActiveSession" minOccurs="0" maxOccurs="unbounded"/> <xs:attribute name="noOfActiveSession" type="xs:int" use="required"/> <xs:complexType name="simpleActiveSession"> <xs:element name="user_name" type="xs:string" minOccurs="0"/> <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/> <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/> <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/> <xs:element name="server" type="xs:string" minOccurs="0"/>
Invoking the ActiveList API Call
Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.
To issue the ActiveList API call, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node.
For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
Step 2 Enter the ActiveList API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/ise/mnt/api/Session/<specific-api-call>):
https://acme123/ise/mnt/api/Session/ActiveList
Note You must carefully enter each API call in the URL Address field of a target node, because these calls are case-sensitive. The use of “mnt” in the API call convention represents a Cisco Monitoring ISE node.
Step 3 Press
Enter
to issue the API call.
Sample Data Returned from the ActiveList API Call
The following example illustrates the session-related data returned from the list of active sessions when you invoke an ActiveList API call on a target Cisco Monitoring ISE node:
This XML file does not appear to have any style information associated with it. The document tree is shown below. <activeSessionList noOfActiveSession="5"> <calling_station_id>00:0C:29:FA:EF:0A</calling_station_id> <server>HAREESH-R6-1-PDP2</server> <calling_station_id>70:5A:B6:68:F7:CC</calling_station_id> <server>HAREESH-R6-1-PDP2</server> <user_name>tom_wolfe</user_name> <calling_station_id>00:14:BF:5A:0C:03</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000032</acct_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>graham_hancock</user_name> <calling_station_id>00:50:56:8E:28:BD</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>0000002C</acct_session_id> <audit_session_id>0ACB6BA10000002A165FD0C8</audit_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>ipepvpnuser</user_name> <calling_station_id>172.23.130.89</calling_station_id> <nas_ip_address>10.203.107.45</nas_ip_address> <acct_session_id>A2000070</acct_session_id> <server>HAREESH-R6-1-PDP2</server>
Authenticated Sessions List
You can use the AuthList API call to retrieve a list of all currently active authenticated sessions. This section provides a schema file output example, a procedure for listing all of the currently active authenticated sessions by invoking the AuthList API call, and a sample of the active authenticated sessions that are returned after this API call is issued.
Note In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.
AuthList API Output Schema
This sample schema file is the output of the AuthList API call for retrieving a list of all currently active authenticated sessions within a specified period of time (or for no specified time using the “null/null” parameter) on the target Cisco Monitoring ISE node:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="activeSessionList" type="simpleActiveSessionList"/> <xs:complexType name="simpleActiveSessionList"> <xs:element name="activeSession" type="simpleActiveSession" minOccurs="0" maxOccurs="unbounded"/> <xs:attribute name="noOfActiveSession" type="xs:int" use="required"/> <xs:complexType name="simpleActiveSession"> <xs:element name="user_name" type="xs:string" minOccurs="0"/> <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/> <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/> <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/> <xs:element name="server" type="xs:string" minOccurs="0"/>
Invoking the AuthList API Call
Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.
To issue the AuthList API call, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node.
For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
Step 2 Enter the AuthList API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/ise/mnt/api/Session/<specific-api-call>):
Note The first of the following two examples uses a defined starttime and null parameter, which displays a list of the currently active sessions that were authenticated after the specified start time. The second example uses the null/null parameter that displays a list of all currently active authenticated sessions. See Sample Data Returned from the AuthList API Call, which displays samples of the four parameter setting types for this API call.
https://acme123/ise/mnt/api/Session/AuthList/2010-12-14 15:33:15/null
https://acme123/ise/mnt/api/Session/AuthList/null/null
Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of “mnt” in the API call convention represents a Cisco Monitoring ISE node.
Step 3 Press
Enter
to issue the API call.
Sample Data Returned from the AuthList API Call
The following examples illustrate the list of currently active authenticated sessions that is returned when you invoke an AuthList API call on a target Cisco Monitoring ISE node using one of the supported parameter options.
Using the null/null Option
This XML file does not appear to have any style information associated with it. The document tree is shown below. <activeSessionList noOfActiveSession="3"> <user_name>ipepwlcuser</user_name> <calling_station_id>00:26:82:7B:D2:51</calling_station_id> <nas_ip_address>10.203.107.10</nas_ip_address> <audit_session_id>0acb6b0c000000174D07F487</audit_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>tom_wolfe</user_name> <calling_station_id>00:50:56:8E:28:BD</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000035</acct_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>graham_hancock</user_name> <calling_station_id>00:14:BF:5A:0C:03</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000033</acct_session_id> <server>HAREESH-R6-1-PDP2</server>
Using the endtime/null Option
This XML file does not appear to have any style information associated with it. The document tree is shown below. <activeSessionList noOfActiveSession="3"> <user_name>ipepwlcuser</user_name> <calling_station_id>00:26:82:7B:D2:51</calling_station_id> <nas_ip_address>10.203.107.10</nas_ip_address> <audit_session_id>0acb6b0c0000001F4D08085A</audit_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>hunter_thompson</user_name> <calling_station_id>00:50:56:8E:28:BD</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000035</acct_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>bob_ludlum</user_name> <calling_station_id>00:14:BF:5A:0C:03</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000033</acct_session_id> <server>HAREESH-R6-1-PDP2</server>
Using the null/starttime Option
This XML file does not appear to have any style information associated with it. The document tree is shown below. <activeSessionList noOfActiveSession="3"> <user_name>ipepwlcuser</user_name> <calling_station_id>00:26:82:7B:D2:51</calling_station_id> <nas_ip_address>10.203.107.10</nas_ip_address> <audit_session_id>0acb6b0c0000001F4D08085A</audit_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>bob_ludlum</user_name> <calling_station_id>00:50:56:8E:28:BD</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000035</acct_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>tom_wolfe</user_name> <calling_station_id>00:14:BF:5A:0C:03</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000033</acct_session_id> <server>HAREESH-R6-1-PDP2</server>
Using the starttime/endtime Option
This XML file does not appear to have any style information associated with it. The document tree is shown below. <activeSessionList noOfActiveSession="3"> <user_name>ipepwlcuser</user_name> <calling_station_id>00:26:82:7B:D2:51</calling_station_id> <nas_ip_address>10.203.107.10</nas_ip_address> <audit_session_id>0acb6b0c0000001F4D08085A</audit_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>graham_hancock</user_name> <calling_station_id>00:50:56:8E:28:BD</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000035</acct_session_id> <server>HAREESH-R6-1-PDP2</server> <user_name>hunter_thompson</user_name> <calling_station_id>00:14:BF:5A:0C:03</calling_station_id> <nas_ip_address>10.203.107.161</nas_ip_address> <acct_session_id>00000033</acct_session_id> <server>HAREESH-R6-1-PDP2</server>
Using the Detailed Session Attribute API Calls
The following detailed session attribute API calls let you quickly search the latest session for key information, such as the following:
-
MAC address session search (MACAddress)
-
User name session search (UserName)
-
NAS IP address session search (IPAddress associated with a target Monitoring ISE node)
MAC Address Session Search
You can use the MACAddress API call to retrieve a specified MAC address from a current, active session. This section provides a schema file output example, a procedure for searching the node database for the latest active session that contains the specified MAC address by invoking the MACAddress API call, and a sample of the MAC address-related data returned after this API call is issued. This API call lists a variety of session-related information drawn from node database tables.
MACAddress API Output Schema
This sample schema file is the output of the MACAddress API call for retrieving a specified MAC address from the current active sessions on the target Cisco Monitoring ISE node:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="sessionParameters" type="restsdStatus"/> <xs:complexType name="restsdStatus"> <xs:element name="passed" type="xs:anyType" minOccurs="0"/> <xs:element name="failed" type="xs:anyType" minOccurs="0"/> <xs:element name="user_name" type="xs:string" minOccurs="0"/> <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="failure_reason" type="xs:string" minOccurs="0"/> <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/> <xs:element name="nas_port" type="xs:string" minOccurs="0"/> <xs:element name="identity_group" type="xs:string" minOccurs="0"/> <xs:element name="network_device_name" type="xs:string" minOccurs="0"/> <xs:element name="acs_server" type="xs:string" minOccurs="0"/> <xs:element name="authen_protocol" type="xs:string" minOccurs="0"/> <xs:element name="framed_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="network_device_groups" type="xs:string" minOccurs="0"/> <xs:element name="access_service" type="xs:string" minOccurs="0"/> <xs:element name="auth_acs_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="authentication_method" type="xs:string" minOccurs="0"/> <xs:element name="execution_steps" type="xs:string" minOccurs="0"/> <xs:element name="radius_response" type="xs:string" minOccurs="0"/> <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/> <xs:element name="nas_identifier" type="xs:string" minOccurs="0"/> <xs:element name="nas_port_id" type="xs:string" minOccurs="0"/> <xs:element name="nac_policy_compliance" type="xs:string" minOccurs="0"/> <xs:element name="auth_id" type="xs:long" minOccurs="0"/> <xs:element name="auth_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="message_code" type="xs:string" minOccurs="0"/> <xs:element name="acs_session_id" type="xs:string" minOccurs="0"/> <xs:element name="service_selection_policy" type="xs:string" minOccurs="0"/> <xs:element name="authorization_policy" type="xs:string" minOccurs="0"/> <xs:element name="identity_store" type="xs:string" minOccurs="0"/> <xs:element name="response" type="xs:string" minOccurs="0"/> <xs:element name="service_type" type="xs:string" minOccurs="0"/> <xs:element name="cts_security_group" type="xs:string" minOccurs="0"/> <xs:element name="use_case" type="xs:string" minOccurs="0"/> <xs:element name="cisco_av_pair" type="xs:string" minOccurs="0"/> <xs:element name="ad_domain" type="xs:string" minOccurs="0"/> <xs:element name="acs_username" type="xs:string" minOccurs="0"/> <xs:element name="radius_username" type="xs:string" minOccurs="0"/> <xs:element name="nac_role" type="xs:string" minOccurs="0"/> <xs:element name="nac_username" type="xs:string" minOccurs="0"/> <xs:element name="nac_posture_token" type="xs:string" minOccurs="0"/> <xs:element name="nac_radius_is_user_auth" type="xs:string" minOccurs="0"/> <xs:element name="selected_posture_server" type="xs:string" minOccurs="0"/> <xs:element name="selected_identity_store" type="xs:string" minOccurs="0"/> <xs:element name="authentication_identity_store" type="xs:string" minOccurs="0"/> <xs:element name="azn_exp_pol_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="ext_pol_server_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="grp_mapping_pol_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="identity_policy_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="nas_port_type" type="xs:string" minOccurs="0"/> <xs:element name="query_identity_stores" type="xs:string" minOccurs="0"/> <xs:element name="selected_azn_profiles" type="xs:string" minOccurs="0"/> <xs:element name="sel_exp_azn_profiles" type="xs:string" minOccurs="0"/> <xs:element name="selected_query_identity_stores" type="xs:string" minOccurs="0"/> <xs:element name="eap_tunnel" type="xs:string" minOccurs="0"/> <xs:element name="tunnel_details" type="xs:string" minOccurs="0"/> <xs:element name="cisco_h323_attributes" type="xs:string" minOccurs="0"/> <xs:element name="cisco_ssg_attributes" type="xs:string" minOccurs="0"/> <xs:element name="other_attributes" type="xs:string" minOccurs="0"/> <xs:element name="response_time" type="xs:long" minOccurs="0"/> <xs:element name="nad_failure" type="xs:anyType" minOccurs="0"/> <xs:element name="destination_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="acct_id" type="xs:long" minOccurs="0"/> <xs:element name="acct_acs_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="acct_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/> <xs:element name="acct_status_type" type="xs:string" minOccurs="0"/> <xs:element name="acct_session_time" type="xs:long" minOccurs="0"/> <xs:element name="acct_input_octets" type="xs:string" minOccurs="0"/> <xs:element name="acct_output_octets" type="xs:string" minOccurs="0"/> <xs:element name="acct_input_packets" type="xs:long" minOccurs="0"/> <xs:element name="acct_output_packets" type="xs:long" minOccurs="0"/> <xs:element name="acct_class" type="xs:string" minOccurs="0"/> <xs:element name="acct_terminate_cause" type="xs:string" minOccurs="0"/> <xs:element name="acct_multi_session_id" type="xs:string" minOccurs="0"/> <xs:element name="acct_authentic" type="xs:string" minOccurs="0"/> <xs:element name="termination_action" type="xs:string" minOccurs="0"/> <xs:element name="session_timeout" type="xs:string" minOccurs="0"/> <xs:element name="idle_timeout" type="xs:string" minOccurs="0"/> <xs:element name="acct_interim_interval" type="xs:string" minOccurs="0"/> <xs:element name="acct_delay_time" type="xs:string" minOccurs="0"/> <xs:element name="event_timestamp" type="xs:string" minOccurs="0"/> <xs:element name="acct_tunnel_connection" type="xs:string" minOccurs="0"/> <xs:element name="acct_tunnel_packet_lost" type="xs:string" minOccurs="0"/> <xs:element name="security_group" type="xs:string" minOccurs="0"/> <xs:element name="cisco_h323_setup_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="cisco_h323_connect_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="cisco_h323_disconnect_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="framed_protocol" type="xs:string" minOccurs="0"/> <xs:element name="started" type="xs:anyType" minOccurs="0"/> <xs:element name="stopped" type="xs:anyType" minOccurs="0"/> <xs:element name="ckpt_id" type="xs:long" minOccurs="0"/> <xs:element name="type" type="xs:long" minOccurs="0"/> <xs:element name="nad_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="vlan" type="xs:string" minOccurs="0"/> <xs:element name="dacl" type="xs:string" minOccurs="0"/> <xs:element name="authentication_type" type="xs:string" minOccurs="0"/> <xs:element name="interface_name" type="xs:string" minOccurs="0"/> <xs:element name="reason" type="xs:string" minOccurs="0"/> <xs:element name="endpoint_policy" type="xs:string" minOccurs="0"/>
Invoking the MACAddress API Call
Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.
To issue the MACAddress API call, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node.
For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
Step 2 Enter the MACAddress API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/ise/mnt/api/<specific-api-call>/<macaddress>):
https://acme123/ise/mnt/api/Session/MACAddress/0A:0B:0C:0D:0E:0F
Note Make sure that you specify the MAC address using the XX:XX:XX:XX:XX:XX format.
Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of “mnt” in the API call convention represents a Cisco Monitoring ISE node.
Step 3 Press
Enter
to issue the API call.
Sample Data Returned from the MACAddress API Call
The following example illustrates the session-related data returned from the list of active sessions when you invoke an ActiveList API call on a target Cisco Monitoring ISE node:
This XML file does not appear to have any style information associated with it. The document tree is shown below. <passed xsi:type="xs:boolean">true</passed> <failed xsi:type="xs:boolean">false</failed> <user_name>hunter_thompson</user_name> <nas_ip_address>10.203.107.161</nas_ip_address> <calling_station_id>00:14:BF:5A:0C:03</calling_station_id> <nas_port>50115</nas_port> <identity_group>Profiled</identity_group> <network_device_name>Core-Switch</network_device_name> <acs_server>HAREESH-R6-1-PDP2</acs_server> <authen_protocol>Lookup</authen_protocol> Device Type#All Device Types,Location#All Locations <access_service>RADIUS</access_service> <auth_acs_timestamp>2010-12-15T02:11:12.359Z</auth_acs_timestamp> <authentication_method>mab</authentication_method> 11001,11017,11027,15008,15048,15004,15041,15004,15013,24209,24211,22037,15036,15048,15048,15004,15016,11022,11002 <audit_session_id>0ACB6BA1000000351BBFBF8B</audit_session_id> <nas_port_id>GigabitEthernet1/0/15</nas_port_id> <nac_policy_compliance>Pending</nac_policy_compliance> <auth_id>1291240762077361</auth_id> <auth_acsview_timestamp>2010-12-15T02:11:12.360Z</auth_acsview_timestamp> <message_code>5200</message_code> <acs_session_id>HAREESH-R6-1-PDP2/81148292/681</acs_session_id> <service_selection_policy>MAB</service_selection_policy> <identity_store>Internal Hosts</identity_store> {UserName=00-14-BF-5A-0C-03; User-Name=00-14-BF-5A-0C-03; State=ReauthSession:0ACB6BA1000000351BBFBF8B; Class=CACS:0ACB6BA1000000351BBFBF8B:HAREESH-R6-1-PDP2/81148292/681; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://HAREESH-R6-1-PDP2.cisco.com:8443/guestportal/gateway?sessionId=0ACB6BA1000000351BBFBF8B&action=cwa; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL-DENY-4ced8390; } <service_type>Call Check</service_type> <use_case>Host Lookup</use_case> <cisco_av_pair>audit-session-id=0ACB6BA1000000351BBFBF8B</cisco_av_pair> <acs_username>00:14:BF:5A:0C:03</acs_username> <radius_username>00:14:BF:5A:0C:03</radius_username> <selected_identity_store>Internal Hosts</selected_identity_store> <authentication_identity_store>Internal Hosts</authentication_identity_store> <identity_policy_matched_rule>Default</identity_policy_matched_rule> <nas_port_type>Ethernet</nas_port_type> <selected_azn_profiles>CWA</selected_azn_profiles> ConfigVersionId=44,DestinationIPAddress=10.203.107.162,DestinationPort=1812,Protocol=Radius,Framed-MTU=1500,EAP-Key-Name=,CPMSessionID=0ACB6BA1000000351BBFBF8B,CPMSessionID=0ACB6BA1000000351BBFBF8B,EndPointMACAddress=00-14-BF-5A-0C-03,HostIdentityGroup=Endpoint Identity Groups:Profiled,Device Type=Device Type#All Device Types,Location=Location#All Locations,Model Name=Unknown,Software Version=Unknown,Device IP Address=10.203.107.161,Called-Station-ID=04:FE:7F:7F:C0:8F <response_time>77</response_time> <acct_id>1291240762077386</acct_id> <acct_acs_timestamp>2010-12-15T02:12:30.779Z</acct_acs_timestamp> <acct_acsview_timestamp>2010-12-15T02:12:30.780Z</acct_acsview_timestamp> <acct_session_id>00000038</acct_session_id> <acct_status_type>Interim-Update</acct_status_type> <acct_session_time>78</acct_session_time> <acct_input_octets>13742</acct_input_octets> <acct_output_octets>6277</acct_output_octets> <acct_input_packets>108</acct_input_packets> <acct_output_packets>66</acct_output_packets> CACS:0ACB6BA1000000351BBFBF8B:HAREESH-R6-1-PDP2/81148292/681 <acct_delay_time>0</acct_delay_time> <started xsi:type="xs:boolean">false</started> <stopped xsi:type="xs:boolean">false</stopped>
User Name Session Search
You can use the UserName API call to retrieve a specified user name from a current, active session. This section provides a schema file output example, a procedure for searching the node database for the latest active session that contains the specified user name by invoking the UserName API call, and a sample of the user name-related data returned after this API call is issued. This API will list a variety of session-related information drawn from node database tables.
UserName API Output Schema
This sample schema file is the output of the UserName API call for retrieving a specified user name from the current active sessions on the target Cisco Monitoring ISE node:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="sessionParameters" type="restsdStatus"/> <xs:complexType name="restsdStatus"> <xs:element name="passed" type="xs:anyType" minOccurs="0"/> <xs:element name="failed" type="xs:anyType" minOccurs="0"/> <xs:element name="user_name" type="xs:string" minOccurs="0"/> <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="failure_reason" type="xs:string" minOccurs="0"/> <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/> <xs:element name="nas_port" type="xs:string" minOccurs="0"/> <xs:element name="identity_group" type="xs:string" minOccurs="0"/> <xs:element name="network_device_name" type="xs:string" minOccurs="0"/> <xs:element name="acs_server" type="xs:string" minOccurs="0"/> <xs:element name="authen_protocol" type="xs:string" minOccurs="0"/> <xs:element name="framed_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="network_device_groups" type="xs:string" minOccurs="0"/> <xs:element name="access_service" type="xs:string" minOccurs="0"/> <xs:element name="auth_acs_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="authentication_method" type="xs:string" minOccurs="0"/> <xs:element name="execution_steps" type="xs:string" minOccurs="0"/> <xs:element name="radius_response" type="xs:string" minOccurs="0"/> <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/> <xs:element name="nas_identifier" type="xs:string" minOccurs="0"/> <xs:element name="nas_port_id" type="xs:string" minOccurs="0"/> <xs:element name="nac_policy_compliance" type="xs:string" minOccurs="0"/> <xs:element name="auth_id" type="xs:long" minOccurs="0"/> <xs:element name="auth_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="message_code" type="xs:string" minOccurs="0"/> <xs:element name="acs_session_id" type="xs:string" minOccurs="0"/> <xs:element name="service_selection_policy" type="xs:string" minOccurs="0"/> <xs:element name="authorization_policy" type="xs:string" minOccurs="0"/> <xs:element name="identity_store" type="xs:string" minOccurs="0"/> <xs:element name="response" type="xs:string" minOccurs="0"/> <xs:element name="service_type" type="xs:string" minOccurs="0"/> <xs:element name="cts_security_group" type="xs:string" minOccurs="0"/> <xs:element name="use_case" type="xs:string" minOccurs="0"/> <xs:element name="cisco_av_pair" type="xs:string" minOccurs="0"/> <xs:element name="ad_domain" type="xs:string" minOccurs="0"/> <xs:element name="acs_username" type="xs:string" minOccurs="0"/> <xs:element name="radius_username" type="xs:string" minOccurs="0"/> <xs:element name="nac_role" type="xs:string" minOccurs="0"/> <xs:element name="nac_username" type="xs:string" minOccurs="0"/> <xs:element name="nac_posture_token" type="xs:string" minOccurs="0"/> <xs:element name="nac_radius_is_user_auth" type="xs:string" minOccurs="0"/> <xs:element name="selected_posture_server" type="xs:string" minOccurs="0"/> <xs:element name="selected_identity_store" type="xs:string" minOccurs="0"/> <xs:element name="authentication_identity_store" type="xs:string" minOccurs="0"/> <xs:element name="azn_exp_pol_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="ext_pol_server_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="grp_mapping_pol_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="identity_policy_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="nas_port_type" type="xs:string" minOccurs="0"/> <xs:element name="query_identity_stores" type="xs:string" minOccurs="0"/> <xs:element name="selected_azn_profiles" type="xs:string" minOccurs="0"/> <xs:element name="sel_exp_azn_profiles" type="xs:string" minOccurs="0"/> <xs:element name="selected_query_identity_stores" type="xs:string" minOccurs="0"/> <xs:element name="eap_tunnel" type="xs:string" minOccurs="0"/> <xs:element name="tunnel_details" type="xs:string" minOccurs="0"/> <xs:element name="cisco_h323_attributes" type="xs:string" minOccurs="0"/> <xs:element name="cisco_ssg_attributes" type="xs:string" minOccurs="0"/> <xs:element name="other_attributes" type="xs:string" minOccurs="0"/> <xs:element name="response_time" type="xs:long" minOccurs="0"/> <xs:element name="nad_failure" type="xs:anyType" minOccurs="0"/> <xs:element name="destination_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="acct_id" type="xs:long" minOccurs="0"/> <xs:element name="acct_acs_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="acct_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/> <xs:element name="acct_status_type" type="xs:string" minOccurs="0"/> <xs:element name="acct_session_time" type="xs:long" minOccurs="0"/> <xs:element name="acct_input_octets" type="xs:string" minOccurs="0"/> <xs:element name="acct_output_octets" type="xs:string" minOccurs="0"/> <xs:element name="acct_input_packets" type="xs:long" minOccurs="0"/> <xs:element name="acct_output_packets" type="xs:long" minOccurs="0"/> <xs:element name="acct_class" type="xs:string" minOccurs="0"/> <xs:element name="acct_terminate_cause" type="xs:string" minOccurs="0"/> <xs:element name="acct_multi_session_id" type="xs:string" minOccurs="0"/> <xs:element name="acct_authentic" type="xs:string" minOccurs="0"/> <xs:element name="termination_action" type="xs:string" minOccurs="0"/> <xs:element name="session_timeout" type="xs:string" minOccurs="0"/> <xs:element name="idle_timeout" type="xs:string" minOccurs="0"/> <xs:element name="acct_interim_interval" type="xs:string" minOccurs="0"/> <xs:element name="acct_delay_time" type="xs:string" minOccurs="0"/> <xs:element name="event_timestamp" type="xs:string" minOccurs="0"/> <xs:element name="acct_tunnel_connection" type="xs:string" minOccurs="0"/> <xs:element name="acct_tunnel_packet_lost" type="xs:string" minOccurs="0"/> <xs:element name="security_group" type="xs:string" minOccurs="0"/> <xs:element name="cisco_h323_setup_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="cisco_h323_connect_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="cisco_h323_disconnect_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="framed_protocol" type="xs:string" minOccurs="0"/> <xs:element name="started" type="xs:anyType" minOccurs="0"/> <xs:element name="stopped" type="xs:anyType" minOccurs="0"/> <xs:element name="ckpt_id" type="xs:long" minOccurs="0"/> <xs:element name="type" type="xs:long" minOccurs="0"/> <xs:element name="nad_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="vlan" type="xs:string" minOccurs="0"/> <xs:element name="dacl" type="xs:string" minOccurs="0"/> <xs:element name="authentication_type" type="xs:string" minOccurs="0"/> <xs:element name="interface_name" type="xs:string" minOccurs="0"/> <xs:element name="reason" type="xs:string" minOccurs="0"/> <xs:element name="endpoint_policy" type="xs:string" minOccurs="0"/>
Invoking the UserName API Call
Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.
To issue the UserName API call, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node.
For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
Step 2 Enter the UserName API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/ise/mnt/api/<specific-api-call>/<username>):
https://acme123/ise/mnt/api/Session/UserName/graham_hancock
Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of “mnt” in the API call convention represents a Cisco Monitoring ISE node.
Step 3 Press
Enter
to issue the API call.
Sample Data Returned from the UserName API Call
The following example illustrates the session-related data returned from the list of active sessions when you invoke a UserName API call on a target Cisco Monitoring ISE node:
This XML file does not appear to have any style information associated with it. The document tree is shown below. <passed xsi:type="xs:boolean">true</passed> <failed xsi:type="xs:boolean">false</failed> <user_name>graham_hancock</user_name> <nas_ip_address>10.203.107.161</nas_ip_address> <calling_station_id>00:14:BF:5A:0C:03</calling_station_id> <nas_port>50115</nas_port> <identity_group>Profiled</identity_group> <network_device_name>Core-Switch</network_device_name> <acs_server>HAREESH-R6-1-PDP2</acs_server> <authen_protocol>Lookup</authen_protocol> Device Type#All Device Types,Location#All Locations <access_service>RADIUS</access_service> <auth_acs_timestamp>2010-12-15T02:11:12.359Z</auth_acs_timestamp> <authentication_method>mab</authentication_method> 11001,11017,11027,15008,15048,15004,15041,15004,15013,24209,24211,22037,15036,15048,15048,15004,15016,11022,11002 <audit_session_id>0ACB6BA1000000351BBFBF8B</audit_session_id> <nas_port_id>GigabitEthernet1/0/15</nas_port_id> <nac_policy_compliance>Pending</nac_policy_compliance> <auth_id>1291240762077361</auth_id> <auth_acsview_timestamp>2010-12-15T02:11:12.360Z</auth_acsview_timestamp> <message_code>5200</message_code> <acs_session_id>HAREESH-R6-1-PDP2/81148292/681</acs_session_id> <service_selection_policy>MAB</service_selection_policy> <identity_store>Internal Hosts</identity_store> {UserName=graham_hancock; User-Name=graham_hancock; State=ReauthSession:0ACB6BA1000000351BBFBF8B; Class=CACS:0ACB6BA1000000351BBFBF8B:HAREESH-R6-1-PDP2/81148292/681; Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; cisco-av-pair=url-redirect=https://HAREESH-R6-1-PDP2.cisco.com:8443/guestportal/gateway?sessionId=0ACB6BA1000000351BBFBF8B&action=cwa; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL-DENY-4ced8390; } <service_type>Call Check</service_type> <use_case>Host Lookup</use_case> <cisco_av_pair>audit-session-id=0ACB6BA1000000351BBFBF8B</cisco_av_pair> <acs_username>graham_hancock</acs_username> <radius_username>00:14:BF:5A:0C:03</radius_username> <selected_identity_store>Internal Hosts</selected_identity_store> <authentication_identity_store>Internal Hosts</authentication_identity_store> <identity_policy_matched_rule>Default</identity_policy_matched_rule> <nas_port_type>Ethernet</nas_port_type> <selected_azn_profiles>CWA</selected_azn_profiles> ConfigVersionId=44,DestinationIPAddress=10.203.107.162,DestinationPort=1812,Protocol=Radius,Framed-MTU=1500,EAP-Key-Name=,CPMSessionID=0ACB6BA1000000351BBFBF8B,CPMSessionID=0ACB6BA1000000351BBFBF8B,EndPointMACAddress=00-14-BF-5A-0C-03,HostIdentityGroup=Endpoint Identity Groups:Profiled,Device Type=Device Type#All Device Types,Location=Location#All Locations,Model Name=Unknown,Software Version=Unknown,Device IP Address=10.203.107.161,Called-Station-ID=04:FE:7F:7F:C0:8F <response_time>77</response_time> <acct_id>1291240762077386</acct_id> <acct_acs_timestamp>2010-12-15T02:12:30.779Z</acct_acs_timestamp> <acct_acsview_timestamp>2010-12-15T02:12:30.780Z</acct_acsview_timestamp> <acct_session_id>00000038</acct_session_id> <acct_status_type>Interim-Update</acct_status_type> <acct_session_time>78</acct_session_time> <acct_input_octets>13742</acct_input_octets> <acct_output_octets>6277</acct_output_octets> <acct_input_packets>108</acct_input_packets> <acct_output_packets>66</acct_output_packets> CACS:0ACB6BA1000000351BBFBF8B:HAREESH-R6-1-PDP2/81148292/681 <acct_delay_time>0</acct_delay_time> <started xsi:type="xs:boolean">false</started> <stopped xsi:type="xs:boolean">false</stopped>
NAS IP Address Session Search
You can use the IPAddress API call to retrieve a specified NAS IP address from a current session. This section provides a schema file output example, a procedure for searching the node database for the latest active session that contains the specified NAS IP address by invoking the IPAddress API call, and a sample of the NAS IP address-related data returned after this API call is issued. This API will list a variety of session-related information drawn from node database tables.
IPAddress API Output Schema
This sample schema file is the output of the IPAddress API call for retrieving a specified NAS IP address from the current active sessions on the target Cisco Monitoring ISE node:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:element name="sessionParameters" type="restsdStatus"/> <xs:complexType name="restsdStatus"> <xs:element name="passed" type="xs:anyType" minOccurs="0"/> <xs:element name="failed" type="xs:anyType" minOccurs="0"/> <xs:element name="user_name" type="xs:string" minOccurs="0"/> <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="failure_reason" type="xs:string" minOccurs="0"/> <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/> <xs:element name="nas_port" type="xs:string" minOccurs="0"/> <xs:element name="identity_group" type="xs:string" minOccurs="0"/> <xs:element name="network_device_name" type="xs:string" minOccurs="0"/> <xs:element name="acs_server" type="xs:string" minOccurs="0"/> <xs:element name="authen_protocol" type="xs:string" minOccurs="0"/> <xs:element name="framed_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="network_device_groups" type="xs:string" minOccurs="0"/> <xs:element name="access_service" type="xs:string" minOccurs="0"/> <xs:element name="auth_acs_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="authentication_method" type="xs:string" minOccurs="0"/> <xs:element name="execution_steps" type="xs:string" minOccurs="0"/> <xs:element name="radius_response" type="xs:string" minOccurs="0"/> <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/> <xs:element name="nas_identifier" type="xs:string" minOccurs="0"/> <xs:element name="nas_port_id" type="xs:string" minOccurs="0"/> <xs:element name="nac_policy_compliance" type="xs:string" minOccurs="0"/> <xs:element name="auth_id" type="xs:long" minOccurs="0"/> <xs:element name="auth_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="message_code" type="xs:string" minOccurs="0"/> <xs:element name="acs_session_id" type="xs:string" minOccurs="0"/> <xs:element name="service_selection_policy" type="xs:string" minOccurs="0"/> <xs:element name="authorization_policy" type="xs:string" minOccurs="0"/> <xs:element name="identity_store" type="xs:string" minOccurs="0"/> <xs:element name="response" type="xs:string" minOccurs="0"/> <xs:element name="service_type" type="xs:string" minOccurs="0"/> <xs:element name="cts_security_group" type="xs:string" minOccurs="0"/> <xs:element name="use_case" type="xs:string" minOccurs="0"/> <xs:element name="cisco_av_pair" type="xs:string" minOccurs="0"/> <xs:element name="ad_domain" type="xs:string" minOccurs="0"/> <xs:element name="acs_username" type="xs:string" minOccurs="0"/> <xs:element name="radius_username" type="xs:string" minOccurs="0"/> <xs:element name="nac_role" type="xs:string" minOccurs="0"/> <xs:element name="nac_username" type="xs:string" minOccurs="0"/> <xs:element name="nac_posture_token" type="xs:string" minOccurs="0"/> <xs:element name="nac_radius_is_user_auth" type="xs:string" minOccurs="0"/> <xs:element name="selected_posture_server" type="xs:string" minOccurs="0"/> <xs:element name="selected_identity_store" type="xs:string" minOccurs="0"/> <xs:element name="authentication_identity_store" type="xs:string" minOccurs="0"/> <xs:element name="azn_exp_pol_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="ext_pol_server_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="grp_mapping_pol_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="identity_policy_matched_rule" type="xs:string" minOccurs="0"/> <xs:element name="nas_port_type" type="xs:string" minOccurs="0"/> <xs:element name="query_identity_stores" type="xs:string" minOccurs="0"/> <xs:element name="selected_azn_profiles" type="xs:string" minOccurs="0"/> <xs:element name="sel_exp_azn_profiles" type="xs:string" minOccurs="0"/> <xs:element name="selected_query_identity_stores" type="xs:string" minOccurs="0"/> <xs:element name="eap_tunnel" type="xs:string" minOccurs="0"/> <xs:element name="tunnel_details" type="xs:string" minOccurs="0"/> <xs:element name="cisco_h323_attributes" type="xs:string" minOccurs="0"/> <xs:element name="cisco_ssg_attributes" type="xs:string" minOccurs="0"/> <xs:element name="other_attributes" type="xs:string" minOccurs="0"/> <xs:element name="response_time" type="xs:long" minOccurs="0"/> <xs:element name="nad_failure" type="xs:anyType" minOccurs="0"/> <xs:element name="destination_ip_address" type="xs:string" minOccurs="0"/> <xs:element name="acct_id" type="xs:long" minOccurs="0"/> <xs:element name="acct_acs_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="acct_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/> <xs:element name="acct_status_type" type="xs:string" minOccurs="0"/> <xs:element name="acct_session_time" type="xs:long" minOccurs="0"/> <xs:element name="acct_input_octets" type="xs:string" minOccurs="0"/> <xs:element name="acct_output_octets" type="xs:string" minOccurs="0"/> <xs:element name="acct_input_packets" type="xs:long" minOccurs="0"/> <xs:element name="acct_output_packets" type="xs:long" minOccurs="0"/> <xs:element name="acct_class" type="xs:string" minOccurs="0"/> <xs:element name="acct_terminate_cause" type="xs:string" minOccurs="0"/> <xs:element name="acct_multi_session_id" type="xs:string" minOccurs="0"/> <xs:element name="acct_authentic" type="xs:string" minOccurs="0"/> <xs:element name="termination_action" type="xs:string" minOccurs="0"/> <xs:element name="session_timeout" type="xs:string" minOccurs="0"/> <xs:element name="idle_timeout" type="xs:string" minOccurs="0"/> <xs:element name="acct_interim_interval" type="xs:string" minOccurs="0"/> <xs:element name="acct_delay_time" type="xs:string" minOccurs="0"/> <xs:element name="event_timestamp" type="xs:string" minOccurs="0"/> <xs:element name="acct_tunnel_connection" type="xs:string" minOccurs="0"/> <xs:element name="acct_tunnel_packet_lost" type="xs:string" minOccurs="0"/> <xs:element name="security_group" type="xs:string" minOccurs="0"/> <xs:element name="cisco_h323_setup_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="cisco_h323_connect_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="cisco_h323_disconnect_time" type="xs:dateTime" minOccurs="0"/> <xs:element name="framed_protocol" type="xs:string" minOccurs="0"/> <xs:element name="started" type="xs:anyType" minOccurs="0"/> <xs:element name="stopped" type="xs:anyType" minOccurs="0"/> <xs:element name="ckpt_id" type="xs:long" minOccurs="0"/> <xs:element name="type" type="xs:long" minOccurs="0"/> <xs:element name="nad_acsview_timestamp" type="xs:dateTime" minOccurs="0"/> <xs:element name="vlan" type="xs:string" minOccurs="0"/> <xs:element name="dacl" type="xs:string" minOccurs="0"/> <xs:element name="authentication_type" type="xs:string" minOccurs="0"/> <xs:element name="interface_name" type="xs:string" minOccurs="0"/> <xs:element name="reason" type="xs:string" minOccurs="0"/> <xs:element name="endpoint_policy" type="xs:string" minOccurs="0"/>
Invoking the NAS IPAddress API Call
Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.
To issue the NAS IPAddress API call, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node.
For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:
https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
Step 2 Enter the IPAddress API call in the URL Address field of the target node by replacing the “/admin/” component with the API call component (/ise/mnt/api/<specific-api-call>/<nasipaddress>):
https://acme123/ise/mnt/api/Session/IPAddress/10.10.10.10
Note Make sure that you specify the NAS IP address using the xxx.xxx.xxx.xxx format.
Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of “mnt” in the API call convention represents a Cisco Monitoring ISE node.
Step 3 Press
Enter
to issue the API call.
Sample Data Returned from the IPAddress API Call
The following example illustrates the session-related data returned from the list of active sessions when you invoke an IPAddress API call on a target Cisco Monitoring ISE node:
This XML file does not appear to have any style information associated with it. The document tree is shown below. <passed xsi:type="xs:boolean">true</passed> <failed xsi:type="xs:boolean">false</failed> <user_name>ipepvpnuser</user_name> <nas_ip_address>10.10.10.10</nas_ip_address> <calling_station_id>172.23.130.90</calling_station_id> <nas_port>1015</nas_port> <identity_group>iPEP-VPN-Group</identity_group> <network_device_name>iPEP-HA-Routed</network_device_name> <acs_server>HAREESH-R6-1-PDP2</acs_server> <authen_protocol>PAP_ASCII</authen_protocol> Device Type#All Device Types,Location#All Locations <access_service>RADIUS</access_service> <auth_acs_timestamp>2010-12-15T19:57:29.885Z</auth_acs_timestamp> <authentication_method>PAP_ASCII</authentication_method> 11001,11017,15008,15048,15048,15004,15041,15004,15013,24210,24212,22037,15036,15048,15048,15004,15016,11002 <audit_session_id>0acb6be4000000044D091DA9</audit_session_id> <nac_policy_compliance>NotApplicable</nac_policy_compliance> <auth_id>1291240762083580</auth_id> <auth_acsview_timestamp>2010-12-15T19:57:29.887Z</auth_acsview_timestamp> <message_code>5200</message_code> <acs_session_id>HAREESH-R6-1-PDP2/81148292/693</acs_session_id> <service_selection_policy>iPEP-VPN</service_selection_policy> <identity_store>Internal Users</identity_store> {User-Name=ipepvpnuser; State=ReauthSession:0acb6be4000000044D091DA9; Class=CACS:0acb6be4000000044D091DA9:HAREESH-R6-1-PDP2/81148292/693; Termination-Action=RADIUS-Request; } <service_type>Framed</service_type> audit-session-id=0acb6be4000000044D091DA9,ipep-proxy=true <acs_username>ipepvpnuser</acs_username> <radius_username>ipepvpnuser</radius_username> <selected_identity_store>Internal Users</selected_identity_store> <authentication_identity_store>Internal Users</authentication_identity_store> <identity_policy_matched_rule>Default</identity_policy_matched_rule> <nas_port_type>Virtual</nas_port_type> <selected_azn_profiles>iPEP-Unknown-Auth-Profile</selected_azn_profiles> <tunnel_details>Tunnel-Client-Endpoint=(tag=0) 172.23.130.90</tunnel_details> ConfigVersionId=44,DestinationIPAddress=10.203.107.162,DestinationPort=1812,Protocol=Radius,Framed-Protocol=PPP,Proxy-State=Cisco Secure ACS9e733142-070a-11e0-c000-000000000000-2906094480-3222,CPMSessionID=0acb6be4000000044D091DA9,CPMSessionID=0acb6be4000000044D091DA9,Device Type=Device Type#All Device Types,Location=Location#All Locations,Model Name=Unknown,Software Version=Unknown,Device IP Address=10.203.107.228,Called-Station-ID=172.23.130.94 <response_time>20</response_time> <acct_id>1291240762083582</acct_id> <acct_acs_timestamp>2010-12-15T19:57:30.281Z</acct_acs_timestamp> <acct_acsview_timestamp>2010-12-15T19:57:30.283Z</acct_acsview_timestamp> <acct_session_id>F1800007</acct_session_id> <acct_status_type>Start</acct_status_type> CACS:0acb6be4000000044D091DA9:HAREESH-R6-1-PDP2/81148292/693 <acct_delay_time>0</acct_delay_time> <framed_protocol>PPP</framed_protocol> <started xsi:type="xs:boolean">true</started> <stopped xsi:type="xs:boolean">false</stopped>
Removing Stale Sessions
Some devices, such as Wireless Lan Controllers (WLCs), may allow stale sessions to linger. In such cases, you can use the HTTP
DELETE
API call to manually delete the inactive sessions. To do so, use
cURL
, a free 3rd-party command line tool for transferring data with URL (HTTP, HTTPS) syntax.
Note GNU Wget, the free utility for retrieving files using HTTP and HTTPS, does not support the HTTP DELETE API call.
To remove a stale sessions, complete the following steps:
Step 1 Log into the target Cisco Monitoring ISE node from the command line.
Note API calls are case-sensitive, and must be entered carefully. The variable <mntnode> represents a Cisco Monitoring ISE node.
Step 2 To manually delete a stale session for a MAC address, issue the following API call on the command line:
curl -X DELETE https://<mntnode>/ise/mnt/api/Session/Delete/MACAddress/<madaddress>
Step 3 To manually delete a stale session for a session ID, issue the following API call on the command line:
curl -X DELETE https://<mntnode>/ise/mnt/api/Session/Delete/SessionID/<sid#>
Step 4 To manually delete all sessions, issue the following API call on the command line:
curl -X DELETE https://<mntnode>/ise/mnt/api/Session/Delete/All