Cisco Identity Services Engine API Reference Guide, Release 1.1.x
Using Query APIs for Session Management
Downloads: This chapterpdf (PDF - 288.0KB) The complete bookPDF (PDF - 1.47MB) | Feedback

Using the Query APIs for Session Management

Table Of Contents

Using the Query APIs for Session Management

Using the Session Counter API Calls

Active Sessions Counter

ActiveCount API Output Schema

Invoking the ActiveCount API Call

Sample Data Returned from the ActiveCount API Call

Posture Sessions Counter

PostureCount API Output Schema

Invoking the PostureCount API Call

Sample Data Returned from the PostureCount API Call

Profiler Sessions Counter

ProfilerCount API Output Schema

Invoking the ProfilerCount API Call

Sample Data Returned from the ProfilerCount API Call

Using the Simple Session List API Calls

Active Sessions List

ActiveList API Output Schema

Invoking the ActiveList API Call

Sample Data Returned from the ActiveList API Call

Authenticated Sessions List

AuthList API Output Schema

Invoking the AuthList API Call

Sample Data Returned from the AuthList API Call

Using the Detailed Session Attribute API Calls

MAC Address Session Search

MACAddress API Output Schema

Invoking the MACAddress API Call

Sample Data Returned from the MACAddress API Call

User Name Session Search

UserName API Output Schema

Invoking the UserName API Call

Sample Data Returned from the UserName API Call

NAS IP Address Session Search

IPAddress API Output Schema

Invoking the NAS IPAddress API Call

Sample Data Returned from the IPAddress API Call

Endpoint IP Address Session Search

EndPointIPAddress API Output Schema

Invoking the EndPointIPAddress API Call

Sample Data Returned from the EndPointIPAddress API Call

Removing Stale Sessions


Using the Query APIs for Session Management


This chapter provides examples and describes using the following individual session management REST API calls that are supported in this release of Cisco ISE. The session management API calls provide the means for retrieving important session-related information from within the Cisco Monitoring ISE node in your Cisco ISE deployment.

The following sections provide API output schema file examples, procedures for issuing each API call, and a sample of the data returned by each API call:

Using the Session Counter API Calls

Using the Simple Session List API Calls

Using the Detailed Session Attribute API Calls

Removing Stale Sessions

Using the Session Counter API Calls

The following session counter API calls let you quickly gather a current count of session-related information on a target Cisco Monitoring ISE node in your Cisco ISE deployment:

Active sessions (ActiveCount)

Posture sessions (PostureCount)

Profiler sessions (ProfilerCount)

Active Sessions Counter

You can use the ActiveCount API call to retrieve a count of all currently active sessions. This section provides a schema file output example, a procedure for counting all active sessions by invoking the ActiveCount API call, and a sample of the active sessions data returned after this API call is issued.

ActiveCount API Output Schema

This sample schema file is the output of the ActiveCount API call for retrieving a count of the active sessions on the target Monitoring persona of an ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   
  <xs:element name="sessionCount" type="activeCount"/>
  <xs:complexType name="activeCount">
    <xs:sequence>
      <xs:element name="count" type="xs:int"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>

Invoking the ActiveCount API Call


Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the ActiveCount API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
 
   

Step 2 Enter the ActiveCount API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/<specific-api-call>):

https://acme123/ise/mnt/api/Session/ActiveCount

Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of "mnt" in the API call convention represents the target Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the ActiveCount API Call

The following example illustrates the data returned (number of active sessions) when you invoke an ActiveCount API call on a target Cisco Monitoring ISE node:

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
-
<sessionCount>
<count>5</count>
</sessionCount>

Posture Sessions Counter

You can use the PostureCount API call to retrieve a current count of all currently active Posture sessions. This section provides a schema file output example, a procedure for counting all currently active Posture sessions by invoking the PostureCount API call, and a sample of the Posture sessions data returned after this API call is issued.

PostureCount API Output Schema

This sample schema file is the output of the PostureCount API call for retrieving a count of the current active Posture sessions on the target Cisco Monitoring ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   
  <xs:element name="sessionCount" type="postureCount"/>
 
   
  <xs:complexType name="postureCount">
    <xs:sequence>
      <xs:element name="count" type="xs:int"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>

Invoking the PostureCount API Call


Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the PostureCount API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
 
   

Step 2 Enter the PostureCount API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/Session/<specific-api-call>):

https://acme123/ise/mnt/api/Session/PostureCount

Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of "mnt" in the API call convention represents the target Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the PostureCount API Call

The following example illustrates the data returned (number of current active Posture sessions) when you invoke a PostureCount API call on a target Cisco Monitoring ISE node:

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
      
-
<sessionCount>
<count>3</count>
</sessionCount>

Profiler Sessions Counter

You can use the ProfilerCount API call to retrieve a count of all currently active Profiler sessions. This section provides a schema file output example, a procedure for counting all currently active Profiler sessions by invoking the ProfilerCount API call, and a sample of the Profiler sessions data returned after this API call is issued.

ProfilerCount API Output Schema

This sample schema file is the output of the ProfilerCount API call for retrieving a count of the current active Profiler sessions on the target Cisco Monitoring ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   
  <xs:element name="sessionCount" type="profilerCount"/>
 
   
  <xs:complexType name="profilerCount">
    <xs:sequence>
      <xs:element name="count" type="xs:int"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>

Invoking the ProfilerCount API Call


Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the ProfilerCount API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
 
   

Step 2 Enter the ProfilerCount API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/Session/<specific-api-call>):

https://acme123/ise/mnt/api/Session/ProfilerCount

Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of "mnt" in the API call convention represents a Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the ProfilerCount API Call

The following example illustrates the data returned (number of active Profiler sessions) when you invoke a ProfilerCount API call on a target Cisco Monitoring ISE node:

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
      
-
<sessionCount>
<count>1</count>
</sessionCount>

Using the Simple Session List API Calls

The following simple session list API calls let you quickly gather session-related information such as the MAC address, the network access switch (NAS) IP address, user name, and session ID associated with a current active session on a target Cisco Monitoring ISE node in your Cisco ISE deployment:

Active sessions list (ActiveList)

Authenticated sessions list (AuthList)

Active Sessions List

You can use the ActiveList API call to list all currently active sessions. This section provides a schema file output example, a procedure for listing all the active sessions by invoking the ActiveList API call, and a sample of the active session-related data returned after this API call is issued.


Note In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.


ActiveList API Output Schema

This sample schema file is the output of the ActiveList API call for retrieving a list of the current active sessions (and session-related information) on the target Cisco Monitoring ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   
  <xs:element name="activeSessionList" type="simpleActiveSessionList"/>
 
   
<xs:complexType name="simpleActiveSessionList">
    <xs:sequence>
      <xs:element name="activeSession" type="simpleActiveSession" minOccurs="0" 
maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="noOfActiveSession" type="xs:int" use="required"/>
  </xs:complexType>
 
   
  <xs:complexType name="simpleActiveSession">
    <xs:sequence>
      <xs:element name="user_name" type="xs:string" minOccurs="0"/>
      <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="server" type="xs:string" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
 
   

Invoking the ActiveList API Call


Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the ActiveList API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
 
   

Step 2 Enter the ActiveList API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/Session/<specific-api-call>):

https://acme123/ise/mnt/api/Session/ActiveList

Note You must carefully enter each API call in the URL Address field of a target node, because these calls are case-sensitive. The use of "mnt" in the API call convention represents a Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the ActiveList API Call

The following example illustrates the session-related data returned from the list of active sessions when you invoke an ActiveList API call on a target Cisco Monitoring ISE node:

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
      
-
<activeSessionList noOfActiveSession="5">
-
<activeSession>
<calling_station_id>00:0C:29:FA:EF:0A</calling_station_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<calling_station_id>70:5A:B6:68:F7:CC</calling_station_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>tom_wolfe</user_name>
<calling_station_id>00:14:BF:5A:0C:03</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000032</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>graham_hancock</user_name>
<calling_station_id>00:50:56:8E:28:BD</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>0000002C</acct_session_id>
<audit_session_id>0ACB6BA10000002A165FD0C8</audit_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>ipepvpnuser</user_name>
<calling_station_id>172.23.130.89</calling_station_id>
<nas_ip_address>10.203.107.45</nas_ip_address>
<acct_session_id>A2000070</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
</activeSessionList>

Authenticated Sessions List

You can use the AuthList API call to retrieve a list of all currently active authenticated sessions. This section provides a schema file output example, a procedure for listing all of the currently active authenticated sessions by invoking the AuthList API call, and a sample of the active authenticated sessions that are returned after this API call is issued.


Note In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.


AuthList API Output Schema

This sample schema file is the output of the AuthList API call for retrieving a list of all currently active authenticated sessions within a specified period of time (or for no specified time using the "null/null" parameter) on the target Cisco Monitoring ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   
  <xs:element name="activeSessionList" type="simpleActiveSessionList"/>
 
   
<xs:complexType name="simpleActiveSessionList">
    <xs:sequence>
      <xs:element name="activeSession" type="simpleActiveSession" minOccurs="0" 
maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="noOfActiveSession" type="xs:int" use="required"/>
  </xs:complexType>
 
   
  <xs:complexType name="simpleActiveSession">
    <xs:sequence>
      <xs:element name="user_name" type="xs:string" minOccurs="0"/>
      <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="server" type="xs:string" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
 
   

Invoking the AuthList API Call


Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the AuthList API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash

Step 2 Enter the AuthList API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/Session/<specific-api-call>):


Note The first of the following two examples uses a defined starttime and null parameter, which displays a list of the currently active sessions that were authenticated after the specified start time. The second example uses the null/null parameter that displays a list of all currently active authenticated sessions. See Sample Data Returned from the AuthList API Call, which displays samples of the four parameter setting types for this API call.


https://acme123/ise/mnt/api/Session/AuthList/2010-12-14 15:33:15/null 

https://acme123/ise/mnt/api/Session/AuthList/null/null

Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of "mnt" in the API call convention represents a Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the AuthList API Call

The following examples illustrate the list of currently active authenticated sessions that is returned when you invoke an AuthList API call on a target Cisco Monitoring ISE node using one of the supported parameter options.

Using the null/null Option

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
      
-
<activeSessionList noOfActiveSession="3">
-
<activeSession>
<user_name>ipepwlcuser</user_name>
<calling_station_id>00:26:82:7B:D2:51</calling_station_id>
<nas_ip_address>10.203.107.10</nas_ip_address>
<audit_session_id>0acb6b0c000000174D07F487</audit_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>tom_wolfe</user_name>
<calling_station_id>00:50:56:8E:28:BD</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000035</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>graham_hancock</user_name>
<calling_station_id>00:14:BF:5A:0C:03</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000033</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
</activeSessionList>

Using the endtime/null Option

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
 
   
-
<activeSessionList noOfActiveSession="3">
-
<activeSession>
<user_name>ipepwlcuser</user_name>
<calling_station_id>00:26:82:7B:D2:51</calling_station_id>
<nas_ip_address>10.203.107.10</nas_ip_address>
<audit_session_id>0acb6b0c0000001F4D08085A</audit_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>hunter_thompson</user_name>
<calling_station_id>00:50:56:8E:28:BD</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000035</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>bob_ludlum</user_name>
<calling_station_id>00:14:BF:5A:0C:03</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000033</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
</activeSessionList>

Using the null/starttime Option

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
      
-
<activeSessionList noOfActiveSession="3">
-
<activeSession>
<user_name>ipepwlcuser</user_name>
<calling_station_id>00:26:82:7B:D2:51</calling_station_id>
<nas_ip_address>10.203.107.10</nas_ip_address>
<audit_session_id>0acb6b0c0000001F4D08085A</audit_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>bob_ludlum</user_name>
<calling_station_id>00:50:56:8E:28:BD</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000035</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>tom_wolfe</user_name>
<calling_station_id>00:14:BF:5A:0C:03</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000033</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
</activeSessionList>

Using the starttime/endtime Option

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
-
<activeSessionList noOfActiveSession="3">
-
<activeSession>
<user_name>ipepwlcuser</user_name>
<calling_station_id>00:26:82:7B:D2:51</calling_station_id>
<nas_ip_address>10.203.107.10</nas_ip_address>
<audit_session_id>0acb6b0c0000001F4D08085A</audit_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>graham_hancock</user_name>
<calling_station_id>00:50:56:8E:28:BD</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000035</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
-
<activeSession>
<user_name>hunter_thompson</user_name>
<calling_station_id>00:14:BF:5A:0C:03</calling_station_id>
<nas_ip_address>10.203.107.161</nas_ip_address>
<acct_session_id>00000033</acct_session_id>
<server>HAREESH-R6-1-PDP2</server>
</activeSession>
</activeSessionList>

Using the Detailed Session Attribute API Calls

The following detailed session attribute API calls let you quickly search the latest session for key information, such as the following:

MAC address session search (MACAddress)

User name session search (UserName)

NAS IP address session search (IPAddress associated with a target Monitoring ISE node)

Endpoint IP address session search (EndPointIPAddress)

MAC Address Session Search

You can use the MACAddress API call to retrieve a specified MAC address from a current, active session. This section provides a schema file output example, a procedure for searching the node database for the latest active session that contains the specified MAC address by invoking the MACAddress API call, and a sample of the MAC address-related data returned after this API call is issued. This API call lists a variety of session-related information drawn from node database tables.

MACAddress API Output Schema

This sample schema file is the output of the MACAddress API call for retrieving a specified MAC address from the current active sessions on the target Cisco Monitoring ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   
  <xs:element name="sessionParameters" type="restsdStatus"/>
 
   
  <xs:complexType name="restsdStatus">
    <xs:sequence>
      <xs:element name="passed" type="xs:anyType" minOccurs="0"/>
      <xs:element name="failed" type="xs:anyType" minOccurs="0"/>
      <xs:element name="user_name" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="failure_reason" type="xs:string" minOccurs="0"/>
      <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_group" type="xs:string" minOccurs="0"/>
      <xs:element name="network_device_name" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_server" type="xs:string" minOccurs="0"/>
      <xs:element name="authen_protocol" type="xs:string" minOccurs="0"/>
      <xs:element name="framed_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="network_device_groups" type="xs:string" minOccurs="0"/>
      <xs:element name="access_service" type="xs:string" minOccurs="0"/>
      <xs:element name="auth_acs_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="authentication_method" type="xs:string" minOccurs="0"/>
      <xs:element name="execution_steps" type="xs:string" minOccurs="0"/>
      <xs:element name="radius_response" type="xs:string" minOccurs="0"/>
      <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_identifier" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_policy_compliance" type="xs:string" minOccurs="0"/>
      <xs:element name="auth_id" type="xs:long" minOccurs="0"/>
      <xs:element name="auth_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="message_code" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="service_selection_policy" type="xs:string" minOccurs="0"/>
      <xs:element name="authorization_policy" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="response" type="xs:string" minOccurs="0"/>
      <xs:element name="service_type" type="xs:string" minOccurs="0"/>
      <xs:element name="cts_security_group" type="xs:string" minOccurs="0"/>
      <xs:element name="use_case" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_av_pair" type="xs:string" minOccurs="0"/>
      <xs:element name="ad_domain" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_username" type="xs:string" minOccurs="0"/>
      <xs:element name="radius_username" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_role" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_username" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_posture_token" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_radius_is_user_auth" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_posture_server" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="authentication_identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="azn_exp_pol_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="ext_pol_server_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="grp_mapping_pol_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_policy_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port_type" type="xs:string" minOccurs="0"/>
      <xs:element name="query_identity_stores" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_azn_profiles" type="xs:string" minOccurs="0"/>
      <xs:element name="sel_exp_azn_profiles" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_query_identity_stores" type="xs:string" minOccurs="0"/>
      <xs:element name="eap_tunnel" type="xs:string" minOccurs="0"/>
      <xs:element name="tunnel_details" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_h323_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_ssg_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="other_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="response_time" type="xs:long" minOccurs="0"/>
      <xs:element name="nad_failure" type="xs:anyType" minOccurs="0"/>
      <xs:element name="destination_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_id" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_acs_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="acct_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_status_type" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_session_time" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_input_octets" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_output_octets" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_input_packets" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_output_packets" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_class" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_terminate_cause" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_multi_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_authentic" type="xs:string" minOccurs="0"/>
      <xs:element name="termination_action" type="xs:string" minOccurs="0"/>
      <xs:element name="session_timeout" type="xs:string" minOccurs="0"/>
      <xs:element name="idle_timeout" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_interim_interval" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_delay_time" type="xs:string" minOccurs="0"/>
      <xs:element name="event_timestamp" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_tunnel_connection" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_tunnel_packet_lost" type="xs:string" minOccurs="0"/>
      <xs:element name="security_group" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_h323_setup_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="cisco_h323_connect_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="cisco_h323_disconnect_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="framed_protocol" type="xs:string" minOccurs="0"/>
      <xs:element name="started" type="xs:anyType" minOccurs="0"/>
      <xs:element name="stopped" type="xs:anyType" minOccurs="0"/>
      <xs:element name="ckpt_id" type="xs:long" minOccurs="0"/>
      <xs:element name="type" type="xs:long" minOccurs="0"/>
      <xs:element name="nad_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="vlan" type="xs:string" minOccurs="0"/>
      <xs:element name="dacl" type="xs:string" minOccurs="0"/>
      <xs:element name="authentication_type" type="xs:string" minOccurs="0"/>
      <xs:element name="interface_name" type="xs:string" minOccurs="0"/>
      <xs:element name="reason" type="xs:string" minOccurs="0"/>
      <xs:element name="endpoint_policy" type="xs:string" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
 
   

Invoking the MACAddress API Call


Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the MACAddress API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
 
   

Step 2 Enter the MACAddress API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/<specific-api-call>/<macaddress>):

https://acme123/ise/mnt/api/Session/MACAddress/0A:0B:0C:0D:0E:0F

Note Make sure that you specify the MAC address using the XX:XX:XX:XX:XX:XX format.



Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of "mnt" in the API call convention represents a Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the MACAddress API Call

The following example illustrates the session-related data returned from the list of active sessions when you invoke an ActiveList API call on a target Cisco Monitoring ISE node:

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
 
   
-
<sessionParameters>
<passed xsi:type="xs:boolean">true</passed>
<failed xsi:type="xs:boolean">false</failed>
<user_name>hunter_thompson</user_name>
<nas_ip_address>10.203.107.161</nas_ip_address>
<calling_station_id>00:14:BF:5A:0C:03</calling_station_id>
<nas_port>50115</nas_port>
<identity_group>Profiled</identity_group>
<network_device_name>Core-Switch</network_device_name>
<acs_server>HAREESH-R6-1-PDP2</acs_server>
<authen_protocol>Lookup</authen_protocol>
-
<network_device_groups>
Device Type#All Device Types,Location#All Locations
</network_device_groups>
<access_service>RADIUS</access_service>
<auth_acs_timestamp>2010-12-15T02:11:12.359Z</auth_acs_timestamp>
<authentication_method>mab</authentication_method>
-
<execution_steps>
11001,11017,11027,15008,15048,15004,15041,15004,15013,24209,24211,22037,15036,15048,15048,
15004,15016,11022,11002
</execution_steps>
<audit_session_id>0ACB6BA1000000351BBFBF8B</audit_session_id>
<nas_port_id>GigabitEthernet1/0/15</nas_port_id>
<nac_policy_compliance>Pending</nac_policy_compliance>
<auth_id>1291240762077361</auth_id>
<auth_acsview_timestamp>2010-12-15T02:11:12.360Z</auth_acsview_timestamp>
<message_code>5200</message_code>
<acs_session_id>HAREESH-R6-1-PDP2/81148292/681</acs_session_id>
<service_selection_policy>MAB</service_selection_policy>
<identity_store>Internal Hosts</identity_store>
-
<response>
{UserName=00-14-BF-5A-0C-03; User-Name=00-14-BF-5A-0C-03; 
State=ReauthSession:0ACB6BA1000000351BBFBF8B; 
Class=CACS:0ACB6BA1000000351BBFBF8B:HAREESH-R6-1-PDP2/81148292/681; 
Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; 
cisco-av-pair=url-redirect=https://HAREESH-R6-1-PDP2.cisco.com:8443/guestportal/gateway?se
ssionId=0ACB6BA1000000351BBFBF8B&action=cwa; 
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL-DENY-4ced8390; }
</response>
<service_type>Call Check</service_type>
<use_case>Host Lookup</use_case>
<cisco_av_pair>audit-session-id=0ACB6BA1000000351BBFBF8B</cisco_av_pair>
<acs_username>00:14:BF:5A:0C:03</acs_username>
<radius_username>00:14:BF:5A:0C:03</radius_username>
<selected_identity_store>Internal Hosts</selected_identity_store>
<authentication_identity_store>Internal Hosts</authentication_identity_store>
<identity_policy_matched_rule>Default</identity_policy_matched_rule>
<nas_port_type>Ethernet</nas_port_type>
<selected_azn_profiles>CWA</selected_azn_profiles>
-
<other_attributes>
ConfigVersionId=44,DestinationIPAddress=10.203.107.162,DestinationPort=1812,Protocol=Radiu
s,Framed-MTU=1500,EAP-Key-Name=,CPMSessionID=0ACB6BA1000000351BBFBF8B,CPMSessionID=0ACB6BA
1000000351BBFBF8B,EndPointMACAddress=00-14-BF-5A-0C-03,HostIdentityGroup=Endpoint Identity 
Groups:Profiled,Device Type=Device Type#All Device Types,Location=Location#All 
Locations,Model Name=Unknown,Software Version=Unknown,Device IP 
Address=10.203.107.161,Called-Station-ID=04:FE:7F:7F:C0:8F
</other_attributes>
<response_time>77</response_time>
<acct_id>1291240762077386</acct_id>
<acct_acs_timestamp>2010-12-15T02:12:30.779Z</acct_acs_timestamp>
<acct_acsview_timestamp>2010-12-15T02:12:30.780Z</acct_acsview_timestamp>
<acct_session_id>00000038</acct_session_id>
<acct_status_type>Interim-Update</acct_status_type>
<acct_session_time>78</acct_session_time>
<acct_input_octets>13742</acct_input_octets>
<acct_output_octets>6277</acct_output_octets>
<acct_input_packets>108</acct_input_packets>
<acct_output_packets>66</acct_output_packets>
-
<acct_class>
CACS:0ACB6BA1000000351BBFBF8B:HAREESH-R6-1-PDP2/81148292/681
</acct_class>
<acct_delay_time>0</acct_delay_time>
<started xsi:type="xs:boolean">false</started>
<stopped xsi:type="xs:boolean">false</stopped>
</sessionParameters>

User Name Session Search

You can use the UserName API call to retrieve a specified user name from a current, active session. This section provides a schema file output example, a procedure for searching the node database for the latest active session that contains the specified user name by invoking the UserName API call, and a sample of the user name-related data returned after this API call is issued. This API will list a variety of session-related information drawn from node database tables.

UserName API Output Schema

This sample schema file is the output of the UserName API call for retrieving a specified user name from the current active sessions on the target Cisco Monitoring ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   
  <xs:element name="sessionParameters" type="restsdStatus"/>
 
   
  <xs:complexType name="restsdStatus">
    <xs:sequence>
      <xs:element name="passed" type="xs:anyType" minOccurs="0"/>
      <xs:element name="failed" type="xs:anyType" minOccurs="0"/>
      <xs:element name="user_name" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="failure_reason" type="xs:string" minOccurs="0"/>
      <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_group" type="xs:string" minOccurs="0"/>
      <xs:element name="network_device_name" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_server" type="xs:string" minOccurs="0"/>
      <xs:element name="authen_protocol" type="xs:string" minOccurs="0"/>
      <xs:element name="framed_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="network_device_groups" type="xs:string" minOccurs="0"/>
      <xs:element name="access_service" type="xs:string" minOccurs="0"/>
      <xs:element name="auth_acs_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="authentication_method" type="xs:string" minOccurs="0"/>
      <xs:element name="execution_steps" type="xs:string" minOccurs="0"/>
      <xs:element name="radius_response" type="xs:string" minOccurs="0"/>
      <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_identifier" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_policy_compliance" type="xs:string" minOccurs="0"/>
      <xs:element name="auth_id" type="xs:long" minOccurs="0"/>
      <xs:element name="auth_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="message_code" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="service_selection_policy" type="xs:string" minOccurs="0"/>
      <xs:element name="authorization_policy" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="response" type="xs:string" minOccurs="0"/>
      <xs:element name="service_type" type="xs:string" minOccurs="0"/>
      <xs:element name="cts_security_group" type="xs:string" minOccurs="0"/>
      <xs:element name="use_case" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_av_pair" type="xs:string" minOccurs="0"/>
      <xs:element name="ad_domain" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_username" type="xs:string" minOccurs="0"/>
      <xs:element name="radius_username" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_role" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_username" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_posture_token" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_radius_is_user_auth" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_posture_server" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="authentication_identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="azn_exp_pol_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="ext_pol_server_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="grp_mapping_pol_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_policy_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port_type" type="xs:string" minOccurs="0"/>
      <xs:element name="query_identity_stores" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_azn_profiles" type="xs:string" minOccurs="0"/>
      <xs:element name="sel_exp_azn_profiles" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_query_identity_stores" type="xs:string" minOccurs="0"/>
      <xs:element name="eap_tunnel" type="xs:string" minOccurs="0"/>
      <xs:element name="tunnel_details" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_h323_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_ssg_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="other_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="response_time" type="xs:long" minOccurs="0"/>
      <xs:element name="nad_failure" type="xs:anyType" minOccurs="0"/>
      <xs:element name="destination_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_id" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_acs_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="acct_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_status_type" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_session_time" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_input_octets" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_output_octets" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_input_packets" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_output_packets" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_class" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_terminate_cause" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_multi_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_authentic" type="xs:string" minOccurs="0"/>
      <xs:element name="termination_action" type="xs:string" minOccurs="0"/>
      <xs:element name="session_timeout" type="xs:string" minOccurs="0"/>
      <xs:element name="idle_timeout" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_interim_interval" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_delay_time" type="xs:string" minOccurs="0"/>
      <xs:element name="event_timestamp" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_tunnel_connection" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_tunnel_packet_lost" type="xs:string" minOccurs="0"/>
      <xs:element name="security_group" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_h323_setup_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="cisco_h323_connect_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="cisco_h323_disconnect_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="framed_protocol" type="xs:string" minOccurs="0"/>
      <xs:element name="started" type="xs:anyType" minOccurs="0"/>
      <xs:element name="stopped" type="xs:anyType" minOccurs="0"/>
      <xs:element name="ckpt_id" type="xs:long" minOccurs="0"/>
      <xs:element name="type" type="xs:long" minOccurs="0"/>
      <xs:element name="nad_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="vlan" type="xs:string" minOccurs="0"/>
      <xs:element name="dacl" type="xs:string" minOccurs="0"/>
      <xs:element name="authentication_type" type="xs:string" minOccurs="0"/>
      <xs:element name="interface_name" type="xs:string" minOccurs="0"/>
      <xs:element name="reason" type="xs:string" minOccurs="0"/>
      <xs:element name="endpoint_policy" type="xs:string" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>

Invoking the UserName API Call


Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the UserName API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
 
   

Step 2 Enter the UserName API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/<specific-api-call>/<username>):

https://acme123/ise/mnt/api/Session/UserName/graham_hancock

Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of "mnt" in the API call convention represents a Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the UserName API Call

The following example illustrates the session-related data returned from the list of active sessions when you invoke a UserName API call on a target Cisco Monitoring ISE node:

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
      
-
<sessionParameters>
<passed xsi:type="xs:boolean">true</passed>
<failed xsi:type="xs:boolean">false</failed>
<user_name>graham_hancock</user_name>
<nas_ip_address>10.203.107.161</nas_ip_address>
<calling_station_id>00:14:BF:5A:0C:03</calling_station_id>
<nas_port>50115</nas_port>
<identity_group>Profiled</identity_group>
<network_device_name>Core-Switch</network_device_name>
<acs_server>HAREESH-R6-1-PDP2</acs_server>
<authen_protocol>Lookup</authen_protocol>
-
<network_device_groups>
Device Type#All Device Types,Location#All Locations
</network_device_groups>
<access_service>RADIUS</access_service>
<auth_acs_timestamp>2010-12-15T02:11:12.359Z</auth_acs_timestamp>
<authentication_method>mab</authentication_method>
-
<execution_steps>
11001,11017,11027,15008,15048,15004,15041,15004,15013,24209,24211,22037,15036,15048,15048,
15004,15016,11022,11002
</execution_steps>
<audit_session_id>0ACB6BA1000000351BBFBF8B</audit_session_id>
<nas_port_id>GigabitEthernet1/0/15</nas_port_id>
<nac_policy_compliance>Pending</nac_policy_compliance>
<auth_id>1291240762077361</auth_id>
<auth_acsview_timestamp>2010-12-15T02:11:12.360Z</auth_acsview_timestamp>
<message_code>5200</message_code>
<acs_session_id>HAREESH-R6-1-PDP2/81148292/681</acs_session_id>
<service_selection_policy>MAB</service_selection_policy>
<identity_store>Internal Hosts</identity_store>
-
<response>
{UserName=graham_hancock; User-Name=graham_hancock; 
State=ReauthSession:0ACB6BA1000000351BBFBF8B; 
Class=CACS:0ACB6BA1000000351BBFBF8B:HAREESH-R6-1-PDP2/81148292/681; 
Termination-Action=RADIUS-Request; cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; 
cisco-av-pair=url-redirect=https://HAREESH-R6-1-PDP2.cisco.com:8443/guestportal/gateway?se
ssionId=0ACB6BA1000000351BBFBF8B&action=cwa; 
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-ACL-DENY-4ced8390; }
</response>
<service_type>Call Check</service_type>
<use_case>Host Lookup</use_case>
<cisco_av_pair>audit-session-id=0ACB6BA1000000351BBFBF8B</cisco_av_pair>
<acs_username>graham_hancock</acs_username>
<radius_username>00:14:BF:5A:0C:03</radius_username>
<selected_identity_store>Internal Hosts</selected_identity_store>
<authentication_identity_store>Internal Hosts</authentication_identity_store>
<identity_policy_matched_rule>Default</identity_policy_matched_rule>
<nas_port_type>Ethernet</nas_port_type>
<selected_azn_profiles>CWA</selected_azn_profiles>
-
<other_attributes>
ConfigVersionId=44,DestinationIPAddress=10.203.107.162,DestinationPort=1812,Protocol=Radiu
s,Framed-MTU=1500,EAP-Key-Name=,CPMSessionID=0ACB6BA1000000351BBFBF8B,CPMSessionID=0ACB6BA
1000000351BBFBF8B,EndPointMACAddress=00-14-BF-5A-0C-03,HostIdentityGroup=Endpoint Identity 
Groups:Profiled,Device Type=Device Type#All Device Types,Location=Location#All 
Locations,Model Name=Unknown,Software Version=Unknown,Device IP 
Address=10.203.107.161,Called-Station-ID=04:FE:7F:7F:C0:8F
</other_attributes>
<response_time>77</response_time>
<acct_id>1291240762077386</acct_id>
<acct_acs_timestamp>2010-12-15T02:12:30.779Z</acct_acs_timestamp>
<acct_acsview_timestamp>2010-12-15T02:12:30.780Z</acct_acsview_timestamp>
<acct_session_id>00000038</acct_session_id>
<acct_status_type>Interim-Update</acct_status_type>
<acct_session_time>78</acct_session_time>
<acct_input_octets>13742</acct_input_octets>
<acct_output_octets>6277</acct_output_octets>
<acct_input_packets>108</acct_input_packets>
<acct_output_packets>66</acct_output_packets>
-
<acct_class>
CACS:0ACB6BA1000000351BBFBF8B:HAREESH-R6-1-PDP2/81148292/681
</acct_class>
<acct_delay_time>0</acct_delay_time>
<started xsi:type="xs:boolean">false</started>
<stopped xsi:type="xs:boolean">false</stopped>
</sessionParameters>

NAS IP Address Session Search

You can use the IPAddress API call to retrieve a specified NAS IP address from a current session. This section provides a schema file output example, a procedure for searching the node database for the latest active session that contains the specified NAS IP address by invoking the IPAddress API call, and a sample of the NAS IP address-related data returned after this API call is issued. This API will list a variety of session-related information drawn from node database tables.

IPAddress API Output Schema

This sample schema file is the output of the IPAddress API call for retrieving a specified NAS IP address from the current active sessions on the target Cisco Monitoring ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
 
   
  <xs:element name="sessionParameters" type="restsdStatus"/>
 
   
  <xs:complexType name="restsdStatus">
    <xs:sequence>
      <xs:element name="passed" type="xs:anyType" minOccurs="0"/>
      <xs:element name="failed" type="xs:anyType" minOccurs="0"/>
      <xs:element name="user_name" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="failure_reason" type="xs:string" minOccurs="0"/>
      <xs:element name="calling_station_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_group" type="xs:string" minOccurs="0"/>
      <xs:element name="network_device_name" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_server" type="xs:string" minOccurs="0"/>
      <xs:element name="authen_protocol" type="xs:string" minOccurs="0"/>
      <xs:element name="framed_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="network_device_groups" type="xs:string" minOccurs="0"/>
      <xs:element name="access_service" type="xs:string" minOccurs="0"/>
      <xs:element name="auth_acs_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="authentication_method" type="xs:string" minOccurs="0"/>
      <xs:element name="execution_steps" type="xs:string" minOccurs="0"/>
      <xs:element name="radius_response" type="xs:string" minOccurs="0"/>
      <xs:element name="audit_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_identifier" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port_id" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_policy_compliance" type="xs:string" minOccurs="0"/>
      <xs:element name="auth_id" type="xs:long" minOccurs="0"/>
      <xs:element name="auth_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="message_code" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="service_selection_policy" type="xs:string" minOccurs="0"/>
      <xs:element name="authorization_policy" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="response" type="xs:string" minOccurs="0"/>
      <xs:element name="service_type" type="xs:string" minOccurs="0"/>
      <xs:element name="cts_security_group" type="xs:string" minOccurs="0"/>
      <xs:element name="use_case" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_av_pair" type="xs:string" minOccurs="0"/>
      <xs:element name="ad_domain" type="xs:string" minOccurs="0"/>
      <xs:element name="acs_username" type="xs:string" minOccurs="0"/>
      <xs:element name="radius_username" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_role" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_username" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_posture_token" type="xs:string" minOccurs="0"/>
      <xs:element name="nac_radius_is_user_auth" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_posture_server" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="authentication_identity_store" type="xs:string" minOccurs="0"/>
      <xs:element name="azn_exp_pol_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="ext_pol_server_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="grp_mapping_pol_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="identity_policy_matched_rule" type="xs:string" minOccurs="0"/>
      <xs:element name="nas_port_type" type="xs:string" minOccurs="0"/>
      <xs:element name="query_identity_stores" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_azn_profiles" type="xs:string" minOccurs="0"/>
      <xs:element name="sel_exp_azn_profiles" type="xs:string" minOccurs="0"/>
      <xs:element name="selected_query_identity_stores" type="xs:string" minOccurs="0"/>
      <xs:element name="eap_tunnel" type="xs:string" minOccurs="0"/>
      <xs:element name="tunnel_details" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_h323_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_ssg_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="other_attributes" type="xs:string" minOccurs="0"/>
      <xs:element name="response_time" type="xs:long" minOccurs="0"/>
      <xs:element name="nad_failure" type="xs:anyType" minOccurs="0"/>
      <xs:element name="destination_ip_address" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_id" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_acs_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="acct_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="acct_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_status_type" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_session_time" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_input_octets" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_output_octets" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_input_packets" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_output_packets" type="xs:long" minOccurs="0"/>
      <xs:element name="acct_class" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_terminate_cause" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_multi_session_id" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_authentic" type="xs:string" minOccurs="0"/>
      <xs:element name="termination_action" type="xs:string" minOccurs="0"/>
      <xs:element name="session_timeout" type="xs:string" minOccurs="0"/>
      <xs:element name="idle_timeout" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_interim_interval" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_delay_time" type="xs:string" minOccurs="0"/>
      <xs:element name="event_timestamp" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_tunnel_connection" type="xs:string" minOccurs="0"/>
      <xs:element name="acct_tunnel_packet_lost" type="xs:string" minOccurs="0"/>
      <xs:element name="security_group" type="xs:string" minOccurs="0"/>
      <xs:element name="cisco_h323_setup_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="cisco_h323_connect_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="cisco_h323_disconnect_time" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="framed_protocol" type="xs:string" minOccurs="0"/>
      <xs:element name="started" type="xs:anyType" minOccurs="0"/>
      <xs:element name="stopped" type="xs:anyType" minOccurs="0"/>
      <xs:element name="ckpt_id" type="xs:long" minOccurs="0"/>
      <xs:element name="type" type="xs:long" minOccurs="0"/>
      <xs:element name="nad_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
      <xs:element name="vlan" type="xs:string" minOccurs="0"/>
      <xs:element name="dacl" type="xs:string" minOccurs="0"/>
      <xs:element name="authentication_type" type="xs:string" minOccurs="0"/>
      <xs:element name="interface_name" type="xs:string" minOccurs="0"/>
      <xs:element name="reason" type="xs:string" minOccurs="0"/>
      <xs:element name="endpoint_policy" type="xs:string" minOccurs="0"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
 
   

Invoking the NAS IPAddress API Call


Note Make sure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the NAS IPAddress API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
 
   

Step 2 Enter the IPAddress API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/<specific-api-call>/<nasipaddress>):

https://acme123/ise/mnt/api/Session/IPAddress/10.10.10.10

Note Make sure that you specify the NAS IP address using the xxx.xxx.xxx.xxx format.



Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of "mnt" in the API call convention represents a Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the IPAddress API Call

The following example illustrates the session-related data returned from the list of active sessions when you invoke an IPAddress API call on a target Cisco Monitoring ISE node:

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
-
<sessionParameters>
<passed xsi:type="xs:boolean">true</passed>
<failed xsi:type="xs:boolean">false</failed>
<user_name>ipepvpnuser</user_name>
<nas_ip_address>10.10.10.10</nas_ip_address>
<calling_station_id>172.23.130.90</calling_station_id>
<nas_port>1015</nas_port>
<identity_group>iPEP-VPN-Group</identity_group>
<network_device_name>iPEP-HA-Routed</network_device_name>
<acs_server>HAREESH-R6-1-PDP2</acs_server>
<authen_protocol>PAP_ASCII</authen_protocol>
-
<network_device_groups>
Device Type#All Device Types,Location#All Locations
</network_device_groups>
<access_service>RADIUS</access_service>
<auth_acs_timestamp>2010-12-15T19:57:29.885Z</auth_acs_timestamp>
<authentication_method>PAP_ASCII</authentication_method>
-
<execution_steps>
11001,11017,15008,15048,15048,15004,15041,15004,15013,24210,24212,22037,15036,15048,15048,
15004,15016,11002
</execution_steps>
<audit_session_id>0acb6be4000000044D091DA9</audit_session_id>
<nac_policy_compliance>NotApplicable</nac_policy_compliance>
<auth_id>1291240762083580</auth_id>
<auth_acsview_timestamp>2010-12-15T19:57:29.887Z</auth_acsview_timestamp>
<message_code>5200</message_code>
<acs_session_id>HAREESH-R6-1-PDP2/81148292/693</acs_session_id>
<service_selection_policy>iPEP-VPN</service_selection_policy>
<identity_store>Internal Users</identity_store>
-
<response>
{User-Name=ipepvpnuser; State=ReauthSession:0acb6be4000000044D091DA9; 
Class=CACS:0acb6be4000000044D091DA9:HAREESH-R6-1-PDP2/81148292/693; 
Termination-Action=RADIUS-Request; }
</response>
<service_type>Framed</service_type>
-
<cisco_av_pair>
audit-session-id=0acb6be4000000044D091DA9,ipep-proxy=true
</cisco_av_pair>
<acs_username>ipepvpnuser</acs_username>
<radius_username>ipepvpnuser</radius_username>
<selected_identity_store>Internal Users</selected_identity_store>
<authentication_identity_store>Internal Users</authentication_identity_store>
<identity_policy_matched_rule>Default</identity_policy_matched_rule>
<nas_port_type>Virtual</nas_port_type>
<selected_azn_profiles>iPEP-Unknown-Auth-Profile</selected_azn_profiles>
<tunnel_details>Tunnel-Client-Endpoint=(tag=0) 172.23.130.90</tunnel_details>
-
<other_attributes>
ConfigVersionId=44,DestinationIPAddress=10.203.107.162,DestinationPort=1812,Protocol=Radiu
s,Framed-Protocol=PPP,Proxy-State=Cisco Secure 
ACS9e733142-070a-11e0-c000-000000000000-2906094480-3222,CPMSessionID=0acb6be4000000044D091
DA9,CPMSessionID=0acb6be4000000044D091DA9,Device Type=Device Type#All Device 
Types,Location=Location#All Locations,Model Name=Unknown,Software Version=Unknown,Device 
IP Address=10.203.107.228,Called-Station-ID=172.23.130.94
</other_attributes>
<response_time>20</response_time>
<acct_id>1291240762083582</acct_id>
<acct_acs_timestamp>2010-12-15T19:57:30.281Z</acct_acs_timestamp>
<acct_acsview_timestamp>2010-12-15T19:57:30.283Z</acct_acsview_timestamp>
<acct_session_id>F1800007</acct_session_id>
<acct_status_type>Start</acct_status_type>
-
<acct_class>
CACS:0acb6be4000000044D091DA9:HAREESH-R6-1-PDP2/81148292/693
</acct_class>
<acct_delay_time>0</acct_delay_time>
<framed_protocol>PPP</framed_protocol>
<started xsi:type="xs:boolean">true</started>
<stopped xsi:type="xs:boolean">false</stopped>
</sessionParameters>

Endpoint IP Address Session Search

You can use the EndPointIPAddress API call to retrieve session directory information from a current, active session. This section provides a schema file output example, a procedure for searching the node database for the latest active session that contains the specified IP address by invoking the EndPointIPAddress API call, and a sample of the endpoint-related data returned after this API call is issued. This API call lists a variety of session directory information drawn from node database tables.

EndPointIPAddress API Output Schema

This sample schema file is the output of the EndPointIPAddress API call for retrieving session directory information about a specified endpoint from the current active sessions on the target Cisco Monitoring ISE node:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="sessionParameters" type="restsdStatus"/>
<xs:complexType name="restsdStatus">
<xs:sequence>
<xs:element name="passed" type="xs:anyType" minOccurs="0"/>
<xs:element name="failed" type="xs:anyType" minOccurs="0"/>
<xs:element name="user_name" type="xs:string" minOccurs="0"/>
<xs:element name="nas_ip_address" type="xs:string" minOccurs="0"/>
<xs:element name="failure_reason" type="xs:string" minOccurs="0"/>
<xs:element name="calling_station_id" type="xs:string" minOccurs="0"/>
<xs:element name="nas_port" type="xs:string" minOccurs="0"/>
<xs:element name="identity_group" type="xs:string" minOccurs="0"/>
<xs:element name="network_device_name" type="xs:string" minOccurs="0"/>
<xs:element name="acs_server" type="xs:string" minOccurs="0"/>
<xs:element name="authen_protocol" type="xs:string" minOccurs="0"/>
<xs:element name="framed_ip_address" type="xs:string" minOccurs="0"/>
<xs:element name="network_device_groups" type="xs:string" minOccurs="0"/>
<xs:element name="access_service" type="xs:string" minOccurs="0"/>
<xs:element name="auth_acs_timestamp" type="xs:dateTime" minOccurs="0"/>
<xs:element name="authentication_method" type="xs:string" minOccurs="0"/>
<xs:element name="execution_steps" type="xs:string" minOccurs="0"/>
<xs:element name="radius_response" type="xs:string" minOccurs="0"/>
<xs:element name="audit_session_id" type="xs:string" minOccurs="0"/>
<xs:element name="nas_identifier" type="xs:string" minOccurs="0"/>
<xs:element name="nas_port_id" type="xs:string" minOccurs="0"/>
<xs:element name="nac_policy_compliance" type="xs:string" minOccurs="0"/>
<xs:element name="auth_id" type="xs:long" minOccurs="0"/>
<xs:element name="auth_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
<xs:element name="message_code" type="xs:string" minOccurs="0"/>
<xs:element name="acs_session_id" type="xs:string" minOccurs="0"/>
<xs:element name="service_selection_policy" type="xs:string" minOccurs="0"/>
<xs:element name="authorization_policy" type="xs:string" minOccurs="0"/>
<xs:element name="identity_store" type="xs:string" minOccurs="0"/>
<xs:element name="response" type="xs:string" minOccurs="0"/>
<xs:element name="service_type" type="xs:string" minOccurs="0"/>
<xs:element name="cts_security_group" type="xs:string" minOccurs="0"/>
<xs:element name="use_case" type="xs:string" minOccurs="0"/>
<xs:element name="cisco_av_pair" type="xs:string" minOccurs="0"/>
<xs:element name="ad_domain" type="xs:string" minOccurs="0"/>
<xs:element name="acs_username" type="xs:string" minOccurs="0"/>
<xs:element name="radius_username" type="xs:string" minOccurs="0"/>
<xs:element name="nac_role" type="xs:string" minOccurs="0"/>
<xs:element name="nac_username" type="xs:string" minOccurs="0"/>
<xs:element name="nac_posture_token" type="xs:string" minOccurs="0"/>
<xs:element name="nac_radius_is_user_auth" type="xs:string" minOccurs="0"/>
<xs:element name="selected_posture_server" type="xs:string" minOccurs="0"/>
<xs:element name="selected_identity_store" type="xs:string" minOccurs="0"/>
<xs:element name="authentication_identity_store" type="xs:string" minOccurs="0"/>
<xs:element name="azn_exp_pol_matched_rule" type="xs:string" minOccurs="0"/>
<xs:element name="ext_pol_server_matched_rule" type="xs:string" minOccurs="0"/>
<xs:element name="grp_mapping_pol_matched_rule" type="xs:string" minOccurs="0"/>
<xs:element name="identity_policy_matched_rule" type="xs:string" minOccurs="0"/>
<xs:element name="nas_port_type" type="xs:string" minOccurs="0"/>
<xs:element name="query_identity_stores" type="xs:string" minOccurs="0"/>
<xs:element name="selected_azn_profiles" type="xs:string" minOccurs="0"/>
<xs:element name="sel_exp_azn_profiles" type="xs:string" minOccurs="0"/>
<xs:element name="selected_query_identity_stores" type="xs:string" minOccurs="0"/>
<xs:element name="eap_tunnel" type="xs:string" minOccurs="0"/>
<xs:element name="tunnel_details" type="xs:string" minOccurs="0"/>
<xs:element name="cisco_h323_attributes" type="xs:string" minOccurs="0"/>
<xs:element name="cisco_ssg_attributes" type="xs:string" minOccurs="0"/>
<xs:element name="other_attributes" type="xs:string" minOccurs="0"/>
<xs:element name="response_time" type="xs:long" minOccurs="0"/>
<xs:element name="nad_failure" type="xs:anyType" minOccurs="0"/>
<xs:element name="destination_ip_address" type="xs:string" minOccurs="0"/>
<xs:element name="acct_id" type="xs:long" minOccurs="0"/>
<xs:element name="acct_acs_timestamp" type="xs:dateTime" minOccurs="0"/>
<xs:element name="acct_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
<xs:element name="acct_session_id" type="xs:string" minOccurs="0"/>
<xs:element name="acct_status_type" type="xs:string" minOccurs="0"/>
<xs:element name="acct_session_time" type="xs:long" minOccurs="0"/>
<xs:element name="acct_input_octets" type="xs:string" minOccurs="0"/>
<xs:element name="acct_output_octets" type="xs:string" minOccurs="0"/>
<xs:element name="acct_input_packets" type="xs:long" minOccurs="0"/>
<xs:element name="acct_output_packets" type="xs:long" minOccurs="0"/>
<xs:element name="acct_class" type="xs:string" minOccurs="0"/>
<xs:element name="acct_terminate_cause" type="xs:string" minOccurs="0"/>
<xs:element name="acct_multi_session_id" type="xs:string" minOccurs="0"/>
<xs:element name="acct_authentic" type="xs:string" minOccurs="0"/>
<xs:element name="termination_action" type="xs:string" minOccurs="0"/>
<xs:element name="session_timeout" type="xs:string" minOccurs="0"/>
<xs:element name="idle_timeout" type="xs:string" minOccurs="0"/>
<xs:element name="acct_interim_interval" type="xs:string" minOccurs="0"/>
<xs:element name="acct_delay_time" type="xs:string" minOccurs="0"/>
<xs:element name="event_timestamp" type="xs:string" minOccurs="0"/>
<xs:element name="acct_tunnel_connection" type="xs:string" minOccurs="0"/>
<xs:element name="acct_tunnel_packet_lost" type="xs:string" minOccurs="0"/>
<xs:element name="security_group" type="xs:string" minOccurs="0"/>
<xs:element name="cisco_h323_setup_time" type="xs:dateTime" minOccurs="0"/>
<xs:element name="cisco_h323_connect_time" type="xs:dateTime" minOccurs="0"/>
<xs:element name="cisco_h323_disconnect_time" type="xs:dateTime" minOccurs="0"/>
<xs:element name="framed_protocol" type="xs:string" minOccurs="0"/>
<xs:element name="started" type="xs:anyType" minOccurs="0"/>
<xs:element name="stopped" type="xs:anyType" minOccurs="0"/>
<xs:element name="ckpt_id" type="xs:long" minOccurs="0"/>
<xs:element name="type" type="xs:long" minOccurs="0"/>
<xs:element name="nad_acsview_timestamp" type="xs:dateTime" minOccurs="0"/>
<xs:element name="vlan" type="xs:string" minOccurs="0"/>
<xs:element name="dacl" type="xs:string" minOccurs="0"/>
<xs:element name="authentication_type" type="xs:string" minOccurs="0"/>
<xs:element name="interface_name" type="xs:string" minOccurs="0"/>
<xs:element name="reason" type="xs:string" minOccurs="0"/>
<xs:element name="endpoint_policy" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:schema>
 
   

Invoking the EndPointIPAddress API Call


Note Ensure that you have verified that the target node to which you are issuing an API call is a valid Cisco Monitoring ISE node. To verify the persona of a Cisco ISE node, see Verifying a Cisco Monitoring ISE Node.


To issue the EndPointIPAddress API call, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node.

For example, when you initially log into a Cisco Monitoring ISE node with the hostname of acme123, this would display the following URL Address field for this node:

https://acme123/admin/LoginAction.do#pageId=com_cisco_xmp_web_page_tmpdash
 
   

Step 2 Enter the EndPointIPAddress API call in the URL Address field of the target node by replacing the "/admin/" component with the API call component (/ise/mnt/api/Session/EndPointIPAddress/<endpoint_ip>):

https://acme123/ise/mnt/api/Session/EndPointIPAddress/A.B.C.D

Note You must carefully enter each API call in the URL Address field of a target node because these calls are case-sensitive. The use of "mnt" in the API call convention represents a Cisco Monitoring ISE node.


Step 3 Press Enter to issue the API call.


Sample Data Returned from the EndPointIPAddress API Call

The following example illustrates the session-related data returned from the list of active sessions when you invoke an EndPointIPAddress API call on a target Cisco Monitoring ISE node:

This XML file does not appear to have any style information associated with it. The 
document tree is shown below.
 
   
-
<sessionParameters>
<passed xsi:type="xs:boolean">true</passed>
<failed xsi:type="xs:boolean">false</failed>
<user_name>00:0C:29:95:A5:C1</user_name>
<nas_ip_address>10.77.152.139</nas_ip_address>
<calling_station_id>00:0C:29:95:A5:C1</calling_station_id>
<nas_port>50109</nas_port>
<identity_group>RegisteredDevices</identity_group>
<network_device_name>switch</network_device_name>
<acs_server>ise248</acs_server>
<authen_protocol>Lookup</authen_protocol>
<framed_ip_address>10.20.40.10</framed_ip_address>
-
<network_device_groups>
Device Type#All Device Types,Location#All Locations
</network_device_groups>
<access_service>RADIUS</access_service>
<auth_acs_timestamp>2012-03-13T17:02:22.169+05:30</auth_acs_timestamp>
<authentication_method>mab</authentication_method>
-
<execution_steps>
11001,11017,11027,15008,15048,15048,15004,15041,15006,15013,24209,24211,22037,15036,15048,
15004,15016,11022,11002
</execution_steps>
<audit_session_id>0A4D988B000000E337B8D983</audit_session_id>
<nas_port_id>GigabitEthernet1/0/9</nas_port_id>
<nac_policy_compliance>Pending</nac_policy_compliance>
<auth_id>1331101769985927</auth_id>
<auth_acsview_timestamp>2012-03-13T17:02:22.171+05:30</auth_acsview_timestamp>
<message_code>5200</message_code>
<acs_session_id>ise248/120476308/97</acs_session_id>
<service_selection_policy>MAB</service_selection_policy>
<authorization_policy>wired_redirect</authorization_policy>
<identity_store>Internal Endpoints</identity_store>
-
<response>
{UserName=00:0C:29:95:A5:C1; User-Name=00-0C-29-95-A5-C1; 
State=ReauthSession:0A4D988B000000E337B8D983; 
Class=CACS:0A4D988B000000E337B8D983:ise248/120476308/97; 
Termination-Action=RADIUS-Request; Tunnel-Type=(tag=1) VLAN; Tunnel-Medium-Type=(tag=1) 
802; Tunnel-Private-Group-ID=(tag=1) 30; 
cisco-av-pair=url-redirect-acl=ACL-WEBAUTH-REDIRECT; 
cisco-av-pair=url-redirect=https://ise248.cisco.com:8443/guestportal/gateway?sessionId=0A4
D988B000000E337B8D983&action=cwa; 
cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-cwa_wired-4f570619; 
cisco-av-pair=profile-name=WindowsXP-Workstation; }
</response>
<service_type>Call Check</service_type>
<use_case>Host Lookup</use_case>
<cisco_av_pair>audit-session-id=0A4D988B000000E337B8D983</cisco_av_pair>
<acs_username>00:0C:29:95:A5:C1</acs_username>
<radius_username>00:0C:29:95:A5:C1</radius_username>
<selected_identity_store>Internal Endpoints</selected_identity_store>
<authentication_identity_store>Internal Endpoints</authentication_identity_store>
<identity_policy_matched_rule>Default</identity_policy_matched_rule>
<nas_port_type>Ethernet</nas_port_type>
<selected_azn_profiles>wired_cwa_redirect</selected_azn_profiles>
<response_time>17</response_time>
<destination_ip_address>10.77.152.248</destination_ip_address>
-
<other_attributes>
ConfigVersionId=15,DestinationPort=1812,Protocol=Radius,Framed-MTU=1500,EAP-Key-Name=,cisc
o-nas-port=GigabitEthernet1/0/9,CPMSessionID=0A4D988B000000E337B8D983,EndPointMACAddress=0
0-0C-29-95-A5-C1,EndPointMatchedProfile=WindowsXP-Workstation,HostIdentityGroup=Endpoint 
Identity Groups:RegisteredDevices,Device Type=Device Type#All Device 
Types,Location=Location#All Locations,Device IP 
Address=10.77.152.139,Called-Station-ID=EC:C8:82:55:2E:09
</other_attributes>
<acct_id>1331101769985928</acct_id>
<acct_acs_timestamp>2012-03-13T17:02:22.365+05:30</acct_acs_timestamp>
<acct_acsview_timestamp>2012-03-13T17:02:22.366+05:30</acct_acsview_timestamp>
<acct_session_id>000000FC</acct_session_id>
<acct_status_type>Interim-Update</acct_status_type>
<acct_session_time>16411</acct_session_time>
<acct_input_octets>3053882</acct_input_octets>
<acct_output_octets>2633472</acct_output_octets>
<acct_input_packets>20166</acct_input_packets>
<acct_output_packets>20297</acct_output_packets>
<acct_class>CACS:0A4D988B000000E337B8D983:ise248/120476308/97</acct_class>
<acct_delay_time>0</acct_delay_time>
<started xsi:type="xs:boolean">false</started>
<stopped xsi:type="xs:boolean">false</stopped>
<vlan>30</vlan>
<dacl>#ACSACL#-IP-cwa_wired-4f570619</dacl>
<endpoint_policy>WindowsXP-Workstation</endpoint_policy>
</sessionParameters>
 
   

Removing Stale Sessions

Some devices, such as Wireless Lan Controllers (WLCs), may allow stale sessions to linger. In such cases, you can use the HTTP DELETE API call to manually delete the inactive sessions. To do so, use cURL, a free 3rd-party command line tool for transferring data with URL (HTTP, HTTPS) syntax.


Note GNU Wget, the free utility for retrieving files using HTTP and HTTPS, does not support the HTTP DELETE API call.


To remove a stale sessions, complete the following steps:


Step 1 Log into the target Cisco Monitoring ISE node from the command line.


Note API calls are case-sensitive, and must be entered carefully. The variable <mntnode> represents a Cisco Monitoring ISE node.


Step 2 To manually delete a stale session for a MAC address, issue the following API call on the command line:

curl -X DELETE https://<mntnode>/ise/mnt/api/Session/Delete/MACAddress/<madaddress>
 
   

Step 3 To manually delete a stale session for a session ID, issue the following API call on the command line:

curl -X DELETE https://<mntnode>/ise/mnt/api/Session/Delete/SessionID/<sid#>
 
   

Step 4 To manually delete all sessions, issue the following API call on the command line:

curl -X DELETE https://<mntnode>/ise/mnt/api/Session/Delete/All