Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
204
Views
4
Helpful
2
Replies

Cisco ISE Endpoint Report Outdated

unknowingstudent
Level 1
Level 1

‎05-15-2024 12:58 AM - last edited on ‎05-15-2024 01:12 AM by Cisco Employee

Hey together,

I am trying to export an Endpoint-Report from my Cisco ISE (3.2.0.542). Therefore I am using CLI and "application configure ise -> 16". The problem is that this Report is not up-to-date. Every Endpoint that connected at some point to the network is listed there and a new Endpoint will be added there correctly. If an Endpoint reconnects and get´s assigned a new Authorization Policy however, this is not updated in the Report, even after Reauthentication, Port Bounce on the Switch or CoA Session Termination with Port Bounce.

On the Webinterface Dashbaord every Endpoint is up-to-date with its correct Authorization Policy. Anyone has an Idea how I can get an up-to-date report including the applied Policies of Endpoints automatically? The ISE API does not provide such detailed information as far as I can see.

Thank you very much. 

2 Replies 2

thomas
Cisco Employee
Cisco Employee

‎05-15-2024 07:47 AM

File a bug with the Cisco TAC or make an ISE Wish @ https://cs.co/ise-wish for these. You will need to be very specific about which attributes are not updated based on your experience.

Alternatively try using the ISE Data Connect interface with SQL using the endpoints_data table and others as shown in

How to Get Data Out of ISE 2024-04-02

 ISE Data Connect

52:07: Demo: ISE Data Connect SQL Queries

iseql.py --help
iseql.py "SELECT view_name FROM user_views ORDER BY view_name ASC"
iseql.py "SELECT view_name FROM RADIUS_ACCOUNTING"
iseql.py "SELECT status,username,is_admin,password_never_expires FROM network_access_users"
iseql.py "select  location, sum(passed_count) as passed, sum(failed_count) as failed, sum(passed_count) + sum(failed_count) as total, round(to_char(((sum(failed_count) / (sum(passed_count) + sum(failed_count))) * 100)), 2) as failed_percentage, round(to_char(sum(total_response_time)/(sum(passed_count) + sum(failed_count))), 2) as total_response_time, max(max_response_time) as max_response_time from radius_authentication_summary group by location"

Arne Bier
VIP
VIP

‎05-15-2024 04:30 PM

I second what Thomas says about SQL via REST API - it's the new killer feature to get live data out of your Monitoring nodes. SQL is not everyone's cup of tea, but it's a lot simpler than having to learn fancy API calls and mess with python. The iseql.py is perfect for issuing quick (or also complex) SQL statements that produce really useful out. The Cisco Developer page has excellent examples that you should try out to get a feel for this.

I will add, that some of the examples in the Cisco Developer assume you have a small data set, and therefore the queries can take a LOOOONG time to start producing output. I googled around a bit and found some useful addenda to these commands, to restrict the output a bit - e.g. to restrict the time/date range and then only return the first ten records - mostly to see if this is the data you want - if you don't do this in production, then you can wait minutes, and get data that is quite outdated:

select * from radius_authentication_summary where timestamp >= to_timestamp('2024-05-10 13:00:00', 'yyyy-mm-dd hh24:mi:ss') fetch first 10 rows only

Or, to find a unique list of usernames starting with the letter "L" - I have not found any other way to perform string operations, but regexp is one way

select username from radius_authentication_summary where regexp_like (username, '^L') group by username

 

Customers Also Viewed These Support Documents