ISE MnT API

Monitoring and Troubleshooting API. Query active sessions, authentication history, and issue Change of Authorization (CoA) requests.

Overview

Base URL   https://ise-01.inside.domusdigitalis.dev:443/admin/API/mnt/
Auth       Basic Auth (same credentials as ERS)
Format     XML (default) — pipe through xq for JSON
Port       443 (not 9060 — separate from ERS)
Target     MnT node (same as PAN in standalone, dedicated node in distributed)

MnT returns XML. Use xq (from python-yq package) to convert to JSON. Install: pacman -S python-yq (Arch) or pip install yq.

Environment Setup

# Scoped (preferred — 45 vars)
dsource d000 dev/network/ise

# Full (legacy — 120 vars)
dsource d000 dev/network

Key Endpoints

Path                                                 Purpose
/Version                                             ISE version and node type
/FailureReasons                                      All authentication failure codes
/Session/ActiveCount                                 Total active session count
/Session/ActiveList                                  All active sessions
/Session/MACAddress/{mac}                            Session by MAC (reliable)
/Session/EndPointIPAddress/{ip}                      Session by IP (unreliable — use MAC when possible)
/Session/UserName/{user}                             Sessions by username (must match exact cert CN for EAP-TLS)
/AuthStatus/MACAddress/{mac}/{seconds}/{count}/All   Authentication history by MAC
/CoA/Reauth/{nas_ip}/{mac}/{type}                    Force re-authentication (target is switch/WLC, not ISE)
/CoA/Disconnect/{nas_ip}/{mac}/{type}                Disconnect / port bounce (target is switch/WLC, not ISE)

Examples — curl + xq

Version

Get ISE version
curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/Version" \
  | xq -C '.'

Active Sessions

List all active sessions
curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/Session/ActiveList" \
  | xq -C '.'

Active sessions as a table (IP, MAC, username)
# xq (xmltodict) returns activeSession as an object, not a one-element array, when exactly
# one session is active, so normalise before iterating; select() drops the no-session case.
curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/Session/ActiveList" \
  | xq -r '.activeList.activeSession | (if type == "array" then .[] else . end) | select(. != null) | "\(.framed_ip_address)\t\(.calling_station_id)\t\(.user_name)"' \
  | column -t -s $'\t'

Session by MAC — Full Dump

Full session detail for an endpoint
MAC="14:F6:D8:7B:31:80"

curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/Session/MACAddress/${MAC}" \
  | xq -C '.'

Session by MAC — Operational Summary

Extract key fields only
curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/Session/MACAddress/${MAC}" \
  | xq -C '.sessionParameters | {
    user_name,
    calling_station_id,
    identity_group,
    authentication_method,
    authentication_protocol,
    framed_ip_address,
    nas_ip_address,
    network_device_name,
    selected_azn_profiles,
    acs_server,
    auth_acs_timestamp,
    endpoint_policy,
    acct_status_type,
    acct_session_id
  }'

Session by MAC — Certificate and Policy Deep Dive

Parse cert, TLS, and policy details from the session attributes
# other_attr_string is delimited by the three-character string ':!:'. tr translates single
# characters, so tr ':!:' '\n' would also break values at every ':' (group paths, timestamps);
# sed replaces the whole delimiter.
curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/Session/MACAddress/${MAC}" \
  | xq -r '.sessionParameters.other_attr_string' \
  | sed 's/:!:/\n/g' \
  | grep -P '^(Issuer - Common|Subject - Common|Days to Expiry|ISEPolicySetName|AuthorizationPolicyMatchedRule|IdentityPolicyMatchedRule|TLSVersion|HostIdentityGroup=Endpoint)|cisco-wlan-ssid='

Reverse Lookup: IP → MAC

Find the MAC for an IP from the active session list
# Same single-session caveat as above: normalise activeSession to a stream before select().
TARGET_IP="10.50.10.107"

curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/Session/ActiveList" \
  | xq -r ".activeList.activeSession | (if type == \"array\" then .[] else . end) | select(.framed_ip_address==\"${TARGET_IP}\") | .calling_station_id"

Authentication History

Last 10 auth events for a MAC in the past 24 hours
MAC="14:F6:D8:7B:31:80"

curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/AuthStatus/MACAddress/${MAC}/86400/10/All" \
  | xq -C '.'

Failure Reasons

List failure reasons (first 5)
curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/FailureReasons" \
  | xq -C '.failureReasonList.failureReason[:5]'

CoA — Reauth

Get NAS IP from session, then send CoA
MAC="14:F6:D8:7B:31:80"

NAS_IP=$(curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/Session/MACAddress/${MAC}" \
  | xq -r '.sessionParameters.nas_ip_address')

# xq -r prints the string "null" when there is no session for the MAC; never send a CoA
# with that (or an empty value) as the NAS address.
case "${NAS_IP}" in
  ""|null) echo "no active session for ${MAC}" >&2; exit 1 ;;
esac
echo "NAS: ${NAS_IP}"

# Type: 0=default, 1=last, 2=rerun
curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  -X PUT \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/CoA/Reauth/${NAS_IP}/${MAC}/2" \
  | xq -C '.'

CoA — Disconnect

Port bounce or shutdown
# Type: 0=default, 1=port_bounce, 2=port_shutdown
curl -sS \
  --cacert "${ISE_CA_CERT}" \
  -u "${ISE_MNT_USER}:${ISE_MNT_PASS}" \
  -X PUT \
  "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt/CoA/Disconnect/${NAS_IP}/${MAC}/1" \
  | xq -C '.'
Port shutdown (type=2) disables the switch port. Requires manual re-enable.
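Added example, not code from this page or from netapi: a POSIX sh helper that validates the NAS IP, the MAC and the type code before assembling a CoA URL, so a failed session lookup (xq prints null) or a malformed MAC never becomes a request to the switch or WLC. norm_mac, valid_ipv4 and coa_url are this example's own names; it assumes ISE accepts the uppercase colon-separated MAC form used throughout this page.

```shell
#!/bin/sh
# Added example (not the page's own code): validate every path component of a
# MnT CoA URL before it is sent. The names below are this example's own.

# Normalise a MAC to the form used on this page (uppercase, colon-separated).
# Accepts aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff and bare hex; returns 1 otherwise.
norm_mac() {
  _hex=$(printf '%s' "$1" | sed 's/[:.-]//g' | tr 'a-f' 'A-F')
  printf '%s' "$_hex" | grep -Eq '^[0-9A-F]{12}$' || return 1
  printf '%s\n' "$_hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Accept only a dotted-quad NAS address; rejects "", "null" and hostnames.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for _o in $(printf '%s' "$1" | tr '.' ' '); do
    [ "$_o" -le 255 ] || return 1
  done
}

# coa_url BASE ACTION NAS_IP MAC TYPE -> prints the URL, or returns 1 and prints nothing.
# ACTION is Reauth or Disconnect; TYPE is 0..2 as documented in the table above.
coa_url() {
  case "$2" in Reauth|Disconnect) ;; *) return 1 ;; esac
  case "$5" in 0|1|2) ;; *) return 1 ;; esac
  valid_ipv4 "$3" || return 1
  _mac=$(norm_mac "$4") || return 1
  printf '%s/CoA/%s/%s/%s/%s\n' "$1" "$2" "$3" "$_mac" "$5"
}
```

In the page's pipeline, replace the interpolated URL with `"$(coa_url "https://${ISE_MNT_FQDN}:${ISE_MNT_PORT}/admin/API/mnt" Reauth "${NAS_IP}" "${MAC}" 2)" || exit 1`.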

netapi Commands

netapi ise mnt sessions
netapi ise mnt session "14:F6:D8:7B:31:80"
netapi ise mnt auth-status "14:F6:D8:7B:31:80"
netapi ise mnt count
netapi ise mnt version
netapi ise mnt failure-reasons
netapi ise mnt coa --mac "14:F6:D8:7B:31:80" --action reauth
netapi ise mnt coa --mac "14:F6:D8:7B:31:80" --action disconnect

Learnings

MnT Gotchas (tested 2026-04-15)
  • MnT returns XML — always pipe through xq for JSON output

  • IP lookup path is Session/EndPointIPAddress/, not Session/IPAddress/

  • IP and username lookups are unreliable — MAC is the only reliable key

  • CoA target is the NAS IP (switch/WLC), not the ISE node

  • CoA types: reauth (0=default, 1=last, 2=rerun), disconnect (0=default, 1=port_bounce, 2=port_shutdown)

  • Username for EAP-TLS is the certificate CN, not a login name

  • Session other_attr_string contains cert details, TLS version, policy matches — parse with sed 's/:!:/\n/g' | grep -P (the delimiter is the three-character string ':!:'; tr ':!:' '\n' translates single characters and would also split values at every ':' or '!')
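Added example (not the page's own code), covering both the Certificate and Policy Deep Dive section and the last gotcha above: a POSIX sh parser for the ':!:'-delimited other_attr_string that splits on the whole delimiter rather than on single characters, and a check for client certificates about to expire. SAMPLE_ATTRS is a constructed string, and split_attrs, attr_count, attr_value and cert_expiry_warning are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the page. Parses the ':!:'-delimited
# other_attr_string returned by /Session/MACAddress/{mac}.
# SAMPLE_ATTRS is constructed for illustration; real output carries many more attributes.
SAMPLE_ATTRS='Issuer - Common Name=Corp Issuing CA 01:!:Subject - Common Name=laptop-0042.corp.example:!:Days to Expiry=212:!:TLSVersion=TLSv1.2:!:ISEPolicySetName=Wired-Dot1X:!:AuthorizationPolicyMatchedRule=Corp-Laptops:!:IdentityPolicyMatchedRule=EAP-TLS-Cert:!:HostIdentityGroup=Endpoint Identity Groups:Corp-Laptops:!:Auth-Time=2026-04-15 09:31:07'

# One attribute per line, split on the literal ':!:' delimiter.
# tr ':!:' '\n' is a character-set translation: it would also cut the group
# path and the timestamp above at every single ':'.
split_attrs() {
  printf '%s\n' "$1" | awk '{ gsub(/:!:/, "\n") } 1'
}

# Number of attributes in the string.
attr_count() {
  split_attrs "$1" | awk 'END { print NR }'
}

# Value of one attribute (everything after its first '='), or return 1 if absent.
attr_value() {
  _v=$(split_attrs "$1" | awk -v k="$2" \
    'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }')
  [ -n "$_v" ] || return 1
  printf '%s\n' "$_v"
}

# Return 0 when the client cert expires within N days (default 30), 1 when it
# does not, 2 when the session carries no expiry (e.g. not an EAP-TLS session).
cert_expiry_warning() {
  _days=$(attr_value "$1" "Days to Expiry") || return 2
  [ "$_days" -le "${2:-30}" ] && return 0
  return 1
}
```

Feed it the live value with `attr_value "$(curl ... | xq -r '.sessionParameters.other_attr_string')" 'Subject - Common Name'`.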