ISE DataConnect Query Codex
Quick-reference SQL patterns for ISE DataConnect (Oracle JDBC on port 2484). Run via netapi ise dc query or netapi ise dc --format json query.
Quick Start
# Load credentials
ds d000 dev/network
# List available SQL files (48 queries, 9 categories)
netapi ise dc query --list
# Run a query file
netapi ise dc query --file mschapv2_migration_enhanced
# Run with JSON output
netapi ise dc --format json query --file active-sessions | jq '.'
# Run inline SQL
netapi ise dc query "SELECT * FROM endpoints FETCH FIRST 5 ROWS ONLY"
# Filter by category
netapi ise dc query --list --file migrationBuilt-In Commands (No SQL Needed)
| Command | Purpose |
|---|---|
|
Auth method distribution (MAB, dot1x, PEAP, etc.) |
|
Endpoint inventory with rich formatting |
|
Recent authentications (live RADIUS log) |
|
Failed authentications |
|
Endpoint counts by profiler policy |
|
Endpoint counts by device type |
|
Hourly authentication trends |
|
Full session view (endpoint + auth + session) |
|
Authentication timeline for a MAC |
|
NAS (switch/WLC) health by success rate |
|
Top failure reasons with counts |
|
Endpoints not seen in N days |
|
Top users by auth count |
|
Posture assessment events |
|
RADIUS accounting (session duration, bytes) |
|
TACACS+ device admin events |
|
ISE configuration changes |
|
Change of Authorization events |
SQL File Library (48 queries)
Endpoints
-- Simple inventory
-- File: endpoints/endpoint-inventory-simple.sql
SELECT mac_address, endpoint_profile, identity_group
FROM endpoints
FETCH FIRST 100 ROWS ONLY-- Endpoints by profiler policy
-- File: endpoints/endpoints-by-profile.sql
SELECT endpoint_profile, COUNT(*) as count
FROM endpoints
GROUP BY endpoint_profile
ORDER BY count DESC-- Stale endpoints (not seen in N days)
-- File: endpoints/endpoints-no-sessions.sql
SELECT mac_address, endpoint_profile, last_seen
FROM endpoints
WHERE last_seen < SYSDATE - 30Authentication
-- Auth method breakdown
-- File: auth/ise-auth-methods.sql
SELECT authentication_method, COUNT(*) as total,
SUM(CASE WHEN passed = 1 THEN 1 ELSE 0 END) as passed,
SUM(CASE WHEN failed = 1 THEN 1 ELSE 0 END) as failed
FROM radius_authentications
WHERE timestamp > SYSDATE - 1
GROUP BY authentication_method
ORDER BY total DESC-- Failed auths last 24h
-- File: auth/ise-failed-auths-24h.sql
SELECT username, mac_address, failure_reason, nas_ip_address, timestamp
FROM radius_authentications
WHERE failed = 1 AND timestamp > SYSDATE - 1
ORDER BY timestamp DESC-- Hourly activity pattern
-- File: auth/ise-hourly-activity.sql
SELECT TO_CHAR(timestamp, 'HH24') as hour,
COUNT(*) as total,
SUM(CASE WHEN passed = 1 THEN 1 ELSE 0 END) as passed,
SUM(CASE WHEN failed = 1 THEN 1 ELSE 0 END) as failed
FROM radius_authentications
WHERE timestamp > SYSDATE - 1
GROUP BY TO_CHAR(timestamp, 'HH24')
ORDER BY hourSessions
-- Active sessions with traffic data
-- File: sessions/active-sessions.sql
-- NOTE: Wireless shows 0 packets if accounting-interim not enabled on WLC
SELECT mac_address, username, nas_ip_address, ip_address,
input_packets, output_packets, total_mb,
session_start, update_count
FROM radius_accounting
WHERE stopped_flag = 0
ORDER BY session_start DESCMSCHAPv2 Migration
-- All MSCHAPv2 endpoints (THE report the team needs)
-- File: migration/mschapv2_migration_enhanced.sql
SELECT mac_address, endpoint_profile, username,
authentication_method, nas_ip_address,
COUNT(*) as auth_count
FROM radius_authentications
WHERE authentication_method LIKE '%mschap%'
AND timestamp > SYSDATE - 7
GROUP BY mac_address, endpoint_profile, username,
authentication_method, nas_ip_address
ORDER BY auth_count DESC-- Unique MSCHAPv2 devices
-- File: migration/mschapv2_unique_devices.sql
SELECT DISTINCT mac_address, endpoint_profile
FROM radius_authentications
WHERE authentication_method LIKE '%mschap%'
AND timestamp > SYSDATE - 30Network Devices
-- Switch activity summary
-- File: network/ise-switch-activity.sql
SELECT nas_ip_address, COUNT(*) as total_auths,
COUNT(DISTINCT mac_address) as unique_macs
FROM radius_authentications
WHERE timestamp > SYSDATE - 1
GROUP BY nas_ip_address
ORDER BY total_auths DESC-- Hub detection (multiple MACs on one port)
-- File: network/ise-hub-detection.sql
SELECT nas_ip_address, nas_port_id,
COUNT(DISTINCT mac_address) as mac_count,
LISTAGG(DISTINCT mac_address, ', ') as macs
FROM radius_authentications
WHERE timestamp > SYSDATE - 1
GROUP BY nas_ip_address, nas_port_id
HAVING COUNT(DISTINCT mac_address) > 1
ORDER BY mac_count DESCProfiler
-- Profiler summary (device type distribution)
-- File: profiler/profiler-endpoints-master.sql
SELECT endpoint_profile, COUNT(*) as count
FROM profiler_endpoints
GROUP BY endpoint_profile
ORDER BY count DESCDiagnostics
-- Discover available tables/views
-- File: diagnostic/discover-schema.sql
SELECT table_name FROM all_tables
WHERE owner = 'ISENODE'
ORDER BY table_name-- MAC format check (ISE uses uppercase colon-separated)
-- File: diagnostic/diagnostic-mac-formats.sql
SELECT DISTINCT mac_address,
LENGTH(mac_address) as len,
SUBSTR(mac_address, 3, 1) as separator
FROM endpoints
FETCH FIRST 20 ROWS ONLYjq Patterns for JSON Output
# Get just MACs and profiles
netapi ise dc --format json query --file endpoints/endpoint-inventory-simple | \
jq '.[] | {mac: .mac_address, profile: .endpoint_profile}'
# Count by auth method
netapi ise dc --format json auth-methods | \
jq '.[] | "\(.auth_method): \(.total) (\(.success_pct)%)"'
# Filter active sessions by device
netapi ise dc --format json query --file sessions/active-sessions | \
jq '.[] | select(.network_device == "Home-3560CX-01") | {mac: .mac_address, mb: .total_mb}'
# MSCHAPv2 unique MAC count
netapi ise dc --format json query --file migration/mschapv2_unique_devices | \
jq 'length'
# Export to CSV
netapi ise dc --format json query --file endpoints/endpoint-inventory-simple | \
jq -r '.[] | [.mac_address, .endpoint_profile] | @csv'Environment Setup
# Home lab
ds d000 dev/network
netapi ise dc test
# CHLA
ds d001 dev/network
netapi ise dc test