netapi Integration
1. Overview
netapi is the unified network automation CLI for Domus Digitalis infrastructure. It provides consistent command-line access to all network services, replacing manual GUI operations with scriptable, repeatable commands.
Full CLI Reference: see the domus-netapi-docs component (114 pages of command documentation).
2. Supported Platforms
| Platform | Commands | Use Cases |
|---|---|---|
| ISE | netapi ise | Policy management, session monitoring, DataConnect queries |
| pfSense | netapi pfsense | DNS automation, firewall rules, DHCP management |
| WLC (C9800) | netapi wlc | WLAN management, client troubleshooting, policy profiles |
| IOS Switches | netapi ios | Show commands, configuration, IBNS 2.0 |
| Vault | netapi vault | PKI certificate issuance, secrets management |
| Synology | | Backup status, storage monitoring |
| Keycloak | | Realm backup, user management |
| KVM | | VM management, snapshots |
3. Quick Start
3.2. Common Commands
Check ISE sessions:
netapi ise mnt sessions
Check specific endpoint:
netapi ise mnt session <mac-address>
Query switch:
netapi ios exec "show access-session"
Issue certificate from Vault:
netapi vault pki-issue hostname.{domain} --role domus-server
Check pfSense DNS:
netapi pfsense dns list
4. ISE Commands
4.1. ERS API (Configuration)
# Policy sets
netapi ise get-policy-sets
netapi ise get-policy-set "Domus-Wired 802.1X"
# Authorization
netapi ise get-authz-profiles
netapi ise get-authz-profile "Linux_EAPTLS_Permit"
netapi ise get-dacls
netapi ise get-dacl "LINUX_RESEARCH_HARDENED"
# Create/update dACL
netapi ise create-dacl DACL_NAME --file /path/to/acl.txt --descr "Description"
netapi ise update-authz-profile "Profile" --dacl DACL_NAME --reauth-timer 3600
# Network devices
netapi ise get-nads
netapi ise get-nad "Switch-01"
4.2. MNT API (Monitoring)
# Active sessions
netapi ise mnt sessions
netapi ise mnt session <mac-address>
# Authentication logs
netapi ise mnt auth-logs <mac-address> --limit 10
# Change of Authorization (re-evaluates or terminates the live session; disruptive for the user, so confirm the MAC first)
netapi ise mnt coa <mac-address>
4.3. DataConnect (Analytics)
DataConnect provides direct, read-only Oracle SQL access to the ISE MnT database, bypassing the limited ERS/MnT APIs for raw access to authentication logs, session data, profiler information, and endpoint inventory.
Why DataConnect over ERS/MnT? The APIs return fixed, pre-shaped responses; DataConnect lets you join, filter and aggregate across views in a single query, which is what the power queries below rely on.
Two cautions: the DataConnect account can read usernames, MAC addresses and authentication history for every endpoint, so treat its credentials like any other privileged secret; and netapi ise dc query takes a raw SQL string, so never splice unvalidated input (a MAC address pasted from a ticket, a user-supplied hour count) into that string.
4.3.1. Basic Commands
# Test DataConnect connectivity
netapi ise dc test
# Authentication statistics
netapi ise dc stats --hours 24
# Recent failed authentications
netapi ise dc failed --hours 4 --limit 20
# Full session view (identity + profiler + auth history)
netapi ise dc session <mac-address> --hours 72
# Endpoint profiler breakdown
netapi ise dc profiler
4.3.2. Database Views Reference
DataConnect exposes these Oracle views for raw SQL queries:
| View | Description & Key Fields |
|---|---|
| RADIUS_AUTHENTICATIONS | All auth attempts: TIMESTAMP, TIMESTAMP_TIMEZONE, PASSED, FAILED, FAILURE_REASON, CALLING_STATION_ID, USERNAME, DEVICE_NAME, NAS_IP_ADDRESS, NAS_PORT_ID, NAS_PORT_TYPE, AUTHENTICATION_METHOD, AUTHENTICATION_PROTOCOL, ENDPOINT_PROFILE |
| RADIUS_ACCOUNTING | Session accounting: TIMESTAMP_TIMEZONE, CALLING_STATION_ID, ACCT_SESSION_TIME, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS |
| | Endpoint inventory |
| | Profiler data |
| | NAD inventory: switches, WLCs |
4.3.3. Power Queries (Raw Oracle SQL)
Authentication Success Rate by Hour
netapi ise dc query "
SELECT
TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24') as hour,
COUNT(*) as total,
SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) as passed,
ROUND(SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) * 100.0 / COUNT(*), 1) as success_pct
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24')
ORDER BY hour
"
Top Failure Reasons
netapi ise dc query "
SELECT
FAILURE_REASON,
COUNT(*) as count,
ROUND(COUNT(*) * 100.0 / SUM(COUNT(*)) OVER(), 1) as pct
FROM RADIUS_AUTHENTICATIONS
WHERE PASSED != 'Pass' AND TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY FAILURE_REASON
ORDER BY count DESC
FETCH FIRST 10 ROWS ONLY
"
Hub/Hypervisor Detection (Security)
Identify ports with multiple MACs - possible unauthorized hubs, hypervisors, or MAC spoofing. Two MACs on a wired port is normal for an IP phone with a daisy-chained PC, which is why the thresholds start above that. The CASE branches are ordered from the highest threshold down; with the lowest threshold first, the higher tiers can never match.
netapi ise dc query "
SELECT
  DEVICE_NAME as Switch,
  NAS_PORT_ID as Port,
  NAS_PORT_TYPE as Port_Type,
  COUNT(DISTINCT CALLING_STATION_ID) as MAC_Count,
  COUNT(*) as Auth_Events,
  LISTAGG(DISTINCT CALLING_STATION_ID, '; ') WITHIN GROUP (ORDER BY CALLING_STATION_ID) as MACs,
  CASE
    WHEN COUNT(DISTINCT CALLING_STATION_ID) > 10 THEN 'INVESTIGATE IMMEDIATELY'
    WHEN NAS_PORT_TYPE LIKE '%Ethernet%' AND COUNT(DISTINCT CALLING_STATION_ID) > 5 THEN 'LIKELY HYPERVISOR'
    WHEN NAS_PORT_TYPE LIKE '%Ethernet%' AND COUNT(DISTINCT CALLING_STATION_ID) > 2 THEN 'SUSPECTED HUB'
    ELSE 'Normal'
  END as Risk_Level
FROM radius_authentications
WHERE TIMESTAMP >= (SYSDATE - 3)
  AND NAS_PORT_ID IS NOT NULL
GROUP BY DEVICE_NAME, NAS_PORT_ID, NAS_PORT_TYPE
HAVING COUNT(DISTINCT CALLING_STATION_ID) > 1
ORDER BY MAC_Count DESC
"
Roaming Devices (WiFi Troubleshooting)
Find devices that authenticated through more than one network device in the last 4 hours (roaming/mobile). DEVICE_NAME is the NAD that sent the RADIUS request, so on a C9800 every AP reports as the controller and roaming between APs on the same WLC does not appear here; the query catches endpoints moving between switches, between controllers, or between wired and wireless:
netapi ise dc query "
SELECT
CALLING_STATION_ID as MAC,
MAX(USERNAME) as Username,
MAX(ENDPOINT_PROFILE) as Device_Type,
COUNT(DISTINCT DEVICE_NAME) as Switch_Count,
COUNT(*) as Auth_Count,
LISTAGG(DISTINCT DEVICE_NAME, '; ') WITHIN GROUP (ORDER BY DEVICE_NAME) as Switches
FROM radius_authentications
WHERE TIMESTAMP >= (SYSDATE - 4/24)
GROUP BY CALLING_STATION_ID
HAVING COUNT(DISTINCT DEVICE_NAME) > 1
ORDER BY Switch_Count DESC
"
Licensing Impact Analysis (30 Days)
Useful for license compliance and capacity planning. ISE licenses are consumed by concurrent active sessions, so unique MACs per day is an upper bound on the peak you will be charged for; use it for trend and headroom, not as the exact license count:
netapi ise dc query "
SELECT
TRUNC(TIMESTAMP) as Date,
COUNT(DISTINCT CALLING_STATION_ID) as Unique_MACs_Per_Day,
COUNT(*) as Total_Auths,
COUNT(DISTINCT DEVICE_NAME) as Active_Switches,
COUNT(DISTINCT USERNAME) as Unique_Users
FROM radius_authentications
WHERE TIMESTAMP >= (SYSDATE - 30)
GROUP BY TRUNC(TIMESTAMP)
ORDER BY TRUNC(TIMESTAMP) DESC
"
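The daily unique-MAC count above over-estimates what licensing actually measures, which is the number of endpoints with a session open at the same instant. The following is an added example (not netapi code) that computes peak concurrency from accounting rows with a sweep over session intervals, and the per-day unique count for comparison. It assumes each row is a session-stop record whose TIMESTAMP is the stop time and whose ACCT_SESSION_TIME is the session length in seconds (both columns appear in RADIUS_ACCOUNTING); that a session therefore starts at TIMESTAMP minus ACCT_SESSION_TIME; and that overlapping records for the same MAC (for example a reauthentication) count as one endpoint. The sample rows are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AcctRow:
    """One RADIUS_ACCOUNTING stop record (assumed column semantics, see lead-in)."""
    calling_station_id: str
    timestamp: datetime        # accounting stop time
    acct_session_time: int     # session length in seconds


def peak_concurrent_sessions(rows):
    """Sweep-line over half-open [start, stop) intervals.

    Returns (peak, time_of_peak). A MAC with several overlapping records is
    counted once, since a license is consumed per endpoint session, not per
    accounting record. At equal timestamps a stop is processed before a
    start so back-to-back sessions on one port do not double count.
    """
    events = []
    for r in rows:
        start = r.timestamp - timedelta(seconds=r.acct_session_time)
        events.append((start, 1, r.calling_station_id))         # 1 = session start
        events.append((r.timestamp, 0, r.calling_station_id))   # 0 = session stop
    events.sort()                                               # (time, kind, mac): stop before start at a tie

    active = {}          # mac -> number of overlapping records still open
    peak, peak_at = 0, None
    for when, kind, mac in events:
        if kind == 1:
            active[mac] = active.get(mac, 0) + 1
        else:
            active[mac] -= 1
            if active[mac] == 0:
                del active[mac]
        if len(active) > peak:
            peak, peak_at = len(active), when
    return peak, peak_at


def unique_macs_per_day(rows):
    """The page's licensing query, in Python: distinct MACs per calendar day."""
    days = {}
    for r in rows:
        days.setdefault(r.timestamp.date(), set()).add(r.calling_station_id)
    return {d: len(s) for d, s in days.items()}


# Constructed sample: four endpoints on one day, at most three connected at once,
# plus a reauthentication record for endpoint 02 that overlaps its own session.
T0 = datetime(2025, 1, 6, 8, 0)
SAMPLE = [
    AcctRow("AA:BB:CC:00:00:01", T0 + timedelta(hours=4), 4 * 3600),  # 08:00-12:00
    AcctRow("AA:BB:CC:00:00:02", T0 + timedelta(hours=5), 4 * 3600),  # 09:00-13:00
    AcctRow("AA:BB:CC:00:00:02", T0 + timedelta(hours=5), 2 * 3600),  # 11:00-13:00 (reauth)
    AcctRow("AA:BB:CC:00:00:03", T0 + timedelta(hours=6), 4 * 3600),  # 10:00-14:00
    AcctRow("AA:BB:CC:00:00:04", T0 + timedelta(hours=9), 3 * 3600),  # 14:00-17:00
]

if __name__ == "__main__":
    peak, at = peak_concurrent_sessions(SAMPLE)
    print(f"peak concurrent endpoints: {peak} at {at}")
    print(f"unique MACs per day: {unique_macs_per_day(SAMPLE)}")
```

On the sample, the daily unique count is 4 while the peak concurrency is 3 (at 10:00, when the third endpoint joins); on a real 30-day extract the gap between the two is your actual license headroom.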
MSCHAPv2 Migration Query
Find all devices still using MSCHAPv2 (for EAP-TLS migration):
netapi ise dc query "
SELECT
CALLING_STATION_ID as MAC_Address,
USERNAME,
AUTHENTICATION_METHOD,
AUTHENTICATION_PROTOCOL,
DEVICE_NAME,
ENDPOINT_PROFILE,
MAX(TIMESTAMP) as Last_Auth
FROM radius_authentications
WHERE AUTHENTICATION_PROTOCOL LIKE '%MSCHAP%'
AND TIMESTAMP >= (SYSDATE - 30)
GROUP BY CALLING_STATION_ID, USERNAME, AUTHENTICATION_METHOD,
AUTHENTICATION_PROTOCOL, DEVICE_NAME, ENDPOINT_PROFILE
ORDER BY Last_Auth DESC
"
Network Device Activity
Authentication load per switch/WLC:
netapi ise dc query "
SELECT
DEVICE_NAME as Switch,
NAS_IP_ADDRESS as IP,
COUNT(DISTINCT CALLING_STATION_ID) as Unique_Devices,
COUNT(*) as Total_Auths,
SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) as Success,
SUM(CASE WHEN FAILED = 1 THEN 1 ELSE 0 END) as Failed,
MAX(TIMESTAMP) as Last_Auth
FROM radius_authentications
WHERE TIMESTAMP >= (SYSDATE - 1)
AND DEVICE_NAME IS NOT NULL
GROUP BY DEVICE_NAME, NAS_IP_ADDRESS
ORDER BY Total_Auths DESC
"
Session Duration by Endpoint
Connected time and data volume per endpoint over the last 7 days, top 20 by total connected hours:
netapi ise dc query "
SELECT
CALLING_STATION_ID as MAC,
COUNT(*) as sessions,
ROUND(AVG(ACCT_SESSION_TIME)/60, 1) as avg_minutes,
ROUND(SUM(ACCT_SESSION_TIME)/3600, 1) as total_hours,
SUM(ACCT_INPUT_OCTETS + ACCT_OUTPUT_OCTETS) as total_bytes
FROM RADIUS_ACCOUNTING
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 7
GROUP BY CALLING_STATION_ID
ORDER BY total_hours DESC
FETCH FIRST 20 ROWS ONLY
"
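Because netapi ise dc query takes the SQL as a literal string, there are no bind variables: anything spliced into the text reaches Oracle as SQL. The helper below is an added example (not netapi code) of building the per-endpoint history query safely: the MAC is validated against a strict pattern and normalised before use, the hour window is coerced to a bounded integer, and the command is invoked as an argv list rather than through a shell. It assumes netapi passes the string to Oracle verbatim, and it assumes CALLING_STATION_ID is stored upper-case with colon separators; check one row of your own RADIUS_AUTHENTICATIONS output and change the separator if needed.

```python
import re
import subprocess
import sys

# Six hex pairs with optional ':' or '-' separators. Anything else, including
# SQL metacharacters, fails the anchored match.
MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})"
    r"[:\-]?([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})[:\-]?([0-9A-Fa-f]{2})$"
)


def normalize_mac(mac: str, sep: str = ":") -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff and return the
    assumed CALLING_STATION_ID form (upper-case, `sep`-separated).
    Raises ValueError for anything that is not exactly a MAC address."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return sep.join(g.upper() for g in m.groups())


def build_session_query(mac: str, hours, sep: str = ":") -> str:
    """Return the raw SQL for one endpoint's recent authentication history.

    `hours` is forced to an int inside a sane window (1 hour to 90 days) so it
    cannot carry an expression; the MAC goes through normalize_mac first.
    """
    hours = int(hours)
    if not 1 <= hours <= 24 * 90:
        raise ValueError("hours must be between 1 and 2160")
    mac = normalize_mac(mac, sep)
    return (
        "SELECT TIMESTAMP_TIMEZONE, USERNAME, DEVICE_NAME, NAS_PORT_ID, "
        "AUTHENTICATION_PROTOCOL, PASSED, FAILURE_REASON "
        "FROM RADIUS_AUTHENTICATIONS "
        f"WHERE CALLING_STATION_ID = '{mac}' "
        f"AND TIMESTAMP_TIMEZONE > SYSDATE - {hours}/24 "
        "ORDER BY TIMESTAMP_TIMEZONE DESC"
    )


def netapi_dc_query_argv(sql: str) -> list:
    """argv for subprocess.run: no shell, so the SQL is one argument and the
    caller's quoting cannot be broken by the content."""
    return ["netapi", "ise", "dc", "query", sql]


if __name__ == "__main__":
    # usage: python dc_session.py <mac> [hours]
    window = sys.argv[2] if len(sys.argv) > 2 else 24
    sql = build_session_query(sys.argv[1], window)
    subprocess.run(netapi_dc_query_argv(sql), check=True)
```

The same validation belongs in front of every other raw query on this page that takes a caller-supplied value; the built-in netapi ise dc session command covers this case, but anything you script yourself has to do the checking.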
4.3.4. Oracle SQL Tips
| Oracle Syntax | Meaning |
|---|---|
| SYSDATE - 1 | Last 24 hours |
| SYSDATE - 1/24 | Last 1 hour |
| SYSDATE - 7 | Last 7 days |
| FETCH FIRST n ROWS ONLY | Limit results (Oracle 12c+) |
| LISTAGG(col, ', ') WITHIN GROUP (ORDER BY col) | Concatenate values into comma-separated list |
| TRUNC(TIMESTAMP) | Group by day (remove time portion) |
4.3.5. Environment Variables (DataConnect)
netapi reads the DataConnect connection settings from environment variables covering:
- MnT node IP or hostname (required)
- Oracle TCPS port
- DataConnect username
- DataConnect password (required)
- Oracle service name
5. Switch Commands
6. Vault PKI Commands
# Check Vault status
netapi vault status
# Unseal Vault (the unseal key material is the most sensitive secret in this chain; restrict who can run this)
netapi vault unseal --auto
# Issue server certificate
netapi vault pki-issue server.{domain} --role domus-server --ttl 8760h
# Issue workstation certificate
netapi vault pki-issue workstation.{domain} --role domus-workstation -o /tmp/certs
# List issued certificates
netapi vault pki-list
7. pfSense Commands
# DNS management
netapi pfsense dns list
netapi pfsense dns add-override inside.domusdigitalis.dev 10.50.1.50
# Interface status
netapi pfsense interfaces
# Firewall rules (read-only)
netapi pfsense firewall list
8. WLC Commands
# List WLANs
netapi wlc get-wlans
# Policy profiles
netapi wlc policy-profiles
# Show detailed policy
netapi wlc run "show wireless profile policy detailed POLICY-NAME"
# Connected clients
netapi wlc clients
9. Environment Variables
netapi uses environment variables loaded via dsource, covering:
- ISE Primary Admin Node IP
- ERS API credentials
- pfSense API access
- Switch SSH credentials
- Vault server and token
- WLC RESTCONF credentials
These values are live credentials for every platform in the table above; keep the dsource file out of version control and readable only by the account that runs netapi.
10. Integration with Documentation
The full netapi CLI reference is in the domus-netapi-docs component:
- 114 pages of command documentation
- Every ISE ERS, MNT, DataConnect, and pxGrid command
- pfSense, WLC, IOS, Vault command references
- Examples with real output
When built via the domus-docs aggregator, cross-component links work:
- ISE ERS: netapi::cli/ise/ers/index.adoc
- ISE MNT: netapi::cli/ise/mnt/index.adoc
- ISE DataConnect: netapi::cli/ise/dc/index.adoc
- pfSense: netapi::cli/pfsense/index.adoc
- Vault: netapi::cli/vault-commands.adoc