DataConnect Commands

Overview

DataConnect provides direct Oracle SQL access to ISE’s database - bypassing the limited ERS/MnT APIs to give you raw access to authentication logs, session data, profiler information, and endpoint inventory. This is where the real data lives.

Why DataConnect over ERS/MnT?

  • Real-time: Live data, not cached API responses

  • Complete: Access to ALL fields, not just what APIs expose

  • Flexible: Custom SQL for any query you can imagine

  • Historical: Query days/weeks of data, not just active sessions

  • Correlatable: JOIN across tables for deep analysis

DataConnect requires:

  • ISE 3.1+ with DataConnect enabled

  • Oracle TCPS port 2484 open

  • DataConnect user credentials (separate from ERS)

  • Runs on MnT node (not PAN) in distributed deployments

Commands

Command Description

dc test

Test DataConnect connectivity

dc stats

Authentication statistics (passed/failed counts)

dc recent

Recent authentication attempts

dc failed

Failed authentication attempts with failure reasons

dc session

Crown jewel - comprehensive session view

dc auth-history

Authentication timeline for specific MAC

dc endpoints

List/search endpoints with rich data

dc endpoint

Single endpoint detail view

dc profiler

Endpoint counts by profiler policy

dc device-types

Endpoint counts by device type

dc query

Execute raw SQL queries - unlimited power

dc nas

NAS (switch/WLC) health by auth success rate

dc top-failures

Top failure reasons with counts

dc trends

Hourly authentication trends

dc stale

Stale endpoints not seen in N days

dc users

Top users by authentication count

dc auth-methods

Authentication method distribution

dc accounting

Session duration and bytes transferred (data usage)

Operational Workflows

Morning Health Check (30 seconds)

#!/bin/bash
# morning-check.sh - Run daily before coffee

echo "═══════════════════════════════════════════════════════"
echo "  ISE Health Check - $(date '+%Y-%m-%d %H:%M')"
echo "═══════════════════════════════════════════════════════"

echo -e "\n📊 Overnight Stats (12h):"
netapi ise dc stats --hours 12

echo -e "\n❌ Recent Failures (4h):"
netapi ise dc failed --hours 4 --limit 10

echo -e "\n🔍 Unknown Devices:"
netapi ise dc --format json profiler | jq '.[] | select(.policy == "Unknown") | "\(.count) unknown endpoints"' -r

Troubleshooting Workflow

#!/bin/bash
# troubleshoot.sh <MAC> - Complete device investigation

MAC="${1:?Usage: troubleshoot.sh <MAC>}"

echo "═══════════════════════════════════════════════════════"
echo "  Investigating: $MAC"
echo "═══════════════════════════════════════════════════════"

# Step 1: Full session view (identity + profiler + session + auth history)
echo -e "\n📋 FULL SESSION VIEW:"
netapi ise dc session "$MAC" --hours 72

# Step 2: Check for failure patterns
echo -e "\n❌ FAILURE ANALYSIS:"
netapi ise dc --format json auth-history "$MAC" --hours 168 | jq '
  group_by(.status) |
  map({status: .[0].status, count: length}) |
  .[] | "\(.status): \(.count)"
' -r

# Step 3: Compare to similar devices
echo -e "\n🔄 SIMILAR DEVICES (same profiler policy):"
POLICY=$(netapi ise dc --format json endpoint "$MAC" | jq -r '.profiler_policy')
netapi ise dc endpoints --policy "$POLICY" --limit 5

Security Monitoring

#!/bin/bash
# security-scan.sh - Detect anomalies

echo "🔒 Security Scan - $(date)"

# 1. Brute force detection (>10 failures from same MAC in 1 hour)
echo -e "\n⚠️  Possible brute force (>10 failures/hour):"
netapi ise dc --format json failed --hours 1 | jq '
  group_by(.mac) |
  map(select(length > 10)) |
  map({mac: .[0].mac, failures: length, last_reason: .[-1].failure_reason})
'

# 2. New unknown devices
echo -e "\n🆕 New unknown devices (24h):"
netapi ise dc --format json endpoints --policy "Unknown" --limit 20 | jq '
  .[] | "\(.mac) | \(.ip // "no IP") | first seen: \(.first_seen)"
' -r

# 3. Failed certificate authentications (possible cert issues)
echo -e "\n🔐 Certificate auth failures:"
netapi ise dc --format json failed --hours 24 | jq '
  [.[] | select(.failure_reason | tostring | contains("24"))] |
  length as $count |
  "\($count) certificate-related failures"
' -r

Inventory & Compliance

#!/bin/bash
# inventory-report.sh - Weekly compliance report

echo "📊 Weekly Inventory Report - $(date '+%Y-%m-%d')"
echo "═══════════════════════════════════════════════════════"

# Device breakdown
echo -e "\n📱 Device Types:"
netapi ise dc device-types

echo -e "\n🏷️  Top 10 Profiler Policies:"
netapi ise dc --format json profiler | jq -r '
  sort_by(-.count) |
  .[0:10] |
  .[] |
  "\(.policy): \(.count)"
'

# Unknown/unmanaged devices (compliance risk)
echo -e "\n⚠️  Compliance Risks:"
UNKNOWN=$(netapi ise dc --format json profiler | jq '[.[] | select(.policy == "Unknown")] | .[0].count // 0')
echo "  Unknown devices: $UNKNOWN"

# Devices without recent auth (stale)
echo -e "\n💤 Stale endpoints (no auth in 7 days):"
netapi ise dc query "
SELECT COUNT(*) as stale_count
FROM ENDPOINTS_DATA
WHERE UPDATE_TIME < SYSDATE - 7
" 2>/dev/null

Environment Variables

Variable Description Default

ISE_DATACONNECT_HOST

MnT node IP or hostname

(required)

ISE_DATACONNECT_PORT

Oracle TCPS port

2484

ISE_DATACONNECT_USER

DataConnect username

dataconnect

ISE_DATACONNECT_PASS

DataConnect password

(required)

ISE_DATACONNECT_SERVICE

Oracle service name

cpm10

ISE_DATACONNECT_CA

Path to MnT SSL certificate

(optional)

INSECURE

Skip SSL verification

false

Setup via dsec

# Load secrets
dsource d000 dev/network

# Test connection
netapi ise dc test

# Verify with a query
netapi ise dc stats

Global Options

Option Values Description

--format, -f

table, json, yaml

Output format (default: table)

The --format flag must come before the subcommand:

# Correct syntax
netapi ise dc --format json stats
netapi ise dc -f yaml profiler

# WRONG - will error
netapi ise dc stats --format json

Database Views Reference

DataConnect exposes these Oracle views for raw SQL queries:

View Description & Key Fields

RADIUS_AUTHENTICATIONS

All auth attempts: TIMESTAMP_TIMEZONE, CALLING_STATION_ID (MAC), USERNAME, PASSED (varchar: 'Pass'/'Fail'), FAILURE_REASON, NAS_IP_ADDRESS, AUTHENTICATION_METHOD

RADIUS_ACCOUNTING

Session accounting: SESSION_ID, ACCT_STATUS_TYPE (Start/Stop), ACCT_SESSION_TIME, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_TERMINATE_CAUSE

ENDPOINTS_DATA

Endpoint inventory: MAC_ADDRESS, HOSTNAME, ENDPOINT_IP, ENDPOINT_POLICY, IDENTITY_GROUP_ID

PROFILED_ENDPOINTS_SUMMARY

Profiler data: ENDPOINT_ID (MAC), ENDPOINT_PROFILE, IDENTITY_GROUP

NODE_LIST

ISE deployment: node information

NETWORK_DEVICES

NAD inventory: network access devices (switches, WLCs)

Power Queries

Authentication Success Rate by Hour (Trend Analysis)

netapi ise dc query "
SELECT
  TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24') as hour,
  COUNT(*) as total,
  SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) as passed,
  ROUND(SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) * 100.0 / COUNT(*), 1) as success_pct
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24')
ORDER BY hour
"

Top Failure Reasons (What’s Breaking?)

netapi ise dc query "
SELECT
  FAILURE_REASON,
  COUNT(*) as count,
  ROUND(COUNT(*) * 100.0 / SUM(COUNT(*)) OVER(), 1) as pct
FROM RADIUS_AUTHENTICATIONS
WHERE PASSED != 'Pass' AND TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY FAILURE_REASON
ORDER BY count DESC
FETCH FIRST 10 ROWS ONLY
"

Endpoint Session Duration Analysis

netapi ise dc query "
SELECT
  p.ENDPOINT_PROFILE as device_type,
  COUNT(DISTINCT a.CALLING_STATION_ID) as unique_devices,
  ROUND(AVG(a.ACCT_SESSION_TIME)/3600, 1) as avg_session_hours,
  ROUND(MAX(a.ACCT_SESSION_TIME)/3600, 1) as max_session_hours
FROM RADIUS_ACCOUNTING a
JOIN PROFILED_ENDPOINTS_SUMMARY p ON a.CALLING_STATION_ID = p.ENDPOINT_ID
WHERE a.ACCT_STATUS_TYPE = 'Stop' AND a.TIMESTAMP_TIMEZONE > SYSDATE - 7
GROUP BY p.ENDPOINT_PROFILE
ORDER BY unique_devices DESC
FETCH FIRST 15 ROWS ONLY
"

NAS (Switch/WLC) Health

netapi ise dc query "
SELECT
  NAS_IP_ADDRESS,
  COUNT(*) as total_auths,
  SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) as passed,
  SUM(CASE WHEN PASSED != 'Pass' THEN 1 ELSE 0 END) as failed,
  ROUND(SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) * 100.0 / COUNT(*), 1) as success_pct
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY NAS_IP_ADDRESS
HAVING COUNT(*) > 10
ORDER BY failed DESC
FETCH FIRST 20 ROWS ONLY
"

Integration Examples

Export to CSV (for Excel/Sheets)

# Full endpoint inventory to CSV
netapi ise dc --format json endpoints --limit 5000 | jq -r '
  ["MAC","Hostname","IP","Policy","Last Seen"],
  (.[] | [.mac, .hostname, .ip, .policy, .last_seen]) | @csv
' > endpoints.csv

Prometheus/Grafana Metrics

#!/bin/bash
# Push to Prometheus pushgateway
STATS=$(netapi ise dc --format json stats)
PASSED=$(echo "$STATS" | jq '.passed')
FAILED=$(echo "$STATS" | jq '.failed')

cat <<EOF | curl --data-binary @- http://pushgateway:9091/metrics/job/ise
ise_auth_passed_total $PASSED
ise_auth_failed_total $FAILED
EOF

Slack/Teams Alert

#!/bin/bash
# Alert if failure rate > 20%
STATS=$(netapi ise dc --format json stats --hours 1)
RATE=$(echo "$STATS" | jq '.success_rate')

if (( $(echo "$RATE < 80" | bc -l) )); then
  curl -X POST "$SLACK_WEBHOOK" -d "{
    \"text\": \"⚠️ ISE Auth Success Rate: ${RATE}% (last hour)\"
  }"
fi

DataConnect vs ERS vs MnT

Capability DataConnect ERS API MnT API

Historical data

Days/weeks

Current only

24h max

Custom queries

Full SQL

No

No

Real-time

Yes

Near real-time

Yes

Endpoint IP/hostname

Yes

No

Session only

Failure reasons

Yes (detailed)

No

Yes

Profiler certainty

Yes

No

No

Session accounting

Yes

No

Limited

Bulk export

Unlimited

Paginated

Limited

Rule of thumb:

  • ERS: Managing objects (create/update/delete endpoints, policies)

  • MnT: Active session operations (CoA, session lookup)

  • DataConnect: Analytics, reporting, troubleshooting, compliance