Session Lookup

Synopsis

netapi ise mnt session <MAC>
netapi ise mnt session-ip <IP>
netapi ise mnt session-user <USERNAME>

Description

Retrieve detailed session information for active endpoints. Three lookup methods available:

  • session - Lookup by MAC address (most common)

  • session-ip - Lookup by assigned IP address

  • session-user - Lookup by authenticated username

Commands

session (by MAC)

netapi ise mnt session 00:50:C2:39:F0:F7
netapi ise mnt session 70:15:FB:F8:47:EC

session-ip (by IP)

netapi ise mnt session-ip 10.50.10.45
netapi ise mnt session-ip 192.168.1.100

session-user (by username)

netapi ise mnt session-user jsmith
netapi ise mnt session-user DOMAIN\\jsmith

Sample Output

Session Details: 00:50:C2:39:F0:F7
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  MAC Address:        00:50:C2:39:F0:F7
  User Name:          00-50-C2-39-F0-F7
  NAS IP:             10.193.144.124
  NAS Port:           GigabitEthernet4/0/11
  Auth Method:        mab
  Auth Status:        PASSED

  Server Policies:
    VLAN:             751
    ACL:              xACSACLx-IP-TEST_Medical_Temp_Monitor-697290bb
    SGT:              Unknown

  Session Started:    2026-01-23T09:15:32Z
  Session Duration:   1h 34m

Troubleshooting Workflow

MAC="00:50:C2:39:F0:F7"

# [CHECK] Get session status
netapi ise mnt session $MAC

# [CHECK] If no session, check auth history
netapi ise mnt auth-status $MAC

# [CHECK] Get the dACL rules
# Extract ACL name from session, strip ISE prefix/suffix
netapi ise get-dacl TEST_Medical_Temp_Monitor

Key Fields

Field Significance

Auth Status

PASSED = authenticated, FAILED = check auth-status for reason

Auth Method

dot1x = 802.1X, mab = MAC Authentication Bypass

VLAN

Dynamic VLAN assigned by ISE authorization profile

ACL

Downloadable ACL (dACL) pushed to switch

SGT

Security Group Tag for TrustSec