DataConnect
Overview
DataConnect provides direct SQL access to ISE’s operational database for reporting and analytics.
Port: 2484 (TLS)
Authentication: Oracle credentials
Driver: oracledb (thin client)
Initialization
from netapi.vendors.cisco.ise import DataConnectClient
# From dsec secrets
client = DataConnectClient.from_dsec('home.lab.ise.dataconnect')
# Manual initialization
client = DataConnectClient(
host='ise-01.inside.domusdigitalis.dev',
port=2484,
service_name='cpm10',
username='dataconnect',
password='secret'
)Query Operations
CLI Commands
All commands support --format json for scripting.
Connection & Stats
netapi ise dc test # Test connection
netapi ise dc stats # Auth statistics (24h)
netapi ise dc stats --hours 168 # Last weekRADIUS Authentication
# Recent authentications
netapi ise dc recent # Last hour
netapi ise dc recent --hours 4 --status failed
netapi ise dc recent --mac 3C:EC:EF:43:50:42
# Failed authentications
netapi ise dc failed --hours 24
# Top failure reasons
netapi ise dc top-failures
netapi ise dc top-failures --hours 1 # Incident response
# Auth trends (hourly breakdown)
netapi ise dc trends --hours 48
# Auth method distribution
netapi ise dc auth-methodsEndpoint Analysis
# List endpoints
netapi ise dc endpoints
netapi ise dc endpoints --policy "Linux"
netapi ise dc endpoints --search "modestus"
# Single endpoint details
netapi ise dc endpoint 3C:EC:EF:43:50:42
netapi ise dc endpoint 3C:EC:EF:43:50:42 --with-auth
# Comprehensive session view (crown jewel)
netapi ise dc session 3C:EC:EF:43:50:42
# Auth history timeline
netapi ise dc auth-history 3C:EC:EF:43:50:42 --hours 48
# Stale endpoints (compliance)
netapi ise dc stale --days 30
netapi ise dc stale --days 90 # Dormant devicesProfiler
netapi ise dc profiler # Endpoints by profiler policy
netapi ise dc device-types # Endpoints by device typeNAS Health
netapi ise dc nas # Switch/WLC health by success rate
netapi ise dc nas --hours 48 --min 50 # Devices with 50+ authsUser Analysis
netapi ise dc users # Top users by auth count
netapi ise dc users --hours 168 # Last weekRADIUS Accounting
# Session duration and data usage
netapi ise dc accounting
netapi ise dc accounting --mac 3C:EC:EF:43:50:42
netapi ise dc accounting --min-bytes 1000000 # Sessions >1MBSample Output
Accounting (last 24h) ┏━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━┳━━━━━━━━┓ ┃ Time ┃ MAC ┃ User ┃ IP ┃ Duration ┃ In ┃ Out ┃ ┡━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━╇━━━━━━━━┩ │ 2026-01-24 │ 14:F6:D8:... │ modestus │ 10.50.10.5 │ 5h 17m │ 68.1MB │ 2.9GB │ │ 2026-01-24 │ 70:15:FB:... │ 70-15-.. │ 10.50.10.8 │ 3h 59m │ 158.0MB │ 45.1MB │ └────────────┴──────────────┴──────────┴────────────┴──────────┴─────────┴────────┘
TACACS+ (Device Admin)
# Device login events
netapi ise dc tacacs-auth
netapi ise dc tacacs-auth --status failed
netapi ise dc tacacs-auth --user admin
# Command authorization (audit trail)
netapi ise dc tacacs-commands
netapi ise dc tacacs-commands --user admin
netapi ise dc tacacs-commands --device core-sw
netapi ise dc tacacs-commands --command "show run"Sample Output
TACACS Commands (last 24h) ┏━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━┓ ┃ Time ┃ User ┃ Status ┃ Device ┃ Command ┃ Args ┃ ┡━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━┩ │ 2026-01-24 │ admin │ Pass │ core-sw-01 │ show │ running-config │ │ 2026-01-24 │ admin │ Pass │ core-sw-01 │ configure │ terminal │ └────────────┴────────┴────────┴────────────┴─────────────┴──────────────────┘
Admin Audit
# ISE console logins
netapi ise dc admin-logins
netapi ise dc admin-logins --admin superadmin
netapi ise dc admin-logins --hours 168 # Last week
# Configuration changes
netapi ise dc config-changes
netapi ise dc config-changes --admin superadmin
netapi ise dc config-changes --type "Policy" # Policy changes onlySample Output
Admin Logins (last 24h) ┏━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓ ┃ Time ┃ Admin ┃ IP Address ┃ Interface ┃ Operation ┃ ┡━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩ │ 2026-01-24 │ evanusmodestus │ 10.50.10.111 │ GUI │ User logged out │ │ 2026-01-24 │ domus_ers_adm │ 169.254.4.27 │ ERS │ Admin auth success │ └────────────┴────────────────┴──────────────┴───────────┴─────────────────────┘
Threat & Security
# Threat-Centric NAC events (AMP, Qualys, Rapid7)
netapi ise dc threats
netapi ise dc threats --severity HIGH
netapi ise dc threats --hours 168
# Change of Authorization events
netapi ise dc coa-events
netapi ise dc coa-events --mac 3C:EC:EF:43:50:42Posture (Compliance)
netapi ise dc posture
netapi ise dc posture --status noncompliant
netapi ise dc posture --hours 168Sample Output
Posture Events (last 24h) ┏━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━┓ ┃ Time ┃ MAC ┃ User ┃ Status ┃ Policy ┃ AV ┃ ┡━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━╇━━━━━━━━┩ │ 2026-01-24 │ 14:F6:D8:... │ modestus │ Compliant │ Windows_Corp │ Yes │ │ 2026-01-24 │ 3C:EC:EF:... │ guest │ NonComplia │ Guest_Policy │ No │ └────────────┴──────────────┴──────────┴─────────────┴───────────────┴────────┘ 3 compliant | 1 non-compliant | 4 total
Troubleshooting
# Misconfigured NAS devices
netapi ise dc misconfigured-nas
netapi ise dc misconfigured-nas --hours 168
# Misconfigured supplicants (802.1X issues)
netapi ise dc misconfigured-supplicantsRaw SQL Queries
For complex analysis not covered by built-in commands:
# Basic query
netapi ise dc query "SELECT * FROM RADIUS_AUTHENTICATIONS FETCH FIRST 5 ROWS ONLY"
# Aggregations
netapi ise dc query "SELECT authentication_method, COUNT(*) as cnt
FROM RADIUS_AUTHENTICATIONS
GROUP BY authentication_method
ORDER BY cnt DESC"
# JSON output for scripting
netapi ise dc -f json query "SELECT nas_ip_address, COUNT(*) as auths
FROM RADIUS_AUTHENTICATIONS
GROUP BY nas_ip_address"Key tables:
| Table | Description |
|---|---|
|
Main auth log |
|
Session accounting |
|
Device admin auth |
|
Commands on devices |
|
ISE admin logins |
|
Config changes |
|
Threat events |
|
CoA events |
|
Posture results |
|
NAS issues |
|
Supplicant issues |
Oracle date shortcuts:
-
SYSDATE - 1= last 24 hours -
SYSDATE - 1/24= last hour -
SYSDATE - 7= last week
SSL Certificate Configuration
ISE DataConnect uses a self-signed Oracle certificate. You have two options:
Option 2: Certificate Verification (Production)
Extract and configure the ISE DataConnect certificate:
# Extract cert (creates dir if missing, skips if exists)
CERT=~/.secrets/certs/<domain>/ise/dataconnect.crt
[ -f "$CERT" ] || {
mkdir -p "$(dirname "$CERT")" && \
echo | openssl s_client -connect <mnt-host>:2484 2>&1 | \
sed -n '/BEGIN CERT/,/END CERT/p' > "$CERT"
}
# Verify the cert
openssl x509 -in "$CERT" -noout -issuer -subject -datesAdd to your secrets (network.env):
@ISE_DATACONNECT_HOST = {{ISE_MNT_IP}}
@ISE_DATACONNECT_USER = dataconnect
@ISE_DATACONNECT_PASS = <password>
@ISE_DATACONNECT_PORT = 2484
@ISE_DATACONNECT_SERVICE = cpm10
@ISE_DATACONNECT_DSN = tcps://{{ISE_DATACONNECT_HOST}}:{{ISE_DATACONNECT_PORT}}/{{ISE_DATACONNECT_SERVICE}}
@ISE_DATACONNECT_CA = ~/.secrets/certs/<domain>/ise/dataconnect.crtTest:
dsource <domain> dev/network && netapi ise dc test
# Expected: ✓ Connected to ISE DataConnectTroubleshooting
ORA-01017: Invalid username/password
The dataconnect account may be locked after failed attempts.
Fix: ISE Admin GUI → Administration → System → Settings → Data Connect → toggle Off/On, set new password.
SSL Certificate Verify Failed
If using ISE_DATACONNECT_CA and getting SSL errors:
-
Ensure the cert was extracted from the correct MnT node (not PAN)
-
DataConnect runs on MnT node in distributed deployments
-
Verify cert is valid:
openssl x509 -in $CERT -noout -dates
|
The client uses an empty |