Query Patterns

Overview

Production-tested SQL patterns for ISE DataConnect. Copy-paste ready with netapi CLI.

Setup

# Load credentials
dsource d000 dev/network

# DataConnect configuration
ISE_DC_HOST="${ISE_PAN_IP}"
ISE_DC_PORT="2484"
ISE_DC_SERVICE="cpm10"

# Test connection
netapi ise dc test

# Test DataConnect connection
netapi ise dc test

Authentication Analytics

Today’s Stats

# Authentication statistics for today
netapi ise dc --format json query "
  SELECT
    COUNT(*) as total,
    SUM(CASE WHEN PASSED = 1 THEN 1 ELSE 0 END) as passed,
    SUM(CASE WHEN PASSED = 0 THEN 1 ELSE 0 END) as failed
  FROM RADIUS_AUTHENTICATIONS
  WHERE TIMESTAMP_TIMEZONE > TRUNC(SYSDATE)
"

# Quick auth stats (netapi shortcut)
netapi ise dc stats

Recent Authentications

# Recent authentications (last 10)
netapi ise dc --format json query "
  SELECT
    TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24:MI:SS') as time,
    CALLING_STATION_ID as mac,
    USERNAME,
    PASSED,
    AUTHENTICATION_METHOD
  FROM RADIUS_AUTHENTICATIONS
  WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1/24
  ORDER BY TIMESTAMP_TIMEZONE DESC
  FETCH FIRST 10 ROWS ONLY
"

# Recent authentications (netapi shortcut)
netapi ise dc recent --limit 10

Failed Authentications

# Failed authentications (last hour)
netapi ise dc --format json query "
  SELECT
    TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24:MI:SS') as time,
    CALLING_STATION_ID as mac,
    USERNAME,
    FAILURE_REASON
  FROM RADIUS_AUTHENTICATIONS
  WHERE PASSED = 0
  AND TIMESTAMP_TIMEZONE > SYSDATE - 1/24
  ORDER BY TIMESTAMP_TIMEZONE DESC
"

# Failed authentications (netapi shortcut)
netapi ise dc failed --hours 1

Top Failure Reasons

# Top failure reasons (last 24h)
netapi ise dc --format json query "
  SELECT
    FAILURE_REASON,
    COUNT(*) as count
  FROM RADIUS_AUTHENTICATIONS
  WHERE PASSED = 0
  AND TIMESTAMP_TIMEZONE > SYSDATE - 1
  GROUP BY FAILURE_REASON
  ORDER BY count DESC
  FETCH FIRST 10 ROWS ONLY
"

# Top failure reasons (netapi shortcut)
netapi ise dc top-failures

Hourly Trend

# Hourly authentication trend (last 24h)
netapi ise dc --format json query "
  SELECT
    TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24') as hour,
    COUNT(*) as total,
    SUM(CASE WHEN PASSED = 1 THEN 1 ELSE 0 END) as passed,
    SUM(CASE WHEN PASSED = 0 THEN 1 ELSE 0 END) as failed
  FROM RADIUS_AUTHENTICATIONS
  WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
  GROUP BY TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24')
  ORDER BY hour
"

# Auth trends (netapi shortcut)
netapi ise dc trends --hours 24

Success Rate by Method

# Authentication methods distribution
netapi ise dc --format json query "
  SELECT
    AUTHENTICATION_METHOD,
    COUNT(*) as count,
    ROUND(COUNT(*) * 100.0 / SUM(COUNT(*)) OVER(), 1) as percentage
  FROM RADIUS_AUTHENTICATIONS
  WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
  GROUP BY AUTHENTICATION_METHOD
  ORDER BY count DESC
"

# Auth methods breakdown (netapi shortcut)
netapi ise dc auth-methods

Endpoint Analytics

Endpoint Auth History

# Authentication history for specific endpoint
MAC="C8:5B:76:C6:59:62"
netapi ise dc --format json query "
  SELECT
    TO_CHAR(TIMESTAMP_TIMEZONE, 'YYYY-MM-DD HH24:MI:SS') as timestamp,
    POLICY_SET_NAME,
    AUTHENTICATION_METHOD,
    PASSED,
    FAILURE_REASON
  FROM RADIUS_AUTHENTICATIONS
  WHERE CALLING_STATION_ID = '${MAC}'
  ORDER BY TIMESTAMP_TIMEZONE DESC
  FETCH FIRST 20 ROWS ONLY
"

# Endpoint auth history (netapi shortcut)
netapi ise dc auth-history "C8:5B:76:C6:59:62"

Endpoint Profiling

# Endpoint profiling data
netapi ise dc --format json query "
  SELECT
    MAC_ADDRESS,
    ENDPOINT_POLICY,
    STATIC_ASSIGNMENT,
    CREATE_TIME
  FROM ENDPOINTS
  WHERE ENDPOINT_POLICY LIKE '%Linux%'
  FETCH FIRST 20 ROWS ONLY
"

# Endpoint profiling (netapi shortcut)
netapi ise dc profiler --policy "Linux"

Stale Endpoints

# Stale endpoints (no auth in 30 days)
netapi ise dc --format json query "
  SELECT
    e.MAC_ADDRESS,
    e.ENDPOINT_POLICY,
    MAX(r.TIMESTAMP_TIMEZONE) as last_auth
  FROM ENDPOINTS e
  LEFT JOIN RADIUS_AUTHENTICATIONS r ON e.MAC_ADDRESS = r.CALLING_STATION_ID
  GROUP BY e.MAC_ADDRESS, e.ENDPOINT_POLICY
  HAVING MAX(r.TIMESTAMP_TIMEZONE) < SYSDATE - 30 OR MAX(r.TIMESTAMP_TIMEZONE) IS NULL
  ORDER BY last_auth NULLS FIRST
  FETCH FIRST 50 ROWS ONLY
"

# Stale endpoints (netapi shortcut)
netapi ise dc stale --days 30

Network Device Analytics

NAS Usage

# Authentications by NAS (network device)
netapi ise dc --format json query "
  SELECT
    NAS_IP_ADDRESS,
    NAS_PORT_TYPE,
    COUNT(*) as auths
  FROM RADIUS_AUTHENTICATIONS
  WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
  GROUP BY NAS_IP_ADDRESS, NAS_PORT_TYPE
  ORDER BY auths DESC
  FETCH FIRST 20 ROWS ONLY
"

# NAS usage (netapi shortcut)
netapi ise dc nas

Policy Analytics

Policy Set Usage

# Policy set usage (last 7 days)
netapi ise dc --format json query "
  SELECT
    POLICY_SET_NAME,
    COUNT(*) as hits,
    SUM(CASE WHEN PASSED = 1 THEN 1 ELSE 0 END) as passed,
    SUM(CASE WHEN PASSED = 0 THEN 1 ELSE 0 END) as failed,
    ROUND(SUM(CASE WHEN PASSED = 1 THEN 1 ELSE 0 END) * 100.0 / COUNT(*), 1) as success_pct
  FROM RADIUS_AUTHENTICATIONS
  WHERE TIMESTAMP_TIMEZONE > SYSDATE - 7
  GROUP BY POLICY_SET_NAME
  ORDER BY hits DESC
"

User Analytics

User Authentications

# Authentications by user (last 24h)
netapi ise dc --format json query "
  SELECT
    USERNAME,
    COUNT(*) as auths,
    COUNT(DISTINCT CALLING_STATION_ID) as devices
  FROM RADIUS_AUTHENTICATIONS
  WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
  AND USERNAME IS NOT NULL
  GROUP BY USERNAME
  ORDER BY auths DESC
  FETCH FIRST 20 ROWS ONLY
"

# User authentication summary (netapi shortcut)
netapi ise dc users

EAP-TLS Only

# EAP-TLS authentications only
netapi ise dc --format json query "
  SELECT
    TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24:MI:SS') as time,
    CALLING_STATION_ID as mac,
    USERNAME,
    PASSED
  FROM RADIUS_AUTHENTICATIONS
  WHERE AUTHENTICATION_METHOD = 'EAP-TLS'
  AND TIMESTAMP_TIMEZONE > SYSDATE - 1
  ORDER BY TIMESTAMP_TIMEZONE DESC
  FETCH FIRST 20 ROWS ONLY
"

Reference

Available Views

# List available DataConnect views
netapi ise dc --format json query "
  SELECT view_name
  FROM all_views
  WHERE owner = 'ISEDATA'
  ORDER BY view_name
"

View Columns

# Get columns for a specific view
netapi ise dc --format json query "
  SELECT column_name, data_type
  FROM all_tab_columns
  WHERE table_name = 'RADIUS_AUTHENTICATIONS'
  AND owner = 'ISEDATA'
  ORDER BY column_id
"

Performance Tips

Tip Reason

Tip	Reason
Always filter by time	Tables can have millions of rows
Use `FETCH FIRST N ROWS`	Limit result set size
Index columns	TIMESTAMP_TIMEZONE, CALLING_STATION_ID are indexed
Avoid `SELECT *`	Fetch only needed columns

Always filter by time

Tables can have millions of rows

Use FETCH FIRST N ROWS

Limit result set size

Index columns

TIMESTAMP_TIMEZONE, CALLING_STATION_ID are indexed

Avoid SELECT *

Fetch only needed columns