MnT API Reference
Monitoring and Troubleshooting (MnT) API - Real-time session visibility and Change of Authorization.
Overview
| Port | 443 (Admin interface) |
|---|---|
| Protocol | HTTPS |
| Authentication | Basic Auth |
| Content Type | |
| Base URL | |
MnT API returns XML by default. Use |
Setup
# Load credentials
dsource d000 dev/network
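# Test connectivity (returns XML)
# -k skips TLS certificate verification while Basic Auth credentials are sent;
# where the ISE admin certificate chains to a trusted CA, drop -k and use --cacert <ca-bundle.pem>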
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/Version"
Endpoints
| Endpoint | Description |
|---|---|
| | All active sessions |
| | Count of active sessions |
| | Session by MAC address |
| | Session by IP address |
| | Sessions by username |
| | Auth status by MAC |
| | Auth status by username |
| | Disconnect session (CoA) |
| | Reauthenticate session (CoA) |
| | All failure reason codes |
Active Sessions
Get All Active Sessions
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/Session/ActiveList"
<?xml version="1.0" encoding="UTF-8"?>
<activeSessionList>
<activeSession>
<user_name>evanusmodestus</user_name>
<calling_station_id>28:92:00:89:EF:77</calling_station_id>
<framed_ip_address>10.50.10.45</framed_ip_address>
<nas_ip_address>10.50.1.2</nas_ip_address>
<nas_port_id>GigabitEthernet1/0/1</nas_port_id>
<audit_session_id>0A32010200001234ABCDEF</audit_session_id>
<acct_session_id>00000001</acct_session_id>
<server>ise-01</server>
<session_state>AUTHENTICATED</session_state>
</activeSession>
</activeSessionList>
Convert to JSON
# Using xmltodict (Python)
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/Session/ActiveList" \
| python3 -c "import sys,xmltodict,json; print(json.dumps(xmltodict.parse(sys.stdin.read()),indent=2))"
# Using xq (from yq package)
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/Session/ActiveList" \
| xq .
Session by Identifier
Authentication Status
Auth Status by MAC
MAC="28:92:00:89:EF:77"
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/AuthStatus/MACAddress/${MAC}"
Change of Authorization (CoA)
CoA operations require the Policy Service Node (PSN) hostname, not the PAN.
Disconnect Session
PSN="ise-01" # Policy Service Node hostname
MAC="28:92:00:89:EF:77"
NAS_IP="10.50.1.2"
DEST_IP="10.50.10.45" # Endpoint IP
PORT_ID="GigabitEthernet1/0/1"
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
-X GET \
"https://${ISE_PAN_FQDN}/admin/API/mnt/CoA/Disconnect/${PSN}/${MAC}/${NAS_IP}/${DEST_IP}/${PORT_ID}"
<?xml version="1.0" encoding="UTF-8"?>
<remoteCoA>
<results>true</results>
</remoteCoA>
Reauthenticate Session
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
-X GET \
"https://${ISE_PAN_FQDN}/admin/API/mnt/CoA/Reauth/${PSN}/${MAC}/${NAS_IP}/${DEST_IP}/${PORT_ID}"
Simplified CoA (Using Audit Session ID)
# First, get the session details
MAC="28:92:00:89:EF:77"
SESSION=$(curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/Session/MACAddress/${MAC}")
# Extract required fields (using xmllint or xq)
PSN=$(echo "$SESSION" | xq -r '.activeSession.server')
NAS_IP=$(echo "$SESSION" | xq -r '.activeSession.nas_ip_address')
DEST_IP=$(echo "$SESSION" | xq -r '.activeSession.framed_ip_address')
PORT_ID=$(echo "$SESSION" | xq -r '.activeSession.nas_port_id')
# Execute CoA
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/CoA/Disconnect/${PSN}/${MAC}/${NAS_IP}/${DEST_IP}/${PORT_ID}"
Failure Reasons
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/FailureReasons"
<?xml version="1.0" encoding="UTF-8"?>
<failureReasonList>
<failureReason>
<code>11001</code>
<cause>Could not locate Network Device</cause>
<resolution>Verify NAD exists in ISE</resolution>
</failureReason>
<failureReason>
<code>22040</code>
<cause>Wrong password</cause>
<resolution>Check user credentials</resolution>
</failureReason>
</failureReasonList>
Version Information
curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
"https://${ISE_PAN_FQDN}/admin/API/mnt/Version"
<?xml version="1.0" encoding="UTF-8"?>
<product>
<name>Cisco Identity Services Engine</name>
<version>3.4.0.608</version>
<type_of_node>PRIMARY PAN</type_of_node>
</product>
Helper Functions
#!/bin/bash
# ISE MnT Functions

# Print all active sessions (XML)
mnt_active_sessions() {
  curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
    "https://${ISE_PAN_FQDN}/admin/API/mnt/Session/ActiveList"
}

# Print the number of active sessions
mnt_session_count() {
  curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
    "https://${ISE_PAN_FQDN}/admin/API/mnt/Session/ActiveCount" \
    | grep -oP '(?<=<count>)\d+'
}

# Print the session for one MAC address (XML)
mnt_session_by_mac() {
  local MAC="$1"
  curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
    "https://${ISE_PAN_FQDN}/admin/API/mnt/Session/MACAddress/${MAC}"
}

# Look up the session for a MAC address, then send a CoA Disconnect for it
mnt_coa_disconnect() {
  local MAC="$1"
  # Get session info
  local SESSION=$(mnt_session_by_mac "$MAC")
  local PSN=$(echo "$SESSION" | xq -r '.activeSession.server // empty')
  local NAS_IP=$(echo "$SESSION" | xq -r '.activeSession.nas_ip_address // empty')
  local DEST_IP=$(echo "$SESSION" | xq -r '.activeSession.framed_ip_address // empty')
  local PORT_ID=$(echo "$SESSION" | xq -r '.activeSession.nas_port_id // empty')
  [ -z "$PSN" ] && echo "No active session" && return 1
  curl -sk -u "${ISE_API_USER}:${ISE_API_PASS}" \
    "https://${ISE_PAN_FQDN}/admin/API/mnt/CoA/Disconnect/${PSN}/${MAC}/${NAS_IP}/${DEST_IP}/${PORT_ID}"
}
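The `mnt_coa_disconnect` helper above places its argument and the parsed session fields straight into a URL that is sent with admin credentials. The following is an added example, not code from the original page: it validates each field before building the Disconnect path and accepts only `<results>true</results>` as success. The function names are hypothetical, and the character sets accepted for the PSN hostname and port ID are assumptions.

```bash
# Added example (not from the original page): validate every value before it
# becomes a path segment of the CoA URL. Function names are hypothetical; the
# path layout and the <results> element are the ones shown on this page.

# MAC as it appears in calling_station_id: six colon-separated hex pairs.
mnt_valid_mac() (
    LC_ALL=C
    h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) exit 0 ;;
    esac
    exit 1
)

# Dotted-quad IPv4: exactly four octets, each 0-255.
mnt_valid_ipv4() (
    case "$1" in
        *[!0-9.]* | *..* | .* | *.) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Print the Disconnect path, or print nothing and fail on any bad field.
# Args: PSN MAC NAS_IP DEST_IP PORT_ID
mnt_coa_path() (
    LC_ALL=C
    # PSN hostname: letters, digits, dot, hyphen (assumed character set)
    case "$1" in '' | *[!A-Za-z0-9.-]*) exit 1 ;; esac
    mnt_valid_mac "$2" && mnt_valid_ipv4 "$3" && mnt_valid_ipv4 "$4" || exit 1
    # Port ID: interface-name characters only, no ".." (assumed character set)
    case "$5" in '' | *[!A-Za-z0-9/._:-]* | *..*) exit 1 ;; esac
    printf '/admin/API/mnt/CoA/Disconnect/%s/%s/%s/%s/%s' "$1" "$2" "$3" "$4" "$5"
)

# Read the CoA response on stdin; succeed only on <results>true</results>.
mnt_coa_ok() {
    tr -d ' \t\r\n' | grep -q '<results>true</results>'
}
```

In a wrapper, call `mnt_coa_path` with the extracted fields and append its output to `https://${ISE_PAN_FQDN}` only when it returns 0, then pipe the curl response into `mnt_coa_ok`.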
netapi CLI Equivalent
| curl | netapi |
|---|---|
| Active sessions | |
| Session count | |
| Session by MAC | |
| CoA disconnect | |
| CoA reauth | |
| Auth logs | |
See Also
- DataConnect - SQL-based session queries