Identity Source Views
Overview
Identity source views expose ISE’s external identity store configurations including Active Directory, LDAP, RADIUS tokens, and internal users. Use for identity store inventory and troubleshooting authentication issues.
EXT_ID_SRC_ACTIVE_DIRECTORY
Active Directory join points - AD domain configurations.
Key Columns
| Column | Type | Description |
|---|---|---|
|
VARCHAR2 |
AD join point UUID |
|
VARCHAR2 |
Join point name |
|
VARCHAR2 |
Description |
|
VARCHAR2 |
AD domain name |
|
VARCHAR2 |
AD scope names |
|
VARCHAR2 |
Domain whitelist enabled |
|
VARCHAR2 |
Allowed for authentication |
|
CLOB |
Advanced configuration JSON |
EXT_ID_SRC_LDAP
LDAP identity stores - LDAP server configurations.
Key Columns
| Column | Type | Description |
|---|---|---|
|
VARCHAR2 |
LDAP store UUID |
|
VARCHAR2 |
LDAP store name |
|
VARCHAR2 |
Description |
|
VARCHAR2 |
Primary LDAP server |
|
VARCHAR2 |
Secondary LDAP server |
|
NUMBER |
LDAP port (389/636) |
|
VARCHAR2 |
User object class |
|
VARCHAR2 |
User object type |
|
VARCHAR2 |
Username attribute (sAMAccountName, uid) |
|
VARCHAR2 |
Search base DN |
|
VARCHAR2 |
Bind user DN |
|
VARCHAR2 |
LDAPS enabled |
NETWORK_ACCESS_USERS
Internal identity store users - locally defined users.
Key Columns
| Column | Type | Description |
|---|---|---|
|
VARCHAR2 |
User UUID |
|
VARCHAR2 |
Username |
|
VARCHAR2 |
User description |
|
VARCHAR2 |
Email address |
|
VARCHAR2 |
Account enabled |
|
VARCHAR2 |
Password expiry disabled |
|
TIMESTAMP |
Last password change |
|
VARCHAR2 |
Identity group membership |
|
VARCHAR2 |
First name |
|
VARCHAR2 |
Last name |
|
TIMESTAMP |
Account creation date |
|
TIMESTAMP |
Account expiration date |
Common Queries
All Internal Users
netapi ise dc query "
SELECT
NAME,
EMAIL,
ENABLED,
IDENTITY_GROUP,
TO_CHAR(CREATION_DATE, 'YYYY-MM-DD') AS created
FROM NETWORK_ACCESS_USERS
ORDER BY NAME
"Disabled Accounts
netapi ise dc query "
SELECT
NAME,
EMAIL,
IDENTITY_GROUP,
TO_CHAR(PASSWORD_CHANGED_DATE, 'YYYY-MM-DD') AS last_pw_change
FROM NETWORK_ACCESS_USERS
WHERE ENABLED = 'false'
ORDER BY NAME
"Users by Identity Group
netapi ise dc query "
SELECT
IDENTITY_GROUP,
COUNT(*) AS user_count,
SUM(CASE WHEN ENABLED = 'true' THEN 1 ELSE 0 END) AS enabled,
SUM(CASE WHEN ENABLED = 'false' THEN 1 ELSE 0 END) AS disabled
FROM NETWORK_ACCESS_USERS
GROUP BY IDENTITY_GROUP
ORDER BY user_count DESC
"Expiring Passwords (Next 30 Days)
netapi ise dc query "
SELECT
NAME,
EMAIL,
TO_CHAR(PASSWORD_CHANGED_DATE, 'YYYY-MM-DD') AS last_change,
ROUND(SYSDATE - PASSWORD_CHANGED_DATE) AS days_since_change
FROM NETWORK_ACCESS_USERS
WHERE ENABLED = 'true'
AND PASSWORD_NEVER_EXPIRES = 'false'
AND PASSWORD_CHANGED_DATE < SYSDATE - 60
ORDER BY PASSWORD_CHANGED_DATE ASC
"USER_IDENTITY_GROUPS
User identity group definitions - internal user groups.
netapi ise dc query "
SELECT
NAME,
DESCRIPTION,
PARENT
FROM USER_IDENTITY_GROUPS
ORDER BY NAME
"ENDPOINT_IDENTITY_GROUPS
Endpoint identity group definitions - endpoint groups.
netapi ise dc query "
SELECT
NAME,
DESCRIPTION,
PARENT,
SYSTEM_DEFINED
FROM ENDPOINT_IDENTITY_GROUPS
ORDER BY NAME
"Other Identity Sources
EXT_ID_SRC_CERT_AUTH_PROFILE
Certificate authentication profiles.
netapi ise dc query "
SELECT
NAME,
DESCRIPTION,
ALLOWED_AS_USER_NAME
FROM EXT_ID_SRC_CERT_AUTH_PROFILE
ORDER BY NAME
"EXT_ID_SRC_RADIUS_TOKEN
RADIUS token servers (RSA, etc.).
netapi ise dc query "
SELECT
NAME,
DESCRIPTION,
SERVER_HOST,
SERVER_PORT
FROM EXT_ID_SRC_RADIUS_TOKEN
ORDER BY NAME
"Identity Store Usage
Auth Results by Identity Store
netapi ise dc query "
SELECT
IDENTITY_STORE,
COUNT(*) AS auth_count,
SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) AS passed,
SUM(CASE WHEN PASSED = 'Fail' THEN 1 ELSE 0 END) AS failed,
ROUND(SUM(CASE WHEN PASSED = 'Pass' THEN 1 ELSE 0 END) * 100.0 / COUNT(*), 1) AS success_pct
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
AND IDENTITY_STORE IS NOT NULL
GROUP BY IDENTITY_STORE
ORDER BY auth_count DESC
"Users Authenticated by Store
netapi ise dc query "
SELECT
IDENTITY_STORE,
COUNT(DISTINCT USERNAME) AS unique_users,
COUNT(DISTINCT CALLING_STATION_ID) AS unique_endpoints
FROM RADIUS_AUTHENTICATIONS
WHERE PASSED = 'Pass'
AND TIMESTAMP_TIMEZONE > SYSDATE - 7
AND IDENTITY_STORE IS NOT NULL
GROUP BY IDENTITY_STORE
ORDER BY unique_users DESC
"Identity Store Failures
netapi ise dc query "
SELECT
IDENTITY_STORE,
FAILURE_REASON,
COUNT(*) AS failures,
COUNT(DISTINCT USERNAME) AS unique_users
FROM RADIUS_AUTHENTICATIONS
WHERE PASSED = 'Fail'
AND TIMESTAMP_TIMEZONE > SYSDATE - 1
AND IDENTITY_STORE IS NOT NULL
GROUP BY IDENTITY_STORE, FAILURE_REASON
ORDER BY failures DESC
FETCH FIRST 20 ROWS ONLY
"Identity Store Inventory
Complete Identity Source Overview
netapi ise dc query "
SELECT
'Active Directory' AS store_type,
COUNT(*) AS count
FROM EXT_ID_SRC_ACTIVE_DIRECTORY
UNION ALL
SELECT
'LDAP' AS store_type,
COUNT(*) AS count
FROM EXT_ID_SRC_LDAP
UNION ALL
SELECT
'Internal Users' AS store_type,
COUNT(*) AS count
FROM NETWORK_ACCESS_USERS
UNION ALL
SELECT
'SAML Providers' AS store_type,
COUNT(*) AS count
FROM EXT_ID_SRC_SAML_ID_PROVIDERS
UNION ALL
SELECT
'RADIUS Token' AS store_type,
COUNT(*) AS count
FROM EXT_ID_SRC_RADIUS_TOKEN
UNION ALL
SELECT
'Certificate Profiles' AS store_type,
COUNT(*) AS count
FROM EXT_ID_SRC_CERT_AUTH_PROFILE
"See Also
-
RADIUS Authentication - Auth with identity data
-
Policy & Authorization - Policy definitions
-
SQL Cookbook - More query patterns