Monitoring Patterns & Workflows
Overview
This page demonstrates advanced monitoring patterns combining MnT API, DataConnect, and shell pipelines for real-time ISE visibility.
Prerequisites
Load ISE credentials before running commands:
This exports
MnT Command Reference
| Command | Description |
|---|---|
| `netapi ise mnt sessions` | List all active sessions |
| `netapi ise mnt session <MAC>` | Get session by MAC address |
| `netapi ise mnt coa` | Send Change of Authorization (reauth/disconnect) |
| | Get authentication status by MAC |
| `netapi ise mnt auth-logs` | Get authentication logs |
| | Get session count |
| | List failure reason codes |
| | Get ISE MnT API version |
Real-Time Session Monitoring
Active Sessions Dashboard
```bash
# All active sessions - table format
netapi ise mnt sessions
# JSON with jq filtering
netapi ise mnt sessions --format json | \
  jq '.[] | {mac: .calling_station_id, ip: .framed_ip_address, user: .user_name, method: .auth_method}'
```
Session Count by Authentication Method
```bash
netapi ise mnt sessions --format json | \
  jq -r '.[].auth_method' | sort | uniq -c | sort -rn
```
Example Output
```text
42 EAP-TLS
18 MAB
7 PEAP
2 EAP-FAST
```
Sessions by Policy Set
```bash
netapi ise mnt sessions --format json | \
  jq -r '.[].selected_authentication_policy' | sort | uniq -c | sort -rn
```
Sessions by NAS (Network Device)
```bash
netapi ise mnt sessions --format json | \
  jq -r '.[].nas_ip_address' | sort | uniq -c | sort -rn
```
Change of Authorization (CoA)
Force Reauthentication
```bash
# Reauth by MAC
netapi ise mnt coa --mac "C8:5B:76:C6:59:62" --action reauth
# Reauth by IP
netapi ise mnt coa --ip "10.50.10.100" --action reauth
```
Disconnect Session
```bash
# Disconnect (port bounce)
netapi ise mnt coa --mac "C8:5B:76:C6:59:62" --action disconnect
# Disconnect all sessions from a specific NAS.
# This bounces every endpoint on that device: run the pipeline without the
# coa line first and review the MAC list before executing it for real.
for mac in $(netapi ise mnt sessions --format json | \
  jq -r '.[] | select(.nas_ip_address == "10.50.1.10") | .calling_station_id'); do
  echo "Disconnecting $mac"
  netapi ise mnt coa --mac "$mac" --action disconnect
done
```
Authentication Status & Logs
DataConnect Analytics
DataConnect exposes the ISE monitoring database over SQL (Oracle syntax, hence the `SYSDATE` arithmetic and `FETCH FIRST` in the queries below), which allows analytics the MnT API does not offer directly.
Authentication Statistics
```bash
# Today's auth stats
netapi ise dc stats
# Custom query - top failure reasons in the last 24 hours
netapi ise dc query "
SELECT FAILURE_REASON, COUNT(*) as failures
FROM RADIUS_AUTHENTICATIONS
WHERE PASSED = 0 AND TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY FAILURE_REASON
ORDER BY failures DESC
FETCH FIRST 10 ROWS ONLY
"
```
Endpoint Auth History
```bash
# Full history for endpoint
netapi ise dc auth-history "C8:5B:76:C6:59:62"
# Last 7 days
netapi ise dc query "
SELECT TIMESTAMP_TIMEZONE, POLICY_SET_NAME, PASSED, FAILURE_REASON
FROM RADIUS_AUTHENTICATIONS
WHERE CALLING_STATION_ID = 'C8:5B:76:C6:59:62'
AND TIMESTAMP_TIMEZONE > SYSDATE - 7
ORDER BY TIMESTAMP_TIMEZONE DESC
"
```
Combined Monitoring Workflows
Troubleshoot Failed Authentication
```bash
#!/bin/bash
# troubleshoot-auth.sh - Full auth troubleshoot for endpoint
MAC="$1"
if [ -z "$MAC" ]; then
  echo "Usage: $0 <MAC_ADDRESS>"
  exit 1
fi
# $MAC is spliced into a SQL string literal below, so accept only the
# upper-case, colon-separated form before it gets anywhere near the query.
MAC=$(printf '%s' "$MAC" | tr 'a-f' 'A-F')
if ! printf '%s' "$MAC" | grep -Eq '^([0-9A-F]{2}:){5}[0-9A-F]{2}$'; then
  echo "Invalid MAC address: $1" >&2
  exit 1
fi
echo "=== Current Session ==="
netapi ise mnt session "$MAC" 2>/dev/null || echo "No active session"
echo -e "\n=== Recent Auth Attempts ==="
netapi ise mnt auth-logs --mac "$MAC" --limit 5
echo -e "\n=== Endpoint Profile ==="
netapi ise get-endpoint "$MAC" --format json 2>/dev/null | \
  jq '{name, profileId, groupAssignment: .staticGroupAssignment}'
echo -e "\n=== DataConnect History (24h) ==="
netapi ise dc query "
SELECT TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24:MI') as time,
       PASSED, FAILURE_REASON
FROM RADIUS_AUTHENTICATIONS
WHERE CALLING_STATION_ID = '$MAC'
AND TIMESTAMP_TIMEZONE > SYSDATE - 1
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 10 ROWS ONLY
"
```
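Every DataConnect query on this page that takes an endpoint builds the SQL string by shell interpolation, so whatever reaches `$MAC` ends up inside a quoted literal in the query. The functions below are an added example, not the page's or the `netapi` project's code: they normalise the MAC formats people actually paste (Cisco dotted, dash-separated, lower-case) into the upper-case colon form used on this page and refuse everything else, then build the 7-day history query from the validated value. The inputs in the demo run are constructed, including one that carries a quote and a comment marker to show it is rejected rather than passed through.

```bash
#!/bin/sh
# Added example: validate and normalise a user-supplied MAC before it is
# spliced into a DataConnect SQL literal. Not part of netapi; POSIX sh.

# normalize_mac STRING -> prints XX:XX:XX:XX:XX:XX (upper-case, colons),
# returns 1 if the input is not a MAC address in any accepted format.
normalize_mac() {
  # Drop the separators seen in the wild (":", "-", ".", whitespace), then
  # upper-case. Anything that is not exactly twelve hex digits after that
  # is rejected, which keeps quotes, semicolons and "--" out of the query.
  hex=$(printf '%s' "$1" | tr -d ' \t:.-' | tr 'a-f' 'A-F')
  printf '%s' "$hex" | grep -Eq '^[0-9A-F]{12}$' || return 1
  printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# build_auth_history_sql STRING [DAYS] -> prints the query for the endpoint,
# returns 1 (and prints nothing) if the MAC or the day count is invalid.
build_auth_history_sql() {
  days="${2:-7}"
  mac=$(normalize_mac "$1") || return 1
  printf '%s' "$days" | grep -Eq '^[0-9]+$' || return 1
  cat <<EOF
SELECT TIMESTAMP_TIMEZONE, POLICY_SET_NAME, PASSED, FAILURE_REASON
FROM RADIUS_AUTHENTICATIONS
WHERE CALLING_STATION_ID = '$mac'
AND TIMESTAMP_TIMEZONE > SYSDATE - $days
ORDER BY TIMESTAMP_TIMEZONE DESC
EOF
}

if [ "${1:-}" = "--demo" ]; then
  # Constructed inputs: two legitimate formats and one hostile string.
  for input in "c85b.76c6.5962" "C8-5B-76-C6-59-62" "C8:5B:76:C6:59:62' OR 1=1 --"; do
    if sql=$(build_auth_history_sql "$input" 7); then
      printf '%s -> OK\n%s\n\n' "$input" "$sql"
    else
      printf '%s -> REJECTED\n\n' "$input"
    fi
  done
fi
```

In a wrapper script the call is `sql=$(build_auth_history_sql "$1" 7) || exit 1` followed by `netapi ise dc query "$sql"`; the same `normalize_mac` check belongs in front of the `--mac` arguments to the MnT commands, since ISE matches the canonical upper-case form.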
Monitor Authentication Failures
```bash
#!/bin/bash
# watch-failures.sh - Real-time failure monitoring
while true; do
  clear
  echo "=== ISE Auth Failures (Last 15 min) ==="
  echo "Time: $(date)"
  echo
  netapi ise dc query "
SELECT TO_CHAR(TIMESTAMP_TIMEZONE, 'HH24:MI:SS') as time,
       CALLING_STATION_ID as MAC,
       SUBSTR(FAILURE_REASON, 1, 40) as reason
FROM RADIUS_AUTHENTICATIONS
WHERE PASSED = 0
AND TIMESTAMP_TIMEZONE > SYSDATE - (15/1440)
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 20 ROWS ONLY
"
  sleep 30
done
```
Policy Set Performance
```bash
#!/bin/bash
# policy-performance.sh - Compare policy set performance
echo "=== Policy Set Performance (24h) ==="
netapi ise dc query "
SELECT
  POLICY_SET_NAME,
  COUNT(*) as total,
  SUM(CASE WHEN PASSED = 1 THEN 1 ELSE 0 END) as passed,
  SUM(CASE WHEN PASSED = 0 THEN 1 ELSE 0 END) as failed,
  ROUND(SUM(CASE WHEN PASSED = 1 THEN 1 ELSE 0 END) * 100.0 / COUNT(*), 1) as success_pct
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY POLICY_SET_NAME
ORDER BY total DESC
"
```
Session Inventory Export
```bash
# Export current sessions to CSV
netapi ise mnt sessions --format json | \
  jq -r '["MAC","IP","User","Method","Policy","NAS"] as $h |
    $h, (.[] | [.calling_station_id, .framed_ip_address, .user_name,
                .auth_method, .selected_authentication_policy, .nas_ip_address]) |
    @csv' > sessions-$(date +%Y%m%d).csv
```
Alerting Patterns
High Failure Rate Alert
```bash
#!/bin/bash
# Check failure rate and alert if > 5%
STATS=$(netapi ise dc stats --format json)
TOTAL=$(echo "$STATS" | jq '.total_authentications')
FAILED=$(echo "$STATS" | jq '.failed_authentications')
# An empty window (or a failed stats call) has no rate to compute;
# without this guard bc divides by zero and the alert never fires.
if [ -z "$TOTAL" ] || [ "$TOTAL" = "null" ] || [ "$TOTAL" -eq 0 ]; then
  echo "No authentications in window; nothing to evaluate"
  exit 0
fi
RATE=$(echo "scale=2; $FAILED * 100 / $TOTAL" | bc)
if (( $(echo "$RATE > 5" | bc -l) )); then
  echo "ALERT: High failure rate: ${RATE}% ($FAILED/$TOTAL)"
  # Send to alerting system
fi
```
New Device Detection
#!/bin/bash
# Detect endpoints not in any group (potential rogues)
netapi ise mnt sessions --format json | \
jq -r '.[].calling_station_id' | while read mac; do
group=$(netapi ise get-endpoint "$mac" --format json 2>/dev/null | jq -r '.groupId // "NONE"')
if [ "$group" == "NONE" ] || [ "$group" == "null" ]; then
echo "ALERT: Unknown endpoint: $mac"
fi
done
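The per-session lookup above scales with the number of live sessions. When an endpoint inventory can be exported in one call, the same question becomes a set difference: session MACs minus known MACs. The script below is an added example and not the page's or the `netapi` project's code; the session objects use the field names from this page, while the inventory shape (an array of objects with a `mac` field) is an assumption standing in for whatever endpoint export you have. Both documents are constructed samples, and one session deliberately carries a lower-case MAC to show why both sides are normalised before comparison.

```bash
#!/bin/sh
# Added example: batch rogue detection as a set difference between live
# session MACs and an endpoint inventory. Not part of netapi; POSIX sh.

# Constructed samples. Session fields follow the jq filters on this page;
# the inventory format is an assumption.
SAMPLE_SESSIONS='[
  {"calling_station_id":"C8:5B:76:C6:59:62","nas_ip_address":"10.50.1.10"},
  {"calling_station_id":"00:11:22:33:44:55","nas_ip_address":"10.50.1.10"},
  {"calling_station_id":"00:11:22:33:44:66","nas_ip_address":"10.50.1.20"},
  {"calling_station_id":"c8:5b:76:c6:59:62","nas_ip_address":"10.50.1.30"}
]'
SAMPLE_INVENTORY='[
  {"mac":"C8:5B:76:C6:59:62","groupId":"corp-laptops"},
  {"mac":"00:11:22:33:44:66","groupId":"printers"}
]'

# mac_list JSON_ARRAY FIELD -> one upper-case MAC per line, sorted, unique.
# Upper-casing matters: a case mismatch between the two sources would make
# every session look unknown. LC_ALL=C keeps sort and comm on one collation.
mac_list() {
  printf '%s' "$1" | jq -r --arg f "$2" '.[][$f] | ascii_upcase' | LC_ALL=C sort -u
}

# unknown_endpoints SESSIONS_JSON INVENTORY_JSON
# -> MACs with a live session but no inventory record, one per line.
unknown_endpoints() {
  inv=$(mktemp)
  mac_list "$2" mac > "$inv"
  mac_list "$1" calling_station_id | LC_ALL=C comm -23 - "$inv"
  rm -f "$inv"
}

if [ "${1:-}" = "--demo" ]; then
  unknown_endpoints "$SAMPLE_SESSIONS" "$SAMPLE_INVENTORY" | while read -r mac; do
    echo "ALERT: Unknown endpoint: $mac"
  done
fi
```

With live data the two arguments are the output of `netapi ise mnt sessions --format json` and of whatever endpoint export you use; two API calls replace one per session, and the comparison itself is local.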