Command Reference

Environment Variables

# ISE API credentials
export ISE_PAN_IP=10.50.1.21
export ISE_API_TOKEN=<base64-encoded-credentials>
export ISE_MNT_TOKEN=<base64-encoded-credentials>

# Switch credentials (via dsec)
eval "$(dsec source d000 dev/network)"

Certificate Paths

File                   Path                                           Permissions
Private Key            /etc/ssl/private/workstation01.key             600 root:root
Certificate            /etc/ssl/certs/workstation01.pem               644 root:root
CA Certificate         /etc/ssl/certs/HOME-ROOT-CA.pem                644 root:root
wpa_supplicant config  /etc/wpa_supplicant/wpa_supplicant-wired.conf  600 root:root

Systemd Services

# wpa_supplicant
sudo systemctl enable wpa_supplicant-wired@enp0s31f6
sudo systemctl start wpa_supplicant-wired@enp0s31f6
sudo systemctl status wpa_supplicant-wired@enp0s31f6

# ClamAV
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
sudo systemctl status clamav-daemon

# UFW
sudo ufw enable
sudo ufw status

netapi ISE Commands

The netapi ise CLI automates ISE configuration and monitoring.

Network Access Conditions

# List all conditions
netapi ise get-conditions

# List posture conditions (Session dictionary)
netapi ise get-conditions --dict Session

# Get specific condition
netapi ise get-condition "Compliant_Devices"

# Create posture condition
netapi ise create-posture-condition "My_Compliant_Check" \
    --attr PostureStatus --value Compliant

# Create generic condition (any dictionary)
netapi ise create-condition "My_Condition" \
    --dict "Session" --attr "PostureStatus" --value "Compliant"

# Delete condition
netapi ise delete-condition "My_Condition"
netapi ise delete-condition "My_Condition" --force

Dictionary Discovery

# List all ISE dictionaries
netapi ise get-dictionaries

# Get dictionary details (shows available attributes)
netapi ise get-dictionary Session
netapi ise get-dictionary RADIUS

ISE Session Verification

Always use netapi with properly sourced credentials. Never expose secrets in command history.

# Source credentials (proper way)
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)

Basic Session Information

# Get active sessions
netapi ise mnt sessions

# Get session by MAC address
netapi ise mnt session 98:bb:1e:1f:a7:13

# Get session by IP address
netapi ise mnt session-ip 10.50.10.100

# Get session by username
netapi ise mnt session-user modestus-razer$

# Get active session count
netapi ise mnt count

Detailed Authorization Context

# Get comprehensive session view (includes auth rule, profile, DACL)
netapi ise dc session 98:bb:1e:1f:a7:13

# Get authentication history timeline
netapi ise dc auth-history 98:bb:1e:1f:a7:13

# Get recent authentication attempts
netapi ise dc recent --limit 10

# Get failed authentication attempts
netapi ise dc failed --limit 10

Authorization Profile Management

# List all authorization profiles
netapi ise get-authz-profiles

# Get specific authorization profile details
netapi ise get-authz-profile Linux_EAPTLS_Admins

# Update VLAN assignment (use VLAN name, NOT number)
netapi ise update-authz-profile Linux_EAPTLS_Admins --vlan DATA_VLAN

# Update DACL assignment
netapi ise update-authz-profile Linux_EAPTLS_Admins --dacl LINUX_EAPTLS_PERMIT_ALL

# Update both VLAN and DACL
netapi ise update-authz-profile Linux_EAPTLS_Admins \
  --vlan DATA_VLAN \
  --dacl LINUX_EAPTLS_PERMIT_ALL

# Remove DACL from profile
netapi ise update-authz-profile Linux_EAPTLS_Admins --no-dacl

CRITICAL: Always use switch VLAN names (e.g., DATA_VLAN), NOT numeric IDs (e.g., 10 or VLAN0010).

Using numeric VLAN IDs will cause authorization to fail silently - the switch won’t apply the VLAN even though ISE shows success.

Correct vs Incorrect

# ✓ CORRECT - Use VLAN name
netapi ise update-authz-profile MyProfile --vlan DATA_VLAN

# ✗ WRONG - Numeric ID will fail silently
netapi ise update-authz-profile MyProfile --vlan 10
netapi ise update-authz-profile MyProfile --vlan VLAN0010
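A preflight guard for the VLAN rule above, added here as an example (it is not part of netapi or the original page): it rejects a bare number or a VLAN<digits> ID before the command ever reaches ISE, and otherwise runs the same update-authz-profile call and echoes the profile back. Treating any VLAN<digits> value as an interface-style ID rather than a name is an assumption taken from the VLAN0010 case.

```shell
#!/bin/sh
# Added example, not part of netapi: a preflight guard that refuses numeric VLAN IDs
# before they reach update-authz-profile, since ISE accepts them but the switch
# silently ignores them. Assumption: VLAN<digits> (e.g. VLAN0010) is an interface-style
# ID and never a real switch VLAN name; names such as VLAN_10 are still allowed.

# vlan_name_ok VALUE -> 0 if VALUE looks like a switch VLAN name (e.g. DATA_VLAN),
# 1 for an empty value, a bare number (10) or an interface-style ID (VLAN0010).
vlan_name_ok() {
  v=$1
  [ -n "$v" ] || return 1
  case "$v" in
    *[!0-9]*) ;;            # contains a non-digit, so not a bare numeric ID
    *) return 1 ;;          # all digits, e.g. 10
  esac
  case "$v" in
    [Vv][Ll][Aa][Nn][0-9]*)  # VLAN prefix followed by a digit: reject if only digits follow
      case "${v#????}" in
        *[!0-9]*) ;;        # e.g. VLAN10_GUEST keeps non-digits, so it is a name
        *) return 1 ;;      # e.g. VLAN0010
      esac ;;
  esac
  return 0
}

# update_vlan PROFILE VLAN -> runs the guarded update-authz-profile call from the page.
update_vlan() {
  profile=$1; vlan=$2
  if ! vlan_name_ok "$vlan"; then
    echo "refusing --vlan '$vlan' for $profile: use the switch VLAN name (e.g. DATA_VLAN), not a numeric ID" >&2
    return 2
  fi
  netapi ise update-authz-profile "$profile" --vlan "$vlan" \
    && netapi ise get-authz-profile "$profile"   # echo the profile back so the operator can confirm
}

[ $# -eq 2 ] && update_vlan "$1" "$2"   # usage: sh vlan_guard.sh Linux_EAPTLS_Admins DATA_VLAN
```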

DACL Management

# List all DACLs
netapi ise get-dacls

# Get specific DACL content
netapi ise get-dacl LINUX_EAPTLS_PERMIT_ALL

# Create new DACL
netapi ise create-dacl LINUX_EAPTLS_PERMIT_ALL \
  --acl "permit ip any any" \
  --descr "Full network access for Linux Admin workstations"

# Delete DACL
netapi ise delete-dacl OLD_DACL_NAME

Change of Authorization (CoA)

# Send CoA reauthentication
netapi ise mnt coa-reauth 98:bb:1e:1f:a7:13

# Apply ANC policy (quarantine)
netapi ise anc-apply 98:bb:1e:1f:a7:13 Quarantine

# Clear ANC policy
netapi ise anc-clear 98:bb:1e:1f:a7:13

Output Formats

All commands support the --format / -f option:

netapi ise get-conditions -f table  # Default
netapi ise get-conditions -f json   # JSON for scripting
netapi ise get-conditions -f yaml   # YAML output

Verification Checklist

  • Certificate valid and not expired

  • Private key password correct in config

  • CA certificate imported to ISE

  • Authentication policy configured

  • Authorization profiles created

  • ClamAV running with recent definitions

  • UFW enabled with default deny
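The audit script below is an added example (not from the page or from netapi) that checks the Certificate Paths table, the Systemd Services units and the certificate, key-passphrase and UFW items of the Verification Checklist in one run. It assumes GNU stat and openssl are installed and that the EAP-TLS key passphrase is stored as private_key_passwd in the wpa_supplicant config.

```shell
#!/bin/sh
# Added example, not part of netapi or the original page. Run as root (the key and
# wpa_supplicant config are mode 600). Assumes GNU stat and openssl; the key passphrase
# is read from private_key_passwd in the config and passed to openssl via the environment.
KEY=/etc/ssl/private/workstation01.key
CERT=/etc/ssl/certs/workstation01.pem
CA=/etc/ssl/certs/HOME-ROOT-CA.pem
WPA=/etc/wpa_supplicant/wpa_supplicant-wired.conf
# audit_file PATH MODE OWNER:GROUP -> 0 only if PATH exists with exactly that mode and owner.
audit_file() {
  f=$1; want="$2 $3"
  [ -f "$f" ] || { echo "MISSING $f"; return 1; }
  have=$(stat -c '%a %U:%G' "$f")
  [ "$have" = "$want" ] && { echo "ok      $f ($have)"; return 0; }
  echo "BAD     $f: have '$have', want '$want'"; return 1
}

# cert_ok CERT KEY CA DAYS -> 0 if CERT chains to CA, stays valid for DAYS more days,
# and its public key matches KEY decrypted with the passphrase from the config.
cert_ok() {
  cert=$1; key=$2; ca=$3; days=$4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "BAD     chain $cert"; return 1; }
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
    || { echo "BAD     $cert expires within $days days"; return 1; }
  pw=$(sed -n 's/^[[:space:]]*private_key_passwd="\([^"]*\)".*/\1/p' "$WPA" | head -n 1)
  c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  k=$(KEYPW="$pw" openssl pkey -in "$key" -passin env:KEYPW -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ] || { echo "BAD     key/cert mismatch or wrong passphrase"; return 1; }
  echo "ok      $cert (chain, expiry > ${days}d, key and passphrase match)"
}
# ufw_ok -> 0 if ufw is active with default-deny incoming (an inactive ufw prints no Default line).
ufw_ok() {
  ufw status verbose 2>/dev/null | grep -q '^Default: deny (incoming)' \
    && { echo "ok      ufw active, default deny incoming"; return 0; }
  echo "BAD     ufw inactive or not default-deny"; return 1
}
main() {
  rc=0
  audit_file "$KEY"  600 root:root || rc=1
  audit_file "$CERT" 644 root:root || rc=1
  audit_file "$CA"   644 root:root || rc=1
  audit_file "$WPA"  600 root:root || rc=1
  cert_ok "$CERT" "$KEY" "$CA" 30 || rc=1
  for u in wpa_supplicant-wired@enp0s31f6 clamav-daemon; do
    systemctl is-active --quiet "$u" && echo "ok      $u active" || { echo "BAD     $u not active"; rc=1; }
  done
  ufw_ok || rc=1; return $rc
}
[ "${1:-}" = run ] && main   # invoke as: sudo sh audit.sh run
```

A non-zero exit from main means at least one checklist item failed; the BAD/MISSING lines name which one.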