Cisco ISE services - cisco-pxgrid/pxgrid-rest-ws GitHub Wiki
Cisco ISE services with pxGrid support
Cisco ISE provides services via HTTP APIs and WebSocket with pxGrid support. Unless otherwise noted, HTTP APIs and WebSocket are supported starting with ISE 2.3.
HTTP APIs
For consistency, all HTTP APIs use the POST method. For JSON requests, an empty JSON structure must be sent even when there are no attributes. HTTP status code 204 signifies that the item was not found.
WebSocket Pubsub service
WebSocket complements the HTTP APIs with a push mechanism. The WebSocket connection of Cisco ISE implements a Pubsub messaging system that uses STOMP as the messaging protocol.
This WebSocket Pubsub service of ISE is presented as a separate service such that:
- Other ISE services do not need to implement the same pubsub logic
- Pubsub service can be managed separately
Because it is a separate service, a client requires a second lookup to reach this pubsub service.
For example, ServiceLookup for a service such as Session Directory returns an attribute wsPubsubService that contains the pubsub service name.
This pubsub service name is then used in a second ServiceLookup.
pxGrid Policy
Each service can define its own operations, but this is what is generally used in Cisco ISE:
- For pubsub, service name is com.cisco.ise.pubsub, operation is "[subscribe|publish] [topic]"
- For REST, service name is the corresponding service, operation is either "gets" or "sets"
- ISE nodes belong to the "Internal" group, so they are not affected by these policies
Examples
Session Directory getSessionByIpAddress
This example demonstrates how to use getSessionByIpAddress from the Session Directory service.
Refer to the pxGrid consumer guide for information regarding the ServiceLookup and AccessSecret APIs.
Request URL: [restBaseUrl]/getSessionByIpAddress
Request Method: POST
Content-Type: application/json
Accept: application/json
Authorization: Basic [nodeName]:[secret]
Label | Description |
---|---|
[restBaseUrl] | Obtain by ServiceLookup of com.cisco.ise.session |
[nodeName] | pxGrid node name |
[secret] | Obtain via AccessSecret |
Session Directory subscription to session topic
WS URL: [wsUrl]
Authorization: Basic [nodeName]:[secret]
STOMP: SUBSCRIBE [sessionTopic]
Label | Description |
---|---|
[wsPubsubService] and [sessionTopic] | Obtain by ServiceLookup of com.cisco.ise.session |
[wsUrl] | Obtain by ServiceLookup of [wsPubsubService] |
[nodeName] | pxGrid node name |
[secret] | Obtain via AccessSecret |
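The two examples above, as an added Python sketch that is not code from the pxgrid-rest-ws project: it resolves the REST and WebSocket endpoints with the two-step lookup, builds the POST request (empty JSON body when there are no attributes), and maps status 204 to "not found". Assumptions: `lookup` is a hypothetical callable returning one service's properties as a flat dict, the sample URLs and values are constructed, the `ipAddress` field name is not given on this page, and `Basic [nodeName]:[secret]` is sent as standard HTTP Basic, which is only base64 encoding, so the sketch refuses non-HTTPS URLs.

```python
import base64
import json
from urllib.request import Request

def basic_auth(node_name, secret):
    """HTTP Basic value: base64 of 'nodeName:secret' (encoding, not encryption)."""
    token = base64.b64encode(f"{node_name}:{secret}".encode()).decode()
    return "Basic " + token

def build_post(url, node_name, secret, body=None):
    """Build (not send) a pxGrid REST call: always POST, always a JSON body."""
    if not url.startswith("https://"):
        # The Basic header exposes the secret to anyone on a cleartext path.
        raise ValueError("refusing to send pxGrid credentials over " + url)
    data = json.dumps(body or {}).encode()  # no attributes -> "{}"
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": basic_auth(node_name, secret)}
    return Request(url, data=data, headers=headers, method="POST")

def parse_response(status, raw):
    """Map the documented status codes: 204 means the item was not found."""
    if status == 204:
        return None
    if status != 200:
        raise RuntimeError(f"pxGrid call failed with HTTP {status}")
    return json.loads(raw)

def resolve_session_endpoints(lookup):
    """Two lookups: session service first, then the pubsub service it names."""
    session = lookup("com.cisco.ise.session")
    pubsub = lookup(session["wsPubsubService"])
    return session["restBaseUrl"], pubsub["wsUrl"], session["sessionTopic"]

# Constructed sample data standing in for ServiceLookup results.
SAMPLE_PROPERTIES = {
    "com.cisco.ise.session": {
        "restBaseUrl": "https://ise.example.test:8910/pxgrid/ise/session",
        "wsPubsubService": "com.cisco.ise.pubsub",
        "sessionTopic": "/topic/com.cisco.ise.session"},
    "com.cisco.ise.pubsub": {"wsUrl": "wss://ise.example.test:8910/pxgrid/ise/pubsub"},
}

if __name__ == "__main__":
    rest, ws, topic = resolve_session_endpoints(SAMPLE_PROPERTIES.__getitem__)
    req = build_post(rest + "/getSessionByIpAddress", "node1", "constructed-secret",
                     {"ipAddress": "192.0.2.10"})  # field name is an assumption
    print(req.get_method(), req.full_url, req.data.decode())
    print("subscribe", topic, "on", ws)
```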
Service reference guides
The following are detailed reference guides for each service:
- Session Directory
- System Health
- Radius Failure
- TrustSec
- TrustSec SXP
- TrustSec configuration
- Profiler configuration
- ANC configuration
- MDM
- Endpoint
- Endpoint Asset (pxGrid Context-In)
- Pubsub
Limits
To protect the system, the ISE pxGrid HTTP API enforces these limits:
- 50 concurrent API requests
- 5 authentication failures per source IP within the last 5 minutes