Session Directory - cisco-pxgrid/pxgrid-rest-ws GitHub Wiki

Service: com.cisco.ise.session

This service provides access to ISE Session Directory. There are 2 objects that can be accessed:

  • Session
  • UserGroup

UserGroup is being separated out from Session object because of its size and static nature.

Multiple nodes. Use one.

ServiceLookup may return more than one nodes providing this service. Each node is a replica of each other. In other words, connecting to one of these nodes is sufficient.

Go through the list of nodes until one succeed. If none of them work, sleep for retry. Redo ServiceLookup before retry as there maybe service updates.

Service properties

Name Description ISE version Example values
restBaseUrl The base URL for APIs 2.3 https://[ise-host1]:8910/pxgrid/ise/session
wsPubsubService The WebSocket Pubsub service name 2.3 com.cisco.ise.pubsub
sessionTopic Topic for session events 2.3 /topic/com.cisco.ise.session
sessionTopicAll Topic for session events 3.3p2, 3.4 /topic/com.cisco.ise.session.all
groupTopic Topic for user group events 2.3 /topic/com.cisco.ise.session.group
restBaseURL Deprecated This is deprecated from ISE 2.3 and will be removed in the future. Please use restBaseUrl, camelcase even for acronyms https://[ise-host1]:8910/pxgrid/ise/session

HTTP APIs

POST [restBaseUrl]/getSessions

This is used to get all sessions. A startTimestamp can be optionally used in the request to get sessions newer than the timestamp.

If no session is found, sessions will be an empty array.

Request
{
  "startTimestamp": ISO8601 Datetime (optional)
  "filter": JMESFilter for each session object. e.g. "nasIpAddress == '10.0.0.1'" (optional. since ISE 3.4)

}

Refer pxGrid filtering for more details on how to use filters.

Reponse
{
  "sessions": [ 
    array of session objects
  ]
}

POST [restBaseUrl]/getSessionsForRecovery (since ISE 3.0)

This is used to get sessions for recovery purpose in case of loss. Loss can be detected if published data has a gap in sequence number. The startTimestamp used in the request should be the timestamp attribute of the last message received. The endTimestamp is optional. It should be the timestamp attribute of the first message received after the gap in sequence. If not specified, the current time will be used.

If no session is found, sessions will have an empty array.

It is possible that the startTimestamp specified is out of the recoverable time range. In that case, a "416 Requested Range Not Satisfiable" will be returned and the client should clear cache and get all sessions with getSessions call.

Request
{
  "startTimestamp": ISO8601 Datetime,
  "endTimestamp": ISO8601 Datetime
}
Reponse
{
  "sessions": [ 
    array of session objects
  ]
}

POST [restBaseUrl]/getSessionByIpAddress

This query returns a session object if found. If not, HTTP status "204 No content" will be returned.

Request
{
  "ipAddress": string (required)
}
Reponse
{
  session object
}

POST [restBaseUrl]/getSessionByMacAddress

This query returns a session object if found. If not, HTTP status "204 No content" will be returned.

Request
{
  "macAddress": string (required)
}
Reponse
{
  session object
}

POST [restBaseUrl]/getUserGroups

This gets all user groups. These user groups represent only the groups of the users that have been authenticated by ISE.

If no user group is found, userGroups will have an empty array.

Request
{
  "filter": JMESFilter for each user group object (optional. since ISE 3.4)
  (e.g. "(groups[].name.contains(@, 'User Identity Groups: Employee')).contains(@, `true`)" )
}

Refer pxGrid filtering for more details on how to use filters.

Reponse
{
  "userGroups": [
    array of userGroup objects
  ]
}

POST [restBaseUrl]/getUserGroupByUserName

This query returns an array of group object.

If the user has no group association, groups will have an empty array.

If user does not exist, HTTP status "204 No content" will be returned.

Request
{
  "userName": string (required)
}
Reponse
{
  "groups": [ 
    array of group objects
  ]
}

WS STOMP messaging

sessionTopic

This topic provides events of Session Directory updates. Events are only published if all these are true:

  • Session has IP address.
  • A new session, or change in session attributes apart from timestamps and statictics.
  • Session updated by Radius Accounting, AD probe, profiler, posture and MDM syslogs.

For creating a cache of sessions, the getSessions query can be used to build the initial cache.

{
  "sequence": integer sequence number for loss detection (since ISE 3.0)
  "sessions": [ 
    array of session objects
  ]
}

Rate limits

The publish rate is limited to prevent overloading the consumers and networks. From ISE 2.3 to 2.7, the rate limit is 50 batched events per message and 4 msg/s, a total of 200 events/s. Since ISE 3.0, the rate limit has increased to 50 batched events per messages of 40 msg/s, a total of 2000 events/s.

sessionTopicAll (since ISE 3.3p2 and 3.4)

This topic is similar to sessionTopic except events are also published for sessions without IP address

userGroupTopic

This topic provides events for user groups updates. Only changes will be published. For creating a cache of user groups, the getUserGroups query can be used to build the initial cache.

{
  "userGroups": [
    array of userGroup objects
  ]
}

Objects

"session" object

Name Type Description ISE versions
timestamp ISO8601 Datetime The time that the session record was created or updated in ISE. 2.3
state String
  • "AUTHENTICATING"
  • "AUTHENTICATED"
  • "POSTURED"
  • "STARTED"
  • "DISCONNECTED": Terminated session
 2.3
macAddress String MAC address in uppercase colon separated format XX:XX:XX:XX:XX:XX 2.3
ipAddresses Array of strings IPv4 or IPv6 addresses 2.3
callingStationId String 2.3
calledStationId String 2.3
auditSessionId String This is Audit Session ID generated uniquely by switch/router for a given session. 2.3
userName String 2.3
nasIpAddress String IPv4 or IPv6 address 2.3
nasPortId String 2.3
nasPortType String 2.3
nasIdentifier String 2.3
selectedAuthzProfiles Array of strings 2.4p12, 2.6p5, 2.7p1, 3.0
postureStatus String Posture status of the endpoint. Compliant or NonCompliant 2.3
endpointProfile String 2.3
endpointOperatingSystem String 2.3
ctsSecurityGroup String This is the Trustsec security group name 2.3
adNormalizedUser String 2.3
adUserDomainName String 2.3
adHostDomainName String 2.3
adUserNetBiosName String 2.3
adHostNetBiosName String 2.3
adUserResolvedIdentities String 2.3
adUserResolvedDns String 2.3
adHostResolvedIdentities String 2.3
adHostResolvedDns String 2.3
adUserSamAccountName String 2.4p9 2.6p2 2.7
adHostSamAccountName String 2.4p9 2.6p2 2.7
adUserQualifiedName String 2.4p9 2.6p2 2.7
adHostQualifiedName String 2.4p9 2.6p2 2.7
providers Arrays of string Providers of this session information:
  • WMI
  • Agent
  • Syslog
  • Rest
  • Span
  • DHCP
  • EndPoint
 2.3
endpointCheckResult String 2.3
endpointCheckTime Datetime 2.3
identitySourcePortStart String Start of source port range of the virtual desktop environment 2.3
identitySourcePortEnd String End of source port range of the virtual desktop environment 2.3
identitySourcePortFirst String First source port of the virtual desktop environment 2.3
terminalServerAgentId String Terminal Server Agent ID 2.3
isMachineAuthentication String Determine if this is a machine or not:
  • true for a machine
  • false for not a machine
  • if not present for unknown type
 2.3
serviceType String 2.3
tunnelPrivateGroupId String 2.3
airespaceWlanId String 2.3
networkDeviceProfileName String 2.3
radiusFlowType String 2.3
ssid String 2.3
ancPolicy string The ANC policy applied to this endpoint 2.4
mdmMacAddress string 2.4
mdmOsVersion string 2.4
mdmRegistered boolean 2.4
mdmCompliant boolean 2.4
mdmDiskEncrypted boolean 2.4
mdmJailBroken boolean 2.4
mdmPinLocked boolean 2.4
mdmModel string 2.4
mdmManufacturer string 2.4
mdmImei string 2.4
mdmMeid string 2.4
mdmUdid string 2.4
mdmSerialNumber string 2.4
mdmLocation string 2.4
mdmDeviceManager string 2.4
mdmLastSyncTime string 2.4
virtualNetwork string 3.0

"userGroup" object

Name Type Description ISE version
userName String 2.3
groups array of group objects 2.3

"group" object

Name Type Description ISE version
name String 2.3
type String Type of group:
  • ACTIVE_DIRECTORY
  • IDENTITY
  • EXTERNAL
  • INTERESTING_ACTIVE_DIRECTORY
 2.3
Samples
"session" object
{
  "timestamp": "2017-06-29T13:22:46.788-07:00",
  "state": "STARTED",
  "userName": "user1",
  "callingStationId": "33:33:33:33:33:33",
  "auditSessionId": "101",
  "ipAddresses": ["1.2.3.4"],
  "macAddress": "33:33:33:33:33:33",
  "nasIpAddress": "172.21.170.242",
  "adNormalizedUser": "user1",
  "providers": ["None"],
  "endpointCheckResult": "none",
  "identitySourcePortStart": 0,
  "identitySourcePortEnd": 0,
  "identitySourcePortFirst": 0,
  "networkDeviceProfileName": "Cisco",
  "mdmMacAddress": "33:33:33:33:33:33",
  "mdmOsVersion": "9.3.5",
  "mdmRegistered": true,
  "mdmCompliant": true,
  "mdmDiskEncrypted": false,
  "mdmJailBroken": false,
  "mdmPinLocked": true,
  "mdmModel": "iPad mini",
  "mdmManufacturer": "Apple",
  "mdmImei": "dummy15",
  "mdmMeid": "dummy16",
  "mdmUdid": "dummy17",
  "mdmSerialNumber": "dummy18",
  "mdmDeviceManager": "sns"
}

"userGroup" object
{  
   "userName":"user1",
   "groups":[  
      {  
         "name":"User Identity Groups:Employee",
         "type":"IDENTITY"
      },
      {  
         "name":"Workstation",
         "type":"IDENTITY"
      }
   ]
}
⚠️ **GitHub.com Fallback** ⚠️