├── .gitignore
├── LICENSE
├── README.md
├── ciscoisesdk-test.py
├── cmdb-ci-generator.py
├── data
├── AD
│ └── ad_net_user_63k.bat
├── CSV
│ ├── identitygroups-dcloud-ens.csv
│ ├── identitygroups-default.csv
│ ├── identitygroups-medical.csv
│ ├── identitygroups-pseudoco.csv
│ ├── identitygroups-template.csv
│ ├── identitygroups-university.csv
│ ├── internalusers-dcloud-ens.csv
│ ├── internalusers-pseudoco.csv
│ ├── internalusers-template.csv
│ ├── networkdevicegroups-dcloud-ens.csv
│ ├── networkdevicegroups-default.csv
│ ├── networkdevicegroups-devicetypes.csv
│ ├── networkdevicegroups-medical.csv
│ ├── networkdevicegroups-operations.csv
│ ├── networkdevicegroups-pseudoco.csv
│ ├── networkdevicegroups-template.csv
│ ├── networkdevicegroups-university.csv
│ ├── networkdevices-template.csv
│ ├── networkdevices-thomas.csv
│ ├── sgts-default.csv
│ ├── sgts-medical.csv
│ ├── sgts-thomas.csv
│ └── trustsec-matrix-default.csv
├── SQL
│ ├── aaa_diagnostics.sql
│ ├── aaa_diagnostics_view.sql
│ ├── adapter_status.sql
│ ├── admin_users.sql
│ ├── administrator_login_counts.sql
│ ├── administrator_logins.sql
│ ├── authentications_like_location.sql
│ ├── authorization_profiles.sql
│ ├── change_configuration_audit.sql
│ ├── compliance_counts_by_username.sql
│ ├── compliant_endpoints_per_day.sql
│ ├── dc_table_columns.sql
│ ├── dc_tables.sql
│ ├── dc_views.sql
│ ├── devices_last_auth.sql
│ ├── endpoint_identity_groups.sql
│ ├── endpoint_purge_view.sql
│ ├── endpoints.sql
│ ├── endpoints_data.sql
│ ├── endpoints_last_auth.sql
│ ├── endpoints_profile_unknown.sql
│ ├── endpoints_random.sql
│ ├── failure_code_cause.sql
│ ├── guest_accounting.sql
│ ├── guest_devicelogin_audit.sql
│ ├── guest_sponsor_login_and_audit.sql
│ ├── key_performance_metrics.sql
│ ├── logical_profiles.sql
│ ├── logical_profiles_and_endpoints.sql
│ ├── misconfigured_nas_view.sql
│ ├── misconfigured_supplicants_view.sql
│ ├── network_access_users.sql
│ ├── network_device_groups.sql
│ ├── network_devices.sql
│ ├── node_list.sql
│ ├── openapi_operations.sql
│ ├── policy_sets.sql
│ ├── posture_agent_os_status_by_mac.sql
│ ├── posture_agent_versions.sql
│ ├── posture_assessment_by_condition.sql
│ ├── posture_assessment_by_endpoint.sql
│ ├── posture_assessment_by_username.sql
│ ├── posture_compliant_endpoints_per_day.sql
│ ├── posture_grace_period.sql
│ ├── posture_noncompliant_details.sql
│ ├── posture_noncompliant_endpoints_per_day.sql
│ ├── posture_noncompliant_users_with_date.sql
│ ├── primary_guest.sql
│ ├── profiled_endpoints_summary.sql
│ ├── profiling_endpoint_profiles_by_probe.sql
│ ├── profiling_endpoints_by_endpoint_profile.sql
│ ├── profiling_policies.sql
│ ├── pxgrid_direct_data.sql
│ ├── radius_accounting.sql
│ ├── radius_accounting_week.sql
│ ├── radius_acct.sql
│ ├── radius_acct_by_session_id.sql
│ ├── radius_acct_counts_by_day.sql
│ ├── radius_acct_counts_by_device.sql
│ ├── radius_acct_sessions.sql
│ ├── radius_acct_sessions_active.sql
│ ├── radius_acct_stops.sql
│ ├── radius_authentication_summary.sql
│ ├── radius_authentications.sql
│ ├── radius_authentications_week.sql
│ ├── radius_authorization_profiles.sql
│ ├── radius_auths.sql
│ ├── radius_auths_by.sql
│ ├── radius_auths_by_policy.sql
│ ├── radius_auths_by_security_group.sql
│ ├── radius_auths_by_sgt.sql
│ ├── radius_auths_failure_reason_counts.sql
│ ├── radius_auths_invalid.sql
│ ├── radius_auths_last_by_username.sql
│ ├── radius_auths_pass_fail_counts_by_username.sql
│ ├── radius_auths_password_failures.sql
│ ├── radius_auths_subject_not_found.sql
│ ├── radius_auths_summary.sql
│ ├── radius_errors.sql
│ ├── radius_errors_summary.sql
│ ├── radius_errors_view.sql
│ ├── registered_endpoints.sql
│ ├── security_group_acls.sql
│ ├── security_groups.sql
│ ├── system_diagnostics_view.sql
│ ├── system_summary.sql
│ ├── system_summary_daily.sql
│ ├── system_summary_last_hour.sql
│ ├── tacacs_accounting.sql
│ ├── tacacs_accounting_last_two_days.sql
│ ├── tacacs_authentication_summary.sql
│ ├── tacacs_authorizations.sql
│ ├── tacacs_command_accounting.sql
│ ├── tcnac_adapter_status.sql
│ ├── tcnac_vulnerability_assessment_failures.sql
│ ├── user_identity_groups.sql
│ └── user_password_changes.sql
└── YAML
│ ├── endpoint-example.yaml
│ ├── endpointgroup.yaml
│ ├── identitygroup.yaml
│ ├── internaluser.yaml
│ ├── networkdevicegroup-devicetypes.yaml
│ ├── networkdevicegroup-medical.yaml
│ ├── networkdevicegroup-other.yaml
│ ├── networkdevicegroup-pseudoco-locations.yaml
│ ├── networkdevicegroup-university.yaml
│ ├── sgacl-examples.yaml
│ └── sgt-default.yaml
├── html-anchor-validation.py
├── ise-api-enabled-aio.py
├── ise-api-enabled.py
├── ise-dc-enable.py
├── ise-delete.py
├── ise-endpoints-notifier.py
├── ise-endpoints-profile-unknown.py
├── ise-env.sh
├── ise-ers-count.py
├── ise-get-ers-raw.py
├── ise-get-ers.py
├── ise-get.py
├── ise-post-dacls.py
├── ise-post-endpoints.py
├── ise-post-ers-embedded.py
├── ise-post-ers-from-file.py
├── ise-post-internalusers.py
├── ise-up.sh
├── ise-version.py
├── ise-walk.py
├── isedc.py
├── isedc_reports.py
├── iseql.py
├── iseql_notebook.ipynb
├── mac.py
├── make-ise-endpoint.py
├── meraki-show.py
├── my_network_device.json
├── pyenv-install.sh
├── pyenv-uninstall.sh
├── requirements.txt
├── tests
├── test_isedc.py
└── test_mac.py
└── toys
├── test_pkg_datetime.py
└── test_pkg_time.py
/.gitignore:
--------------------------------------------------------------------------------
1 | # dot files and directories
2 | .git
3 | .vscode
4 | .cache
5 | .resources
6 | .*
7 |
8 | # Environments
9 | .env
10 | env/
11 | ENV/
12 |
13 | # macOS Files
14 | .DS_Store
15 |
16 | # Python Virtual Environments
17 | Pipfile*
18 | .venv
19 | venv/
20 |
21 | # Incomplete
22 | *⚠*
23 | *🚧*
24 | *💡*
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2022 Thomas Howard
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/ciscoisesdk-test.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | Test ciscoisesdk ISE Python library.
4 |
5 | Examples:
6 | ciscoisesdk_test.py
7 | ciscoisesdk_test.py -i
8 | ciscoisesdk_test.py -itv
9 |
10 | Requires setting these environment variables using the `export` command:
11 | export IDENTITY_SERVICES_ENGINE_USERNAME=admin
12 | export IDENTITY_SERVICES_ENGINE_PASSWORD=ISEisC00L
13 | export IDENTITY_SERVICES_ENGINE_DEBUG=False
14 | export IDENTITY_SERVICES_ENGINE_BASE_URL='https://ise.domain.com'
15 |
16 | You may add these `export` lines to a text file, customize them, and load with `source`:
17 | source ise.sh
18 |
19 | """
20 | __author__ = "Thomas Howard"
21 | __email__ = "thomas@cisco.com"
22 | __license__ = "MIT - https://mit-license.org/"
23 |
24 | import argparse
25 | import requests
26 | import json
27 | import os
28 | import sys
29 | import time
30 | from ciscoisesdk import IdentityServicesEngineAPI
31 | import ciscoisesdk
32 |
33 |
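def remove_ise_ids_and_links(resources: "list | None" = None):
    """
    Remove `id` and `link` attributes to flatten ISE JSON data.

    Each item of `resources` is a single-key wrapper mapping
    (`{"<ISE object name>": {...}}`). The wrapper is unwrapped and the
    `id` and `link` keys are dropped from the inner mapping.

    Side effects: the wrapper is emptied by `popitem()` and the inner mapping
    is edited in place, so the caller's objects are modified.

    Args:
        resources: list of wrapper mappings; `None` is treated as empty.

    Returns:
        A new list holding the unwrapped values, in input order.

    Raises:
        KeyError: if a wrapper mapping is empty.
    """
    # NOTE(review): the listing this came from lost its indentation. Appending
    # every unwrapped value (mapping or not) is assumed here - confirm.
    new_resources = []
    for wrapper in resources or []:
        _name, inner = wrapper.popitem()  # unwrap ISE object name
        # isinstance() also accepts subclasses. The SDK's response mappings are
        # assumed to be dict subclasses (this script passes them to json.dumps).
        if isinstance(inner, dict):
            # pop() with a default also removes keys holding falsy values,
            # which the truthiness test on .get() silently left behind.
            inner.pop("id", None)
            inner.pop("link", None)
        new_resources.append(inner)
    return new_resources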
48 |
49 |
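def main():
    """
    Entrypoint for packaged script.

    Queries ISE through ciscoisesdk and prints the security groups (SGTs),
    their details, and the network devices to stderr.

    Connection settings come from `ISE_`-prefixed environment variables, not
    the IDENTITY_SERVICES_ENGINE_* names shown in the module docstring:
      ISE_PPAN         host used to build the `https://` base URL
      ISE_USERNAME     API username
      ISE_PASSWORD     API password
      ISE_CERT_VERIFY  optional; a value starting with "f" or "n" turns TLS
                       certificate verification off (default: verify)

    `-i/--insecure` also turns certificate verification off. Without
    verification the ISE credentials can be captured by anyone able to
    intercept the connection, so keep it to lab use.
    """
    global args  # promote to global scope for use in other functions
    global start_time
    argp = argparse.ArgumentParser(description=__doc__, formatter_class=argparse.RawTextHelpFormatter)
    argp.add_argument("-i", "--insecure", action="store_true", default=False, help="ignore cert checks")
    argp.add_argument("-t", "--timer", action="store_true", default=False, help="show response timer")
    # `count` makes -v repeatable (-vvv == 3); with `store_true` the value was a
    # bool and the `>= 3` check below could never be true.
    argp.add_argument("-v", "--verbose", action="count", default=0, help="Verbosity; multiple allowed")
    args = argp.parse_args()

    # Load the environment before anything reads it (it used to be printed
    # before being assigned, which raised UnboundLocalError).
    env = {k: v for (k, v) in os.environ.items() if k.startswith("ISE_")}

    if args.verbose >= 3:
        # Do not echo credentials into terminals, logs or CI output.
        sensitive = ("PASSWORD", "SECRET", "TOKEN", "KEY")
        redacted = {k: ("********" if any(word in k for word in sensitive) else v) for k, v in env.items()}
        print(f"ⓘ env: {redacted}")
    if args.timer:
        start_time = time.time()

    missing = [k for k in ("ISE_PPAN", "ISE_USERNAME", "ISE_PASSWORD") if not env.get(k)]
    if missing:
        sys.exit(f"Missing required environment variables: {', '.join(missing)}")

    # Verify certificates unless explicitly disabled by -i or ISE_CERT_VERIFY.
    # A missing ISE_CERT_VERIFY now means "verify" instead of a KeyError.
    cert_verify = env.get("ISE_CERT_VERIFY", "true")
    verify = not (args.insecure or cert_verify[0:1].lower() in ("f", "n"))
    if not verify:
        print("⚠ TLS certificate verification is disabled", file=sys.stderr)

    ise = IdentityServicesEngineAPI(
        base_url=f"https://{env['ISE_PPAN']}",
        username=env["ISE_USERNAME"],
        password=env["ISE_PASSWORD"],
        verify=verify,
    )

    sgts = ise.security_groups.get_security_groups()
    print(f"SGTs JSON:\n{json.dumps(sgts.response, indent=2)}", file=sys.stderr)

    sgts = sgts.response["SearchResult"]["resources"]
    print(f"SGT resources JSON:\n{json.dumps(sgts, indent=2)}", file=sys.stderr)

    sgt_ids = [sgt["id"] for sgt in sgts]
    print(f"SGT IDs List:\n{sgt_ids}", file=sys.stderr)

    # Use the IDs to get all SGT details (one request per SGT).
    sgt_details = [ise.security_groups.get_security_group_by_id(sgt_id).response for sgt_id in sgt_ids]
    sgt_details = remove_ise_ids_and_links(sgt_details)
    print(f"SGT Details:\n{sgt_details}", file=sys.stderr)

    nads = ise.network_device.get_all()
    print(f"NADS:\n{nads.response}", file=sys.stderr)

    if args.timer:
        duration = time.time() - start_time
        print(f"\n 🕒 {duration} seconds\n", file=sys.stderr)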
96 |
97 |
# Run from script: call main() only when this file is executed directly,
# not when it is imported as a module.
if __name__ == "__main__":
    main()
103 |
--------------------------------------------------------------------------------
/data/CSV/identitygroups-dcloud-ens.csv:
--------------------------------------------------------------------------------
1 | Identity Group Name,Identity Group Description,Identity Group Max Sessions,Identity Group Max Sessions for User in Group
2 | Corporate,Corporate E&S group,0,0
3 | Education,Education E&S group,0,0
4 | Enterprise,Enterprise E&S group,0,0
5 | Federal,Federal E&S group,0,0
6 | Healthcare,Healthcare E&S group,0,0
7 | Helpdesk,Helpdesk E&S group,0,0
8 | Network_Admins,Network_Admins E&S group,0,0
9 | Security_Admins,Security_Admins E&S group,0,0
10 | Tier2_Users,Tier2_Users E&S group,0,0
11 | Tier1_Users,Tier1_Users E&S group,0,0
--------------------------------------------------------------------------------
/data/CSV/identitygroups-default.csv:
--------------------------------------------------------------------------------
1 | Identity Group Name,Identity Group Description,Identity Group Max Sessions,Identity Group Max Sessions for User in Group
2 | ALL_ACCOUNTS (default),Default ALL_ACCOUNTS (default) User Group,0,0
3 | Employee,Default Employee User Group,0,0
4 | GROUP_ACCOUNTS (default),Default GROUP_ACCOUNTS (default) User Group,0,0
5 | GuestType_Contractor (default),Identity group mirroring the guest type ,0,0
6 | GuestType_Daily (default),Identity group mirroring the guest type ,0,0
7 | GuestType_SocialLogin (default),Identity group mirroring the guest type ,0,0
8 | GuestType_Weekly (default),Identity group mirroring the guest type ,0,0
9 | OWN_ACCOUNTS (default),Default OWN_ACCOUNTS (default) User Group,0,0
10 |
--------------------------------------------------------------------------------
/data/CSV/identitygroups-pseudoco.csv:
--------------------------------------------------------------------------------
1 | Identity Group Name,Identity Group Description,Identity Group Max Sessions,Identity Group Max Sessions for User in Group
2 | HR,HR,0,0
3 | Finance,Finance,0,0
4 | Sales,Sales,0,0
5 | Marketing,Marketing,0,0
6 | IT,IT,0,0
7 | Security,Security,0,0
8 | Engineering,Engineering,0,0
9 | Design,Design,0,0
10 | Manufacturing ,Manufacturing ,0,0
11 | Executive,Executive,0,0
12 | Vendor,Vendor,0,0
13 | Partner,Partner,0,0
14 | Integrator,Integrator,0,0
15 | Provider,Provider,0,0
16 | Developer,Developer,0,0
17 | Consultant,Consultant,0,0
18 | Manufacturer,Manufacturer,0,0
19 | Distributor,Distributor,0,0
20 |
--------------------------------------------------------------------------------
/data/CSV/identitygroups-template.csv:
--------------------------------------------------------------------------------
1 | Identity Group Name,Identity Group Description,Identity Group Max Sessions,Identity Group Max Sessions for User in Group
2 |
--------------------------------------------------------------------------------
/data/CSV/identitygroups-university.csv:
--------------------------------------------------------------------------------
1 | Identity Group Name,Identity Group Description,Identity Group Max Sessions,Identity Group Max Sessions for User in Group
2 | Anthropology and Geography,Anthropology and Geography,0,0
3 | Aerospace,Aerospace,0,0
4 | Agricultural Business,Agricultural Business,0,0
5 | Agriculture,Agriculture,0,0
6 | Agricultural Science,Agricultural Science,0,0
7 | Architecture,Architecture,0,0
8 | Architectural Engineering,Architectural Engineering,0,0
9 | Art and Design,Art and Design,0,0
10 | Animal Science,Animal Science,0,0
11 | Biochemistry,Biochemistry,0,0
12 | Biomedical,Biomedical,0,0
13 | Biological Sciences,Biological Sciences,0,0
14 | Business,Business,0,0
15 | Civil Engineering,Civil Engineering,0,0
16 | Comparative Ethnic Studies,Comparative Ethnic Studies,0,0
17 | Chemistry,Chemistry,0,0
18 | Construction Management,Construction Management,0,0
19 | Construction,Construction,0,0
20 | Computer Engineering,Computer Engineering,0,0
21 | City and Regional Planning,City and Regional Planning,0,0
22 | Computer Science,Computer Science,0,0
23 | Economics,Economics,0,0
24 | Electrical Engineering,Electrical Engineering,0,0
25 | Engineering,Engineering,0,0
26 | English,English,0,0
27 | Ethnic Studies,Ethnic Studies,0,0
28 | Food Science,Food Science,0,0
29 | General Engineering,General Engineering,0,0
30 | History,History,0,0
31 | Industrial Engineering,Industrial Engineering,0,0
32 | Industrial Technology,Industrial Technology,0,0
33 | Journalism,Journalism,0,0
34 | Kinesiology,Kinesiology,0,0
35 | Landscape Architecture,Landscape Architecture,0,0
36 | Languages,Languages,0,0
37 | Law,Law,0,0
38 | Liberal Studies,Liberal Studies,0,0
39 | Manufacturing Engineering,Manufacturing Engineering,0,0
40 | Materials Engineering,Materials Engineering,0,0
41 | Microbiology,Microbiology,0,0
42 | Mechanical Engineering,Mechanical Engineering,0,0
43 | Marine Sciences,Marine Sciences,0,0
44 | Music,Music,0,0
45 | Mathematics,Mathematics,0,0
46 | Natural Resources Management,Natural Resources Management,0,0
47 | Nutrition,Nutrition,0,0
48 | Environmental Engineering,Environmental Engineering,0,0
49 | Environmental Sciences,Environmental Sciences,0,0
50 | Public Health,Public Health,0,0
51 | Philosophy,Philosophy,0,0
52 | Physics,Physics,0,0
53 | Plant Sciences,Plant Sciences,0,0
54 | Political Science,Political Science,0,0
55 | Psychology,Psychology,0,0
56 | Recreation Administration,Recreation Administration,0,0
57 | Science,Science,0,0
58 | Sociology,Sociology,0,0
59 | Statistics,Statistics,0,0
60 | Software Engineering,Software Engineering,0,0
61 | Theatre Arts,Theatre Arts,0,0
62 | Viticulture,Viticulture,0,0
--------------------------------------------------------------------------------
/data/CSV/internalusers-dcloud-ens.csv:
--------------------------------------------------------------------------------
1 | User Name,First Name,Last Name,Email,User Details,Password,Is Password Encrypted(True/False),Enable User(Yes/No),Change Password on Next Login(Yes/No),User Identity Groups,Enable Password,Is Enable Password Encrypted(True/False),Password ID Store,Expiry Date(MM/dd/yyyy),Password Never Expires(Yes/No),Account Name Alias,Date Created (MM/dd/yyyy),Date Modified (MM/dd/yyyy)
2 | vendor,,,,Vendor,C1sco12345,FALSE,Yes,No,Vendor,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
3 | partner,,,,Partner,C1sco12345,FALSE,Yes,No,Partner,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
4 | integrator,,,,Integrator,C1sco12345,FALSE,Yes,No,Integrator,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
5 | provider,,,,Provider,C1sco12345,FALSE,Yes,No,Provider,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
6 | developer,,,,Developer,C1sco12345,FALSE,Yes,No,Developer,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
7 | consultant,,,,Consultant,C1sco12345,FALSE,Yes,No,Consultant,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
8 | manufacturer,,,,Manufacturer,C1sco12345,FALSE,Yes,No,Manufacturer,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
9 | distributor,,,,Distributor,C1sco12345,FALSE,Yes,No,Distributor,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
10 | captain,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Federal,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
11 | dean,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Education,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
12 | doctor,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Healthcare,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
13 | employee,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Corporate,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
14 | helpdesk,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Employee,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
15 | manager,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Corporate,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
16 | network_admin,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Network_Admins,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
17 | nurse,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Healthcare,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
18 | officer,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Federal,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
19 | professor,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Education,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
20 | security_admin,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Security_Admins,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
21 | sponsor,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Employee,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
22 | tcnac,,,,E&S demo user,C1sco12345,FALSE,Yes,No,Security_Admins,C1sco12345,FALSE,Internal Users,,Yes,,1/1/24,1/1/24
--------------------------------------------------------------------------------
/data/CSV/internalusers-template.csv:
--------------------------------------------------------------------------------
1 | User Name,First Name,Last Name,Email,User Details,Password,Is Password Encrypted(True/False),Enable User(Yes/No),Change Password on Next Login(Yes/No),User Identity Groups,Enable Password,Is Enable Password Encrypted(True/False),Password ID Store,Expiry Date(MM/dd/yyyy),Password Never Expires(Yes/No),Account Name Alias
--------------------------------------------------------------------------------
/data/CSV/networkdevicegroups-dcloud-ens.csv:
--------------------------------------------------------------------------------
1 | Name:String(100):Required,Description:String(1024),Type:String(64):Required,Is Root:Boolean(true|false):Required
2 | Device Type#All Device Types,All Device Types,Device Type,true
3 | Device Type#All Device Types#Network Devices,,Device Type,false
4 | Device Type#All Device Types#Network Devices#IOS Devices,IOS based routers & switches,Device Type,false
5 | Device Type#All Device Types#Network Devices#Nexus_OS,Devices running NX-OS,Device Type,false
6 | Device Type#All Device Types#Network Devices#Wireless Devices,Wireless LAN Controllers,Device Type,false
7 | Device Type#All Device Types#Security Devices,,Device Type,false
8 | Device Type#All Device Types#Security Devices#Firewalls,Firewalls,Device Type,false
9 | Device Type#All Device Types#Security Devices#IPS,IPS,Device Type,false
10 | Device Type#All Device Types#Security Devices#VPN,VPN,Device Type,false
11 | Device Type#All Device Types#Simulators,ISE use-case traffic generators,Device Type,false
12 | IPSEC#Is IPSEC Device,Is this a RADIUS over IPSEC Device,IPSEC,true
13 | IPSEC#Is IPSEC Device#No,Device is not IPSEC Type,IPSEC,false
14 | IPSEC#Is IPSEC Device#Yes,Device is IPSEC Type,IPSEC,false
15 | Location#All Locations,All Locations,Location,true
16 | Location#All Locations#dCloud,,Location,false
17 | Location#All Locations#dCloud#DC,,Location,false
18 | Location#All Locations#dCloud#DMZ,,Location,false
19 | Location#All Locations#dCloud#Lab,,Location,false
20 |
--------------------------------------------------------------------------------
/data/CSV/networkdevicegroups-default.csv:
--------------------------------------------------------------------------------
1 | Name:String(100):Required,Description:String(1024),Type:String(64):Required,Is Root:Boolean(true|false):Required
2 | Device Type#All Device Types,All Device Types,Device Type,true
3 | IPSEC#Is IPSEC Device,Is this a RADIUS over IPSEC Device,IPSEC,true
4 | IPSEC#Is IPSEC Device#No,Device is not IPSEC Type,IPSEC,false
5 | IPSEC#Is IPSEC Device#Yes,Device is IPSEC Type,IPSEC,false
6 | Location#All Locations,All Locations,Location,true
7 |
--------------------------------------------------------------------------------
/data/CSV/networkdevicegroups-operations.csv:
--------------------------------------------------------------------------------
1 | Name:String(100):Required,Description:String(1024),Type:String(64):Required,Is Root:Boolean(true|false):Required
2 | Operation#Operation,All Operations,Operation,TRUE
3 | Operation#Operation#Zone1,Zone 1,Operation,FALSE
4 | Operation#Operation#Zone2,Zone 2,Operation,FALSE
5 | Operation#Operation#Zone3,Zone 3,Operation,FALSE
6 | Operation#Operation#Zone4,Zone 4,Operation,FALSE
7 | Operation#Operation#Zone5,Zone 5,Operation,FALSE
8 | Operation#Operation#Zone6,Zone 6,Operation,FALSE
9 | Operation#Operation#Zone7,Zone 7,Operation,FALSE
10 | Operation#Operation#Zone8,Zone 8,Operation,FALSE
11 | Operation#Operation#Zone9,Zone 9,Operation,FALSE
12 | Operation#Operation#Zone10,Zone 10,Operation,FALSE
--------------------------------------------------------------------------------
/data/CSV/networkdevicegroups-template.csv:
--------------------------------------------------------------------------------
1 | Name:String(100):Required,Description:String(1024),Type:String(64):Required,Is Root:Boolean(true|false):Required
--------------------------------------------------------------------------------
/data/CSV/networkdevicegroups-university.csv:
--------------------------------------------------------------------------------
1 | Name:String(100):Required,Description:String(1024),Type:String(64):Required,Is Root:Boolean(true|false):Required
2 | School#School,All University Schools,School,TRUE
3 | School#School#Agriculture,Agriculture,School,FALSE
4 | School#School#Architecture,Architecture,School,FALSE
5 | School#School#Business,Business,School,FALSE
6 | School#School#Engineering,Engineering,School,FALSE
7 | School#School#LiberalArts,LiberalArts,School,FALSE
8 | School#School#Science,Science,School,FALSE
9 | Department#Department,All Departments,Department,TRUE
10 | Department#Department#AAG,Anthropology and Geography,Department,FALSE
11 | Department#Department#AER,Aerospace,Department,FALSE
12 | Department#Department#AGB,Agricultural Business,Department,FALSE
13 | Department#Department#AGR,Agriculture,Department,FALSE
14 | Department#Department#AGS,Agricultural Science,Department,FALSE
15 | Department#Department#ARC,Architecture,Department,FALSE
16 | Department#Department#ARE,Architectural Engineering,Department,FALSE
17 | Department#Department#ART,Art and Design,Department,FALSE
18 | Department#Department#ASC,Animal Science,Department,FALSE
19 | Department#Department#BIO,Biochemistry,Department,FALSE
20 | Department#Department#BM,Biomedical,Department,FALSE
21 | Department#Department#BSC,Biological Sciences,Department,FALSE
22 | Department#Department#BUS,Business,Department,FALSE
23 | Department#Department#CE,Civil Engineering,Department,FALSE
24 | Department#Department#CES,Comparative Ethnic Studies,Department,FALSE
25 | Department#Department#Chemistry,Chemistry,Department,FALSE
26 | Department#Department#CM,Construction Management,Department,FALSE
27 | Department#Department#CON,Construction,Department,FALSE
28 | Department#Department#CPE,Computer Engineering,Department,FALSE
29 | Department#Department#CRP,City and Regional Planning,Department,FALSE
30 | Department#Department#CS,Computer Science,Department,FALSE
31 | Department#Department#ECN,Economics,Department,FALSE
32 | Department#Department#EE,Electrical Engineering,Department,FALSE
33 | Department#Department#EGR,Engineering,Department,FALSE
34 | Department#Department#ENG,English,Department,FALSE
35 | Department#Department#ES,Ethnic Studies,Department,FALSE
36 | Department#Department#FS,Food Science,Department,FALSE
37 | Department#Department#GE,General Engineering,Department,FALSE
38 | Department#Department#HIS,History,Department,FALSE
39 | Department#Department#IE,Industrial Engineering,Department,FALSE
40 | Department#Department#IT,Industrial Technology,Department,FALSE
41 | Department#Department#JRN,Journalism,Department,FALSE
42 | Department#Department#KIN,Kinesiology,Department,FALSE
43 | Department#Department#LA,Landscape Architecture,Department,FALSE
44 | Department#Department#LAN,Languages,Department,FALSE
45 | Department#Department#LAW,Law,Department,FALSE
46 | Department#Department#LS,Liberal Studies,Department,FALSE
47 | Department#Department#MAN,Manufacturing Engineering,Department,FALSE
48 | Department#Department#MAT,Materials Engineering,Department,FALSE
49 | Department#Department#MB,Microbiology,Department,FALSE
50 | Department#Department#ME,Mechanical Engineering,Department,FALSE
51 | Department#Department#MS,Marine Sciences,Department,FALSE
52 | Department#Department#MSC,Music,Department,FALSE
53 | Department#Department#MTH,Mathematics,Department,FALSE
54 | Department#Department#NRM,Natural Resources Management,Department,FALSE
55 | Department#Department#NUT,Nutrition,Department,FALSE
56 | Department#Department#NVE,Environmental Engineering,Department,FALSE
57 | Department#Department#NVS,Environmental Sciences,Department,FALSE
58 | Department#Department#PH,Public Health,Department,FALSE
59 | Department#Department#PHL,Philosophy,Department,FALSE
60 | Department#Department#PHY,Physics,Department,FALSE
61 | Department#Department#PLS,Plant Sciences,Department,FALSE
62 | Department#Department#POL,Political Science,Department,FALSE
63 | Department#Department#PSY,Psychology,Department,FALSE
64 | Department#Department#REC,Recreation Administration,Department,FALSE
65 | Department#Department#SCI,Science,Department,FALSE
66 | Department#Department#SOC,Sociology,Department,FALSE
67 | Department#Department#STS,Statistics,Department,FALSE
68 | Department#Department#SWE,Software Engineering,Department,FALSE
69 | Department#Department#TA,Theatre Arts,Department,FALSE
70 | Department#Department#VIT,Viticulture,Department,FALSE
--------------------------------------------------------------------------------
/data/CSV/networkdevices-template.csv:
--------------------------------------------------------------------------------
1 | Name:String(32):Required,Description:String(256),IP Address:Subnets(a.b.c.d/m#....):Required,Model Name:String(32),Software Version:String(32),Network Device Groups:String(100)(Type#Root Name#Name|...):Required,Authentication:Protocol:String(6),Authentication:Shared Secret:String(128),EnableKeyWrap:Boolean(true|false),EncryptionKey:String(ascii:16|hexa:32),AuthenticationKey:String(ascii:20|hexa:40),InputFormat:String(32),SNMP:Version:Enumeration(1|2c|3),SNMP:RO Community:String(32),SNMP:Username:String(32),SNMP:Security Level:Enumeration(Auth|No Auth|Priv),SNMP:Authentication Protocol:Enumeration(MD5|SHA|SHA2),SNMP:Authentication Password:String(32),SNMP:Privacy Protocol:Enumeration(DES|AES128|AES192|AES256|3DES),SNMP:Privacy Password:String(32),SNMP:Polling Interval:Integer:600-86400 seconds,SNMP:Is Link Trap Query:Boolean(true|false),SNMP:Is MAC Trap Query:Boolean(true|false),SNMP:Originating Policy Services Node:String(32),SGA:Device Id:String(32),SGA:Device Password:String(256),SGA:Environment Data Download Interval:Integer:1-2147040000 seconds,SGA:Peer Authorization Policy Download Interval:Integer:1-2147040000 seconds,SGA:Reauthentication Interval:Integer:1-2147040000 seconds,SGA:SGACL List Download Interval:Integer:1-2147040000 seconds,SGA:Is Other SGA Devices Trusted:Boolean(true|false),SGA:Notify this device about SGA configuration changes:String(ENABLE_USING_CLI|ENABLE_USING_COA|DISABLE_ALL),SGA:Include this device when deploying Security Group Tag Mapping Updates:Boolean(true|false),Deployment:EXEC Mode Username:String(32),Deployment:EXEC Mode Password:String(32),Deployment:Enable Mode Password:String(32),SGA:PAC issue date:Date,SGA:PAC expiration date:Date,SGA:PAC issued by:String,TACACS:Shared Secret:String(128),TACACS:Connect Mode Options:String 
(OFF|ON_LEGACY|ON_DRAFT_COMPLIANT),Profile:String(128):Required,coaPort:Integer(128):Required,DtlsRequired:Boolean(true|false),DtlsCoaPort:Integer(128),DtlsIssuerCertificate:String(128),DtlsDnsName:String(100),SGA:CoA Coa Source Host:String,Authentication:Second Shared Secret:String(128),Enable Multi Shared Secret:Boolean(true|false)
--------------------------------------------------------------------------------
/data/CSV/networkdevices-thomas.csv:
--------------------------------------------------------------------------------
1 | Name:String(32):Required,Description:String(256),IP Address:Subnets(a.b.c.d/m#....):Required,Model Name:String(32),Software Version:String(32),Network Device Groups:String(100)(Type#Root Name#Name|...):Required,Authentication:Protocol:String(6),Authentication:Shared Secret:String(128),EnableKeyWrap:Boolean(true|false),EncryptionKey:String(ascii:16|hexa:32),AuthenticationKey:String(ascii:20|hexa:40),InputFormat:String(32),SNMP:Version:Enumeration(1|2c|3),SNMP:RO Community:String(32),SNMP:Username:String(32),SNMP:Security Level:Enumeration(Auth|No Auth|Priv),SNMP:Authentication Protocol:Enumeration(MD5|SHA|SHA2),SNMP:Authentication Password:String(32),SNMP:Privacy Protocol:Enumeration(DES|AES128|AES192|AES256|3DES),SNMP:Privacy Password:String(32),SNMP:Polling Interval:Integer:600-86400 seconds,SNMP:Is Link Trap Query:Boolean(true|false),SNMP:Is MAC Trap Query:Boolean(true|false),SNMP:Originating Policy Services Node:String(32),SGA:Device Id:String(32),SGA:Device Password:String(256),SGA:Environment Data Download Interval:Integer:1-2147040000 seconds,SGA:Peer Authorization Policy Download Interval:Integer:1-2147040000 seconds,SGA:Reauthentication Interval:Integer:1-2147040000 seconds,SGA:SGACL List Download Interval:Integer:1-2147040000 seconds,SGA:Is Other SGA Devices Trusted:Boolean(true|false),SGA:Notify this device about SGA configuration changes:String(ENABLE_USING_CLI|ENABLE_USING_COA|DISABLE_ALL),SGA:Include this device when deploying Security Group Tag Mapping Updates:Boolean(true|false),Deployment:EXEC Mode Username:String(32),Deployment:EXEC Mode Password:String(32),Deployment:Enable Mode Password:String(32),SGA:PAC issue date:Date,SGA:PAC expiration date:Date,SGA:PAC issued by:String,TACACS:Shared Secret:String(128),TACACS:Connect Mode Options:String 
(OFF|ON_LEGACY|ON_DRAFT_COMPLIANT),Profile:String(128):Required,coaPort:Integer(128):Required,DtlsRequired:Boolean(true|false),DtlsCoaPort:Integer(128),DtlsIssuerCertificate:String(128),DtlsDnsName:String(100),SGA:CoA Coa Source Host:String,Authentication:Second Shared Secret:String(128),Enable Multi Shared Secret:Boolean(true|false)
2 | simulator,,10.80.60.148/32,Simulator,,Location#All Locations#AMER#US#HBC|IPSEC#Is IPSEC Device#No|Device Type#All Device Types,RADIUS,C1sco12345,FALSE,,,,2c,C1sco12345,,,,,,,28800,TRUE,TRUE,,simulator,C1sco12345,86400,86400,86400,86400,TRUE,DISABLE_ALL,FALSE,,,,,,,C1sco12345,OFF,Cisco,1700,FALSE,2083,,,,,FALSE
3 | lab-ms390-1,,10.80.60.149/32,MS390,,Location#All Locations#AMER#US#HBC|IPSEC#Is IPSEC Device#No|Device Type#All Device Types,RADIUS,C1sco12345,FALSE,,,,2c,C1sco12345,,,,,,,28800,TRUE,TRUE,,lab-ms390-1,C1sco12345,86400,86400,86400,86400,TRUE,DISABLE_ALL,FALSE,,,,,,,C1sco12345,OFF,Cisco,1700,FALSE,2083,,,,,FALSE
4 | lab-mr46-1,,10.80.60.150/32,MR46,,Location#All Locations#AMER#US#HBC|IPSEC#Is IPSEC Device#No|Device Type#All Device Types,RADIUS,C1sco12345,FALSE,,,,2c,C1sco12345,,,,,,,28800,TRUE,TRUE,,lab-mr46-1,C1sco12345,86400,86400,86400,86400,TRUE,DISABLE_ALL,FALSE,,,,,,,C1sco12345,OFF,Cisco,1700,FALSE,2083,,,,,FALSE
5 | lab-9200cx-1,,10.80.60.151/32,9200CX,,Location#All Locations#AMER#US#HBC|IPSEC#Is IPSEC Device#No|Device Type#All Device Types,RADIUS,C1sco12345,FALSE,,,,2c,C1sco12345,,,,,,,28800,TRUE,TRUE,,lab-9200cx-1,C1sco12345,86400,86400,86400,86400,TRUE,DISABLE_ALL,FALSE,,,,,,,C1sco12345,OFF,Cisco,1700,FALSE,2083,,,,,FALSE
--------------------------------------------------------------------------------
/data/CSV/sgts-default.csv:
--------------------------------------------------------------------------------
1 | Icon,Name:String(32):Required,Value,Description:String(256)
2 | 0,Auditors,9,Auditor Security Group
3 | 0,BYOD,15,BYOD Security Group
4 | 0,Contractors,5,Contractor Security Group
5 | 0,Developers,8,Developer Security Group
6 | 0,Development_Servers,12,Development Servers Security Group
7 | 0,Employees,4,Employee Security Group
8 | 0,Guests,6,Guest Security Group
9 | 0,Network_Services,3,Network Services Security Group
10 | 0,PCI_Servers,14,PCI Servers Security Group
11 | 0,Point_of_Sale_Systems,10,Point of Sale Security Group
12 | 0,Production_Servers,11,Production Servers Security Group
13 | 0,Production_Users,7,Production User Security Group
14 | 0,Quarantined_Systems,255,Quarantine Security Group
15 | 0,Test_Servers,13,Test Servers Security Group
16 | 0,TrustSec_Devices,2,TrustSec Devices Security Group
17 | 0,Unknown,0,Unknown Security Group
18 |
--------------------------------------------------------------------------------
/data/CSV/sgts-medical.csv:
--------------------------------------------------------------------------------
1 | Icon,Name:String(32):Required,Value,Description:String(256)
2 | 0,Unknown,0,System Default - applies when a policy is specified for unsuccessful group classification
3 | 0,Infrastructure,2,Infrastructure group is used by Meraki devices for internal and dashboard communication
4 | 0,Badging,10,Badge Readers
5 | 0,Building,11,Building Lighting
6 | 0,Cameras,12,Cameras
7 | 0,Cardio,13,Cardio
8 | 0,Careware,14,Careware
9 | 0,Clinical,15,Clinical
10 | 0,Conferencing,16,Conferencing
11 | 0,Doctors,17,Doctors
12 | 0,Facilities,18,Facilities
13 | 0,Fetalink,19,Fetalink
14 | 0,Guest,20,Guest
15 | 0,HVAC,21,HVAC
16 | 0,Imaging,22,Imaging
17 | 0,Infants,23,Infants
18 | 0,Kiosks,24,Kiosks
19 | 0,Lab,25,Lab
20 | 0,Lighting,26,Lighting
21 | 0,Linux,27,Linux
22 | 0,MedicalDevices,28,MedicalDevices
23 | 0,Nurses,29,Nurses
24 | 0,PatientCare,30,PatientCare
25 | 0,Pharmacy,31,Pharmacy
26 | 0,Phones,32,Phones
27 | 0,Printers,33,Printers
28 | 0,Retail,34,Retail
29 | 0,Servers,35,Servers
30 | 0,Signage,36,Signage
31 | 0,Staff,37,Staff
32 | 0,Storage,38,Storage
33 | 0,Support,39,Support
34 | 0,Surgical,40,Surgical
35 | 0,UPS,41,Uninterruptible Power Supplies
36 | 0,VM,42,VM
37 | 0,Volunteers,43,Volunteers
38 | 0,Wireless,44,Wireless
39 | 0,Workstation,45,Workstation
40 | 0,WOW,46,WOW
--------------------------------------------------------------------------------
/data/CSV/sgts-thomas.csv:
--------------------------------------------------------------------------------
1 | Icon,Name:String(32):Required,Value,Description:String(256)
2 | 0,Unknown,0,System Default - applies when a policy is specified for unsuccessful group classification
3 | 0,Infrastructure,2,Infrastructure / TrustSec_Devices group is used by Meraki devices for internal and dashboard communication
4 | 0,Badging,10,Badging
5 | 0,Building,11,Building
6 | 0,BYOD,12,BYOD
7 | 0,Cameras,13,Cameras
8 | 0,Contractors,14,Contractors
9 | 0,Employees,15,Employees
10 | 0,Engineering,16,Engineering
11 | 0,Facilities,17,Facilities
12 | 0,Guests,18,Guests
13 | 0,HVAC,19,HVAC
14 | 0,Industrial,20,Industrial
15 | 0,IOT,21,IOT
16 | 0,Kiosks,22,Kiosks
17 | 0,Lab,23,Lab
18 | 0,Lighting,24,Lighting
19 | 0,Linux,25,Linux
20 | 0,Manufacturing,26,Manufacturing
21 | 0,Phones,27,Phones
22 | 0,Printers,28,Printers
23 | 0,Quarantined,29,Quarantined
24 | 0,Retail,30,Retail
25 | 0,Servers,31,Servers
26 | 0,Signage,32,Signage
27 | 0,Storage,33,Storage
28 | 0,UPS,34,UPS
29 | 0,Workstations,35,Workstations
--------------------------------------------------------------------------------
/data/SQL/aaa_diagnostics.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- ISE Reports > Diagnostics > AAA Diagnostics
3 | -- Returns the 10 most recent rows of aaa_diagnostics_view, newest first.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | -- NOTE(review): username and info are returned as stored; treat exported results as sensitive log data.
7 |
8 | SELECT
9 | -- timestamp_timezone,
10 | TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
11 | session_id, -- example value: ise-ppan/520285697/348
12 | -- ise_node,
13 | username,
14 | message_severity AS severity,
15 | message_code AS msg_code,
16 | message_text AS msg_text,
17 | -- category, -- always CISE_RADIUS_Diagnostics
18 | info -- RADIUS attribute details; last active column, so no trailing comma
19 | FROM aaa_diagnostics_view
20 | -- ORDER BY timestamp ASC -- first/oldest records
21 | ORDER BY timestamp DESC -- most recent records
22 | FETCH FIRST 10 ROWS ONLY -- cap the result at 10 rows
23 |
--------------------------------------------------------------------------------
/data/SQL/aaa_diagnostics_view.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- ISE Reports > Diagnostics > AAA Diagnostics
3 | -- Returns every column of the 100 most recent rows of aaa_diagnostics_view, newest first.
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | -- When enabling named columns, comment out the `*` line first; `*` followed by a column without a comma is a syntax error.
6 |
7 | SELECT
8 | * -- all columns
9 | -- timestamp_timezone,
10 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
11 | -- session_id,
12 | -- ise_node,
13 | -- username,
14 | -- message_severity,
15 | -- message_code,
16 | -- message_text,
17 | -- category,
18 | -- info
19 | FROM aaa_diagnostics_view
20 | -- ORDER BY timestamp ASC -- first/oldest records
21 | ORDER BY timestamp DESC -- most recent records
22 | FETCH FIRST 100 ROWS ONLY -- limit default number of rows returned for large datasets
23 |
--------------------------------------------------------------------------------
/data/SQL/adapter_status.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- adapter_status
3 | -- Adapter Status Report.
4 | -- Returns every column of adapter_status, oldest logged_at first; no row limit is applied.
5 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
6 | --
7 |
8 | SELECT
9 | * -- all columns
10 | -- logged_at, -- shows the time when the syslog was processed and stored by the Monitoring node
11 | -- status, -- specifies the adapter status
12 | -- id, -- unique database ID
13 | -- adapter_name, -- specifies the adapter name
14 | -- connectivity -- specifies the connectivity (last column in the list: no trailing comma)
15 | FROM adapter_status
16 | ORDER BY
17 | logged_at ASC
18 | -- adapter_name ASC
19 |
--------------------------------------------------------------------------------
/data/SQL/admin_users.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- admin_users
3 | -- Returns every column of the first 10 rows of admin_users; there is no ORDER BY, so which rows come back is not defined.
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | -- NOTE(review): presumably one row per ISE administrator account; check which columns `*` exposes before sharing the output.
6 |
7 | SELECT
8 | * -- all columns
9 | FROM admin_users
10 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/administrator_login_counts.sql:
--------------------------------------------------------------------------------
1 | -- Row count per admin_name in administrator_logins, highest count first.
2 | -- Author: Thomas Howard, thomas@cisco.com
3 | -- License: MIT - https://mit-license.org
4 | -- NOTE: each MAX() is evaluated on its own within the group, so the values in one output row need not come from the same login record.
5 |
6 | SELECT MAX(timestamp), -- latest timestamp seen for this admin_name
7 | MAX(ise_node), -- highest-sorting ise_node value, not necessarily the node of the latest login
8 | admin_name, -- grouping key
9 | COUNT(admin_name) AS count, -- counts every row for the account, whatever the event
10 | -- ip_address, -- not in GROUP BY: wrap in an aggregate before enabling
11 | -- ipv6_address, -- not in GROUP BY: wrap in an aggregate before enabling
12 | -- interface, -- not in GROUP BY: wrap in an aggregate before enabling
13 | MAX(admin_session), -- highest-sorting value, see NOTE above
14 | MAX(event_details) event -- highest-sorting value, see NOTE above
15 | FROM administrator_logins
16 | GROUP BY admin_name
17 | ORDER BY count DESC
18 |
--------------------------------------------------------------------------------
/data/SQL/administrator_logins.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- administrator_logins
3 | -- Returns up to 100 login records for the single account named in the WHERE clause, oldest first.
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | -- * -- all columns
9 | TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
10 | ip_address, -- presumably the address the administrator connected from; confirm against the schema
11 | admin_name, -- administrator account name (filtered in WHERE below)
12 | admin_session, -- [AdminGUI_Session, ?]
13 | CASE WHEN LENGTH(event_details) > 40 THEN SUBSTR(event_details, 1, 39) || '...' ELSE event_details END AS event_details, -- trim messages longer than 40 characters to 39 plus '...'
14 | -- event_details, -- untrimmed alternative to the CASE expression above
15 | event -- last active column: no trailing comma
16 | -- timestamp_timezone, -- presumably the timestamp with time zone; confirm against the schema
17 | -- ise_node, -- presumably the ISE node that logged the event; confirm against the schema
18 | -- ipv6_address, -- presumably the IPv6 counterpart of ip_address; confirm against the schema
19 | -- interface, -- [GUI, ERS]
20 | FROM administrator_logins
21 | WHERE admin_name = 'readonly' -- example filter: replace with the account under review
22 | -- WHERE admin_name = 'iseadamin'
23 | ORDER BY timestamp ASC -- first/oldest records
24 | -- ORDER BY timestamp DESC -- most recent records
25 | FETCH FIRST 100 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/authentications_like_location.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Authentications for Location like example.
3 | -- Returns every column of the 10 most recent radius_authentications rows whose location contains 'All'.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | -- When enabling named columns, comment out the `*` line and leave the last enabled column without a trailing comma.
7 |
8 | SELECT
9 | * -- all columns
10 | -- access_service,
11 | -- audit_session_id,
12 | -- authentication_method,
13 | -- authentication_protocol,
14 | -- authorization_profiles,
15 | -- authorization_rule,
16 | -- calling_station_id,
17 | -- checksum,
18 | -- credential_check,
19 | -- device_name,
20 | -- device_type,
21 | -- endpoint_profile,
22 | -- failed,
23 | -- failure_reason,
24 | -- framed_ip_address,
25 | -- framed_ipv6_address,
26 | -- id,
27 | -- identity_group,
28 | -- identity_store,
29 | -- ise_node,
30 | -- location,
31 | -- mdm_server_name,
32 | -- nas_ip_address,
33 | -- nas_ipv6_address,
34 | -- nas_port_id,
35 | -- nas_port_type,
36 | -- orig_calling_station_id,
37 | -- passed,
38 | -- policy_set_name,
39 | -- posture_status,
40 | -- response_time,
41 | -- security_group,
42 | -- service_type,
43 | -- syslog_message_code,
44 | -- timestamp,
45 | -- timestamp_timezone,
46 | -- user_type,
47 | -- username
48 | FROM radius_authentications
49 | WHERE location LIKE '%All%' -- substring match anywhere in location
50 | -- ORDER BY timestamp ASC -- first/oldest records
51 | ORDER BY timestamp DESC -- most recent records
52 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
53 |
--------------------------------------------------------------------------------
/data/SQL/authorization_profiles.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- ISE Authorization Profiles
3 | -- Returns every column of authorization_profiles; no ORDER BY or row limit is active.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
8 | SELECT
9 | * -- all columns
10 | -- name,
11 | -- description
12 | FROM authorization_profiles
13 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/change_configuration_audit.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- ISE Reports > Audit > Change Configuration Audit Report
3 | -- Returns the configuration changes recorded in the last day, oldest first; no row limit is active.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | -- NOTE: the time window is measured from sysdate, i.e. the database server's clock.
7 |
8 | SELECT
9 | timestamp , -- Time when record added (TIMESTAMP(6))
10 | admin_name , -- Name of the admin who made config change
11 | details , -- Details of the event
12 | event , -- Config change done
13 | failure_flag , -- Failure flag
14 | host_id , -- Hostname of ISE node on which change is done
15 | id , -- Database unique ID
16 | interface , -- Interface used for login GUI/CLI
17 | ise_node , -- Hostname of ISE node
18 | applied_to_acs_instance, -- ISE nodes to which change is applied
19 | local_mode , -- Local mode
20 | message_class , -- Message class
21 | message_code , -- Message code
22 | modified_properties , -- Modified properties
23 | nas_ip_address , -- IP address of NAD
24 | nas_ipv6_address , -- IPV6 address of NAD
25 | operation_message_text , -- Operation details
26 | request_response_type , -- Type of request response
27 | requested_operation , -- Operation done
28 | object_id , -- Object ID
29 | object_name , -- Name of object for which config is changed
30 | object_type -- Type of object for which config is changed (last active column: no trailing comma)
31 | -- timestamp_timezone -- Time with timezone when record added (⚠ TIMESTAMP(6)+TZ)
32 | FROM change_configuration_audit
33 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
34 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
35 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
36 | WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days; keep exactly one WHERE line enabled
37 | ORDER BY timestamp ASC -- first/oldest records
38 | -- ORDER BY timestamp DESC -- most recent records
39 | -- FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/compliance_counts_by_username.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- From the ISE Data Connect Guides' Posture Examples
3 | -- https://developer.cisco.com/docs/dataconnect/guides/#radius-authentication-summary
4 | -- Posture > Number of times a user becomes compliant and non-compliant
5 | -- Output: one row per username with one count column per status listed in the PIVOT; rows with any other posture_status add to neither count.
6 |
7 | SELECT
8 | * -- all columns
9 | FROM (
10 | SELECT username,
11 | posture_status
12 | FROM posture_assessment_by_endpoint
13 | ) pivot (
14 | count(posture_status) for posture_status in ('Compliant', 'NonCompliant') -- statuses must match these literals exactly
15 | );
--------------------------------------------------------------------------------
/data/SQL/compliant_endpoints_per_day.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Compliant Endpoints per Day
3 | -- NOTE(review): as written this counts distinct usernames per day across every posture_status; the 'Compliant' filter below is commented out.
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | -- The commented columns are a reference list: this is a GROUP BY query, so enabling one also means aggregating it or adding it to GROUP BY.
6 |
7 | SELECT
8 | -- *
9 | TO_CHAR(timestamp, 'YYYY-MM-DD') AS day, -- date only
10 | COUNT(DISTINCT username) AS count -- distinct usernames that day, not distinct endpoint MAC addresses
11 | -- am_installed, -- anti-malware installed on the endpoint
12 | -- anti_spyware_installed, -- installed anti-spyware
13 | -- anti_virus_installed, -- installed anti-virus
14 | -- endpoint_mac_address, -- mac address of the endpoint
15 | -- endpoint_operating_system, -- operating system of the endpoint
16 | -- failure_reason, -- reason for failure
17 | -- feed_url, -- update feed url
18 | -- id, -- number: database unique id
19 | -- ip_address, -- ip address of the endpoint
20 | -- ise_node, -- hostname of ise node
21 | -- message_code, -- message code of the posture syslog
22 | -- message_text, -- message text
23 | -- nad_location, -- location of nad
24 | -- num_of_updates, -- number: number of updates
25 | -- posture_agent_version, -- version of the posture agent
26 | -- posture_policy_matched, -- posture policy matched
27 | -- posture_report, -- clob: posture report
28 | -- posture_status, -- posture status i.e. pending, compliant, non-compliant etc
29 | -- pra_action, -- periodic reassessment action configured
30 | -- pra_enforcement_flag, -- number: status of periodic reassessment enforcement
31 | -- pra_grace_time, -- periodic reassessment grace time configured
32 | -- pra_interval, -- number: periodic reassessment interval configured
33 | -- request_time, -- request time
34 | -- response_time, -- response time
35 | -- session_id, -- session id
36 | -- system_domain, -- domain name of the endpoint
37 | -- system_name, -- hostname of the endpoint
38 | -- system_user_domain, -- system user domain
39 | -- system_user, -- system user
40 | -- timestamp, -- time when record added
41 | -- timestamp_timezone, -- timestamp(6) with time zone: time with timezone when record added
42 | -- user_agreement_status, -- status of the user agreement
43 | -- username -- username
44 | FROM posture_assessment_by_endpoint
45 | -- WHERE posture_status = 'Compliant' -- enable to restrict the count to compliant assessments
46 | GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD')
47 | ORDER BY day DESC
--------------------------------------------------------------------------------
/data/SQL/dc_table_columns.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Shows all columns definitions in the specified ISE Data Connect table.
3 | -- This is similar to doing a `SELECT * FROM {table_name}`
4 | -- NOTE(review): the filter matches on table_name only; if more than one owner exposes that name, rows for each are returned (enable `owner` to tell them apart).
5 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
6 | --
7 | -- Author: Thomas Howard, thomas@cisco.com
8 | -- License: MIT - https://mit-license.org
9 | --
10 |
11 | SELECT
12 | -- * -- all columns
13 | table_name, -- matches the WHERE filter below
14 | column_name, --
15 | data_type, --
16 | data_length, --
17 | char_length, --
18 | -- data_default, -- empty
19 | -- avg_col_len, -- empty
20 | -- char_col_decl_length, --
21 | -- char_used, --
22 | -- character_set_name, --
23 | -- collation, --
24 | -- column_id, --
25 | -- data_precision, --
26 | -- data_scale, --
27 | -- data_type_mod, --
28 | -- data_type_owner, --
29 | -- data_upgraded, --
30 | -- default_length, --
31 | -- default_on_null, --
32 | -- density, -- empty
33 | -- evaluation_edition, --
34 | -- global_stats, -- 'NO'
35 | -- high_value, --
36 | -- histogram, -- 'NONE'
37 | -- identity_column, -- 'NO'
38 | -- last_analyzed, --
39 | -- low_value, -- empty
40 | -- num_buckets, --
41 | -- num_distinct, -- empty
42 | -- num_nulls, -- empty
43 | -- owner, --
44 | -- sample_size, -- empty
45 | -- unusable_before, --
46 | -- unusable_beginning, --
47 | -- user_stats, --
48 | -- v80_fmt_image, --
49 | nullable -- last active column: no trailing comma
50 | FROM all_tab_columns
51 | WHERE table_name = UPPER('radius_authentications') -- ⚠ must be uppercase to match table name
52 | ORDER BY
53 | table_name ASC,
54 | column_name ASC
--------------------------------------------------------------------------------
/data/SQL/dc_tables.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Lists all available table views in ISE Data Connect
3 | -- Returns each distinct table_name found in all_tab_columns, i.e. every table or view whose columns the connected user can see.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
8 | SELECT DISTINCT table_name
9 | FROM all_tab_columns
10 | ORDER BY table_name
--------------------------------------------------------------------------------
/data/SQL/dc_views.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Lists all available table views in ISE Data Connect
3 | -- Returns view_name from user_views (the views owned by the connected user), sorted by name.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
8 | SELECT view_name
9 | FROM user_views
10 | ORDER BY view_name ASC
--------------------------------------------------------------------------------
/data/SQL/devices_last_auth.sql:
--------------------------------------------------------------------------------
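1 | --
2 | -- Show the last RADIUS authentication per network device.
3 | -- Optionally filter for >N days or more.
4 | -- Detail columns use KEEP (DENSE_RANK LAST ORDER BY timestamp) so they are taken from each device's latest row(s) instead of being independent per-column maxima.
5 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
6 | --
7 | -- Author: Thomas Howard, thomas@cisco.com
8 | -- License: MIT - https://mit-license.org
9 | -- The commented-out MAX(...) columns are still plain per-column maxima; add the same KEEP clause when enabling one.
10 |
11 | SELECT
12 | CAST(MAX(timestamp) AS DATE) AS last_auth, -- drop fractional seconds
13 | ROUND(CAST(SYSTIMESTAMP AS DATE) - CAST(MAX(timestamp) AS DATE), 2) AS inactive_days, -- days since last_auth, 2 decimals
14 | nas_ip_address AS nas_ip_address, -- grouping key
15 | device_name AS device_name, -- grouping key
16 | -- MAX(nas_ip_address) AS nas_ip_address, --
17 | -- MAX(location) AS location, --
18 | MAX(calling_station_id) KEEP (DENSE_RANK LAST ORDER BY timestamp NULLS FIRST) AS mac, -- from the latest row
19 | MAX(username) KEEP (DENSE_RANK LAST ORDER BY timestamp NULLS FIRST) AS username, -- from the latest row
20 | MAX(endpoint_profile) KEEP (DENSE_RANK LAST ORDER BY timestamp NULLS FIRST) AS endpoint_profile, -- from the latest row
21 | MAX(security_group) KEEP (DENSE_RANK LAST ORDER BY timestamp NULLS FIRST) AS SGT, -- ⚠ Blank for failed auths!
22 | -- MAX(access_service) AS access_service, -- Allowed Protocols
23 | -- MAX(audit_session_id) AS audit_session_id, --
24 | MAX(authentication_method) KEEP (DENSE_RANK LAST ORDER BY timestamp NULLS FIRST) AS auth_method, -- from the latest row
25 | -- MAX(authentication_protocol) AS auth_protocol, --
26 | -- MAX(authorization_profiles) AS authz_profiles, -- ⚠ Blank for failed auths!
27 | -- MAX(authorization_rule) AS authz_rule, -- ⚠ Blank for failed auths!
28 | -- MAX(checksum) AS checksum, --
29 | -- MAX(credential_check) AS credential_check, --
30 | -- MAX(device_type) AS device_type, --
31 | -- MAX(framed_ip_address) AS ipv4, --
32 | -- MAX(failure_reason) AS failure_reason --
33 | -- MAX(failed) AS failed, --
34 | -- MAX(framed_ipv6_address) AS ipv6, --
35 | -- MAX(id) AS id, --
36 | -- MAX(identity_group) AS identity_group, --
37 | -- MAX(identity_store) AS identity_store, --
38 | -- MAX(ise_node) AS ise_node, --
39 | -- MAX(mdm_server_name) AS mdm_server_name, --
40 | -- MAX(nas_ipv6_address) AS nas_ipv6_address, --
41 | -- MAX(nas_port_id) AS nas_port_id, -- Physical port number of the NAS (Network Access Server) originating the request
42 | -- MAX(nas_port_type) AS nas_port_type, --
43 | -- MAX(orig_calling_station_id) AS orig_calling_station_id, --
44 | -- MAX(policy_set_name) AS policy_set_name, -- Default, Wired, etc.
45 | -- MAX(posture_status) AS posture_status, --
46 | -- MAX(response_time) AS response_time, -- ⚠ Blank for failed auths!
47 | -- MAX(service_type) AS service_type, --
48 | -- MAX(syslog_message_code) AS syslog_message_code, --
49 | -- MAX(timestamp_timezone) AS timestamp_tz, --
50 | -- MAX(user_type) AS user_type, --
51 | MAX(passed) KEEP (DENSE_RANK LAST ORDER BY timestamp NULLS FIRST) AS passed -- result of the latest auth; 'Fail' for username='INVALID'
52 | FROM radius_authentications
53 | GROUP BY nas_ip_address, device_name
54 | -- HAVING MAX(timestamp) < (sysdate - INTERVAL '30' DAY) -- Last seen >30 days ago
55 | ORDER BY last_auth ASC -- first/oldest records
56 | -- ORDER BY last_auth DESC -- most recent records
57 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets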
58 |
--------------------------------------------------------------------------------
/data/SQL/endpoint_identity_groups.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- endpoint_identity_groups
3 | -- Returns every column of endpoint_identity_groups, sorted by name; no row limit is applied.
4 |
5 | SELECT
6 | * -- all columns
7 | -- id, -- database unique id
8 | -- name, -- name
9 | -- description, -- description
10 | -- created_by, -- username
11 | -- create_time, -- created TIMESTAMP(6)
12 | -- update_time, -- updated TIMESTAMP(6)
13 | -- status -- Active/Inactive
14 | FROM endpoint_identity_groups --
15 | ORDER BY name ASC
16 |
--------------------------------------------------------------------------------
/data/SQL/endpoint_purge_view.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- endpoint_purge_view
3 | -- Show the history of endpoints purge activities.
4 | -- Returns every column, ordered by endpoint_purge_id (ascending by default); no row limit is applied.
5 |
6 | SELECT
7 | * -- all columns
8 | -- id, -- database unique ID
9 | -- endpoint_purge_id, -- endpoint purge ID ??
10 | -- run_time, -- presumably when the purge ran; confirm against the schema
11 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- time when record added; drop fractional seconds
12 | -- profiler_server, -- profiler server
13 | -- endpoint_purge_rule, -- endpoint purge rule
14 | -- endpoint_count -- number of endpoints purged
15 | FROM endpoint_purge_view
16 | ORDER BY endpoint_purge_id
17 |
--------------------------------------------------------------------------------
/data/SQL/endpoints.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Show all endpoints with added feature columns for random MAC, endpoint age, and activity.
3 | -- `random` flags MAC addresses whose second hex digit is 2, 6, A or E (the locally administered bit).
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | -- NOTE(review): that bit is also set on some non-randomized addresses, so treat `random` as a hint rather than proof.
7 |
8 | SELECT
9 | mac_address, -- endpoint MAC address
10 | CASE WHEN REGEXP_LIKE(mac_address, '^.[26AE].*', 'i') THEN SUBSTR(mac_address, 2, 1) ELSE ' ' END AS random, -- the second hex digit when it is 2/6/A/E, else a blank
11 | -- CASE WHEN REGEXP_LIKE(mac_address, '^.[26AE].*', 'i') THEN '✔' ELSE ' ' END AS random, -- alternative indicator: ✔ instead of the digit
12 | CAST(create_time AS DATE) AS created, -- ⚠ cast to DATE because TIMESTAMP_TIMEZONE not supported in OracleDB's thin mode
13 | CAST(update_time AS DATE) AS updated, -- ⚠ cast to DATE because TIMESTAMP_TIMEZONE not supported in OracleDB's thin mode
14 | ROUND(CAST(SYSTIMESTAMP AS DATE) - CAST(update_time AS DATE), 2) AS inactive_days, -- days since update_time, 2 decimals
15 | ROUND(CAST(SYSTIMESTAMP AS DATE) - CAST(create_time AS DATE), 2) AS age_days, -- days since create_time, 2 decimals
16 | -- floor(12345678/86400) || 'd ' || to_char(to_date(mod (12345678,86400) ,'sssss'),'hh24"h" mi"m" ss"s"') AS dhms,
17 | -- TO_CHAR(TO_DATE( MOD( CAST(SYSTIMESTAMP AS DATE) - CAST(create_time AS DATE), 86400 ), 'sssss'), 'HH24') as dhms,
18 | -- TO_CHAR(TO_DATE( MOD( CAST(SYSTIMESTAMP AS DATE) - CAST(create_time AS DATE), 86400 ) ,'sssss'),'HH24"h" MI"m" SS"s"') as dhms,
19 | -- TO_CHAR(TO_DATE((CAST(SYSTIMESTAMP AS DATE) - CAST(create_time AS DATE)) * 86400, 'ssssss'), 'HH24:MI:SS') AS dhms, -- seconds
20 | endpoint_ip, -- the IP address of the endpoint
21 | endpoint_policy, -- ⚡ endpoint profile classification
22 | matched_value AS cf, -- ⚡ Matched Certainty Factor (CF)
23 | static_assignment AS is_static, -- ⚡ the endpoint static assignment status
24 | static_group_assignment AS static_group, -- ⚡ endpoint statically assigned to user ID group
25 | -- custom_attributes, -- ⧗ the custom attributes; 🐞 UUIDs instead of attribute names and no separators
26 | -- hostname, -- ⚡ DNS hostname of the endpoint, if any
27 | -- auth_store_id, -- ⧗ the auth store ID; Always blank? --
28 | -- byod_reg, -- ⧗ the BYOD Registration status 🐞 byod_reg or byod_registered?
29 | -- device_registrations_status, -- ⧗ if device is registered
30 | -- endpoint_id, -- ⧗ the EPID of the endpoint, Example: epid:420686389928259584
31 | -- endpoint_policy_id, -- ⧗ the unique ID of the endpoint policy used
32 | -- endpoint_policy_version, -- ⧗ The version of endpoint policy used
33 | -- endpoint_unique_id, -- ⧗ Endpoint unique ID. What is special about this?
34 | -- hostname, -- the hostname of the endpoint (same column as the hostname entry above; enable only one)
35 | -- id, -- Database unique ID
36 | -- identity_group_id, -- ⚡ unique ID of UserIdentityGroup of the endpoint
37 | -- matched_policy_id, -- ⚡ the ID of profiling used
38 | -- native_udid, -- ⧗ Endpoint native UDID
39 | -- nmap_subnet_scanid, -- ⧗ NMAP subnet scan ID of endpoints
40 | -- phone_id_type, -- ⚡ Endpoint phone ID type
41 | -- phone_id, -- ⚡ Endpoint phone ID
42 | -- portal_user, -- ⚡ the portal user
43 | -- posture_applicable, -- ⚡ if Posture is Applicable
44 | -- posture_expiry, -- ⧗ the posture expiry
45 | -- probe_data, -- ⧗ All the probe data acquired during profiling. ⚠ Error: 'utf-8' codec can't decode byte 0xbb in position 1260: invalid start byte
46 | -- profile_server, -- ⧗ the ISE node that profiled the endpoint
47 | -- reg_timestamp, -- ⧗ the registered timestamp; 0 if not registered?
48 | -- unique_subject_id, -- ⚡ Endpoint subject ID
49 | version
50 | FROM endpoints_data
51 | -- ORDER BY created ASC
52 | -- ORDER BY mac_address ASC
53 | -- ORDER BY inactive_days DESC
54 | ORDER BY updated DESC
55 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
56 |
--------------------------------------------------------------------------------
/data/SQL/endpoints_data.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- endpoints_data
3 | -- Returns the first 10 rows of endpoints_data with the columns listed explicitly; no ORDER BY is active, so which 10 rows come back is not defined.
4 |
5 | SELECT
6 | mac_address,
7 | CAST(create_time AS TIMESTAMP) AS create_time, -- ⚠ cast to TIMESTAMP because TIMESTAMP_TIMEZONE not supported in OracleDB's thin mode
8 | CAST(update_time AS TIMESTAMP) AS update_time, -- ⚠ cast to TIMESTAMP because TIMESTAMP_TIMEZONE not supported in OracleDB's thin mode
9 | mac_address, -- endpoint MAC address; NOTE(review): already selected on line 6, so the result carries two mac_address columns
10 | endpoint_ip, -- the IP address of the endpoint
11 | endpoint_policy, -- ⚡ endpoint profile classification
12 | matched_value AS cf, -- ⚡ Matched Certainty Factor (CF)
13 | static_assignment AS is_static, -- ⚡ the endpoint static assignment status
14 | static_group_assignment AS static_group, -- ⚡ endpoint statically assigned to user ID group
15 | custom_attributes, -- ⧗ the custom attributes; 🐞 UUIDs instead of attribute names and no separators
16 | hostname, -- ⚡ DNS hostname of the endpoint, if any
17 | auth_store_id, -- ⧗ the auth store ID; Always blank? --
18 | byod_reg, -- ⧗ the BYOD Registration status 🐞 byod_reg or byod_registered?
19 | device_registrations_status, -- ⧗ if device is registered
20 | endpoint_id, -- ⧗ the EPID of the endpoint, Example: epid:420686389928259584
21 | endpoint_policy_id, -- ⧗ the unique ID of the endpoint policy used
22 | endpoint_policy_version, -- ⧗ The version of endpoint policy used
23 | endpoint_unique_id,-- ⧗ Endpoint unique ID. What is special about this?
24 | hostname, -- the hostname of the endpoint; NOTE(review): already selected on line 16, so the result carries two hostname columns
25 | id, -- Database unique ID
26 | identity_group_id, -- ⚡ unique ID of UserIdentityGroup of the endpoint
27 | matched_policy_id, -- ⚡ the ID of profiling used
28 | native_udid, -- ⧗ Endpoint native UDID
29 | nmap_subnet_scanid, -- ⧗ NMAP subnet scan ID of endpoints
30 | phone_id_type, -- ⚡ Endpoint phone ID type
31 | phone_id, -- ⚡ Endpoint phone ID
32 | portal_user, -- ⚡ the portal user
33 | posture_applicable, -- ⚡ if Posture is Applicable
34 | posture_expiry, -- ⧗ the posture expiry
35 | -- probe_data, -- ⧗ All the probe data acquired during profiling. ⚠ Error: 'utf-8' codec can't decode byte 0xbb in position 1260: invalid start byte
36 | profile_server, -- ⧗ the ISE node that profiled the endpoint
37 | reg_timestamp, -- ⧗ the registered timestamp; 0 if not registered?
38 | unique_subject_id, -- ⚡ Endpoint subject ID
39 | version
40 | FROM endpoints_data
41 | -- ORDER BY create_time ASC
42 | -- ORDER BY mac_address ASC
43 | -- ORDER BY update_time DESC
44 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
45 |
--------------------------------------------------------------------------------
/data/SQL/endpoints_last_auth.sql:
--------------------------------------------------------------------------------
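1 | --
2 | -- Show the last RADIUS authentication per endpoint.
3 | -- Includes random MAC detection (2nd digit is 26AE).
4 | -- Optionally filter for >N days or more.
5 | -- Ideally you would use the `endpoints_data` table's `update_time` field but the `TIMESTAMP(6)+TZ` data type cannot be read by an oracledb thin client.
6 | -- Every attribute is taken from the endpoint's newest record with `KEEP (DENSE_RANK LAST ORDER BY timestamp)`. A plain `MAX(column)` picks the greatest value of each column independently, so one output row could combine a username, SGT and pass/fail result from different authentications.
7 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
8 | --
9 | -- Author: Thomas Howard, thomas@cisco.com
10 | -- License: MIT - https://mit-license.org
11 | --
12 |
13 | SELECT
14 | calling_station_id AS mac, -- group key: one row per calling station ID
15 | MAX(CASE WHEN REGEXP_LIKE(calling_station_id, '^.[26AE].*', 'i') THEN '✔' END) AS random, -- Indicator: ✔ (depends only on the group key, so MAX is safe here)
16 | -- MAX(CASE WHEN REGEXP_LIKE(calling_station_id, '^.[26AE].*', 'i') THEN '✔' ELSE '✖' END) AS random, -- Indicator: ✔|✖
17 | -- MAX(CASE WHEN REGEXP_LIKE(calling_station_id, '^.[26AE].*', 'i') THEN SUBSTR(calling_station_id, 2, 1) END) AS random, -- Indicator: 2|6|A|E
18 | TO_CHAR(MAX(timestamp), 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- newest record's time; drop fractional seconds
19 | MAX(location) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS location, --
20 | MAX(username) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS username, --
21 | MAX(endpoint_profile) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS endpoint_profile, --
22 | MAX(security_group) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS SGT, -- ⚠ Blank for failed auths!
23 | MAX(device_name) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS device_name, --
24 | MAX(framed_ip_address) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS ipv4, --
25 | MAX(passed) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS passed -- 'Fail' for username='INVALID'
26 | -- MAX(failure_reason) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS failure_reason --
27 | -- MAX(access_service) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS access_service, -- Allowed Protocols
28 | -- MAX(audit_session_id) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS audit_session_id, --
29 | -- MAX(authentication_method) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS auth_method, --
30 | -- MAX(authentication_protocol) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS auth_protocol, --
31 | -- MAX(authorization_profiles) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS authz_profiles, -- ⚠ Blank for failed auths!
32 | -- MAX(authorization_rule) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS authz_rule, -- ⚠ Blank for failed auths!
33 | -- MAX(checksum) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS checksum, --
34 | -- MAX(credential_check) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS credential_check, --
35 | -- MAX(device_type) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS device_type, --
36 | -- MAX(failed) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS failed, --
37 | -- MAX(framed_ipv6_address) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS ipv6, --
38 | -- MAX(id) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS id, --
39 | -- MAX(identity_group) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS identity_group, --
40 | -- MAX(identity_store) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS identity_store, --
41 | -- MAX(ise_node) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS ise_node, --
42 | -- MAX(mdm_server_name) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS mdm_server_name, --
43 | -- MAX(nas_ip_address) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS nas_ip_address, --
44 | -- MAX(nas_ipv6_address) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS nas_ipv6_address, --
45 | -- MAX(nas_port_id) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS nas_port_id, -- Physical port number of the NAS (Network Access Server) originating the request
46 | -- MAX(nas_port_type) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS nas_port_type, --
47 | -- MAX(orig_calling_station_id) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS orig_calling_station_id, --
48 | -- MAX(policy_set_name) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS policy_set_name, -- Default, Wired, etc.
49 | -- MAX(posture_status) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS posture_status, --
50 | -- MAX(response_time) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS response_time, -- ⚠ Blank for failed auths!
51 | -- MAX(service_type) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS service_type, --
52 | -- MAX(syslog_message_code) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS syslog_message_code, --
53 | -- MAX(timestamp_timezone) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS timestamp_tz, --
54 | -- MAX(user_type) KEEP (DENSE_RANK LAST ORDER BY timestamp) AS user_type, --
55 | FROM radius_authentications
56 | GROUP BY calling_station_id
57 | -- HAVING MAX(timestamp) < (sysdate - INTERVAL '30' DAY) -- Last seen >30 days ago
58 | ORDER BY timestamp ASC -- first/oldest records
59 | -- ORDER BY timestamp DESC -- most recent records
60 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets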
61 |
--------------------------------------------------------------------------------
/data/SQL/endpoints_profile_unknown.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- ISE Endpoints with an 'Unknown' endpoint profile.
3 | -- The `random` column marks locally administered MAC addresses (2nd hex digit 2, 6, A or E), the pattern randomized/private MACs use.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
8 | SELECT
9 | mac_address, -- MAC address of the endpoint
10 | -- CASE WHEN REGEXP_LIKE(mac_address, '^.[26AE].*', 'i') THEN SUBSTR(mac_address, 2, 1) ELSE ' ' END AS random, -- random MAC feature column: 2|6|A|E or blank
11 | CASE WHEN REGEXP_LIKE(mac_address, '^.[26AE].*', 'i') THEN '✔' END AS random, -- Indicator: ✔ (NULL when the 2nd digit is not 2/6/A/E)
12 | -- endpoint_ip, -- the IP address of the endpoint
13 | endpoint_policy, -- matched endpoint profiling policy
14 | matched_value AS cf, -- Matched Certainty Factor (CF)
15 | CAST(create_time AS TIMESTAMP) AS create_time, -- time when record added ⚠ (TIMESTAMP(6)+TZ)
16 | CAST(update_time AS TIMESTAMP) AS update_time, -- time when record last updated ⚠ (TIMESTAMP(6)+TZ)
17 | -- auth_store_id, -- the auth store ID
18 | -- byod_reg, -- the BYOD Registration status
19 | -- custom_attributes, -- the custom attributes
20 | -- device_registrations_status, -- if device is registered
21 | -- endpoint_id, -- the EPID of the endpoint
22 | -- endpoint_policy_id, -- the unique ID of the endpoint policy used
23 | -- endpoint_policy_version, -- The version of endpoint policy used
24 | -- endpoint_unique_id, -- Endpoint unique ID. What is special about this?
25 | -- hostname, -- the hostname of the endpoint
26 | -- id, -- Database unique ID
27 | -- identity_group_id, -- unique ID of UserIdentityGroup of the endpoint
28 | -- matched_policy_id, -- the ID of profiling used
29 | -- mdm_guid, -- Endpoint MDM GUID
30 | -- mdm_server_id, -- Endpoint MDM server ID
31 | -- native_udid, -- Endpoint native UDID
32 | -- nmap_subnet_scanid, -- NMAP subnet scan ID of endpoints
33 | -- phone_id_type, -- Endpoint phone ID type
34 | -- phone_id, -- Endpoint phone ID
35 | -- portal_user, -- the portal user
36 | -- posture_applicable, -- if Posture is Applicable
37 | -- posture_expiry, -- the posture expiry
38 | -- probe_data, -- all the probe data acquired during profiling. Error: 'utf-8' codec can't decode byte
39 | -- profile_server, -- the ISE node that profiled the endpoint
40 | -- reg_timestamp, -- the registered timestamp
41 | -- static_assignment AS is_static, -- the endpoint static assignment status
42 | -- static_group_assignment AS static_group, -- endpoint statically assigned to user ID group
43 | -- unique_subject_id, -- Endpoint subject ID
44 | -- update_time, -- Time when record last updated. Used to calculate `InactiveDays` 🛑 (TIMESTAMP(6)+TZ)
45 | version AS ver -- the version
46 | FROM endpoints_data
47 | WHERE endpoint_policy = 'Unknown'
48 | ORDER BY create_time ASC
49 | -- ORDER BY mac_address ASC
50 |
--------------------------------------------------------------------------------
/data/SQL/endpoints_random.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- endpoints_random
3 | -- Collection of all data related to endpoints in ISE.
4 | -- The `random` column tests for a locally administered MAC address (2nd hex digit 2, 6, A or E). Randomized/private MACs match, and so does any other locally administered address.
5 | -- ⚡ Attributes updated in real time
6 | -- ⧗ The other attributes will be synchronized with a delay of up to 12 hours.
7 | --
8 |
9 | SELECT
10 | TO_CHAR(create_time, 'YYYY-MM-DD HH24:MI:SS') AS created, -- time when record added; drop fractional seconds
11 | mac_address, -- endpoint MAC address
12 | CASE WHEN REGEXP_LIKE(mac_address, '^.[26AE].*', 'i') THEN SUBSTR(mac_address, 2, 1) ELSE '✕' END AS random, -- random MAC feature column: the matching 2nd digit (2|6|A|E), else ✕
13 | -- create_time, -- ⚠ not supported in thin mode
14 | -- update_time, -- ⚠ not supported in thin mode
15 | endpoint_ip, -- the IP address of the endpoint
16 | endpoint_policy, -- ⚡ endpoint profile classification
17 | matched_value, -- ⚡ Matched Certainty Factor (CF)
18 | -- custom_attributes, -- the custom attributes; 🐞 UUIDs instead of attribute names and no separators
19 | -- hostname, -- ⚡ DNS hostname of the endpoint, if any
20 | static_assignment AS is_static, -- ⚡ the endpoint static assignment status
21 | static_group_assignment AS static_group, -- ⚡ endpoint statically assigned to user ID group
22 | -- anomalous_behaviour, -- ⚡
23 | -- aup_accepted, -- ⚡
24 | -- auth_store_id, -- ⧗ the auth store ID; Always blank? --
25 | -- byod_reg, -- ⧗ the BYOD Registration status 🐞 byod_reg or byod_registered?
26 | -- byod_registered, -- ⚡ the BYOD Registration status
27 | -- device_identifier, -- ⚡
28 | -- device_reg_status, -- ⚡ 🐞 device_reg_status or device_registrations_status?
29 | -- device_registrations_status, -- ⧗ if device is registered
30 | -- endpoint_id, -- ⧗ the EPID of the endpoint, Example: epid:420686389928259584
31 | -- endpoint_policy_id, -- ⧗ the unique ID of the endpoint policy used
32 | -- endpoint_policy_version, -- ⧗ The version of endpoint policy used
33 | -- endpoint_unique_id,-- ⧗-- Endpoint unique ID. What is special about this?
34 | -- epid, -- ⚡
35 | -- host_name, -- ⚡ 🐞 hostname or host_name?
36 | -- hostname, -- the hostname of the endpoint
37 | -- id, -- Database unique ID
38 | -- identity_group_id, -- ⚡ unique ID of UserIdentityGroup of the endpoint
39 | -- last_aup_accepted_timestamp, -- ⚡
40 | -- matched_policy_id, -- ⚡ the ID of profiling used
41 | -- mdm_compliant_failure_reason, -- ⚡
42 | -- mdm_compliant, -- ⚡
43 | -- mdm_diskencrypted, -- ⚡
44 | -- mdm_enrolled, -- ⚡
45 | -- mdm_guid, -- ⚡ Endpoint MDM GUID
46 | -- mdm_jailbroken, -- ⚡
47 | -- mdm_lastcheckin_timestamp, -- ⚡
48 | -- mdm_manufacturer, -- ⚡
49 | -- mdm_model, -- ⚡
50 | -- mdm_os_version, -- ⚡
51 | -- mdm_phone_num, -- ⚡
52 | -- mdm_pinlockset, -- ⚡
53 | -- mdm_provider, -- ⚡
54 | -- mdm_serial_num, -- ⚡
55 | -- mdm_server_id, -- ⚡ Endpoint MDM server ID
56 | -- mdm_server_name, -- ⚡
57 | -- mdm_serverreachable, -- ⚡
58 | -- mdm_updatetimestamp, -- ⚡
59 | -- mdm_user_notified, -- ⚡
60 | -- mdmimei, -- ⚡ 🐞 mdmimei or mdm_imei ?
61 | -- native_udid, -- ⧗ Endpoint native UDID
62 | -- nmap_subnet_scan_id, -- ⚡ NMAP subnet scan ID of endpoints 🐞 nmap_subnet_scan_id or nmap_subnet_scanid ?
63 | -- nmap_subnet_scanid, -- ⧗ NMAP subnet scan ID of endpoints
64 | -- phone_id_type, -- ⚡ Endpoint phone ID type
65 | -- phone_id, -- ⚡ Endpoint phone ID
66 | -- portal_user, -- ⚡ the portal user
67 | -- posture_applicable, -- ⚡ if Posture is Applicable
68 | -- posture_expiry, -- ⧗ the posture expiry
69 | -- probe_data, -- ⧗ All the probe data acquired during profiling. ⚠ Error: 'utf-8' codec can't decode byte 0xbb in position 1260: invalid start byte
70 | -- profile_server, -- ⧗ the ISE node that profiled the endpoint
71 | -- reg_timestamp, -- ⧗ the registered timestamp; 0 if not registered?
72 | -- unique_subject_id, -- ⚡ Endpoint subject ID
73 | -- update_time, -- ⧗ Time when record last updated. Used to calculate `InactiveDays` 🛑 (TIMESTAMP(6)+TZ)
74 | version -- ⧗ the version
75 | FROM endpoints_data
76 | -- WHERE REGEXP_LIKE(mac_address, '^.[26AE].*', 'i') -- random MACs only
77 | ORDER BY mac_address ASC
78 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
79 |
--------------------------------------------------------------------------------
/data/SQL/failure_code_cause.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- failure_code_cause: every failure code with its cause, ordered by failure code.
3 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
4 | -- The commented CASE variants shorten long values and append '...'; enable one in place of the plain column, not alongside it.
5 |
6 | SELECT
7 | -- * -- all columns
8 | failure_code, -- the failure code
9 | -- CASE WHEN LENGTH(failure_code) > 50 THEN SUBSTR(failure_code, 1, 49) || '...' ELSE failure_code END AS failure_code, -- trim verbose messages
10 | failure_cause -- the failure cause
11 | -- CASE WHEN LENGTH(failure_cause) > 60 THEN SUBSTR(failure_cause, 1, 59) || '...' ELSE failure_cause END AS failure_cause -- trim verbose messages
12 |
13 | FROM failure_code_cause
14 | ORDER BY failure_code ASC
15 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
16 |
--------------------------------------------------------------------------------
/data/SQL/guest_accounting.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- guest_accounting: the 10 oldest guest accounting records by `logged_at`, all columns.
3 | --
4 |
5 | SELECT
6 | * -- all columns; comment this out when enabling the named columns below
7 | -- logged_at,
8 | -- identity,
9 | -- time_spent,
10 | -- logged_in,
11 | -- logged_out,
12 | -- endpoint_id,
13 | -- ip_address,
14 | FROM guest_accounting
15 | ORDER BY logged_at ASC
16 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/guest_devicelogin_audit.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- guest_devicelogin_audit: 10 rows from the table, all columns.
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | FROM guest_devicelogin_audit
10 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets; with no ORDER BY, which 10 rows come back is not defined
11 |
--------------------------------------------------------------------------------
/data/SQL/guest_sponsor_login_and_audit.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- ISE Reports > Audit > Sponsor Login and Audit
3 | -- Returns the 10 oldest rows of `sponsor_login_and_audit` by `timestamp`, all columns.
4 |
5 | SELECT
6 | * -- all columns; comment this out when enabling the named columns below
7 | -- id, -- database unique ID
8 | -- timestamp_timezone, -- TIMESTAMP(6) WITH TIME ZONE Time with timezone when record added
9 | -- timestamp, -- TIMESTAMP(6) Time when record added
10 | -- sponser_user_namE, -- User name of sponsor
11 | -- ip_address, -- IP address
12 | -- mac_address, -- MAC address
13 | -- portal_name, -- Portal name
14 | -- result, -- Result
15 | -- identity_store, -- Identity store
16 | -- operation, -- Operation
17 | -- guest_username, -- User name of guest
18 | -- guest_status, -- Status of guest
19 | -- failure_reason, -- Reason of failure
20 | -- optional_data, -- Optional data
21 | -- psn_hostname, -- Hostname of PSN
22 | -- user_details, -- Details of user
23 | -- guest_details, -- Details of guest
24 | -- guest_users, -- Guest users
25 | FROM sponsor_login_and_audit
26 | ORDER BY timestamp ASC
27 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
28 |
--------------------------------------------------------------------------------
/data/SQL/key_performance_metrics.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- key_performance_metrics
3 | -- Shows details of ISE nodes' key performance metrics (KPM) like average TPS, average load etc.
4 | -- As written it returns the rows logged during the last day, oldest first. Keep exactly one WHERE line active.
5 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
6 | --
7 |
8 | SELECT
9 | * -- all columns
10 | -- avg_latency_per_req, -- average latency per RADIUS request for PSN node
11 | -- avg_load, -- average load for node
12 | -- avg_tps, -- average transactions per second ???
13 | -- ise_node, -- ISE Node
14 | -- logged_time, -- logged timestamp
15 | -- logged_to_mnt_hr, -- requests logged to MNT database for PSN node
16 | -- max_load, -- maximum load for node
17 | -- noise_hr, -- difference between RADIUS requests and logged to MnT per hour ???
18 | -- radius_requests_hr, -- radius requests per hour for PSN node
19 | -- suppression_hr,
20 | FROM key_performance_metrics
21 | -- WHERE logged_time > sysdate - INTERVAL '10' SECOND -- last N seconds
22 | -- WHERE logged_time > sysdate - INTERVAL '1' MINUTE -- last N minutes
23 | -- WHERE logged_time > sysdate - INTERVAL '1' HOUR -- last N hours
24 | WHERE logged_time > sysdate - INTERVAL '1' DAY -- last N days
25 | ORDER BY logged_time ASC -- first/oldest records
26 | -- ORDER BY logged_time DESC -- most recent records
27 |
--------------------------------------------------------------------------------
/data/SQL/logical_profiles.sql:
--------------------------------------------------------------------------------
1 | -- logical_profiles: each logical profile with its assigned policy, description and system type, sorted by profile then policy.
2 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
3 | --
4 |
5 | SELECT
6 | -- * -- all columns
7 | logical_profile, -- name
8 | assigned_policies, -- endpoint profile name
9 | description, --
10 | system_type -- CiscoProvided, etc.
11 | FROM logical_profiles
12 | ORDER BY logical_profile ASC, assigned_policies ASC
13 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/logical_profiles_and_endpoints.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Logical Profiles and Endpoints
3 | -- Lists each endpoint MAC address next to the logical profile whose assigned policy equals the endpoint's profiling policy.
4 | -- Endpoints whose policy belongs to no logical profile are not returned (inner join).
5 | --
6 |
7 | SELECT
8 | lp.logical_profile,
9 | lp.assigned_policies,
10 | ep.mac_address
11 | FROM endpoints_data ep
12 | INNER JOIN logical_profiles lp
13 | ON ep.endpoint_policy = lp.assigned_policies
14 | ORDER BY lp.logical_profile ASC
16 |
--------------------------------------------------------------------------------
/data/SQL/misconfigured_nas_view.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- misconfigured_nas_view: 10 rows from the view, all columns.
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns; comment this out when enabling the named columns below
9 | -- timestamp, -- time when record added
10 | -- calling_station_id, -- calling station id
11 | -- nas_ip_address, -- ip address of nas
12 | -- nas_ipv6_address, -- nas ipv6 address
13 | -- timestamp_timezone, -- time with timezone when record added
14 | -- detail_info, -- displays the detailed info
15 | -- failed_attempts, -- failed attempts
16 | -- failed_times_hours, -- failed times in hours
17 | -- failed_times, -- failed times
18 | -- id, -- database unique id
19 | -- ise_node, -- displays the hostname of the ise server
20 | -- message_code, -- displays the message code
21 | -- message_text, -- displays the message text
22 | -- other_attributes, -- other attributes
23 | FROM misconfigured_nas_view
24 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets; with no ORDER BY, which 10 rows come back is not defined
25 |
--------------------------------------------------------------------------------
/data/SQL/misconfigured_supplicants_view.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- misconfigured_supplicants_view: the 10 most recent rows by `timestamp`, all columns.
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns; comment this out when enabling the named columns below
9 | -- timestamp_timezone, -- time with timezone when record added
10 | -- timestamp, -- time when record added
11 | -- access_service, -- access service
12 | -- audit_session_id, -- unique numeric string identifying the server session
13 | -- authentication_method, -- authentication method
14 | -- authentication_protocol, -- authentication protocol
15 | -- calling_station_id, -- calling station id
16 | -- credential_check, -- credential check
17 | -- device_type, -- device type
18 | -- endpoint_profile, -- endpoint matched profile
19 | -- execution_steps, -- execution steps
20 | -- failed, -- failed flag
21 | -- failure_reason, -- failure reason
22 | -- framed_ip_address, -- framed ip address
23 | -- framed_ipv6_address, -- framed ipv6 address
24 | -- id, -- database unique id
25 | -- identity_group, -- identity group
26 | -- identity_store, -- identity store
27 | -- ise_node, -- displays the hostname of the ise server
28 | -- location, -- location
29 | -- mdm_server_name, -- mdm server name
30 | -- message_code, -- displays the message code
31 | -- message_text, -- displays the message text
32 | -- nas_ip_address, -- ip address of nas
33 | -- nas_ipv6_address, -- nas ipv6 address
34 | -- nas_port_id, -- nas port id
35 | -- nas_port_type, -- nas port type
36 | -- network_device_name, -- network device name
37 | -- other_attributes, -- other attributes
38 | -- passed, -- passed flag
39 | -- posture_status, -- posture status
40 | -- response_time, -- response time
41 | -- response, -- displays the response
42 | -- security_group, -- security group
43 | -- selected_authorization_profiles, -- authorization profile used after authentication
44 | -- service_type, -- the type of service the user has requested
45 | -- user_type, -- user type
46 | -- username, -- user's claimed identity
47 | FROM misconfigured_supplicants_view
48 | -- ORDER BY timestamp ASC
49 | ORDER BY timestamp DESC
50 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
51 |
--------------------------------------------------------------------------------
/data/SQL/network_access_users.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- network_access_users: every row and column of the table (no row limit is active).
3 | -- The columns listed below include names, e-mail address, login times, login source IP addresses and the admin flag; select only the ones a report needs.
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns; comment this out when enabling the named columns below
9 | -- username,
10 | -- status,
11 | -- account_name_alias,
12 | -- alarm_emailable,
13 | -- allow_password_change_after_login,
14 | -- current_successful_login_time,
15 | -- description,
16 | -- email_address,
17 | -- expiry_date_enabled,
18 | -- expiry_date,
19 | -- failed_login_ipaddress,
20 | -- first_name,
21 | -- id,
22 | -- identity_group,
23 | -- is_admin,
24 | -- last_name,
25 | -- last_successful_login_time,
26 | -- last_unsuccessful_login_time,
27 | -- password_last_updated_on,
28 | -- password_never_expires,
29 | -- success_login_ipaddress,
30 | FROM network_access_users
31 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
32 |
--------------------------------------------------------------------------------
/data/SQL/network_device_groups.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- network_device_groups: all rows and columns, sorted by group name.
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns; comment this out when enabling the named columns below
9 | -- id, -- comment
10 | -- name, -- comment
11 | -- description, -- comment
12 | -- created_by, -- comment
13 | -- create_time, -- comment
14 | -- update_time, -- comment
15 | -- active_status -- comment
16 | FROM network_device_groups
17 | ORDER BY name ASC -- alphabetical
18 |
--------------------------------------------------------------------------------
/data/SQL/network_devices.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- network_devices: all rows and columns, sorted by device name.
3 | -- The commented WHERE filters use LIKE, which compares case-sensitively in Oracle by default; match the case stored in `type`. Keep at most one WHERE line active.
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns; comment this out when enabling the named columns below
9 | -- id,
10 | -- name,
11 | -- ip_mask,
12 | -- profile_name,
13 | -- location,
14 | -- type
15 | FROM network_devices
16 | -- WHERE type LIKE '%MX%' -- Meraki MX
17 | -- WHERE type LIKE '%mr%' -- Meraki MR
18 | -- WHERE type LIKE '%ms%' -- Meraki MS
19 | ORDER BY name ASC
20 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
21 |
--------------------------------------------------------------------------------
/data/SQL/node_list.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- node_list table practical view: one row per node with role, status, hardware identifiers and patch level, sorted by hostname.
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | hostname,
9 | node_type,
10 | node_role,
11 | active_status,
12 | pdp_services,
13 | udi_pid, -- presumably the UDI product ID; confirm against the schema
14 | udi_vid, -- presumably the UDI version ID; confirm against the schema
15 | udi_sn, -- presumably the UDI serial number; confirm against the schema
16 | patch_version,
17 | vm_info
18 | -- pic_node,
19 | -- installation_type,
20 | -- gateway,
21 | -- replication_status,
22 | -- host_alias,
23 | -- create_time,
24 | -- update_time,
25 | -- xgrid_enabled,
26 | -- xgrid_peer,
27 | -- udi_pt,
28 | -- api_node
29 | FROM node_list
30 | ORDER BY hostname ASC
31 |
--------------------------------------------------------------------------------
/data/SQL/openapi_operations.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- openapi_operations: the 10 oldest logged API operations, showing who called what, from which client IP, and the result.
3 | -- `request_body` and `response` stay commented out: they hold full JSON payloads, which may be large and may include whatever the caller submitted.
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | -- * -- all columns
9 | logged_at AS timestamp, -- timestamp
10 | -- request_time -- ⚠ TIMESTAMP(6) WITH TIME ZONE not supported in thin mode
11 | administrator, -- username
12 | client_ip,
13 | server, -- ISE PPAN
14 | http_method as method, -- [DELETE, GET, PATCH, PUT, POST]
15 | http_code AS status, -- HTTP numeric status code
16 | http_status, -- ⚠ text, not status code
17 | -- request_body, -- ⚠ may contain JSON and may be very large!
18 | -- request_id,
19 | request_name, -- URL of API endpoint
20 | response_duration AS time, -- milliseconds
21 | error_message AS error,
22 | message_text AS text -- ?
23 | -- response, -- ⚠ contains the JSON response and may be very large!
24 | FROM openapi_operations
25 | ORDER BY timestamp ASC -- first/oldest records
26 | -- ORDER BY timestamp DESC -- most recent records
27 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
28 |
--------------------------------------------------------------------------------
/data/SQL/policy_sets.sql:
--------------------------------------------------------------------------------
1 | -- policy_sets: ID, status, name and description of each policy set, sorted by name.
2 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
3 | --
4 |
5 | SELECT
6 | id, -- Database unique ID
7 | -- create_time, -- ⚠ not supported in thin mode! TIMESTAMP(6) + TIMEZONE Time when record was created
8 | -- update_time, -- ⚠ not supported in thin mode! TIMESTAMP(6) + TIMEZONE Time when record was last updated
9 | policyset_status, -- Specifies if the policy set status is active
10 | policyset_name, -- Specifies the policy set name
11 | description -- Specifies the policy sets description
12 | FROM policy_sets
13 | ORDER BY policyset_name ASC
14 |
--------------------------------------------------------------------------------
/data/SQL/posture_agent_os_status_by_mac.sql:
--------------------------------------------------------------------------------
1 | -- Newest posture assessment per endpoint MAC address: agent version, operating system and posture status.
2 | -- If several records share an endpoint's newest timestamp, each of them is returned.
3 | WITH newest AS (
4 | SELECT endpoint_mac_address,
5 | MAX(timestamp) AS timestamp
6 | FROM posture_assessment_by_endpoint
7 | GROUP BY endpoint_mac_address
8 | )
9 | SELECT pa.posture_agent_version,
10 | pa.endpoint_mac_address,
11 | pa.endpoint_operating_system,
12 | pa.posture_status
13 | FROM posture_assessment_by_endpoint pa
14 | INNER JOIN newest
15 | ON pa.endpoint_mac_address = newest.endpoint_mac_address
16 | AND pa.timestamp = newest.timestamp
17 | ORDER BY pa.posture_agent_version
--------------------------------------------------------------------------------
/data/SQL/posture_agent_versions.sql:
--------------------------------------------------------------------------------
1 | -- Distinct (posture agent version, endpoint MAC address) pairs, sorted by agent version.
2 | -- Rows missing either value are left out.
3 | SELECT DISTINCT
4 | posture_agent_version,
5 | endpoint_mac_address
6 | FROM posture_assessment_by_endpoint
7 | WHERE posture_agent_version IS NOT NULL
8 | AND endpoint_mac_address IS NOT NULL
9 | ORDER BY posture_agent_version
--------------------------------------------------------------------------------
/data/SQL/posture_assessment_by_condition.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- posture_assessment_by_condition: 10 rows from the table, all columns.
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT *
8 | -- condition_status, -- Displays the status of the condition i.e. passed, failed or skipped
9 | -- location, -- Displays the network device group location
10 | -- logged_at, -- timestamp(6) Specifies the time at which policy was enforced
11 | -- policy, -- specifies the posture policy
12 | -- policy_status, -- Displays the policy condition status
13 | -- enforcement_name, -- Displays the posture requirement name
14 | -- enforcement_type, -- Enforcement type of the requirement i.e. mandatory, optional or audit
15 | -- enforcement_status, -- Displays the status of the posture requirement enforcement
16 | -- ise_node, -- Displays the hostname of the ISE server
17 | -- message_code, -- Displays the message code of the posture syslog
18 | -- request_time, -- Displays the request time
19 | -- response_time, -- Displays the response time
20 | -- endpoint_id, -- Endpoint MAC address
21 | -- endpoint_os, -- Endpoint operating system
22 | -- posture_agent_version, -- Displays the version of the posture agent
23 | -- posture_status, -- Posture status i.e. pending, compliant, non-compliant etc
24 | -- posture_policy_matched, -- Displays the posture policy matched
25 | -- posture_report, -- Displays the posture report
26 | -- anti_virus_installed, -- Displays the installed anti-virus
27 | -- anti_spyware_installed, -- Displays the installed anti-spyware
28 | -- failure_reason, -- Specifies the reason for failure
29 | -- pra_enforcement, -- Displays the status of periodic reassessment enforcement
30 | -- pra_interval, -- Periodic reassessment interval configured
31 | -- pra_action, -- Periodic reassessment action configured
32 | -- pra_grace_time, -- Periodic reassessment grace time configured
33 | -- identity, -- Displays the user name
34 | -- session_id, -- Shows the session ID
35 | -- feed_url, -- Shows the update feed URL
36 | -- num_of_updates, -- Displays the number of updates
37 | -- user_agreement_status, -- Displays the status of the user agreement
38 | -- system_name, -- Hostname of the endpoint
39 | -- system_domain, -- Displays the domain name of the endpoint
40 | -- system_user, -- Displays the system user
41 | -- system_user_domain, -- Displays the system user domain
42 | -- ip_address, -- IP address of the endpoint
43 | -- am_installed, -- Displays the anti-malware installed on the endpoint
44 | -- condition_name, -- Specifies the posture condition which was matched
45 | FROM posture_assessment_by_condition
46 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets; with no ORDER BY, which 10 rows come back is not defined
--------------------------------------------------------------------------------
/data/SQL/posture_assessment_by_endpoint.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- posture_assessment_by_endpoint: 10 rows from the table, all columns.
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns; comment this out when enabling the named columns below
9 | -- system_domain, -- Displays the domain name of the endpoint
10 | -- system_user, -- Displays the system user
11 | -- system_user_domain, -- Displays the system user domain
12 | -- ip_address, -- IP address of the endpoint
13 | -- pra_grace_time, -- Periodic reassessment grace time configured
14 | -- nad_location, -- Location of NAD
15 | -- am_installed, -- Displays the anti-malware installed on the endpoint
16 | -- message_text, -- Displays the message text
17 | -- id, -- database unique ID
18 | -- timestamp_timezone, -- TIMESTAMP(6) WITH TIME ZONE Time with timezone when record added
19 | -- timestamp, -- TIMESTAMP(6) Time when record added
20 | -- ise_node, -- Hostname of ISE node
21 | -- message_code, -- Displays the message code of the posture syslog
22 | -- request_time, -- Displays the request time
23 | -- response_time, -- Displays the response time
24 | -- endpoint_mac_address, -- MAC address of the endpoint
25 | -- endpoint_operating_systeM, -- Operating system of the endpoint
26 | -- posture_agent_version, -- Displays the version of the posture agent
27 | -- posture_status, -- Posture status i.e. pending, compliant, non-compliant etc
28 | -- posture_policy_matched, -- Displays the posture policy matched
29 | -- posture_report, -- Displays the posture report
30 | -- anti_virus_installed, -- Displays the installed anti-virus
31 | -- anti_spyware_installed, -- Displays the installed anti-spyware
32 | -- failure_reason, -- Specifies the reason for failure
33 | -- pra_enforcement_flag, -- Displays the status of periodic reassessment enforcement
34 | -- pra_interval, -- Periodic reassessment interval configured
35 | -- pra_action, -- Periodic reassessment action configured
36 | -- username, -- Displays the username
37 | -- session_id, -- Shows the session ID
38 | -- feed_url, -- Shows the update feed URL
39 | -- num_of_updates, -- Number of updates
40 | -- user_agreement_status, -- Displays the status of the user agreement
41 | -- system_name, -- Hostname of the endpoint
42 | FROM posture_assessment_by_endpoint
43 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets; with no ORDER BY, which 10 rows come back is not defined
44 |
--------------------------------------------------------------------------------
/data/SQL/posture_assessment_by_username.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Posture Assessment by Username
3 | --
4 |
5 | SELECT
6 | username,
7 | COUNT(*)
8 | -- system_domain, -- Displays the domain name of the endpoint
9 | -- system_user, -- Displays the system user
10 | -- system_user_domain, -- Displays the system user domain
11 | -- ip_address, -- IP address of the endpoint
12 | -- pra_grace_time, -- Periodic reassessment grace time configured
13 | -- nad_location, -- Location of NAD
14 | -- am_installed, -- Displays the anti-malware installed on the endpoint
15 | -- message_text, -- Displays the message text
16 | -- id, -- database unique ID
17 | -- timestamp_timezone, -- timeSTAMP(6) WITH TIME ZONE Time with timezone when record added
18 | -- timestamp, -- timestamp(6) Time when record added
19 | -- ise_node, -- Hostname of ISE node
20 | -- message_code, -- Displays the message code of the posture syslog
21 | -- request_time, -- Displays the request time
22 | -- response_time, -- Displays the response time
23 | -- endpoint_mac_address, -- MAC address of the endpoint
24 | -- endpoint_operating_systeM, -- Operating system of the endpoint
25 | -- posture_agent_version, -- Displays the version of the posture agent
26 | -- posture_status, -- Posture status i.e. pending, compliant, non-compliant etc
27 | -- posture_policy_matched, -- Displays the posture policy matched
28 | -- posture_report, -- Displays the posture report
29 | -- anti_virus_installed, -- Displays the installed anti-virus
30 | -- anti_spyware_installed, -- Displays the installed anti-spyware
31 | -- failure_reason, -- Specifies the reason for failure
32 | -- pra_enforcement_flag, -- Displays the status of periodic reassessment enforcement
33 | -- pra_interval, -- Periodic reassessment interval configured
34 | -- pra_action, -- Periodic reassessment action configured
35 | -- username, -- Displays the username
36 | -- session_id, -- Shows the session ID
37 | -- feed_url, -- Shows the update feed URL
38 | -- num_of_updates, -- Number of updates
39 | -- user_agreement_status, -- Displays the status of the user agreement
40 | -- system_name, -- Hostname of the endpoint
41 |
42 | FROM posture_assessment_by_endpoint
43 | -- WHERE timestamp > '24-May-22 04.00.00 PM' -- string literal is parsed with the session's NLS_TIMESTAMP_FORMAT; adjust it to match
44 | GROUP BY username
45 | ORDER BY username ASC
--------------------------------------------------------------------------------
/data/SQL/posture_compliant_endpoints_per_day.sql:
--------------------------------------------------------------------------------
-- Source: ISE Data Connect Guides, Posture examples
-- https://developer.cisco.com/docs/dataconnect/guides/#radius-authentication-summary
-- Posture > Number of Compliant Devices per day
--
-- One row per calendar day (TRUNC drops the time of day), newest day first.
-- The figure is the number of distinct usernames with a 'Compliant' record that day,
-- so several endpoints reporting under one username are counted once.
SELECT
    TRUNC(timestamp),
    COUNT(DISTINCT username)
FROM posture_assessment_by_endpoint
WHERE posture_status = 'Compliant'
GROUP BY TRUNC(timestamp)
ORDER BY TRUNC(timestamp) DESC;
--------------------------------------------------------------------------------
/data/SQL/posture_grace_period.sql:
--------------------------------------------------------------------------------
--
-- posture_grace_period
--
-- 💡 Comment or uncomment columns to customize the query. The last SELECT column must not end with a `,`.
--

SELECT
    *                       -- all columns
--  mac_list,               -- Specifies the list of MAC address
--  last_grace_expiry       -- Specifies the posture grace period expiration time
FROM posture_grace_period
-- FETCH FIRST 10 ROWS ONLY -- uncomment to limit the number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/posture_noncompliant_details.sql:
--------------------------------------------------------------------------------
--
-- Source: ISE Data Connect Guides, Posture examples
-- https://developer.cisco.com/docs/dataconnect/guides/#radius-authentication-summary
-- Posture > Details of non-compliant posture
--
-- Returns every column of the per-condition records where a mandatory policy failed
-- and the posture status is non-compliant.
--

SELECT *
FROM posture_assessment_by_condition
WHERE posture_status = 'NonCompliant'
  AND enforcement_type = 'Mandatory'
  AND policy_status = 'Failed';
--------------------------------------------------------------------------------
/data/SQL/posture_noncompliant_endpoints_per_day.sql:
--------------------------------------------------------------------------------
-- Source: ISE Data Connect Guides, Posture examples
-- https://developer.cisco.com/docs/dataconnect/guides/#radius-authentication-summary
-- Posture > Number of Non-Compliant Devices per day
--
-- One row per calendar day (TRUNC drops the time of day), newest day first.
-- The figure is the number of distinct usernames with a 'NonCompliant' record that day,
-- so several endpoints reporting under one username are counted once.
SELECT
    TRUNC(timestamp),
    COUNT(DISTINCT username)
FROM posture_assessment_by_endpoint
WHERE posture_status = 'NonCompliant'
GROUP BY TRUNC(timestamp)
ORDER BY TRUNC(timestamp) DESC;
--------------------------------------------------------------------------------
/data/SQL/posture_noncompliant_users_with_date.sql:
--------------------------------------------------------------------------------
-- Source: ISE Data Connect Guides, Posture examples
-- https://developer.cisco.com/docs/dataconnect/guides/#radius-authentication-summary
-- Posture > Non-Compliant Users with Date
--
-- One row per 'NonCompliant' record: the day it was recorded and the username.
-- No DISTINCT or ORDER BY is applied, so a user can appear repeatedly and the
-- row order is whatever the database returns.
SELECT
    TRUNC(timestamp),
    username
FROM posture_assessment_by_endpoint
WHERE posture_status = 'NonCompliant';
--------------------------------------------------------------------------------
/data/SQL/primary_guest.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- primary_guest
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
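5 | -- ⚠ `*` returns guest and sponsor personal data (names, e-mail addresses, phone numbers); select only the columns a report needs.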
6 |
7 | SELECT
8 | * -- all columns
9 | -- details, -- details
10 | -- portal_name, -- portal name
11 | -- result, -- result
12 | -- sponsor_first_name, -- sponsor first name
13 | -- sponsor_last_name, -- sponsor last name
14 | -- identity_group, -- identity group to which user belongs
15 | -- sponsor_email_address, -- sponsor email address
16 | -- sponsor_phone_number, -- sponsor phone number
17 | -- sponsor_company, -- sponsor company
18 | -- guest_last_name, -- guest last name
19 | -- guest_first_name, -- guest first name
20 | -- guest_email_address, -- guest email address
21 | -- guest_phone_number, -- guest phone number
22 | -- guest_company, -- guest company
23 | -- guest_status, -- guest status
24 | -- guest_type, -- guest type
25 | -- valid_days, -- number of days guest user is valid
26 | -- from_date, -- start date of the guest user
27 | -- to_date, -- end date of the guest user
28 | -- location, -- location of the guest user
29 | -- ssid, -- SSID of guest user
30 | -- group_tag, -- group tag of guest user
31 | -- guest_person_visited, -- guest person visited
32 | -- guest_reason_for_visit, -- guest reason for visit
33 | -- nas_ip_address, -- NAS IP address
34 | -- user_link, -- char Specifies the user link
35 | -- guest_link, -- char Specifies the guest link
36 | -- failure_reason, -- reason for failure
37 | -- time_spent, -- time spent
38 | -- logged_in, -- varchar2 Specifies when logged in
39 | -- logged_out, -- varchar2 Specifies when logged out
40 | -- optional_data, -- optional data
41 | -- identity_store, -- identity store to which the user belongs
42 | -- nad_address, -- NAD address
43 | -- server, -- ISE node
44 | -- sponsor_user_details, -- sponsor user details
45 | -- guest_user_details, -- guest user details
46 | -- mac_address, -- MAC address
47 | -- ip_address, -- IP address
48 | -- sponsor_username, -- sponsor user name
49 | -- guest_username, -- guest user name
50 | -- guest_users, -- clob Specifies the guest users
51 | -- operation, -- operation
52 | -- aup_acceptance, -- AUP acceptance
53 | -- logged_at, -- timestamp(6) Shows the time when the syslog was stored
54 | -- message
55 | FROM primary_guest
56 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
57 |
--------------------------------------------------------------------------------
/data/SQL/profiled_endpoints_summary.sql:
--------------------------------------------------------------------------------
--
-- profiled_endpoints_summary
--
-- 💡 Comment or uncomment columns to customize the query. The last SELECT column must not end with a `,`.
--

SELECT
    *                         -- all columns
--  id,                       -- database unique ID
--  timestamp,                -- TIMESTAMP(6) Time when record added
--  endpoint_id,              -- Endpoint ID
--  endpoint_profile,         -- Endpoint profile
--  source,                   -- Source name
--  host,                     -- Host name
--  endpoint_action_name,     -- Endpoint action name
--  message_code,             -- Message code
--  identity_group            -- Identity group name
FROM profiled_endpoints_summary
ORDER BY timestamp DESC       -- most recent records first
-- ORDER BY timestamp ASC     -- alternative: first/oldest records
FETCH FIRST 10 ROWS ONLY      -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/profiling_endpoint_profiles_by_probe.sql:
--------------------------------------------------------------------------------
--
-- Source: ISE Data Connect Guides, Profiling examples
-- https://developer.cisco.com/docs/dataconnect/guides/#radius-authentication-summary
-- Profiling > Number of different endpoint profiles profiled per endpoint sources
--
-- Produces one row per source and one count column per profile named in the IN list.
-- Profiles that are not in the list get no column, so extend the list for your deployment.
--

SELECT *
FROM (
    SELECT
        source,
        endpoint_profile
    FROM profiled_endpoints_summary
)
PIVOT (
    COUNT(endpoint_profile)
    FOR endpoint_profile IN (
        'Cisco-Device',
        'Macintosh-Workstation',
        'Microsoft-Workstation',
        'RedHat-Workstation',
        'VMWare-Device',
        'Windows10-Workstation',
        'Windows11-Workstation',
        'Xerox-Device'
    )
)
--------------------------------------------------------------------------------
/data/SQL/profiling_endpoints_by_endpoint_profile.sql:
--------------------------------------------------------------------------------
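--
-- Source: ISE Data Connect Guides, Profiling examples
-- https://developer.cisco.com/docs/dataconnect/guides/#radius-authentication-summary
-- Profiling > Number of Profiled Endpoints filtered by Endpoint Profile
--
-- One row per endpoint profile with the number of records carrying that profile.
-- COUNT(endpoint_profile) skips NULLs, so a NULL-profile group would report 0.
--

SELECT
    endpoint_profile,
    COUNT(endpoint_profile)
FROM profiled_endpoints_summary
GROUP BY endpoint_profile
-- Order before limiting: without an ORDER BY, FETCH FIRST keeps an arbitrary 10 groups
-- and the profiles it drops can differ from run to run.
ORDER BY COUNT(endpoint_profile) DESC, endpoint_profile ASC
FETCH FIRST 10 ROWS ONLY -- top 10 profiles; remove to list every profile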
--------------------------------------------------------------------------------
/data/SQL/profiling_policies.sql:
--------------------------------------------------------------------------------
--
-- Endpoint Profiles (profiling_policies)
--
-- 💡 Comment or uncomment columns to customize the query. The last SELECT column must not end with a `,`.
--

SELECT
    *                            -- all columns
--  profiling_policy_name,       -- Name of Profiling Policy
--  description                  -- Description of Profiling Policy
FROM profiling_policies
ORDER BY profiling_policy_name ASC -- alphabetical by policy name
-- FETCH FIRST 10 ROWS ONLY      -- uncomment to limit the number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/pxgrid_direct_data.sql:
--------------------------------------------------------------------------------
--
-- pxgrid_direct_data
--
-- 💡 Comment or uncomment columns to customize the query. The last SELECT column must not end with a `,`.
--

SELECT
    *                    -- all columns
--  edda_id,             -- The unique identifier as specified in the connector configuration
--  connector_type,      -- The connector type as specified in the connector configuration
--  create_time,         -- The time when record created
--  bulk_id,             -- The Bulk ID
--  version,             -- The connector version
--  version_type,        -- The connector version type
--  name,                -- The connector name
--  data                 -- The data parsed by the connector in JSON format
FROM pxgrid_direct_data
FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets; no ORDER BY, so which 10 is unspecified
--------------------------------------------------------------------------------
/data/SQL/radius_accounting.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- radius_accounting
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
10 | -- TO_CHAR(timestamp_timezone, 'YYYY-MM-DD HH24:MI:SS') AS timestamp_timezone, -- drop fractional seconds
11 | -- id,
12 | -- access_service,
13 | -- acct_authentic,
14 | -- acct_delay_time, -- Length of time (in seconds) for which the NAS has been sending the same accounting packet
15 | -- acct_input_octets, -- Number of octets received during the session
16 | -- acct_input_packets, -- Number of packets received during the session
17 | -- acct_interim_interval, -- Number of seconds between each transmittal of an interim update for a specific session
18 | -- acct_multi_session_id,
19 | -- acct_output_octets, -- Number of octets sent during the session
20 | -- acct_output_packets, -- Number of packets sent during the session
21 | -- acct_session_id, -- Unique numeric string identifying the server session
22 | -- acct_session_time, -- Length of time (in seconds) for which the session has been logged in
23 | -- acct_status_type, -- Specifies whether accounting packet starts or stops a bridging, routing, or terminal server session.
24 | -- acct_terminate_cause, -- Reason a connection was terminated
25 | -- acct_tunnel_connection,
26 | -- acct_tunnel_packet_lost,
27 | -- ad_domain,
28 | -- audit_session_id,
29 | -- authorization_policy,
30 | -- calling_station_id,
31 | -- cisco_h323_connect_time,
32 | -- cisco_h323_disconnect_time,
33 | -- cisco_h323_setup_time,
34 | -- device_groups,
35 | -- device_name,
36 | -- event_timestamp, -- The date and time that this event occurred on the NAS
37 | -- failure_reason,
38 | -- framed_ip_address,
39 | -- framed_ipv6_address,
40 | -- framed_protocol,
41 | -- identity_group,
42 | -- identity_store,
43 | -- idle_timeout,
44 | -- ise_node,
45 | -- nas_identifier,
46 | -- nas_ip_address, -- The IP address of the NAS originating the request
47 | -- nas_ipv6_address,
48 | -- nas_port_id,
49 | -- nas_port, -- Physical port number of the NAS (Network Access Server) originating the request
50 | -- response_time,
51 | -- security_group,
52 | -- service_selection_policy,
53 | -- service_type,
54 | -- session_id,
55 | -- session_timeout,
56 | -- started,
57 | -- stopped,
58 | -- syslog_message_code,
59 | -- termination_action,
60 | -- user_type,
61 | -- username,
62 | -- vn
63 | FROM radius_accounting
64 | -- WHERE timestamp > '23-APR-22 08.25.35.839000000 PM' AND timestamp < '24-APR-22 08.25.35.839000000 PM' -- literals are parsed with the session's NLS_TIMESTAMP_FORMAT
65 | -- WHERE TRUNC(timestamp) = TRUNC(SYSDATE) -- today
66 | -- WHERE TRUNC(timestamp, 'HH24') = TRUNC(SYSDATE, 'HH24') -- sessions this hour
67 | -- WHERE TRUNC(timestamp, 'MI') = TRUNC(SYSDATE, 'MI') -- sessions this minute
68 | -- WHERE timestamp_timezone > '23-APR-22 08.25.35.839000000 PM +05:30' AND timestamp_timezone < '24-APR-22 08.25.35.839000000 PM +05:30'
69 | ORDER BY timestamp ASC -- first/oldest records
70 | -- ORDER BY timestamp DESC -- most recent records
71 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
72 |
--------------------------------------------------------------------------------
/data/SQL/radius_accounting_week.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- radius_accounting_week
3 | --
4 | -- 🛑 contains only 1 week of historical data!
5 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
6 | --
7 |
8 | SELECT
9 | * -- all columns
10 | -- timestamp,
11 | -- timestamp_timezone,
12 | -- access_service,
13 | -- acct_authentic,
14 | -- acct_delay_time, -- Length of time (in seconds) for which the NAS has been sending the same accounting packet
15 | -- acct_input_octets, -- Number of octets received during the session
16 | -- acct_input_packets, -- Number of packets received during the session
17 | -- acct_interim_interval, -- Number of seconds between each transmittal of an interim update for a specific session
18 | -- acct_multi_session_id,
19 | -- acct_output_octets, -- Number of octets sent during the session
20 | -- acct_output_packets, -- Number of packets sent during the session
21 | -- acct_session_id, -- Unique numeric string identifying the server session
22 | -- acct_session_time, -- Length of time (in seconds) for which the session has been logged in
23 | -- acct_status_type, -- Specifies whether accounting packet starts or stops a bridging, routing, or terminal server session.
24 | -- acct_terminate_cause, -- Reason a connection was terminated
25 | -- acct_tunnel_connection,
26 | -- acct_tunnel_packet_lost,
27 | -- ad_domain,
28 | -- audit_session_id,
29 | -- authorization_policy,
30 | -- calling_station_id,
31 | -- cisco_h323_connect_time,
32 | -- cisco_h323_disconnect_time,
33 | -- cisco_h323_setup_time,
34 | -- device_groups,
35 | -- device_name,
36 | -- event_timestamp, -- The date and time that this event occurred on the NAS
37 | -- failure_reason,
38 | -- framed_ip_address,
39 | -- framed_ipv6_address,
40 | -- framed_protocol,
41 | -- id,
42 | -- identity_group,
43 | -- identity_store,
44 | -- idle_timeout,
45 | -- ise_node,
46 | -- nas_identifier,
47 | -- nas_ip_address, -- The IP address of the NAS originating the request
48 | -- nas_ipv6_address,
49 | -- nas_port_id,
50 | -- nas_port, -- Physical port number of the NAS (Network Access Server) originating the request
51 | -- response_time,
52 | -- security_group,
53 | -- service_selection_policy,
54 | -- service_type,
55 | -- session_id,
56 | -- session_timeout,
57 | -- started,
58 | -- stopped,
59 | -- syslog_message_code, -- 3000=Acct-Start, 3001=Acct-Stop, 3002=Acct-Watchdog-Update
60 | -- termination_action,
61 | -- user_type,
62 | -- username,
63 | -- vn
64 | FROM radius_accounting_week -- WHERE username = 'thomas'
65 | -- ORDER BY acct_session_id, timestamp ASC
66 | -- ORDER BY timestamp ASC -- first/oldest records
67 | -- WHERE TRUNC(timestamp) = TRUNC(SYSDATE) -- today
68 | -- WHERE TRUNC(timestamp, 'HH24') = TRUNC(SYSDATE, 'HH24') -- sessions this hour
69 | -- WHERE TRUNC(timestamp, 'MI') = TRUNC(SYSDATE, 'MI') -- sessions this minute
70 | ORDER BY timestamp DESC -- most recent records
71 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/radius_acct_by_session_id.sql:
--------------------------------------------------------------------------------
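--
-- List All Cisco ISE RADIUS Accounting Sessions by ID with start, stop and session time.
-- Session states are in the `ℹ` column: □ stopped, ! ghosted, ⧖ interim, ▷ started
-- An active session is generally considered 'ghosted' after >24 hours without a Stop or Interim Update.
-- 💡 Un/Comment columns to quickly customize queries to suit your needs.
--
-- Author: Thomas Howard, thomas@cisco.com
-- License: MIT - https://mit-license.org
--

SELECT
    acct_session_id,
    -- Per-row state marker [□ stopped, ! ghosted, ⧖ interim, ▷ started]; alternatives: ▷|⏹ ⚠ ! ◌ ⍉ ⬚ ◯ ▶ ◻ □ ○ ◌
    -- All three codes are compared as quoted literals; the earlier form mixed a bare 3001
    -- with quoted '3002' and '3000' on the same column.
    -- NOTE(review): the age test is reached only for codes other than 3000-3002, so an old
    -- Start or Interim row is never marked '!' - confirm against the 'ghosted' definition above.
    CASE
        WHEN syslog_message_code = '3001' THEN '□'
        WHEN syslog_message_code = '3002' THEN '⧖'
        WHEN syslog_message_code = '3000' THEN '▷'
        WHEN timestamp < (SYSDATE - 1) THEN '!'
        ELSE '▷'
    END AS ℹ,
    timestamp,
--  event_timestamp AS nas_timestamp,       -- seconds since epoch that this event occurred on the NAS
    syslog_message_code AS msg_code,        -- 3000=Acct-Start, 3001=Acct-Stop, 3002=Interim-Update, 3003=Acct-On, 3004=Acct-Off
    acct_status_type AS status_type,        -- [Interim-Update, Start, Stop]
    acct_session_time AS session_time,      -- time (seconds) for which the session has been Started
    acct_terminate_cause AS termination,    -- Reason a connection was terminated
    NVL(acct_session_time, 0) AS duration,  -- session time in seconds, with 0 substituted when the row has none
    calling_station_id AS mac,              -- endpoint MAC address (00:00:00:00:00:00)
    username AS username,                   -- username or MAC (00-00-00-00-00-00)
    device_name AS device,                  -- ISE device name
    response_time AS resp_ms
--  session_id,                             -- very long string (8a37ff0600001811672d50d2:ise-span/519859596/4561)
--  user_type AS user_type,                 -- ⚠ empty
--  service_type AS service_type,           -- RADIUS Service-Type: [Framed, Call Check, ...]
--  acct_input_octets AS acct_input_octets, -- Number of octets received during the session
--  acct_output_octets AS acct_output_octets, -- Number of octets sent during the session
--  acct_input_packets AS acct_input_packets, -- Number of packets received during the session
--  acct_output_packets AS acct_output_packets, -- Number of packets sent during the session
--  nas_port AS nas_port,                   -- Physical port number of the NAS (Network Access Server) originating the request
--  nas_ip_address AS nas_ip_address,       -- The IP address of the NAS originating the request
--  framed_protocol AS framed_protocol,     -- ⚠ empty
--  framed_ip_address AS framed_ip_address,
--  access_service AS access_service,
--  audit_session_id AS audit_session_id,   -- (75ec21060000000366c76fb5)
--  acct_multi_session_id AS acct_multi_session_id,
--  acct_authentic AS acct_authentic,       -- RADIUS
--  session_timeout AS session_timeout,     -- ⚠ empty
--  idle_timeout AS idle_timeout,           -- ⚠ empty
--  acct_interim_interval AS interim,       -- ⚠ empty. Number of seconds between each transmittal of an interim update for a specific session
--  acct_delay_time,                        -- time (seconds) for which the NAS has been sending the same accounting packet
--  acct_tunnel_connection,                 -- ⚠ empty
--  acct_tunnel_packet_lost,                -- ⚠ empty
--  device_groups AS device_groups,
--  nas_identifier,
--  nas_port_id AS port_id,                 -- ⚠ empty
--  service_selection_policy AS service_selection_policy, -- ⚠ empty
--  identity_store AS identity_store,       -- ⚠ empty
--  ad_domain AS ad_domain,
--  identity_group AS identity_group,       -- ⚠ empty
--  authorization_policy AS authz,          -- ⚠ empty
--  failure_reason,                         -- ⚠ empty - no session if authentication failed
--  security_group AS SGT,                  -- ⚠ empty
--  cisco_h323_setup_time,
--  cisco_h323_connect_time,
--  cisco_h323_disconnect_time,
FROM radius_accounting
-- Change the ID for your specific session. When a script supplies the value, pass it as a
-- bind variable instead of concatenating it into the SQL text.
WHERE acct_session_id = '009D34AFC779ED0F'
ORDER BY acct_session_id ASC, timestamp ASC
FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets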
--------------------------------------------------------------------------------
/data/SQL/radius_acct_counts_by_day.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Summarize all Cisco ISE RADIUS Accounting events per day.
3 | -- You may also do this per hour/minute/second by changing the timestamp format and GROUP BY statement.
4 | --
5 | -- Author: Thomas Howard, thomas@cisco.com
6 | -- License: MIT - https://mit-license.org
7 | --
8 |
9 | SELECT
10 | -- timestamp,
11 | -- TRUNC(timestamp, 'DD') as timestamp,
12 | -- TRUNC(timestamp, 'MI') as timestamp,
13 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- per second (YYYY-MM-DD HH24:MI:SS)
14 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:') || '00' AS timestamp, -- per minute ('YYYY-MM-DD HH24:MI:00)
15 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:') || '00:00' AS timestamp, -- per hour (YYYY-MM-DD HH24:00:00)
16 | TO_CHAR(timestamp, 'YYYY-MM-DD') AS timestamp, -- per day (2024-12-01)
17 | COUNT(CASE WHEN acct_status_type = 'Start' THEN 1 END) AS starts,
18 | COUNT(CASE WHEN acct_status_type = 'Stop' THEN 1 END) AS stops,
19 | CASE
20 | WHEN COUNT(CASE WHEN acct_status_type = 'Start' THEN 1 END) = 0 THEN 0
21 | ELSE ROUND(COUNT(CASE WHEN acct_status_type = 'Stop' THEN 1 END) / COUNT(CASE WHEN acct_status_type = 'Start' THEN 1 END), 2)
22 | END AS stop_to_start,
23 | COUNT(CASE WHEN acct_status_type = 'Interim-Update' THEN 1 END) AS interims,
24 | ROUND(COUNT(CASE WHEN acct_status_type = 'Interim-Update' THEN 1 END) / COUNT(*), 2) AS interim_to_total,
25 | COUNT(CASE WHEN syslog_message_code > '3002' THEN 1 END) AS others,
26 | COUNT(*) AS total -- total
27 | -- access_service, -- ISE Allowed Protocols
28 | -- acct_authentic,
29 | -- acct_delay_time AS delay, -- always 0? Length of time (in seconds) for which the NAS has been sending the same accounting packet
30 | -- acct_input_octets AS oct_in, -- Number of octets received during the session
31 | -- acct_input_packets AS pack_in, -- Number of packets received during the session
32 | -- acct_interim_interval, -- Number of seconds between each transmittal of an interim update for a specific session
33 | -- acct_multi_session_id,
34 | -- acct_output_octets AS oct_out, -- Number of octets sent during the session
35 | -- acct_output_packets AS pack_out, -- Number of packets sent during the session
36 | -- acct_session_id AS session_id, -- Unique numeric string identifying the server session
37 | -- acct_session_time AS duration, -- Length of time (in seconds) for which the session has been logged in
38 | -- acct_session_time AS session_time,
39 | -- acct_status_type AS status, -- Specifies whether accounting packet starts or stops a bridging, routing, or terminal server session.
40 | -- acct_terminate_cause AS termination, -- Reason a connection was terminated
41 | -- acct_tunnel_connection, -- ⚠ empty
42 | -- acct_tunnel_packet_lost, -- ⚠ empty
43 | -- ad_domain,
44 | -- audit_session_id,
45 | -- authorization_policy,
46 | -- calling_station_id,
47 | -- cisco_h323_connect_time,
48 | -- cisco_h323_disconnect_time,
49 | -- cisco_h323_setup_time,
50 | -- device_groups,
51 | -- device_name -- ISE network device name
52 | -- event_timestamp, -- The date and time that this event occurred on the NAS
53 | -- failure_reason,
54 | -- framed_ip_address, -- session IP address of endpoint
55 | -- framed_ipv6_address,
56 | -- framed_protocol,
57 | -- id,
58 | -- identity_group,
59 | -- identity_store,
60 | -- idle_timeout,
61 | -- ise_node, -- ISE node name
62 | -- nas_identifier,
63 | -- nas_ip_address, -- The IP address of the NAS originating the request
64 | -- nas_ipv6_address,
65 | -- nas_port_id, -- If provided by NAS
66 | -- nas_port, -- Physical port number of the NAS (Network Access Server) originating the request
67 | -- response_time, -- in milliseconds
68 | -- security_group AS SGT, -- ⚠ empty
69 | -- service_selection_policy,
70 | -- service_type, -- RADIUS Service Type: Framed, Call-Check, etc.
71 | -- session_id, -- ⚠ very long string
72 | -- session_timeout
73 | -- started, -- ⚠ always 1
74 | -- stopped, -- ⚠ always 0
75 | -- syslog_message_code AS code, -- 3000=Acct-Start, 3001=Acct-Stop, 3002=Interim-Update, 3003=Acct-On, 3004=Acct-Off
76 | -- termination_action,
77 | -- timestamp_timezone AS timestamp_tz,
78 | -- user_type,
79 | -- username,
80 | -- vn,
81 | FROM radius_accounting
82 | -- WHERE TRUNC(timestamp) = TRUNC(SYSDATE) -- today
83 | -- WHERE TRUNC(timestamp, 'HH24') = TRUNC(SYSDATE, 'HH24') -- sessions this hour
84 | -- WHERE TRUNC(timestamp, 'MI') = TRUNC(SYSDATE, 'MI') -- sessions this minute
85 | -- GROUP BY TRUNC(timestamp, 'DD')
86 | GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD') -- per day
87 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD HH24:') || '00:00' -- per hour
88 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:') || '00' -- per minute
89 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') -- per second
90 | ORDER BY timestamp ASC -- first/oldest records
91 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/radius_acct_counts_by_device.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Show All Cisco ISE RADIUS Accounting events per Device.
3 | -- This helps discover high counts of RADIUS interims which can backlog ISE.
4 | --
5 | -- Author: Thomas Howard, thomas@cisco.com
6 | -- License: MIT - https://mit-license.org
7 | --
8 |
9 | SELECT
10 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- per second (YYYY-MM-DD HH24:MI:SS)
11 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:') || '00' AS timestamp, -- per minute ('YYYY-MM-DD HH24:MI:00)
12 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:') || '00:00' AS timestamp, -- per hour (YYYY-MM-DD HH24:00:00)
13 | -- TO_CHAR(timestamp, 'YYYY-MM-DD') AS timestamp, -- per day (2024-12-01)
14 | nas_ip_address, -- The IP address of the NAS originating the request
15 | device_name, -- ISE network device name
16 | COUNT(CASE WHEN acct_status_type = 'Start' THEN 1 END) AS starts,
17 | COUNT(CASE WHEN acct_status_type = 'Stop' THEN 1 END) AS stops,
18 | CASE
19 | WHEN COUNT(CASE WHEN acct_status_type = 'Start' THEN 1 END) = 0 THEN 0
20 | ELSE ROUND(COUNT(CASE WHEN acct_status_type = 'Stop' THEN 1 END) / COUNT(CASE WHEN acct_status_type = 'Start' THEN 1 END), 2)
21 | END AS stop_to_start,
22 | COUNT(CASE WHEN acct_status_type = 'Interim-Update' THEN 1 END) AS interims,
23 | ROUND(COUNT(CASE WHEN acct_status_type = 'Interim-Update' THEN 1 END) / COUNT(*), 2) AS interim_to_total,
24 | COUNT(CASE WHEN syslog_message_code > '3002' THEN 1 END) AS others,
25 | -- access_service, -- ISE Allowed Protocols
26 | -- acct_authentic,
27 | -- acct_delay_time AS delay, -- always 0? Length of time (in seconds) for which the NAS has been sending the same accounting packet
28 | -- acct_input_octets AS oct_in, -- Number of octets received during the session
29 | -- acct_input_packets AS pack_in, -- Number of packets received during the session
30 | -- acct_interim_interval, -- Number of seconds between each transmittal of an interim update for a specific session
31 | -- acct_multi_session_id,
32 | -- acct_output_octets AS oct_out, -- Number of octets sent during the session
33 | -- acct_output_packets AS pack_out, -- Number of packets sent during the session
34 | -- acct_session_id AS session_id, -- Unique numeric string identifying the server session
35 | -- acct_session_time AS duration, -- Length of time (in seconds) for which the session has been logged in
36 | -- acct_session_time AS session_time,
37 | -- acct_status_type AS status, -- Specifies whether accounting packet starts or stops a bridging, routing, or terminal server session.
38 | -- acct_terminate_cause AS termination, -- Reason a connection was terminated
39 | -- acct_tunnel_connection, -- ⚠ empty
40 | -- acct_tunnel_packet_lost, -- ⚠ empty
41 | -- ad_domain,
42 | -- audit_session_id,
43 | -- authorization_policy,
44 | -- calling_station_id,
45 | -- cisco_h323_connect_time,
46 | -- cisco_h323_disconnect_time,
47 | -- cisco_h323_setup_time,
48 | -- device_groups,
49 | -- event_timestamp, -- The date and time that this event occurred on the NAS
50 | -- failure_reason,
51 | -- framed_ip_address, -- session IP address of endpoint
52 | -- framed_ipv6_address,
53 | -- framed_protocol,
54 | -- id,
55 | -- identity_group,
56 | -- identity_store,
57 | -- idle_timeout,
58 | -- ise_node, -- ISE node name
59 | -- nas_identifier,
60 | -- nas_ipv6_address,
61 | -- nas_port_id, -- If provided by NAS
62 | -- nas_port, -- Physical port number of the NAS (Network Access Server) originating the request
63 | -- response_time, -- in milliseconds
64 | -- security_group AS SGT, -- ⚠ empty
65 | -- service_selection_policy,
66 | -- service_type, -- RADIUS Service Type: Framed, Call-Check, etc.
67 | -- session_id, -- ⚠ very long string
68 | -- session_timeout
69 | -- started, -- ⚠ always 1
70 | -- stopped, -- ⚠ always 0
71 | -- syslog_message_code AS code, -- 3000=Acct-Start, 3001=Acct-Stop, 3002=Interim-Update, 3003=Acct-On, 3004=Acct-Off
72 | -- termination_action,
73 | -- timestamp_timezone AS timestamp_tz,
74 | -- user_type,
75 | -- username,
76 | -- vn,
77 | COUNT(*) AS total -- total
78 | FROM radius_accounting
79 | WHERE timestamp > sysdate - INTERVAL '30' DAY -- last N days
80 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
81 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
82 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
83 | GROUP BY nas_ip_address, device_name
84 | -- GROUP BY TRUNC(timestamp, 'DD')
85 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD') -- per day
86 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD HH24:') || '00:00' -- per hour
87 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:') || '00' -- per minute
88 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') -- per second
89 | ORDER BY starts DESC -- first/oldest records
90 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/radius_acct_sessions_active.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- List All Cisco ISE Sessions by ID that are Active.
3 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
4 | -- Session states are in the `ℹ` column: □ stopped, ! ghosted, ⧖ interim, ▷ started
5 | --
6 | -- All Active RADIUS Accounting sessions consume a license until a RADIUS Accounting Stop is received or the session is cleared in ISE.
7 | -- A RADIUS session is Active/Started if:
8 | -- - there is a RADIUS Accounting Start record (syslog_message_code = 3000 OR acct_status_type = 'Start') with an acct_session_id
9 | -- - the acct_session_id does not have a corresponding Stop record (syslog_message_code = 3001 OR acct_status_type = 'Stop')
10 | -- - the last update is < 5 days old
11 | -- ⓘ there may be 0 or more Interim-Updates (syslog_message_code = 3002 or acct_status_type = Interim-Update) to maintain a session
12 | -- ⚠ If a device is [unintentionally] powered off or accounting is mis/unconfigured, its sessions may become stale in ISE.
13 | -- ⓘ RADIUS Accounting sessions without updates every 24 hours are generally considered as 'ghosted' 👻
14 | -- ⓘ ISE clears any session after five days of inactivity (no further RADIUS Accounting updates for that acct_session_id).
15 | -- ⓘ RADIUS Accounting Interim-Updates may contain IPv4/v6 address changes for the given sessions
16 | -- ⓘ Cisco WLC uses an Accounting-Stop with a 'nas-update=true' attribute to identify a session in a roaming state.
17 | -- When ISE sees this attribute, the session is not deleted in ISE to avoid reauthentication.
18 | -- If roaming fails, ISE clears the session after five days of inactivity.
19 | --
20 |
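21 | SELECT
22 | acct_session_id, -- NOTE(review): grouped on this value alone; if two network devices can emit the same Acct-Session-Id their records merge into one row — confirm, or add nas_ip_address to the GROUP BY
23 | TO_CHAR(MIN(timestamp), 'YYYY-MM-DD HH24:MI:SS') AS started, -- earliest record for the session; drop fractional seconds
24 | TO_CHAR(MAX(timestamp), 'YYYY-MM-DD HH24:MI:SS') AS stopped, -- latest record for the session (its last update, not a Stop: stopped sessions are filtered out by HAVING); drop fractional seconds
25 | MAX(syslog_message_code) AS code, -- highest code seen, not the most recent one: 3000=Acct-Start, 3001=Acct-Stop, 3002=Interim-Update, 3003=Acct-On, 3004=Acct-Off
26 | COUNT(timestamp) AS num, -- total accounting updates
27 | CASE WHEN COUNT(CASE WHEN syslog_message_code = 3001 THEN 1 END) > 0 THEN '□' WHEN (MAX(timestamp) < (SYSDATE - 1)) THEN '!' WHEN MAX(syslog_message_code) = 3002 THEN '⧖' ELSE '▷' END AS ℹ, -- [□ stopped, ! ghosted, ⧖ interim, ▷ started] alternatives: ▷ | □ ⏹ ⚠ ! ◌ ⍉ ⬚ ◯ ▶ ◻ □ ○ ◌ ; the □ branch only shows if the HAVING filter is removed
28 | NVL(MAX(acct_session_time), 0) AS time, -- time (seconds) for which the session has been Started
29 | MAX(calling_station_id) AS mac, -- endpoint MAC address (00:00:00:00:00:00)
30 | MAX(username) AS username, -- username or MAC (00-00-00-00-00-00)
31 | MAX(acct_terminate_cause) AS termination, -- Reason a connection was terminated
32 | MAX(device_name) AS device_name, -- ISE device name
33 | MAX(response_time) as resp_ms
34 | -- MIN(event_timestamp) AS nas_timestamp, -- seconds since epoch that this event occurred on the NAS
35 | -- MIN(syslog_message_code) AS min_code, -- 3000=Acct-Start, 3001=Acct-Stop, 3002=Interim-Update, 3003=Acct-On, 3004=Acct-Off
36 | -- MAX(syslog_message_code) INTO last_msg,
37 | -- NVL(MAX(acct_session_time), ((CAST(SYSTIMESTAMP AS DATE) - (CAST(MIN(timestamp) AS DATE))) * 86400)) AS duration, -- calculate time (seconds) since the session Started
38 | -- MAX(session_id), -- very long string (8a37ff0600001811672d50d2:ise-span/519859596/4561)
39 | -- MAX(user_type) AS user_type, -- ⚠ empty
40 | -- MIN(acct_status_type) AS status_min, -- [Interim-Update, Start, Stop]
41 | -- MAX(acct_status_type) AS status_max, -- [Interim-Update, Start, Stop]
42 | FROM radius_accounting
43 | WHERE syslog_message_code != 3003 AND syslog_message_code != 3004 -- ignore Accounting-On/Off messages
44 | GROUP BY acct_session_id
45 | HAVING COUNT(CASE WHEN syslog_message_code = 3001 THEN 1 END) = 0 -- keep only sessions with no Stop record; MAX(code) cannot test this because an Interim-Update (3002) outranks a Stop (3001), so a stopped session with interims would be listed as active
46 | -- ORDER BY MIN(timestamp) ASC
47 | ORDER BY MIN(timestamp) DESC
48 | -- ORDER BY NVL(MAX(acct_session_time), 0) DESC, MIN(timestamp) ASC -- longest sessions
49 | FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets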
50 |
--------------------------------------------------------------------------------
/data/SQL/radius_acct_stops.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- radius_accounting
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 | -- Author: Thomas Howard, thomas@cisco.com
7 | -- License: MIT - https://mit-license.org
8 | --
9 |
10 | SELECT -- one row per accounting record that matches the WHERE clause below
11 | TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
12 | acct_session_id AS session_id, -- Unique numeric string identifying the server session
13 | acct_status_type AS status, -- Specifies whether accounting packet starts or stops a bridging, routing, or terminal server session.
14 | syslog_message_code AS code, -- 3000=Acct-Start, 3001=Acct-Stop, 3002=Interim-Update, 3003=Acct-On, 3004=Acct-Off
15 | acct_session_time AS duration, -- Length of time (in seconds) for which the session has been logged in
16 | calling_station_id, -- endpoint MAC address
17 | username, -- identifies a person or device; treat exported results as sensitive
18 | acct_terminate_cause AS termination, -- Reason a connection was terminated
19 | device_name -- ISE network device name
20 | -- access_service, -- ISE Allowed Protocols
21 | -- acct_authentic,
22 | -- acct_delay_time AS delay, -- always 0? Length of time (in seconds) for which the NAS has been sending the same accounting packet
23 | -- acct_input_octets AS oct_in, -- Number of octets received during the session
24 | -- acct_input_packets AS pack_in, -- Number of packets received during the session
25 | -- acct_interim_interval, -- Number of seconds between each transmittal of an interim update for a specific session
26 | -- acct_multi_session_id,
27 | -- acct_output_octets AS oct_out, -- Number of octets sent during the session
28 | -- acct_output_packets AS pack_out, -- Number of packets sent during the session
29 | -- acct_tunnel_connection, -- ⚠ empty
30 | -- acct_tunnel_packet_lost, -- ⚠ empty
31 | -- ad_domain,
32 | -- audit_session_id,
33 | -- authorization_policy,
34 | -- cisco_h323_connect_time,
35 | -- cisco_h323_disconnect_time,
36 | -- cisco_h323_setup_time,
37 | -- device_groups,
38 | -- event_timestamp, -- The date and time that this event occurred on the NAS
39 | -- failure_reason,
40 | -- framed_ip_address, -- session IP address of endpoint
41 | -- framed_ipv6_address,
42 | -- framed_protocol,
43 | -- id,
44 | -- identity_group,
45 | -- identity_store,
46 | -- idle_timeout,
47 | -- ise_node, -- ISE node name
48 | -- nas_identifier,
49 | -- nas_ip_address, -- The IP address of the NAS originating the request
50 | -- nas_ipv6_address,
51 | -- nas_port_id, -- If provided by NAS
52 | -- nas_port, -- Physical port number of the NAS (Network Access Server) originating the request
53 | -- response_time, -- in milliseconds
54 | -- security_group AS SGT, -- ⚠ empty
55 | -- security_group AS SGT, -- ⚠ empty
56 | -- service_selection_policy,
57 | -- service_type, -- RADIUS Service Type: Framed, Call-Check, etc.
58 | -- session_id, -- ⚠ very long string
59 | -- session_timeout -- ⚠ always empty
60 | -- started, -- ⚠ always 0?
61 | -- stopped, -- ⚠ always 0?
62 | -- termination_action,
63 | -- timestamp_timezone,
64 | -- timestamp,
65 | -- user_type,
66 | -- vn,
67 | FROM radius_accounting
68 | -- WHERE syslog_message_code = 3001 -- RADIUS Accounting Stop
69 | WHERE acct_status_type = 'Stop' -- RADIUS Accounting Stop
70 | -- AND acct_session_time < (60*60) -- sessions < 1 hour
71 | -- AND acct_session_time > 3700 -- sessions > 1 hour
72 | -- AND acct_session_time > (60*60*24) -- sessions > 1 day
73 | -- AND acct_session_time > (60*60*24*3) -- sessions > 3 days
74 | AND TRUNC(timestamp) = TRUNC(SYSDATE) -- today, by the database server's clock (SYSDATE)
75 | -- AND TRUNC(timestamp, 'HH24') = TRUNC(SYSDATE, 'HH24') -- sessions this hour
76 | -- AND TRUNC(timestamp, 'MI') = TRUNC(SYSDATE, 'MI') -- sessions this minute
77 | -- ORDER BY timestamp ASC -- first/oldest records
78 | ORDER BY timestamp DESC -- most recent records
79 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
80 |
--------------------------------------------------------------------------------
/data/SQL/radius_authentication_summary.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- radius_authentication_summary
3 | --
4 | -- ⚠ `radius_authentication_summary` table is limited to only 30 days of data!
5 | -- 💡 Use `radius_authentications` for *all* records in database!
6 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
7 | --
8 |
9 | SELECT -- sample of the oldest rows in the 30-day summary table
10 | * -- all columns, including username and calling_station_id (MAC); select only the columns you need before sharing output
11 | -- timestamp, -- timestamp(6) Time when record added
12 | -- ise_node, -- Name of the ISE server used for authentication
13 | -- username, -- User name
14 | -- calling_station_id, -- Mac address of the device the user is using
15 | -- identity_store, -- The Identity Store to which the user authenticated belongs to. Example - Internal Endpoints
16 | -- identity_group, -- The Identity Group to which the user belongs to. Example - Windows11-Workstation
17 | -- device_name, -- The name of the network device used by the user to access network. Example - 9800CLWLC, Access-Switch-3K, 9800VWLC etc.
18 | -- device_type, -- The type of the network device used by the user to access network. Example - Wireless - IEEE 802.11
19 | -- location, -- The location hierarchy of the network device. Example - All Locations#My-Territory#US#Sanjose#BLDG5
20 | -- access_service, -- The protocol used for authentication. Example - NDAC_SGT_Service, Default Network Access
21 | -- nas_port_id, -- ID of the NAD Port used. Example - GigabitEthernet1/0/14
22 | -- authorization_profiles, -- The authorization profile applied. Example - PermitAccess, Machine-Access
23 | -- failure_reason, -- Reason for the failure, in case authentication was not successful
24 | -- security_group, -- The security group classification of the device i.e the source SGT. Example - TrustedDevices, Quarantined_Systems
25 | -- total_response_time, -- The total response time required for authentication
26 | -- max_response_time, -- The maximum response time required for authentication
27 | -- passed_count, -- The number of passed authentication
28 | -- failed_count, -- Number of failed authentication
29 | FROM radius_authentication_summary
30 | ORDER BY timestamp ASC -- first/oldest records
31 | -- ORDER BY timestamp DESC -- most recent records
32 | FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/radius_authentications.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- radius_authentications
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT -- sample of the oldest authentication records; pick ONE of the commented WHERE lines to narrow the window
8 | * -- all columns, including username, MAC and IP addresses; select only the columns you need before sharing output
9 | -- access_service, -- Allowed Protocols
10 | -- audit_session_id,
11 | -- authentication_method,
12 | -- authentication_protocol,
13 | -- authorization_profiles, -- ⚠ Blank for failed auths!
14 | -- authorization_rule, -- ⚠ Blank for failed auths!
15 | -- calling_station_id,
16 | -- checksum,
17 | -- credential_check,
18 | -- device_name,
19 | -- device_type,
20 | -- endpoint_profile,
21 | -- failed,
22 | -- failure_reason,
23 | -- framed_ip_address,
24 | -- framed_ipv6_address,
25 | -- id,
26 | -- identity_group,
27 | -- identity_store,
28 | -- ise_node,
29 | -- location,
30 | -- mdm_server_name,
31 | -- nas_ip_address,
32 | -- nas_ipv6_address,
33 | -- nas_port_id, -- Physical port number of the NAS (Network Access Server) originating the request
34 | -- nas_port_type,
35 | -- orig_calling_station_id,
36 | -- passed, -- 'Fail' for username='INVALID'
37 | -- policy_set_name, -- Default, Wired, etc.
38 | -- posture_status,
39 | -- response_time -- ⚠ Blank for failed auths!
40 | -- security_group, -- ⚠ Blank for failed auths!
41 | -- service_type,
42 | -- syslog_message_code,
43 | -- timestamp
44 | -- timestamp_timezone,
45 | -- user_type,
46 | -- username,
47 | FROM radius_authentications
48 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
49 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
50 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
51 | -- WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days
52 | -- WHERE TO_CHAR(timestamp, 'YYYY-MM-DD') = '2024-11-01' -- match a timestamp by day
53 | -- WHERE TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') = '2024-11-01 00:08:27' -- match a timestamp (YYYY-MM-DD HH24:MI:SS.ffffff)
54 | -- WHERE timestamp > TIMESTAMP '2024-11-01 00:00:00' -- after a timestamp
55 | -- WHERE timestamp > TIMESTAMP '2024-11-01 00:00:00' AND timestamp < TIMESTAMP '2024-11-02 00:00:00' -- time window
56 | -- WHERE timestamp BETWEEN Date '2024-11-01' and Date '2024-11-02' -- BETWEEN is inclusive: all of 2024-11-01 plus exactly 2024-11-02 00:00:00
57 | -- WHERE timestamp_timezone < '24-APR-22 08.25.35.839000000 PM +05:30' AND timestamp_timezone > '23-APR-22 08.25.35.839000000 PM +05:30'
58 | ORDER BY timestamp ASC -- first/oldest records
59 | -- ORDER BY timestamp DESC -- most recent records
60 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
61 |
--------------------------------------------------------------------------------
/data/SQL/radius_authentications_week.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- radius_authentications_week
3 | --
4 | -- ⚠ This table is limited to only 1 week of data!
5 | --
6 |
7 | SELECT -- sample of the oldest rows in the one-week authentications table
8 | * -- all columns, including username, MAC and IP addresses; select only the columns you need before sharing output
9 | -- id,
10 | -- timestamp_timezone,
11 | -- ise_node,
12 | -- syslog_message_code,
13 | -- username,
14 | -- user_type,
15 | -- calling_station_id,
16 | -- access_service,
17 | -- framed_ip_address,
18 | -- identity_store,
19 | -- identity_group,
20 | -- audit_session_id,
21 | -- authentication_method,
22 | -- authentication_protocol,
23 | -- service_type,
24 | -- device_name,
25 | -- device_type,
26 | -- location,
27 | -- nas_ip_address,
28 | -- nas_port_id,
29 | -- nas_port_type,
30 | -- authorization_profiles,
31 | -- posture_status,
32 | -- security_group,
33 | -- failure_reason,
34 | -- response_time,
35 | -- passed,
36 | -- failed,
37 | -- credential_check,
38 | -- endpoint_profile,
39 | -- mdm_server_name,
40 | -- policy_set_name,
41 | -- authorization_rule,
42 | -- nas_ipv6_address,
43 | -- framed_ipv6_address,
44 | -- orig_calling_station_id,
45 | -- checksum,
46 | -- timestamp,
47 | -- authentication_policy,
48 | -- authorization_policy,
49 | -- nad_profile_name
50 | FROM radius_authentications_week
51 | ORDER BY timestamp ASC -- first/oldest records
52 | -- ORDER BY timestamp DESC -- most recent records
53 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/radius_authorization_profiles.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- authorization_profiles
3 | --
4 |
5 | SELECT
6 | ap.* -- every column of each authorization profile
7 | -- ap.name,
8 | -- ap.description,
9 | FROM authorization_profiles ap
10 | ORDER BY ap.name -- ascending is the default sort direction
11 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Authentications
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries.
5 | -- Remember the last SELECT column must not end with a `,`.
6 | --
7 | -- Author: Thomas Howard, thomas@cisco.com
8 | -- License: MIT - https://mit-license.org
9 | --
10 |
11 | SELECT -- one row per authentication in the chosen time window, oldest first
12 | TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
13 | -- passed, -- 'Fail' for username='INVALID'
14 | calling_station_id,
15 | username,
16 | -- user_type, -- ⚠ Blank?
17 | device_name,
18 | -- nas_ip_address,
19 | -- nas_port_id,
20 | -- nas_port_type,
21 | ise_node,
22 | policy_set_name, -- Default, Wired, etc.
23 | -- audit_session_id,
24 | access_service, -- Allowed Protocols
25 | authentication_method AS auth_method,
26 | authentication_protocol AS auth_protocol,
27 | authorization_rule AS authz_rule, -- ⚠ Blank for failed auths!
28 | authorization_profiles AS authz_profiles, -- ⚠ Blank for failed auths!
29 | -- checksum,
30 | -- credential_check -- Auth protocol?
31 | -- device_type, -- NDG
32 | -- failed,
33 | -- failure_reason,
34 | -- framed_ip_address,
35 | -- framed_ipv6_address,
36 | -- id,
37 | -- identity_group,
38 | -- identity_store,
39 | -- location, -- NDG
40 | -- mdm_server_name,
41 | -- nas_ipv6_address,
42 | -- orig_calling_station_id,
43 | -- posture_status,
44 | -- response_time -- ⚠ Blank for failed auths!
45 | -- security_group, -- ⚠ Blank for failed auths!
46 | -- service_type,
47 | -- syslog_message_code,
48 | response_time
49 | FROM radius_authentications
50 | -- WHERE username = 'INVALID'
51 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
52 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
53 | WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours; only one WHERE line may be active, join extra conditions with AND
54 | -- WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days
55 | -- WHERE TO_CHAR(timestamp, 'YYYY-MM-DD') = '2024-11-01' -- match a timestamp by day
56 | -- WHERE TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') = '2024-11-01 00:08:27' -- match a timestamp (YYYY-MM-DD HH24:MI:SS.ffffff)
57 | -- WHERE timestamp > TIMESTAMP '2024-11-01 00:00:00' -- after a timestamp
58 | -- WHERE timestamp > TIMESTAMP '2024-11-01 00:00:00' AND timestamp < TIMESTAMP '2024-11-02 00:00:00' -- time window
59 | -- WHERE timestamp BETWEEN Date '2024-11-01' and Date '2024-11-02' -- BETWEEN is inclusive: all of 2024-11-01 plus exactly 2024-11-02 00:00:00
60 | ORDER BY timestamp ASC -- first/oldest records
61 | -- ORDER BY timestamp DESC -- most recent records
62 | -- FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets
63 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_by.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Authentications by ...
3 | -- There are many ways to perform a GROUP BY on the radius_authentications table!
4 | -- Rather than create a separate SQL file for each one, un/comment lines to quickly customize queries.
5 | -- Remember the last SELECT column must not end with a `,`.
6 | --
7 | -- Author: Thomas Howard, thomas@cisco.com
8 | -- License: MIT - https://mit-license.org
9 | --
10 |
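11 | SELECT
12 | -- 💡 Group by one or more of these attributes; every uncommented attribute here must also appear in the active GROUP BY
13 |
14 | TO_CHAR(timestamp, 'YYYY-MM-DD') AS timestamp, -- by day
15 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24') AS timestamp, -- by hour
16 | -- TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI') AS timestamp, -- by minute
17 |
18 | -- access_service AS allowed_protocol,
19 | -- calling_station_id AS mac,
20 | -- device_name,
21 | -- device_name, location,
22 | -- device_type,
23 | -- failure_reason,
24 | -- identity_group,
25 | -- identity_store,
26 | -- nas_port_type,
27 | -- username,
28 | -- ise_node,
29 |
30 | -- 💡 Metrics for the group
31 | COUNT(CASE WHEN passed = 'Pass' THEN 1 END) AS passed, -- authentications recorded as 'Pass'
32 | COUNT(CASE WHEN passed = 'Fail' THEN 1 END) AS failed, -- authentications recorded as 'Fail'
33 | COUNT(timestamp) AS total, -- all records in the group, whatever their passed value
34 | TO_CHAR(ROUND( (COUNT(CASE WHEN passed = 'Fail' THEN 1 END) / NULLIF(COUNT(CASE WHEN passed = 'Pass' THEN 1 END) + COUNT(CASE WHEN passed = 'Fail' THEN 1 END), 0) * 100), 0), 'FM999') || '%' AS fail_pct, -- failed / (passed + failed); NULLIF avoids a divide-by-zero error aborting the report when a group has neither, in which case only '%' is shown
35 | -- ROUND(AVG(response_time), 0) AS avg_resp_ms, -- milliseconds
36 | ROUND(MEDIAN(response_time), 0) AS median_resp_ms, -- milliseconds
37 | MAX(response_time) AS max_resp_ms -- milliseconds
38 | FROM radius_authentications
39 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
40 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
41 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
42 | -- WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days
43 |
44 | GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD') -- by day
45 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD HH24') -- by hour
46 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI') -- by minute
47 | ORDER BY timestamp ASC -- first/oldest records
48 | -- ORDER BY timestamp DESC -- most recent records
49 |
50 | -- GROUP BY failure_reason
51 | -- ORDER BY failure_reason ASC
52 |
53 | -- GROUP BY TO_CHAR(timestamp, 'YYYY-MM-DD'), ise_node
54 | -- ORDER BY
55 | -- TO_CHAR(timestamp, 'YYYY-MM-DD') ASC,
56 | -- ise_node ASC
57 |
58 | -- GROUP BY username,calling_station_id
59 | -- ORDER BY username ASC,calling_station_id ASC
60 |
61 | -- GROUP BY device_name
62 | -- ORDER BY device_name ASC
63 |
64 | -- GROUP BY device_name, location
65 | -- ORDER BY device_name ASC, location ASC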
66 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_by_policy.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Authentications by Policy
3 | --
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
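8 | SELECT
9 | policy_set_name AS policy_set, -- Default, Wired, etc.
10 | -- access_service AS allowed_protocols, -- still part of the GROUP BY below: rows that look identical here differ by this hidden value; uncomment to show it
11 | authentication_method AS authn_method, --
12 | authentication_protocol AS authn_protocol, --
13 | NVL(authorization_rule, '-') AS authz_rule, -- '-' where no rule is recorded
14 | NVL(authorization_profiles, 'ACCESS-REJECT') AS authz_profile, -- a blank profile is reported as ACCESS-REJECT
15 | MAX(security_group) AS security_group, -- one value per group (the highest), not every SGT seen
16 | TO_CHAR(AVG(response_time), '9999999') || 'ms' AS rt_avg, -- avg response time
17 | TO_CHAR(MAX(response_time), '9999999') || 'ms' AS rt_max, -- max response time
18 | COUNT(CASE WHEN passed = 'Pass' THEN 1 END) AS passed,
19 | COUNT(CASE WHEN passed = 'Fail' THEN 1 END) AS failed,
20 | COUNT(timestamp) AS total,
21 | TO_CHAR(ROUND( (COUNT(CASE WHEN passed = 'Fail' THEN 1 END) / NULLIF(COUNT(CASE WHEN passed = 'Pass' THEN 1 END) + COUNT(CASE WHEN passed = 'Fail' THEN 1 END), 0) * 100), 0), 'FM999') || '%' AS fail_pct -- failed / (passed + failed); NULLIF avoids a divide-by-zero error when a group has neither, in which case only '%' is shown
22 | -- COUNT(DISTINCT device_name) AS devices,
23 | -- MAX(audit_session_id) AS audit_session_id, --
24 | -- MAX(calling_station_id) AS mac, --
25 | -- MAX(checksum) AS checksum, --
26 | -- MAX(credential_check) AS credential_check, --
27 | -- MAX(device_type) AS device_type, --
28 | -- MAX(endpoint_profile) AS endpoint_profile, --
29 | -- MAX(failed) AS failed, --
30 | -- MAX(failure_reason) AS failure_reason, --
31 | -- MAX(framed_ip_address) AS framed_ip_address, --
32 | -- MAX(framed_ipv6_address) AS framed_ipv6_address, --
33 | -- MAX(id) AS id, --
34 | -- MAX(identity_group) AS identity_group, --
35 | -- MAX(identity_store) AS identity_store, --
36 | -- MAX(ise_node) AS ise_node, --
37 | -- MAX(location) AS location, --
38 | -- MAX(mdm_server_name) AS mdm_server_name, --
39 | -- MAX(nas_ip_address) AS nas_ip_address, --
40 | -- MAX(nas_ipv6_address) AS nas_ipv6_address, --
41 | -- MAX(nas_port_id) AS nas_port_id, -- -- Physical port number of the NAS (Network Access Server) originating the request
42 | -- MAX(nas_port_type) AS nas_port_type, --
43 | -- MAX(orig_calling_station_id) AS orig_calling_station_id, --
44 | -- MAX(passed) AS passed, --
45 | -- MAX(posture_status) AS posture_status, --
46 | -- MAX(response_time) AS response_time, --
47 | -- MAX(service_type) AS service_type, --
48 | -- MAX(syslog_message_code) AS syslog_message_code, --
49 | -- MAX(timestamp) AS timestamp, --
50 | -- MAX(timestamp_timezone) AS timestamp_timezone, --
51 | -- MAX(user_type) AS user_type, --
52 | -- MAX(username) AS username, --
53 | FROM radius_authentications
54 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
55 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
56 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
57 | WHERE timestamp > sysdate - INTERVAL '30' DAY -- last N days
58 | GROUP BY policy_set_name, access_service, authentication_method, authentication_protocol, authorization_rule, authorization_profiles
59 | -- GROUP BY policy_set_name
60 | ORDER BY policy_set_name ASC, total DESC
61 | -- ORDER BY calling_station_id ASC
62 | -- ORDER BY username ASC
63 | -- FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets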
64 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_by_security_group.sql:
--------------------------------------------------------------------------------
1 | -- From the ISE Data Connect Guides' RADIUS Authentication Summary Examples
2 | -- https://developer.cisco.com/docs/dataconnect/guides/#radius-authentication-summary
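3 | SELECT security_group, -- source SGT classification; one output row per value
4 | SUM(passed_count) AS passed,
5 | SUM(failed_count) AS failed,
6 | SUM(passed_count) + SUM(failed_count) AS total,
7 | ROUND( (SUM(failed_count) / NULLIF(SUM(passed_count) + SUM(failed_count), 0) * 100), 2) AS failed_pct, -- NULL instead of a divide-by-zero error when a group has no counted authentications
8 | ROUND(SUM(total_response_time) / NULLIF(SUM(passed_count) + SUM(failed_count), 0), 2) AS total_response_time, -- average response time per authentication, despite the column name
9 | MAX(max_response_time) AS max_response_time
10 | FROM radius_authentication_summary
11 | GROUP BY security_group
12 | ORDER BY security_group ASC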
--------------------------------------------------------------------------------
/data/SQL/radius_auths_by_sgt.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Authentications by SGT
3 | --
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
8 | SELECT
9 | security_group,
10 | calling_station_id, -- grouping key, so no aggregate is needed to return it
11 | MAX(framed_ip_address) AS ipv4, -- each MAX is computed on its own: ipv4, username and timestamp may come from different records of the group
12 | MAX(username),
13 | MAX(timestamp) AS timestamp, -- most recent passed authentication for this SGT + MAC pair
14 | MAX(passed) -- always 'Pass' because of the WHERE filter
15 | FROM radius_authentications
16 | WHERE passed = 'Pass'
17 | GROUP BY calling_station_id,
18 | security_group
19 | -- framed_ip_address,
20 | -- username,
21 | -- passed
22 | ORDER BY security_group, timestamp DESC
23 | FETCH FIRST 10 ROWS ONLY -- cap the default result size on large datasets
24 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_failure_reason_counts.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Authentications by Failure Reason Counts
3 | --
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
8 | SELECT -- failure counts per (failure_reason, MAC, username), most frequent first
9 | COUNT(*) as total,
10 | calling_station_id AS mac,
11 | username AS username,
12 | -- MAX(device_name),
13 | -- MAX(nas_ip_address),
14 | -- MAX(ise_node),
15 | -- MAX(policy_set_name), -- Default, Wired, etc.
16 | -- audit_session_id,
17 | -- access_service, -- Allowed Protocols
18 | -- authentication_method AS auth_method,
19 | -- authentication_protocol AS auth_protocol,
20 | -- authorization_rule AS authz_rule, -- ⚠ Blank for failed auths!
21 | -- authorization_profiles AS authz_profiles, -- ⚠ Blank for failed auths!
22 | failure_reason
23 | FROM radius_authentications
24 | WHERE failure_reason IS NOT NULL -- no time bound by default: counts span every record in the table
25 | -- AND timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
26 | -- AND timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
27 | -- AND timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
28 | -- AND timestamp > sysdate - INTERVAL '1' DAY -- last N days
29 | GROUP BY failure_reason, calling_station_id, username
30 | ORDER BY total DESC
31 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
32 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_invalid.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Authentications with Username 'INVALID'
3 | --
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
8 | SELECT -- the 50 most recent authentications logged with username 'INVALID'
9 | -- timestamp,
10 | TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
11 | -- failed,
12 | calling_station_id, -- with the username masked, the MAC and NAS port are what identify the source
13 | username,
14 | failure_reason,
15 | device_name,
16 | nas_port_id,
17 | nas_port_type,
18 | response_time,
19 | policy_set_name, -- Default, Wired, etc.
20 | ise_node
21 | -- user_type,
22 | -- '1' for username='INVALID'
23 | -- access_service, -- Allowed Protocols
24 | -- audit_session_id,
25 | -- authentication_method,
26 | -- authentication_protocol,
27 | -- authorization_profiles, -- ⚠ blank for failed auths
28 | -- authorization_rule, -- ⚠ blank for failed auths
29 | -- checksum,
30 | -- credential_check -- Auth protocol?
31 | -- device_type, -- NDG
32 | -- framed_ip_address,
33 | -- framed_ipv6_address,
34 | -- ⓘ Endpoint
35 | -- id,
36 | -- identity_group,
37 | -- identity_store,
38 | -- location, -- NDG
39 | -- mdm_server_name, -- ⚠ blank for failed auths
40 | -- nas_ip_address,
41 | -- nas_ipv6_address,
42 | -- orig_calling_station_id,
43 | -- passed, -- 'Fail' for username='INVALID'
44 | -- posture_status, -- ⚠ blank for failed auths
45 | -- response_time
46 | -- security_group, -- ⚠ blank for failed auths
47 | -- service_type,
48 | -- syslog_message_code,
49 | FROM radius_authentications
50 | WHERE username = 'INVALID' -- NOTE(review): presumably the placeholder ISE logs instead of the submitted username on some failed authentications — confirm against the deployment's RADIUS settings
51 | -- ORDER BY timestamp ASC -- first/oldest records
52 | ORDER BY timestamp DESC -- most recent records
53 | FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets
54 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_last_by_username.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Last Authentication (max timestamp) by Username
3 | --
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 |
8 | SELECT
9 | TO_CHAR(MAX(ra.timestamp), 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- latest authentication per user, whole seconds only
10 | ra.username
11 | FROM radius_authentications ra
12 | -- WHERE ra.username = 'thomas'
13 | -- WHERE ra.timestamp > SYSDATE - INTERVAL '10' SECOND -- last N seconds
14 | -- WHERE ra.timestamp > SYSDATE - INTERVAL '1' MINUTE -- last N minutes
15 | -- WHERE ra.timestamp > SYSDATE - INTERVAL '1' HOUR -- last N hours
16 | WHERE ra.timestamp > SYSDATE - INTERVAL '1' DAY -- last N days
17 | GROUP BY ra.username
18 | ORDER BY ra.username -- ascending is the default sort direction
19 | -- FETCH FIRST 50 ROWS ONLY -- cap the default result size on large datasets
20 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_pass_fail_counts_by_username.sql:
--------------------------------------------------------------------------------
1 | -- RADIUS Authentication Pass/Fail Counts by Username
2 | -- Author: Thomas Howard, thomas@cisco.com
3 | -- License: MIT - https://mit-license.org
4 | -- 💡 Change the sort to `ORDER BY failed DESC` to list the usernames with the most failures in the window first.
5 |
6 | SELECT
7 | username,
8 | COUNT( CASE WHEN passed = 'Pass' THEN 1 END ) AS passed, -- CASE without ELSE yields NULL, which COUNT skips
9 | COUNT( CASE WHEN passed = 'Fail' THEN 1 END ) AS failed, -- rows whose `passed` column holds 'Fail'
10 | COUNT(*) AS total -- every row for the username, whatever `passed` holds
11 | FROM radius_authentications
12 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
13 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
14 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
15 | WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days
16 | GROUP BY username
17 | ORDER BY username ASC
18 | -- FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets
19 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_password_failures.sql:
--------------------------------------------------------------------------------
1 | -- RADIUS Authentications - Password Failures
2 | -- Count password-related failures which may indicate a credential stuffing attack.
3 | -- ⚠ No time window is active, so totals cover every retained record; enable one of the timestamp filters below to see a recent burst.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | -- 💡 Uncomment calling_station_id / device_name in BOTH the SELECT and the GROUP BY to see which endpoints and network devices the failures come from.
7 | SELECT
8 | COUNT(*) AS total, -- failures per (username, nas_port_type, failure_reason) group
9 | TO_CHAR(MAX(timestamp), 'YYYY-MM-DD HH24:MI:SS') AS last_failed, -- newest failure in the group; drop fractional seconds
10 | username,
11 | nas_port_type,
12 | -- calling_station_id,
13 | -- device_name,
14 | failure_reason
15 | -- policy_set_name, -- Default, Wired, etc.
16 | -- location, -- NDG
17 | -- passed, -- 'Fail' for username='INVALID'
18 | -- user_type, -- ⚠ Blank?
19 | -- nas_ip_address,
20 | -- nas_port_id,
21 | -- ise_node,
22 | -- audit_session_id,
23 | -- access_service, -- Allowed Protocols
24 | -- authentication_method AS auth_method,
25 | -- authentication_protocol AS auth_protocol,
26 | -- authorization_rule AS authz_rule, -- ⚠ Blank for failed auths!
27 | -- authorization_profiles AS authz_profiles, -- ⚠ Blank for failed auths!
28 | -- checksum,
29 | -- credential_check -- Auth protocol?
30 | -- device_type, -- NDG
31 | -- failed,
32 | -- framed_ip_address,
33 | -- framed_ipv6_address,
34 | -- id,
35 | -- identity_group,
36 | -- identity_store,
37 | -- mdm_server_name,
38 | -- nas_ipv6_address,
39 | -- orig_calling_station_id,
40 | -- posture_status,
41 | -- response_time -- ⚠ Blank for failed auths!
42 | -- security_group, -- ⚠ Blank for failed auths!
43 | -- service_type,
44 | -- syslog_message_code,
45 | -- response_time
46 | FROM radius_authentications
47 | WHERE failure_reason LIKE '%password%' -- substring match on the reason text, e.g. the 22040 reason below; NOTE(review): presumably case-sensitive, confirm
48 | -- AND failure_reason ^= '22040 Wrong password or invalid shared secret' -- `^=` means "not equal"
49 | -- AND nas_port_type = 'Virtual' -- VPN connections
50 | -- AND timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
51 | -- AND timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
52 | -- AND timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
53 | -- AND timestamp > sysdate - INTERVAL '7' DAY -- last N days
54 | GROUP BY
55 | username,
56 | nas_port_type,
57 | -- calling_station_id,
58 | -- device_name,
59 | failure_reason
60 | ORDER BY total DESC, username ASC
--------------------------------------------------------------------------------
/data/SQL/radius_auths_subject_not_found.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Authentications - Subject Not Found
3 | -- Lists the last 30 days of attempts whose failure_reason starts with code 22056, oldest first.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | -- 💡 Many different usernames from one calling_station_id or device_name deserve a look: username guessing, or a misconfigured supplicant.
7 |
8 | SELECT
9 | TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
10 | calling_station_id,
11 | username, -- subject
12 | device_name,
13 | policy_set_name, -- Default, Wired, etc.
14 | access_service, -- Allowed Protocols
15 | authentication_method AS auth_method,
16 | CASE WHEN LENGTH(failure_reason) > 40 THEN SUBSTR(failure_reason, 1, 39) || '⋯' ELSE failure_reason END AS failure_reason -- cap long reasons at 40 characters
17 | -- user_type, -- ⚠ Blank?
18 | -- nas_ip_address,
19 | -- nas_port_id,
20 | -- nas_port_type,
21 | -- ise_node,
22 | -- audit_session_id,
23 | -- authentication_protocol AS auth_protocol,
24 | -- authorization_rule AS authz_rule, -- ⚠ Blank for failed auths!
25 | -- authorization_profiles AS authz_profiles, -- ⚠ Blank for failed auths!
26 | -- checksum,
27 | -- credential_check -- Auth protocol?
28 | -- device_type, -- NDG
29 | -- passed, -- 'Fail' for username='INVALID'
30 | -- failed,
31 | -- SUBSTR(failure_reason, 1, 50) || '⋯' AS failure_reason,
32 | -- framed_ip_address,
33 | -- framed_ipv6_address,
34 | -- id,
35 | -- identity_group,
36 | -- identity_store,
37 | -- location, -- NDG
38 | -- mdm_server_name,
39 | -- nas_ipv6_address,
40 | -- orig_calling_station_id,
41 | -- posture_status,
42 | -- response_time -- ⚠ Blank for failed auths!
43 | -- security_group, -- ⚠ Blank for failed auths!
44 | -- service_type,
45 | -- syslog_message_code,
46 | -- response_time
47 | FROM radius_authentications
48 | WHERE failure_reason LIKE '22056%' -- prefix match on the failure code
49 | -- WHERE failure_reason IS NULL
50 | -- WHERE failure_reason IS NOT NULL
51 | -- AND failed = 1
52 | -- AND username = 'INVALID'
53 | -- AND timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
54 | -- AND timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
55 | -- AND timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
56 | AND timestamp > sysdate - INTERVAL '30' DAY -- last N days
57 | -- AND TO_CHAR(timestamp, 'YYYY-MM-DD') = '2024-11-01' -- match a timestamp by day
58 | -- AND TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') = '2024-11-01 00:08:27' -- match one second (fractional seconds are dropped by the format)
59 | -- AND timestamp > TIMESTAMP '2024-11-01 00:00:00' -- after a timestamp
60 | -- AND timestamp > TIMESTAMP '2024-11-01 00:00:00' AND timestamp < TIMESTAMP '2024-11-02 00:00:00' -- time window
61 | -- AND timestamp BETWEEN Date '2024-11-01' and Date '2024-11-02' -- BETWEEN is inclusive, but the end bound is midnight, so the rest of 2024-11-02 is left out
62 | -- GROUP BY failure_reason
63 | ORDER BY timestamp ASC -- first/oldest records
64 |
--------------------------------------------------------------------------------
/data/SQL/radius_auths_summary.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- radius_authentication_summary
3 | --
4 | -- ⚠ `radius_authentication_summary` table is limited to only 30 days of data!
5 | -- 💡 Use `radius_authentications` for *all* records in database!
6 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
7 | --
8 | -- Author: Thomas Howard, thomas@cisco.com
9 | -- License: MIT - https://mit-license.org
10 | --
11 |
12 | SELECT
13 | timestamp, -- timestamp(6) Time when the record was added
14 | username, -- User name
15 | calling_station_id, -- MAC address of the device the user is using
16 | identity_group, -- The Identity Group to which the user belongs. Example - Windows11-Workstation
17 | device_name, -- The name of the network device used by the user to access the network. Example - 9800CLWLC, Access-Switch-3K, 9800VWLC etc.
18 | -- device_type, -- The type of the network device used by the user to access the network. Example - Wireless - IEEE 802.11
19 | -- location, -- The location hierarchy of the network device. Example - All Locations#My-Territory#US#Sanjose#BLDG5
20 | nas_port_id, -- ID of the NAD Port used. Example - GigabitEthernet1/0/14
21 | authorization_profiles, -- The authorization profile applied. Example - PermitAccess, Machine-Access
22 | security_group -- The security group classification of the device, i.e. the source SGT. Example - TrustedDevices, Quarantined_Systems
23 | -- ise_node, -- Name of the ISE server used for authentication
24 | -- identity_store, -- The Identity Store to which the authenticated user belongs. Example - Internal Endpoints
25 | -- access_service, -- The protocol used for authentication. Example - NDAC_SGT_Service, Default Network Access
26 | -- failure_reason, -- Reason for the failure, in case authentication was not successful
27 | -- total_response_time, -- The total response time required for authentication
28 | -- max_response_time, -- The maximum response time required for authentication
29 | -- passed_count, -- The number of passed authentications
30 | -- failed_count -- The number of failed authentications
31 | FROM radius_authentication_summary
32 | ORDER BY timestamp ASC -- first/oldest records
33 | -- ORDER BY timestamp DESC -- most recent records
34 | FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets
35 |
--------------------------------------------------------------------------------
/data/SQL/radius_errors.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- Practical radius_errors_view
3 | -- ⚠ `username` is the identity the client claimed in a request that failed; treat it as unverified input.
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 | -- Author: Thomas Howard, thomas@cisco.com
7 | -- License: MIT - https://mit-license.org
8 | --
9 |
10 | SELECT
11 | TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
12 | -- timestamp_timezone, -- OK for thin client
13 | -- id AS id, -- session ID?
14 | -- audit_session_id, -- unique numeric string identifying the server session
15 | calling_station_id AS mac, -- endpoint MAC address
16 | username, -- user's claimed identity
17 | -- user_type, -- sometimes `User`; unreliable
18 | network_device_name AS device,
19 | nas_ip_address,
20 | SUBSTR(device_type, 18) AS device_ndg, -- network device group (NDG) path from character 18 on, i.e. without the 17-character 'All Device Types#' root (presumably '#'-separated like location)
21 | SUBSTR(location, 15) AS location, -- NDG path from character 15 on, i.e. without the 14-character 'All Locations#' root
22 | -- nas_ipv6_address, -- NULL if IPv4
23 | -- nas_port_id, -- ⚠ always null for Meraki?
24 | nas_port_type, -- NULL, Ethernet, Wireless - IEEE 802.11, etc.
25 |
26 | authentication_method AS authn_method, -- Example: MSCHAPV2
27 | authentication_protocol AS authn_protocol, -- Example: PEAP (EAP-MSCHAPv2), EAP-TLS
28 | -- authorization_policy, -- ⚠ always null
29 | message_code AS code, -- Example: 5411
30 | response, -- NULL or `{RadiusPacketType=Drop; }`
31 | -- ise_node,
32 | -- mdm_server_name,
33 | access_service AS allowed_protocols, -- allowed protocols
34 | -- identity_store,
35 | -- identity_group,
36 | service_type, -- NULL, Framed, Call Check, etc.
37 | -- selected_authorization_profiles, -- authorization profile used after authentication
38 | -- posture_status,
39 | CASE WHEN LENGTH(failure_reason) > 50 THEN SUBSTR(failure_reason, 1, 49) || '⋯' ELSE failure_reason END AS failure_reason, -- ⚠ long message text, capped at 50 characters
40 | -- message_text, -- same as failure_reason without error code
41 | -- execution_steps, -- very long list of step numbers
42 | -- other_attributes, -- very long string of RADIUS attributes; useful for debugging
43 | -- other_attributes_string, -- long list of RADIUS attributes
44 | -- passed AS pass, -- ⚠ always 'Fail'
45 | -- failed AS fail, -- ⚠ always 1
46 | -- authentication_policy, -- ⚠ always null
47 | -- credential_check, -- ⚠ always null
48 | -- endpoint_profile, -- ⚠ always null
49 | -- framed_ip_address, -- ⚠ always null
50 | -- framed_ipv6_address, -- ⚠ always null
51 | -- security_group AS SGT, -- ⚠ always null
52 | response_time AS resp_ms -- milliseconds
53 | FROM radius_errors_view
54 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
55 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
56 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
57 | WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days
58 | ORDER BY timestamp ASC -- first/oldest records
59 | -- ORDER BY timestamp DESC -- most recent records
60 | -- FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
61 |
--------------------------------------------------------------------------------
/data/SQL/radius_errors_summary.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- RADIUS Errors Summary
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | COUNT(*) AS total, --
9 | message_code as error, -- Example: 5411
10 | MAX(message_text) AS message_text -- Example: Supplicant stopped responding to ISE
11 | -- MAX(TRUNC(timestamp)) AS timestamp --
12 | -- MAX(timestamp) AS timestamp --
13 | -- passed, -- always 'Fail'?
14 | -- failed, -- always 1?
15 | -- authentication_policy,
16 | -- authorization_policy,
17 | -- response_time, -- milliseconds
18 | -- credential_check, -- always empty?
19 | -- endpoint_profile, -- always empty?
20 | -- authentication_method, -- Example: MSCHAPV2
21 | -- authentication_protocol, -- Example: PEAP (EAP-MSCHAPv2), EAP-TLS
22 | -- network_device_name,
23 | -- response -- always empty?
24 | -- timestamp_timezone, -- OK for thin client
25 | -- id,
26 | -- ise_node,
27 | -- mdm_server_name,
28 | -- username,
29 | -- user_type,
30 | -- calling_station_id,
31 | -- access_service,
32 | -- framed_ip_address,
33 | -- framed_ipv6_address,
34 | -- identity_store,
35 | -- identity_group,
36 | -- audit_session_id,
37 | -- service_type,
38 | -- device_type, -- 'All Device Types' network device group (NDG)
39 | -- location, -- 'All Locations' network device group (NDG)
40 | -- nas_ip_address,
41 | -- nas_ipv6_address,
42 | -- nas_port_id,
43 | -- nas_port_type,
44 | -- selected_authorization_profiles,
45 | -- posture_status,
46 | -- security_group,
47 | -- failure_reason,
48 | -- execution_steps,
49 | -- other_attributes
50 | -- other_attributes_string, -- long list of RADIUS attributes
51 | FROM radius_errors_view
52 | -- WHERE message_code = 5411
53 | -- WHERE TRUNC(timestamp) = TRUNC(SYSDATE) -- today
54 | -- WHERE TRUNC(timestamp, 'HH24') = TRUNC(SYSDATE, 'HH24') -- sessions this hour
55 | -- WHERE TRUNC(timestamp, 'MI') = TRUNC(SYSDATE, 'MI') -- sessions this minute
56 | GROUP BY message_code
57 | -- ORDER BY total ASC -- increasing
58 | ORDER BY total DESC -- decreasing
59 |
--------------------------------------------------------------------------------
/data/SQL/radius_errors_view.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- radius_errors_view
3 | -- Check for RADIUS Requests Dropped, EAP connection time outs and unknown NADs
4 | --
5 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
6 | --
7 |
8 | SELECT
9 | * -- all columns
10 | -- timestamp,
11 | -- passed, -- ⚠ always 'Fail'
12 | -- failed, -- ⚠ always 1
13 | -- authentication_policy, -- ⚠ always null
14 | -- authorization_policy, -- ⚠ always null
15 | -- response_time, -- milliseconds
16 | -- credential_check, -- ⚠ always null
17 | -- endpoint_profile, -- ⚠ always null
18 | -- authentication_method, -- Example: MSCHAPV2
19 | -- authentication_protocol, -- Example: PEAP (EAP-MSCHAPv2), EAP-TLS
20 | -- network_device_name,
21 | -- message_code, -- Example: 5411
22 | -- response -- always empty?
23 | -- timestamp_timezone, -- OK for thin client
24 | -- id,
25 | -- ise_node,
26 | -- mdm_server_name,
27 | -- username, -- user's claimed identity
28 | -- user_type,
29 | -- calling_station_id,
30 | -- access_service,
31 | -- framed_ip_address,
32 | -- framed_ipv6_address,
33 | -- identity_store,
34 | -- identity_group,
35 | -- audit_session_id,
36 | -- service_type,
37 | -- device_type, -- 'All Device Types' network device group (NDG)
38 | -- location, -- 'All Locations' network device group (NDG)
39 | -- nas_ip_address,
40 | -- nas_ipv6_address,
41 | -- nas_port_id,
42 | -- nas_port_type,
43 | -- selected_authorization_profiles, -- authorization profile used after authentication
44 | -- posture_status,
45 | -- security_group,
46 | -- failure_reason,
47 | -- execution_steps,
48 | -- other_attributes,
49 | -- message_text, -- Example: Supplicant stopped responding to ISE
50 | -- other_attributes_string, -- long list of RADIUS attributes
51 | FROM radius_errors_view
52 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
53 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
54 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
55 | -- WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days
56 | ORDER BY timestamp ASC -- first/oldest records
57 | -- ORDER BY timestamp DESC -- most recent records
58 | FETCH FIRST 1 ROWS ONLY -- limit default number of rows returned for large datasets
59 |
--------------------------------------------------------------------------------
/data/SQL/registered_endpoints.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- registered_endpoints
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | FROM registered_endpoints
10 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
11 |
--------------------------------------------------------------------------------
/data/SQL/security_group_acls.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- security_group_acls
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | FROM security_group_acls
10 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
11 |
--------------------------------------------------------------------------------
/data/SQL/security_groups.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- security_groups
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | -- name,
10 | -- sgt_dec,
11 | -- sgt_hex,
12 | -- description,
13 | -- learned_from
14 | FROM security_groups
15 | ORDER BY name ASC -- alphabetical
16 | -- ORDER BY sgt_dec ASC -- numerical
17 | -- ORDER BY sgt_dec DESC -- numerical
18 |
--------------------------------------------------------------------------------
/data/SQL/system_diagnostics_view.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- system_diagnostics_view
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | -- id,
10 | -- timestamp_timezone,
11 | -- timestamp,
12 | -- ise_node,
13 | -- message_severity,
14 | -- message_code,
15 | -- message_text,
16 | -- category,
17 | -- diagnostic_info
18 | FROM system_diagnostics_view
19 | ORDER BY timestamp ASC
20 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
21 |
--------------------------------------------------------------------------------
/data/SQL/system_summary.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- system_summary
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | -- timestamp,
10 | -- ise_node,
11 | -- cpu_utilization,
12 | -- cpu_count,
13 | -- memory_utilization,
14 | -- diskspace_root,
15 | -- diskspace_boot,
16 | -- diskspace_opt,
17 | -- diskspace_storedconfig,
18 | -- diskspace_tmp,
19 | -- diskspace_runtime
20 | FROM system_summary
21 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
22 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
23 | -- WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
24 | -- WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days
25 | ORDER BY timestamp ASC -- first/oldest records
26 | FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets
27 |
--------------------------------------------------------------------------------
/data/SQL/system_summary_daily.sql:
--------------------------------------------------------------------------------
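1 | -- ISE System Summary Daily: one row per day and ISE node with average and peak CPU / memory utilization
2 |
3 | SELECT TRUNC(timestamp, 'DD') AS datetime, -- timestamp truncated to the day
4 | MAX(ise_node) AS node, -- constant inside each group because ise_node is a GROUP BY key
5 | AVG(cpu_utilization) AS cpu_avg,
6 | MAX(cpu_utilization) AS cpu_max,
7 | MAX(cpu_count) AS cpus,
8 | AVG(memory_utilization) AS mem_avg,
9 | MAX(memory_utilization) AS mem_max
10 | -- MAX(diskspace_root),
11 | -- MAX(diskspace_boot),
12 | -- MAX(diskspace_opt),
13 | -- MAX(diskspace_storedconfig),
14 | -- MAX(diskspace_tmp),
15 | -- MAX(diskspace_runtime)
16 | FROM system_summary
17 | GROUP BY TRUNC(timestamp, 'DD'),
18 | ise_node
19 | ORDER BY TRUNC(timestamp, 'DD') ASC, ise_node ASC -- node as tie-breaker so rows for the same day come back in a stable order
20 | -- FETCH FIRST 10 ROWS ONLY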
21 |
--------------------------------------------------------------------------------
/data/SQL/system_summary_last_hour.sql:
--------------------------------------------------------------------------------
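1 | --
2 | -- ISE System (Nodes) Summary for the Last 1 hour
3 | -- Utilization and disk-space columns are rendered as text with a trailing '%'.
4 | -- Author: Thomas Howard, thomas@cisco.com
5 | -- License: MIT - https://mit-license.org
6 | --
7 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
8 | --
9 |
10 | SELECT
11 | -- * -- all columns
12 | TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS timestamp, -- drop fractional seconds
13 | ise_node AS ise_node, -- node the sample belongs to
14 | cpu_count AS cpus, -- CPU count reported for the node
15 | TO_CHAR(cpu_utilization, 'fm999D00') || '%' AS cpu_util, -- two decimals; `fm` strips the padding blanks
16 | TO_CHAR(memory_utilization, 'fm999D00') || '%' AS memory_disk , -- memory utilization, now with `fm` like cpu_util; alias kept as-is for existing consumers
17 | TO_CHAR(diskspace_root, 'fm999') || '%' AS root_disk , -- whole number
18 | TO_CHAR(diskspace_boot, 'fm999') || '%' AS boot_disk , -- whole number
19 | TO_CHAR(diskspace_opt, 'fm999') || '%' AS opt_disk , -- whole number
20 | TO_CHAR(diskspace_storedconfig, 'fm999') || '%' AS config_disk , -- whole number
21 | TO_CHAR(diskspace_tmp, 'fm999') || '%' AS tmp_disk -- whole number; last active column, so no trailing `,`
22 | -- TO_CHAR(diskspace_runtime, 'fm990D99') || '%' AS runtime_disk ,
23 | FROM system_summary
24 | -- WHERE timestamp > sysdate - INTERVAL '10' SECOND -- last N seconds
25 | -- WHERE timestamp > sysdate - INTERVAL '1' MINUTE -- last N minutes
26 | WHERE timestamp > sysdate - INTERVAL '1' HOUR -- last N hours
27 | -- WHERE timestamp > sysdate - INTERVAL '1' DAY -- last N days
28 | -- AND ise_node = 'ise-ppan'
29 | ORDER BY timestamp ASC
30 | -- FETCH FIRST 50 ROWS ONLY -- limit default number of rows returned for large datasets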
31 |
--------------------------------------------------------------------------------
/data/SQL/tacacs_accounting.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- tacacs_accounting
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | FROM tacacs_accounting
10 | ORDER BY logged_time ASC -- first/oldest records
11 | -- ORDER BY logged_time DESC -- most recent records
12 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/tacacs_accounting_last_two_days.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- tacacs_accounting_last_two_days
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | FROM tacacs_accounting_last_two_days
10 | ORDER BY logged_time ASC -- first/oldest records
11 | -- ORDER BY logged_time DESC -- most recent records
12 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/tacacs_authentication_summary.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- tacacs_authentication_summary
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | FROM tacacs_authentication_summary
10 | ORDER BY logged_time ASC -- first/oldest records
11 | -- ORDER BY logged_time DESC -- most recent records
12 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
13 |
--------------------------------------------------------------------------------
/data/SQL/tacacs_authorizations.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- tacacs_authorizations
3 | --
4 |
5 | SELECT
6 | * -- all columns
7 | FROM tacacs_authorizations
8 | ORDER BY logged_time ASC -- first/oldest records
9 | -- ORDER BY logged_time DESC -- most recent records
10 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/tacacs_command_accounting.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- tacacs_command_accounting
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | FROM tacacs_command_accounting
10 | ORDER BY logged_time ASC -- first/oldest records
11 | -- ORDER BY logged_time DESC -- most recent records
12 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
13 |
--------------------------------------------------------------------------------
/data/SQL/tcnac_adapter_status.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- ISE Reports > Threat-Centric NAC > Adapter-status
3 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
4 |
5 | SELECT
6 | * -- all columns
7 | -- logged_at, -- timestamp(6) time when the syslog was processed and stored by the Monitoring node
8 | -- status, -- adapter status
9 | -- id, -- unique database ID
10 | -- adapter_name, -- adapter name
11 | -- connectivity -- connectivity
12 | FROM adapter_status
13 | ORDER BY logged_at ASC -- first/oldest records
14 | -- ORDER BY logged_at DESC -- most recent records
15 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/tcnac_vulnerability_assessment_failures.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- vulnerability_assessment_failures
3 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
4 |
5 | SELECT
6 | * -- all columns
7 | -- logged_at, -- timestamp(6) the time when the syslog was processed and stored by the Monitoring node
8 | -- id, -- unique database ID
9 | -- adapter_instance_name, -- adapter instance name
10 | -- adapter_instance_id, -- adapter instance ID
11 | -- vendor_name, -- vendor name
12 | -- ise_node, -- ACS instance
13 | -- mac_address, -- MAC address
14 | -- ip_address, -- IP address
15 | -- operation_messsage_text, -- operation message text
16 | -- message_type -- message type
17 | FROM vulnerability_assessment_failures
18 | ORDER BY logged_at ASC -- first/oldest records
19 | -- ORDER BY logged_at DESC -- most recent records
20 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
--------------------------------------------------------------------------------
/data/SQL/user_identity_groups.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- user_identity_groups
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | -- id,
10 | -- name,
11 | -- description,
12 | -- created_by,
13 | -- create_time,
14 | -- update_time,
15 | -- status
16 | FROM user_identity_groups
17 | -- ORDER BY update_time ASC -- first/oldest records
18 | ORDER BY update_time DESC -- most recent records
19 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
20 |
--------------------------------------------------------------------------------
/data/SQL/user_password_changes.sql:
--------------------------------------------------------------------------------
1 | --
2 | -- user_password_changes
3 | --
4 | -- 💡 Un/Comment columns to quickly customize queries. Remember the last SELECT column must not end with a `,`.
5 | --
6 |
7 | SELECT
8 | * -- all columns
9 | -- timestamp_timezone,
10 | -- timestamp,
11 | -- ise_node,
12 | -- message_code,
13 | -- admin_name,
14 | -- admin_ip_address,
15 | -- admin_ipv6_address,
16 | -- admin_interface,
17 | -- message_class,
18 | -- message_text,
19 | -- operator_name,
20 | -- user_admin_flag,
21 | -- account_name,
22 | -- device_ip,
23 | -- identity_store_name,
24 | -- change_password_method,
25 | -- audit_password_type
26 | FROM user_password_changes
27 | ORDER BY timestamp ASC -- first/oldest records
28 | -- ORDER BY timestamp DESC -- most recent records
29 | FETCH FIRST 10 ROWS ONLY -- limit default number of rows returned for large datasets
30 |
--------------------------------------------------------------------------------
/data/YAML/endpoint-example.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | #
3 | # Endpoints
4 | #
5 | # ⚠ XXXX:XXXX:XXXX is not a valid MAC format for ISE; use XX-XX-XX-XX-XX-XX, XX:XX:XX:XX:XX:XX or XXXX.XXXX.XXXX as in the entries below
6 | #
7 |
8 | # endpoint: []
9 |
10 | endpoint:
11 |
12 | - mac: "11:22:33:44:55:66" # quote MACs written with colons so the YAML loader always reads them as strings
13 | description: Minimal endpoint definition with IEEE 802 MAC format (XX-XX-XX-XX-XX-XX)
14 |
15 | - mac: "11:22:33:44:55:77"
16 | description: Minimal endpoint definition with IEEE 802 MAC format (XX-XX-XX-XX-XX-XX)
17 |
18 | - mac: "11:22:33:44:55:88"
19 | description: Minimal endpoint definition with IEEE 802 MAC format (XX-XX-XX-XX-XX-XX)
20 |
21 | - mac: "11:22:33:44:55:99"
22 | description: Minimal endpoint definition with IEEE 802 MAC format (XX-XX-XX-XX-XX-XX)
23 |
24 | - mac: "DEAD.BEEF.CAFE"
25 | description: Minimal required definition with alternative dot-format (XXXX.XXXX.XXXX)
26 |
27 | - mac: "C0:FF:EE:EE:CA:FE"
28 | description: Minimal endpoint definition with Colon format (XX:XX:XX:XX:XX:XX)
29 |
30 | - mac: "CC:00:FF:FF:EE:EE"
31 | description: Coffee Machine
32 |
33 |
34 | #------------------------------------------------------------------------------
35 | # Cameras
36 | #------------------------------------------------------------------------------
37 |
38 | - mac: D8-EB-97-85-F8-C9
39 | description: Surveillance Camera
40 | staticGroupAssignment: true
41 | groupId: Trendnet-Device # Trendnet-Device
42 |
43 | - mac: AC:17:C8:0C:17:A0
44 | description: Meraki Surveillance Camera
45 | staticGroupAssignment: true
46 | groupId: Cameras # Cameras
47 |
48 |
49 | #------------------------------------------------------------------------------
50 | # IP Phones
51 | #------------------------------------------------------------------------------
52 |
53 | - mac: 00-11-BB-EF-EE-66
54 | description: IP Phone
55 | staticGroupAssignment: true
56 | groupId: Cisco-IP-Phone # Cisco-IP-Phone
57 |
58 | #------------------------------------------------------------------------------
59 | # Printers
60 | #------------------------------------------------------------------------------
61 |
62 | - mac: 00-00-AA-41-8C-A8
63 | description: Printers
64 | staticGroupAssignment: true
65 | groupId: Epson-Device # Epson-Device
66 |
67 |
68 | #------------------------------------------------------------------------------
69 | # Raspberry Pis
70 | #------------------------------------------------------------------------------
71 |
72 | - mac: DC:A6:32:6D:A3:BA
73 | description: RPI-1-Wired
74 |
75 | - mac: DC:A6:32:6D:A3:BB
76 | description: RPI-1-Wireless
77 |
78 | - mac: DC:A6:32:1A:C5:F7
79 | description: RPI-2-Wired
80 |
81 | - mac: DC:A6:32:1A:C5:F8
82 | description: RPI-2-Wireless
83 |
84 |
85 | #------------------------------------------------------------------------------
86 | # Static Endpoint Group Testing
87 | #------------------------------------------------------------------------------
88 |
89 | - mac: EE:EE:EE:EE:EE:EE
90 | description: Test 'Exception' Static Endpoint Group
91 | staticGroupAssignment: true
92 | groupId: Exception # Exception
93 |
94 | - mac: B1:0C:B1:0C:B1:0C
95 | description: Test 'Blocked' Static Endpoint Group
96 | staticGroupAssignment: true
97 | groupId: Blocked # Blocked
98 |
99 | - mac: 2c3f.0b56.e36c
100 | description: lab-mr46-1 AP
101 | staticGroupAssignment: true
102 | groupId: AccessPoints # AccessPoints
103 |
--------------------------------------------------------------------------------
/data/YAML/endpointgroup.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | #
3 | # ISE Endpoint Groups examples.
4 | #
5 |
6 | # 💡 Use [] for an empty list
7 | # endpointgroup: []
8 |
9 | endpointgroup:
10 |
11 | #------------------------------------------------------------------------------
12 | # General Groups or Scenarios
13 | #------------------------------------------------------------------------------
14 |
15 | - name: Allowed
16 | description: Allowed
17 |
18 | - name: Blocked
19 | description: Blocked
20 |
21 | - name: Assets
22 | description: Assets
23 |
24 | - name: IOT
25 | description: IOT
26 |
27 | - name: PXE
28 | description: PXE Boot access
29 |
30 | - name: Exception
31 | description: Temporary endpoint exception
32 |
33 | - name: Quarantine
34 | description: Limit access to remediation
35 |
36 | #------------------------------------------------------------------------------
37 | # Endpoint Types
38 | #------------------------------------------------------------------------------
39 |
40 | - name: AccessPoints
41 | description: Access Points
42 |
43 | - name: Computer
44 | description: Computer
45 |
46 | - name: Mobile
47 | description: Mobile
48 |
49 | - name: Desktops
50 | description: Desktops
51 |
52 | - name: Laptops
53 | description: Laptops
54 |
55 | - name: Raspberry_Pis
56 | description: Raspberry Pi
57 |
58 | - name: Smartphones
59 | description: Smartphones
60 |
61 | - name: Tablets
62 | description: Tablets
63 |
64 | - name: Servers
65 | description: Servers
66 |
67 | - name: Workstations
68 | description: Workstations
69 |
70 | - name: Printers
71 | description: Printers
72 |
73 | - name: Signage
74 | description: Signage
75 |
76 | - name: Power
77 | description: Power Supplies, Outlets, UPS, etc.
78 |
79 | - name: RFID
80 | description: RFID Sensors
81 |
82 | - name: GameConsole
83 | description: A video game console like the Xbox or PlayStation.
84 |
85 |
86 | #------------------------------------------------------------------------------
87 | # Communications
88 | #------------------------------------------------------------------------------
89 |
90 | - name: Phones
91 | description: Phones
92 |
93 | - name: Telepresence
94 | description: Telepresence
95 |
96 | - name: Webex
97 | description: Webex
98 |
99 |
100 | #------------------------------------------------------------------------------
101 | # Physical Security
102 | #------------------------------------------------------------------------------
103 |
104 | - name: Badging
105 | description: Badge Readers
106 |
107 | - name: Cameras
108 | description: Cameras
109 |
110 |
111 | #------------------------------------------------------------------------------
112 | # Building / Facilities
113 | #------------------------------------------------------------------------------
114 |
115 | - name: Facilities
116 | description: Facilities IOT endpoints
117 |
118 | - name: Lighting
119 | description: Lighting
120 |
121 | - name: HVAC
122 | description: HVAC
123 |
124 | - name: Thermostats
125 | description: Thermostats
126 |
127 | - name: Elevators
128 | description: Elevators
129 |
130 | - name: Pumps
131 | description: Pumps
132 |
133 | - name: Vending
134 | description: Vending
135 |
136 |
137 | #------------------------------------------------------------------------------
138 | # Entertainment Devices
139 | #------------------------------------------------------------------------------
140 |
141 | - name: Entertainment
142 | description: Entertainment
143 |
144 | - name: Amazon_Echo
145 | description: AmazonTV
146 |
147 | - name: Amazon_TV
148 | description: AmazonTV
149 |
150 | - name: Apple_TV
151 | description: Apple TV
152 |
153 | - name: Apple_iPad
154 | description: Apple iPad
155 |
156 | - name: Roku
157 | description: Roku
158 |
159 | - name: TV
160 | description: Television (any manufacturer)
161 |
162 |
163 | #------------------------------------------------------------------------------
164 | # Vertical: Manufacturing
165 | #------------------------------------------------------------------------------
166 |
167 | - name: Manufacturing
168 | description: Manufacturing
169 |
170 |
171 | #------------------------------------------------------------------------------
172 | # Vertical: Medical
173 | #------------------------------------------------------------------------------
174 |
175 | - name: Medical
176 | description: Medical
177 |
178 |
179 | #------------------------------------------------------------------------------
180 | # Vertical: Retail
181 | #------------------------------------------------------------------------------
182 |
183 | - name: Register
184 | description: Scanner
185 |
186 | - name: Scanner
187 | description: Scanner
188 |
189 |
190 |
--------------------------------------------------------------------------------
/data/YAML/identitygroup.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | #
3 | # ISE Identity Groups
4 | #
5 | identitygroup:
6 |
7 | - name: Contractors
8 | description: Vendors
9 | parent: NAC Group:NAC:IdentityGroups:User Identity Groups
10 |
11 | - name: Probes
12 | description: Probe and Test accounts
13 | parent: NAC Group:NAC:IdentityGroups:User Identity Groups
14 |
15 | - name: Vendors
16 | description: Vendors
17 | parent: NAC Group:NAC:IdentityGroups:User Identity Groups
18 |
19 | - name: HelpDeskException
20 | description: Temporary exception by HelpDesk for support
21 | parent: NAC Group:NAC:IdentityGroups:User Identity Groups
22 |
--------------------------------------------------------------------------------
/data/YAML/internaluser.yaml:
--------------------------------------------------------------------------------
1 | ---
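2 | # vars file for roles/ise_internaluser. The passwords below are shared sample values; replace them before loading this file into any ISE that is not a throwaway lab.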
3 |
4 | internaluser:
5 |
6 | - name: meraki_8021x_test
7 | password: C1sco12345
8 | description: Cisco Meraki RADIUS Test Probe
9 | identityGroups: Probes
10 |
11 | - name: radius-test
12 | password: C1sco12345
13 | description: RADIUS Test Probe
14 | identityGroups: Probes
15 |
16 | - name: thomas
17 | password: C1sco12345
18 | description: ISE TME
19 | identityGroups: Employee
20 |
21 | - name: guest_api_sponsor
22 | password: C1sco12345
23 | description: Sponsor Account for Using Guest APIs
24 | identityGroups: "ALL_ACCOUNTS (default)"
25 | # changePassword: false
26 | # customAttributes: {}
27 | # enabled: true
28 | # expiryDateEnabled: false
29 |
30 |
--------------------------------------------------------------------------------
/data/YAML/networkdevicegroup-other.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | #
3 | # ISE Network Device Groups for various groupings.
4 | #
5 | # 🐞 The ISE ERS API does not like `-` in NDG names. `_` is OK.
6 | #
7 |
8 | # 💡 Use [] for an empty list
9 | # networkdevicegroup: []
10 |
11 | networkdevicegroup:
12 |
13 | #------------------------------------------------------------------------------
14 | # Network Device Groups by Enforcement
15 | #------------------------------------------------------------------------------
16 |
17 | - name: Enforcement#Enforcement
18 | description: All Enforcement Options
19 | othername: Enforcement
20 |
21 | - name: Enforcement#Enforcement#Monitor
22 | description: Monitor
23 | othername: Enforcement
24 |
25 | - name: Enforcement#Enforcement#LowImpact
26 | description: LowImpact
27 | othername: Enforcement
28 |
29 | - name: Enforcement#Enforcement#Closed
30 | description: Closed
31 | othername: Enforcement
32 |
33 | #------------------------------------------------------------------------------
34 | # Network Device Groups by Place In The Network (PIN)
35 | #------------------------------------------------------------------------------
36 |
37 | - name: PIN#PIN
38 | description: Place in the Network (PIN)
39 | othername: PIN
40 |
41 | - name: PIN#PIN#Branch
42 | description: Branch
43 | othername: PIN
44 |
45 | - name: PIN#PIN#Campus
46 | description: Campus
47 | othername: PIN
48 |
49 | - name: PIN#PIN#WAN
50 | description: WAN
51 | othername: PIN
52 |
53 | - name: PIN#PIN#InternetEdge
54 | description: InternetEdge
55 | othername: PIN
56 |
57 | - name: PIN#PIN#Cloud
58 | description: Cloud
59 | othername: PIN
60 |
61 |
62 |
63 | #------------------------------------------------------------------------------
64 | # Network Device Groups by Operations
65 | #------------------------------------------------------------------------------
66 |
67 | - name: Operation#Operation
68 | description: All Operations
69 | othername: Operation
70 |
71 | - name: Operation#Operation#Zone1
72 | description: Zone 1
73 | othername: Operation
74 |
75 | - name: Operation#Operation#Zone2
76 | description: Zone 2
77 | othername: Operation
78 |
79 | - name: Operation#Operation#Zone3
80 | description: Zone 3
81 | othername: Operation
82 |
83 | - name: Operation#Operation#Zone4
84 | description: Zone 4
85 | othername: Operation
86 |
87 | - name: Operation#Operation#Zone5
88 | description: Zone 5
89 | othername: Operation
90 |
91 |
92 |
93 |
94 | #------------------------------------------------------------------------------
95 | # Network Device Groups by Regions
96 | #------------------------------------------------------------------------------
97 |
98 | - name: Region#Region
99 | description: All Regions
100 | othername: Region
101 |
102 | - name: Region#Region#Region1
103 | description: Region 1
104 | othername: Region
105 |
106 | - name: Region#Region#Region2
107 | description: Region 2
108 | othername: Region
109 |
110 | - name: Region#Region#Region3
111 | description: Region 3
112 | othername: Region
113 |
114 | - name: Region#Region#Region4
115 | description: Region 4
116 | othername: Region
117 |
118 | - name: Region#Region#Region5
119 | description: Region 5
120 | othername: Region
121 |
122 |
123 |
124 |
--------------------------------------------------------------------------------
/data/YAML/sgt-default.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | #
3 | # Cisco ISE SGTs (Security Group Tags) definitions.
4 | #
5 | # SGTs 0-2,65554 are RESERVED by ISE and Meraki and should never be changed.
6 | # - Unknown (0) Reserved by ISE and Meraki. Cannot be renamed. The Unknown group is used for an unsuccessful group classification.
7 | # - Infrastructure (2) Reserved by Meraki devices for internal and dashboard communication.
8 | # - TrustSec_Devices (2) Reserved by ISE for TrustSec Devices
9 | #
10 |
11 | sgt:
12 |
13 | # - name: Unknown
14 | # value: 0
15 | # description: Unknown. Reserved by ISE and Meraki. The Unknown group applies when a policy is specified for unsuccessful group classification.
16 | # generationId: '0'
17 | # propogateToApic: false
18 |
19 | # - name: Infrastructure
20 | # value: 2
21 | # description: Reserved by Meraki devices for internal and dashboard communication.
22 | # generationId: '0'
23 | # propogateToApic: no
24 |
25 | # - name: TrustSec_Devices
26 | # value: 2
27 | # description: TrustSec Devices
28 | # generationId: '0'
29 | # propogateToApic: no
30 |
31 | #------------------------------------------------------------------------------
32 | # These SGTs are the ISE default SGTs
33 | #------------------------------------------------------------------------------
34 |
35 | - name: Network_Services
36 | value: 3
37 | description: Network Services
38 | generationId: '0'
39 | propogateToApic: no
40 |
41 | - name: Employees
42 | value: 4
43 | description: Employee
44 | generationId: '0'
45 | propogateToApic: no
46 |
47 | - name: Contractors
48 | value: 5
49 | description: Contractor
50 | generationId: '0'
51 | propogateToApic: no
52 |
53 | - name: Guests
54 | value: 6
55 | description: Guest
56 | generationId: '0'
57 | propogateToApic: no
58 |
59 | - name: Production_Users
60 | value: 7
61 | description: Production User
62 | generationId: '0'
63 | propogateToApic: no
64 |
65 | - name: Developers
66 | value: 8
67 | description: Developer
68 | generationId: '0'
69 | propogateToApic: no
70 |
71 | - name: Auditors
72 | value: 9
73 | description: Auditor
74 | generationId: '0'
75 | propogateToApic: no
76 |
77 | - name: Point_of_Sale_Systems
78 | value: 10
79 | description: Point of Sale
80 | generationId: '0'
81 | propogateToApic: no
82 |
83 | - name: Production_Servers
84 | value: 11
85 | description: Production Servers
86 | generationId: '0'
87 | propogateToApic: no
88 |
89 | - name: Development_Servers
90 | value: 12
91 | description: Development Servers
92 | generationId: '0'
93 | propogateToApic: no
94 |
95 | - name: Test_Servers
96 | value: 13
97 | description: Test Servers
98 | generationId: '0'
99 | propogateToApic: no
100 |
101 | - name: PCI_Servers
102 | value: 14
103 | description: PCI Servers
104 | generationId: '0'
105 | propogateToApic: no
106 |
107 | - name: BYOD
108 | value: 15
109 | description: BYOD
110 | generationId: '0'
111 | propogateToApic: no
112 |
113 |
--------------------------------------------------------------------------------
/ise-api-enabled-aio.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | Enable the ISE APIs using asynchronous I/O with REST APIs.
4 |
5 | Usage:
6 |
7 | ise-api-enabled-aio.py
8 |
9 | Requires setting these environment variables using the `export` command:
10 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
11 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
12 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password (sample value)
13 | export ISE_CERT_VERIFY=false # true validates the ISE certificate; false skips validation
14 |
15 | You may add these export lines to a text file and load with `source`:
16 | source env.sh
17 |
18 | """
19 | __author__ = "Thomas Howard"
20 | __email__ = "thomas@cisco.com"
21 | __license__ = "MIT - https://mit-license.org/"
22 |
23 | import asyncio
24 | import aiohttp
25 | import os
26 | import sys
27 |
28 |
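async def ise_open_api_enable(session: aiohttp.ClientSession = None, ssl_verify: bool = True):
    """
    Ask ISE to enable the Open APIs and print the outcome.

    POSTs the enable flags to `/admin/API/apiService/update`, a path that is
    resolved against the base URL the caller configured on `session`.

    :param session: aiohttp session that already carries the base URL, credentials and headers.
    :param ssl_verify: passed to aiohttp as `ssl`; False skips certificate validation.
    """
    url = "/admin/API/apiService/update"
    data = '{ "papIsEnabled":true, "psnsIsEnabled":true }'
    async with session.post(url, data=data, ssl=ssl_verify) as response:
        # 500 is reported as success, like the ERS function in this file does.
        # NOTE(review): the synchronous variant of this script says ISE answers 500 when the
        # APIs are already enabled; a genuine server error would be reported as success too.
        if response.status in (200, 500):
            print(f"✅ {response.status} ISE Open APIs Enabled")
        else:
            # Report failures (a rejected login, for example) instead of finishing silently
            print(f"❌ {response.status} ISE Open APIs Disabled")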
36 |
37 |
async def ise_ers_api_enable(session: aiohttp.ClientSession = None, ssl_verify: bool = True):
    """
    Ask ISE to enable the ERS APIs and print whether it reported success.

    PUTs the ERS settings to `/admin/API/NetworkAccessConfig/ERS`, a path that is
    resolved against the base URL the caller configured on `session`.

    :param session: aiohttp session that already carries the base URL and credentials.
    :param ssl_verify: passed to aiohttp as `ssl`; False skips certificate validation.
    """
    xml_headers = {"Accept": "application/xml", "Content-Type": "application/xml"}
    # NOTE(review): the body is sent as application/xml but shows no markup here; the element
    # tags were presumably lost when this listing was rendered. Confirm against the repository copy.
    body = """

1
false
true
true

"""
    async with session.put(
        "/admin/API/NetworkAccessConfig/ERS", data=body, headers=xml_headers, ssl=ssl_verify
    ) as response:
        # 200 and 500 are both reported as "Enabled"
        if response.status not in (200, 500):
            print(f"❌ {response.status} ISE ERS APIs Disabled")
            return
        print(f"✅ {response.status} ISE ERS APIs Enabled")
56 |
57 |
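async def main():
    """
    Entrypoint for packaged script.

    Reads the ISE connection settings from the environment, then enables the
    ERS and Open APIs concurrently over one authenticated session.

    Raises KeyError when ISE_PPAN, ISE_REST_USERNAME or ISE_REST_PASSWORD is unset.
    """
    # Certificate validation stays on unless ISE_CERT_VERIFY starts with "f" or "n".
    # An unset variable now means "verify" instead of raising KeyError.
    ssl_verify = os.environ.get("ISE_CERT_VERIFY", "true")[0:1].lower() not in ("f", "n")

    auth = aiohttp.BasicAuth(login=os.environ["ISE_REST_USERNAME"], password=os.environ["ISE_REST_PASSWORD"])
    json_headers = {"Accept": "application/json", "Content-Type": "application/json"}

    # `async with` closes the session even when one of the requests raises
    async with aiohttp.ClientSession(
        f"https://{os.environ['ISE_PPAN']}", auth=auth, headers=json_headers
    ) as session:
        await asyncio.gather(
            ise_ers_api_enable(session, ssl_verify),
            ise_open_api_enable(session, ssl_verify),
        )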
74 |
75 |
if __name__ == "__main__":
    # Run from script: drive main() to completion on a fresh event loop,
    # then leave with exit status 0 (OK).
    asyncio.run(main())
    sys.exit(0)
82 |
--------------------------------------------------------------------------------
/ise-api-enabled.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | Enable the ISE APIs using (synchronous) APIs.
4 |
5 | Usage:
6 |
7 | ise-api-enabled.py
8 |
9 | Requires setting these environment variables using the `export` command:
10 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
11 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
12 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password (sample value)
13 | export ISE_CERT_VERIFY=false # true validates the ISE certificate; false skips validation
14 |
15 | You may add these export lines to a text file and load with `source`:
16 | source env.sh
17 |
18 | """
19 | __author__ = "Thomas Howard"
20 | __email__ = "thomas@cisco.com"
21 | __license__ = "MIT - https://mit-license.org/"
22 |
23 | import os
24 | import requests
25 | import sys
26 |
27 | requests.packages.urllib3.disable_warnings() # Silence any requests package warnings about certificates
28 |
29 |
def ise_open_api_enable(session: requests.Session = None, ssl_verify: bool = True):
    """
    Ask ISE to enable the Open APIs and print the outcome.

    The ISE host comes from the module-level `env` mapping (key ISE_PPAN),
    which the script sets up before calling this function.

    :param session: requests session that already carries the credentials and headers.
    :param ssl_verify: passed to requests as `verify`; False skips certificate validation.
    """
    endpoint = f"https://{env['ISE_PPAN']}/admin/API/apiService/update"
    payload = '{ "papIsEnabled":true, "psnsIsEnabled":true }'
    status = session.post(endpoint, data=payload, verify=ssl_verify).status_code
    enabled = status in (200, 500)  # 500 if already enabled
    if enabled:
        print(f"✅ {status} ISE Open APIs Enabled")
        return
    print(f"❌ {status} ISE Open APIs Disabled")
38 |
39 |
def ise_ers_api_enable(session: requests.Session = None, ssl_verify: bool = True):
    """
    Ask ISE to enable the ERS APIs and print whether the request succeeded.

    The ISE host comes from the module-level `env` mapping (key ISE_PPAN).
    Success is decided by `Response.ok`, so any status of 400 or above is
    reported as "Disabled".

    :param session: requests session that already carries the credentials.
    :param ssl_verify: passed to requests as `verify`; False skips certificate validation.
    """
    endpoint = f"https://{env['ISE_PPAN']}/admin/API/NetworkAccessConfig/ERS"
    xml_headers = {"Content-Type": "application/xml", "Accept": "application/xml"}
    # NOTE(review): the body is sent as application/xml but shows no markup here; the element
    # tags were presumably lost when this listing was rendered. Confirm against the repository copy.
    body = """

1
false
true
true

"""
    reply = session.put(endpoint, data=body, headers=xml_headers, verify=ssl_verify)
    if reply.ok:
        icon, state = "✅", "Enabled"
    else:
        icon, state = "❌", "Disabled"
    print(f"{icon} {reply.status_code} ISE ERS APIs {state}")
52 |
53 |
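if __name__ == "__main__":
    # Run from script.
    # `env` is read as a module global by the two functions above, so the name must stay.
    env = dict(os.environ)  # Load environment variables

    # Certificate validation stays on unless ISE_CERT_VERIFY starts with "f" or "n".
    # An unset variable now means "verify" instead of raising KeyError.
    ssl_verify = env.get("ISE_CERT_VERIFY", "true")[0:1].lower() not in ("f", "n")

    # Configure the session that `with` opened. The code used to replace it with a second
    # Session() inside the block, and that second session was never closed.
    with requests.Session() as session:
        session.auth = (env["ISE_REST_USERNAME"], env["ISE_REST_PASSWORD"])
        session.headers.update({"Content-Type": "application/json", "Accept": "application/json"})

        ise_open_api_enable(session, ssl_verify)
        ise_ers_api_enable(session, ssl_verify)

    sys.exit(0)  # 0 is ok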
70 |
--------------------------------------------------------------------------------
/ise-dc-enable.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | Enable the ISE Data Connect feature via REST APIs.
4 |
5 | Usage:
6 |
7 | ise-dc-enable.py
8 |
9 | Requires setting these environment variables using the `export` command:
10 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
11 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
12 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password (sample value)
13 | export ISE_CERT_VERIFY=false # true validates the ISE certificate; false skips validation
14 |
15 | You may add these export lines to a text file and load with `source`:
16 | source ise.sh
17 |
18 | """
19 | __author__ = "Thomas Howard"
20 | __email__ = "thomas@cisco.com"
21 | __license__ = "MIT - https://mit-license.org/"
22 |
23 |
24 | import json
25 | import requests
26 | import os
27 | import sys
28 |
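# Fallback Data Connect password, used only when ISE_DC_PASSWORD is not set.
# It is a published sample value; export ISE_DC_PASSWORD with a unique secret instead.
DATACONNECT_PASSWORD = "#DataC0nnect"
DATACONNECT_PASSWORD_DAYS_DEFAULT = 90
DATACONNECT_PASSWORD_DAYS_MAX = 3650

env = dict(os.environ)  # Load environment variables

# Certificate validation stays on unless ISE_CERT_VERIFY starts with "f" or "n".
# An unset variable now means "verify" instead of raising KeyError.
ssl_verify = env.get('ISE_CERT_VERIFY', 'true')[0:1].lower() not in ('f', 'n')

# Prefer the password exported by ise-env.sh over the constant above
dataconnect_password = env.get('ISE_DC_PASSWORD', DATACONNECT_PASSWORD)

# Configure the session that `with` opened. The code used to replace it with a second
# Session() inside the block, and that second session was never closed.
with requests.Session() as session:

    # Initialize ISE REST API Session
    session.auth = (env['ISE_REST_USERNAME'], env['ISE_REST_PASSWORD'])
    session.headers.update({'Content-Type': 'application/json', 'Accept': 'application/json'})
    session.verify = ssl_verify

    url = f"https://{env['ISE_PPAN']}/api/v1/mnt/data-connect/details"
    print(f"ⓘ Data Connect Enabled: {session.get(url).ok}")

    # 💡 Must set password BEFORE enabling!
    # - Password must contain one or more special characters [#$%&*+,-.:;] ⚠ No @ or !
    # - Password can't be set to one of the earlier 5 password(s)
    url = f"https://{env['ISE_PPAN']}/api/v1/mnt/data-connect/settings/password"
    print(f"ⓘ Data Connect Password: {session.put(url, json={'password': dataconnect_password}).json()}")

    # Set Password Expiration
    # NOTE(review): this applies the 3650-day maximum; DATACONNECT_PASSWORD_DAYS_DEFAULT (90)
    # is defined above but never used. Confirm the long lifetime is intended.
    url = f"https://{env['ISE_PPAN']}/api/v1/mnt/data-connect/settings/password/expiry"
    print(f"ⓘ Data Connect Password Expiration: {session.put(url, json={'passwordExpiresInDays': DATACONNECT_PASSWORD_DAYS_MAX}).json()}")

    # Enable ISE DataConnect via API
    # (this line used to be labelled "Data Connect Password", a copy of the label above)
    url = f"https://{env['ISE_PPAN']}/api/v1/mnt/data-connect/settings/status"
    print(f"ⓘ Data Connect Status: {session.put(url, json={'isEnabled': True}).json()}")

    # Returns the status of the Dataconnect feature.
    # {
    #   "response": {
    #     "isEnabled": true,
    #     "isPasswordChanged": true,
    #     "passwordExpiresInDays": 45,
    #     "passwordExpiresOn": "15 December 2021 at 18:05 PST"
    #   }
    # }
    url = f"https://{env['ISE_PPAN']}/api/v1/mnt/data-connect/settings"
    print(f"Data Connect Settings: {session.get(url).json()['response']}")

    # Returns the Dataconnect ODBC details - but these don't change.
    # {
    #   "response": {
    #     "hostname": "isenode",
    #     "port": 2484,
    #     "servicename": "cpm10",
    #     "username": "Admin"
    #   }
    # }
    url = f"https://{env['ISE_PPAN']}/api/v1/mnt/data-connect/details"
    print(f"Data Connect Details: {session.get(url).json()['response']}")

sys.exit(0)  # 0 is ok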
86 |
--------------------------------------------------------------------------------
/ise-env.sh:
--------------------------------------------------------------------------------
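# Example ISE REST API Credentials
# Load them using the `source` command: source ise-env.sh
# Verify using `env` or `echo $ISE_PPAN`
#
# The passwords below are sample values. Replace them with your own and keep
# the edited copy of this file out of version control.
export ISE_PPAN=1.2.3.4               # hostname or IP address of ISE Primary PAN
export ISE_PMNT=1.2.3.4               # hostname or IP address of ISE Primary MNT
export ISE_REST_USERNAME=admin        # ISE REST API admin or operator username
export ISE_REST_PASSWORD='ISEisC00L'  # ISE REST API admin or operator password
# The Python scripts read ISE_CERT_VERIFY; this file used to export only ISE_VERIFY,
# which left them failing with a KeyError after `source ise-env.sh`.
export ISE_CERT_VERIFY=false          # true validates the ISE certificate; false skips validation
export ISE_VERIFY="$ISE_CERT_VERIFY"  # previous name, kept for anything that still reads it
export ISE_DC_PASSWORD='#DataC0nnect' # Data Connect password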
10 |
--------------------------------------------------------------------------------
/ise-ers-count.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | Get the total number of a specific ISE ERS resource.
4 | See https://cs.co/ise-api for REST API resource names.
5 |
6 | Usage: ise-ers-count.py {resource_name}
7 |
8 | Requires setting these environment variables using the `export` command:
9 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
10 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
11 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password (sample value)
12 | export ISE_CERT_VERIFY=false # true validates the ISE certificate; false skips validation
13 |
14 | You may add these export lines to a text file and load with `source`:
15 | source ise.sh
16 |
17 | """
18 | __author__ = "Thomas Howard"
19 | __email__ = "thomas@cisco.com"
20 | __license__ = "MIT - https://mit-license.org/"
21 |
22 |
23 | import requests
24 | import os
25 | import sys
26 |
27 |
# Silence any warnings about certificates.
# This turns off every urllib3 warning for the whole process, including the
# InsecureRequestWarning emitted when certificate validation is disabled.
requests.packages.urllib3.disable_warnings()
30 |
31 |
32 | """
33 | Return the number of resources of type resource.
34 | """
35 |
36 |
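def ise_ers_resource_count(resource):
    """
    Return the number of resources of type `resource`.

    The ISE host, the credentials and ISE_CERT_VERIFY are read from the
    module-level ENV mapping. When ISE does not answer 200, a message goes
    to stderr and 0 is returned.

    :param resource: ERS resource name, appended to `/ers/config/`.
    """
    r = requests.get(
        # The URL used to be built from the global `resource_name` rather than the parameter
        f"https://{ENV['ISE_PPAN']}/ers/config/{resource}",
        auth=(ENV["ISE_REST_USERNAME"], ENV["ISE_REST_PASSWORD"]),
        headers={"Accept": "application/json"},
        # Skip certificate validation only on an explicit false/no, as the sibling scripts do.
        # The previous test (`startswith("t")`) turned validation off for any other value.
        verify=ENV["ISE_CERT_VERIFY"][0:1].lower() not in ("f", "n"),
    )
    if r.status_code == 200:
        return r.json()["SearchResult"]["total"]
    if r.status_code == 404:
        print(f"{r.status_code} Unknown resource: {resource}", file=sys.stderr)
    else:
        print(f"{r.status_code} uh oh {r.text}", file=sys.stderr)
    return 0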
52 |
53 |
54 | """
55 | __main__
56 | """
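if __name__ == "__main__":
    # Run from script.

    # Load Environment Variables (read as a module global by ise_ers_resource_count)
    ENV = dict(os.environ)

    if len(sys.argv) <= 1:
        print("❌ Missing resource name", file=sys.stderr)
        # USAGE was never defined and raised NameError here; the module docstring holds the usage text
        print(__doc__, file=sys.stderr)
        sys.exit(1)  # not OK
    resource_name = sys.argv[1]

    count = ise_ers_resource_count(resource_name)
    print(count)
    sys.exit(0)  # 0 == OK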
74 |
--------------------------------------------------------------------------------
/ise-get-ers-raw.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | A simple, single GET request for an ISE ERS resource.
4 | See https://cs.co/ise-api for REST API resource names.
5 |
6 | Usage:
7 | ise-get-ers-raw.py {resource}
8 |
9 | Examples:
10 | ise-get-ers-raw.py networkdevice
11 | ise-get-ers-raw.py networkdevice/0b6e9500-8b4a-11ec-ac96-46ca1867e58d
12 | ise-get-ers-raw.py networkdevicegroup
13 | ise-get-ers-raw.py identitygroup
14 | ise-get-ers-raw.py op/systemconfig/iseversion
15 |
16 | Requires setting these environment variables using the `export` command:
17 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
18 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
19 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password (sample value)
20 | export ISE_CERT_VERIFY=false # true validates the ISE certificate; false skips validation
21 |
22 | You may add these export lines to a text file and load with `source`:
23 | source ise.sh
24 |
25 | """
26 | __author__ = "Thomas Howard"
27 | __email__ = "thomas@cisco.com"
28 | __license__ = "MIT - https://mit-license.org/"
29 |
30 | import requests
31 | import json
32 | import os
33 | import sys
34 |
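# Silence any warnings about certificates. This turns off every urllib3 warning,
# including the one emitted when certificate validation is disabled.
requests.packages.urllib3.disable_warnings()

HEADERS_JSON = {"Accept": "application/json"}

# Validate command line arguments
if len(sys.argv) < 2:
    # USAGE was never defined and raised NameError here; the module docstring holds the usage text
    print(__doc__)
    sys.exit(1)

resource_name = sys.argv[1]

#
# Load Environment Variables
#
env = dict(os.environ)

#
# Show the resource
#
url = f"https://{env['ISE_PPAN']}/ers/config/{resource_name}"
r = requests.get(
    url,
    auth=(env["ISE_REST_USERNAME"], env["ISE_REST_PASSWORD"]),
    headers=HEADERS_JSON,
    # Validation is skipped only when ISE_CERT_VERIFY starts with "f" or "n".
    # The [0:1] slice tolerates an empty value, where [0] raised IndexError.
    verify=env["ISE_CERT_VERIFY"][0:1].lower() not in ("f", "n"),
)

if r.status_code == 401:
    # Rejected credentials: show the status and the usage text on stderr, then the response body
    print(r.status_code, file=sys.stderr)
    print(__doc__, file=sys.stderr)
    print(r.json())
else:
    print(json.dumps(r.json(), indent=2))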
68 |
--------------------------------------------------------------------------------
/ise-post-ers-embedded.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 |
4 | A simple POST request for an ISE ERS resource.
5 | See https://cs.co/ise-api for REST API resource names.
6 |
7 | Usage:
8 | ise-post-ers-embedded.py {resource_name} {resource.json}
9 |
10 | Requires setting these environment variables using the `export` command:
11 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
12 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
13 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password (sample value)
14 | export ISE_CERT_VERIFY=false # true validates the ISE certificate; false skips validation
15 |
16 | You may add these export lines to a text file and load with `source`:
17 | source ise-env.sh
18 |
19 | """
20 | __author__ = "Thomas Howard"
21 | __email__ = "thomas@cisco.com"
22 | __license__ = "MIT - https://mit-license.org/"
23 |
24 |
25 | import requests
26 | import json
27 | import os
28 | import sys
29 |
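# Silence any warnings about certificates. This turns off every urllib3 warning,
# including the one emitted when certificate validation is disabled.
requests.packages.urllib3.disable_warnings()

HEADERS_JSON = {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
}

# Validate command line arguments.
# This script takes none: the resource name and its JSON are embedded below.
if len(sys.argv) > 1:
    # USAGE was never defined and raised NameError here; the module docstring holds the usage text
    print(__doc__)
    sys.exit(1)

#
# Resource Name and Configuration
# Do not include the 'id' or 'link' attributes when doing a POST
#
# The radiusSharedSecret below is a sample value. Replace it before creating a
# network device that will carry real RADIUS traffic.
#
resource_name = 'networkdevice'
payload = """
{
  "NetworkDevice": {
    "name": "my_network_device",
    "description": "",
    "authenticationSettings": {
      "networkProtocol": "RADIUS",
      "radiusSharedSecret": "ISEisC00L",
      "enableKeyWrap": false,
      "dtlsRequired": false,
      "keyEncryptionKey": "",
      "messageAuthenticatorCodeKey": "",
      "keyInputFormat": "ASCII",
      "enableMultiSecret": "false"
    },
    "profileName": "Cisco",
    "coaPort": 1700,
    "NetworkDeviceIPList": [
      {
        "ipaddress": "10.20.30.40",
        "mask": 32
      }
    ],
    "NetworkDeviceGroupList": [
      "Location#All Locations",
      "IPSEC#Is IPSEC Device#No",
      "Device Type#All Device Types"
    ]
  }
}
"""

#
# Load Environment Variables
#
env = dict(os.environ)

#
# POST the resource
#
url = 'https://' + env['ISE_PPAN'] + '/ers/config/' + resource_name
r = requests.post(
    url,
    auth=(env['ISE_REST_USERNAME'], env['ISE_REST_PASSWORD']),
    headers=HEADERS_JSON,
    data=payload,
    # Validation is skipped only when ISE_CERT_VERIFY starts with "f" or "n".
    # The [0:1] slice tolerates an empty value, where [0] raised IndexError.
    verify=env['ISE_CERT_VERIFY'][0:1].lower() not in ('f', 'n'),
)
print(r.status_code)

if r.status_code == 201:
    # ISE returns the URL of the created resource in the Location header
    print(f'✅ View your new {resource_name}\n {r.headers["Location"]}')
elif r.status_code == 401:
    print('Verify you have set the environment variables and your credentials are correct', file=sys.stderr)
    print(r.json())
else:
    print(json.dumps(r.json(), indent=2))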
101 |
--------------------------------------------------------------------------------
/ise-post-ers-from-file.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | A simple POST request for an ISE ERS resource.
4 | See https://cs.co/ise-api for REST API resource names.
5 |
6 | Usage:
7 | ise-post-ers-from-file.py {resource_name} {resource_file.json}
8 | ise-post-ers-from-file.py networkdevice my_network_device.json
9 |
10 | Requires setting these environment variables using the `export` command:
11 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
12 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
13 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password
14 | export ISE_CERT_VERIFY=false # validate the ISE certificate (false disables validation)
15 |
16 | You may add these export lines to a text file and load with `source`:
17 | source ise-env.sh
18 |
19 | """
20 | __author__ = "Thomas Howard"
21 | __email__ = "thomas@cisco.com"
22 | __license__ = "MIT - https://mit-license.org/"
23 |
24 |
25 | import requests
26 | import json
27 | import os
28 | import sys
29 |
30 | requests.packages.urllib3.disable_warnings() # Silence any warnings about certificates
31 |
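# Validate command line arguments
if len(sys.argv) < 3:
    print(__doc__)
    sys.exit(1)

resource_name = sys.argv[1]
json_filepath = sys.argv[2]

# Load the JSON data
with open(json_filepath) as f:
    json_data = f.read()
# NOTE(review): the payload is echoed verbatim. A resource file can carry
# clear-text secrets (the sample networkdevice file has a radiusSharedSecret),
# so keep this output out of shared logs and terminal captures.
print(json_data)

env = os.environ  # Environment variables hold the ISE host and credentials

# POST the resource
url = f"https://{env['ISE_PPAN']}/ers/config/{resource_name}"
basic_auth = (env['ISE_REST_USERNAME'], env['ISE_REST_PASSWORD'])
json_headers = {'Accept': 'application/json', 'Content-Type': 'application/json'}
# Slice with [0:1] rather than index with [0]: an empty ISE_CERT_VERIFY then
# leaves certificate verification on instead of raising IndexError. Only a
# value starting with 'f' or 'n' (false/no) turns verification off.
ssl_verify = env['ISE_CERT_VERIFY'][0:1].lower() not in ('f', 'n')
r = requests.post(url, auth=basic_auth, headers=json_headers, data=json_data, verify=ssl_verify)
print(r.status_code)

if r.status_code == 201:
    print(f'✅ View your new {resource_name}\n {r.headers["Location"]}')
elif r.status_code == 401:
    print(f'X {r.status_code}\n {json.dumps(r.json(), indent=2)}')
    # The original printed an undefined name (USAGE) here, which raised
    # NameError on every 401; the usage text is the module docstring.
    print(__doc__, file=sys.stderr)
else:
    print(json.dumps(r.json(), indent=2))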
62 |
--------------------------------------------------------------------------------
/ise-up.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | #
3 | # Simple URL monitoring script.
4 | #
5 | # Requires setting these environment variables using the `export` command:
6 | # export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
7 | # export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
8 | # export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password
9 | # export ISE_CERT_VERIFY=false # validate the ISE certificate
10 | #
11 | # You may add these export lines to a text file and load with `source`:
12 | # source ise-env.sh
13 |
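SERVER=$ISE_PPAN
# The documented variable is ISE_REST_USERNAME; the original read
# ISE_REST_HOSTNAME, which nothing sets, so curl was sent an empty username.
USERNAME=$ISE_REST_USERNAME
PASSWORD=$ISE_REST_PASSWORD
HEADER_XML='Accept: application/xml'
HEADER_JSON='Accept: application/json'
HEADER=$HEADER_JSON
# URI=/ers/config/internaluser
# URI=/ers/config/adminuser
URI=/
SLEEP=5

# Honor ISE_CERT_VERIFY the same way the Python scripts do: certificate
# validation is skipped only when the value starts with f/n (false/no).
# The original passed -k unconditionally and ignored the variable.
TLS_OPTS=()
case "${ISE_CERT_VERIFY:0:1}" in
  [fFnN]) TLS_OPTS+=(--insecure) ;;
esac

while true; do

  date
  # NOTE(review): --user puts the credentials on the curl command line, where
  # other local users can read them from the process list while curl runs.
  # Quoting keeps a password with spaces or glob characters intact.
  curl "${TLS_OPTS[@]}" \
    --connect-timeout 3 \
    --max-time 10 \
    --location \
    --header "${HEADER}" \
    --head \
    --user "${USERNAME}:${PASSWORD}" \
    --request GET "https://${SERVER}${URI}"
  printf "_____\n"
  sleep "$SLEEP"

done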
--------------------------------------------------------------------------------
/ise-version.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | Get the ISE node version information.
4 |
5 | Usage: ise-version.py
6 |
7 | Requires setting these environment variables using the `export` command:
8 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
9 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
10 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password
11 | export ISE_CERT_VERIFY=false # validate the ISE certificate (false disables validation)
12 |
13 | You may add these export lines to a text file and load with `source`:
14 | source ise-env.sh
15 |
16 | """
17 | __author__ = "Thomas Howard"
18 | __email__ = "thomas@cisco.com"
19 | __license__ = "MIT - https://mit-license.org/"
20 |
21 |
22 | import json
23 | import os
24 | import requests
25 | import sys
26 |
27 | requests.packages.urllib3.disable_warnings() # Silence any warnings about certificates
28 |
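env = os.environ  # Environment variables hold the ISE host and credentials

with requests.Session() as session:
    # Initialize ISE REST API Session
    session.auth = (env['ISE_REST_USERNAME'], env['ISE_REST_PASSWORD'])
    session.headers.update({'Accept': 'application/json'})
    # Only a value starting with 'f' or 'n' (false/no) turns certificate
    # verification off; anything else, including an empty value, keeps it on.
    session.verify = env['ISE_CERT_VERIFY'][0:1].lower() not in ('f', 'n')

    url = f"https://{env['ISE_PPAN']}/ers/config/op/systemconfig/iseversion"
    r = session.get(url)

# Stop on a failed request (bad credentials, ERS unavailable) with a readable
# message. The original went straight to r.json()[...] and failed with an
# unrelated KeyError or JSON decoding error instead.
if r.status_code != 200:
    print(f"{r.status_code} {r.reason}: unable to get the ISE version from {url}", file=sys.stderr)
    sys.exit(1)

# Sample output:
#
# {
#   "OperationResult" : {
#     "resultValue" : [ {
#       "value" : "3.1.0.518",
#       "name" : "version"
#     }, {
#       "value" : "1",
#       "name" : "patch information"
#     } ]
#   }
# }
#

values = r.json()['OperationResult']['resultValue']

# Flatten the list of {"name": ..., "value": ...} pairs into one dict
version_info = {item['name']: item['value'] for item in values}

# Rename patch key
version_info['patch'] = version_info.pop('patch information')

# Split version into sequence identifiers; the version string is expected to
# have exactly four dot-separated fields, as in the sample above.
(version_info['major'],
 version_info['minor'],
 version_info['maintenance'],
 version_info['build']
 ) = version_info['version'].split('.')
# "semver" here is major.minor.<ISE patch number>, not major.minor.maintenance
version_info['semver'] = f"{version_info['major']}.{version_info['minor']}.{version_info['patch']}"

print(json.dumps(version_info, indent=2))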
74 |
75 |
--------------------------------------------------------------------------------
/ise-walk.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """
3 | Walk the ISE ERS resource endpoints.
4 | Get the total number of a specific ISE ERS resource.
5 |
6 | Usage: ise-walk.py
7 |
8 | Requires setting these environment variables using the `export` command:
9 | export ISE_PPAN='1.2.3.4' # hostname or IP address of ISE Primary PAN
10 | export ISE_REST_USERNAME='admin' # ISE ERS admin or operator username
11 | export ISE_REST_PASSWORD='C1sco12345' # ISE ERS admin or operator password
12 | export ISE_CERT_VERIFY=false # validate the ISE certificate (false disables validation)
13 |
14 | You may add these export lines to a text file and load with `source`:
15 | source ise-env.sh
16 |
17 | """
18 | __author__ = "Thomas Howard"
19 | __email__ = "thomas@cisco.com"
20 | __license__ = "MIT - https://mit-license.org/"
21 |
22 |
23 | import os
24 | import requests
25 | import sys
26 | import time
27 |
# Silence urllib3 warnings process-wide. This also hides the
# InsecureRequestWarning that would otherwise flag every request made with
# certificate verification turned off (ISE_CERT_VERIFY=false).
requests.packages.urllib3.disable_warnings()
30 |
# ISE ERS resource names queried by this script, grouped by feature area.
# The order below is the order in which they are walked.
RESOURCE_NAMES = [
    # Deployment
    "node", "sessionservicenode",
    # Network Devices
    "networkdevicegroup", "networkdevice",
    # Endpoints
    "endpointgroup", "endpoint",
    "endpointcert",  # POST(create) only!!!
    "profilerprofile",
    # RADIUS Authentications
    "activedirectory", "allowedprotocols", "adminuser",
    "identitygroup", "internaluser",
    "externalradiusserver", "radiusserversequence", "idstoresequence",
    "restidstore",  # RESTIDStore must be enabled / 404 if not configured
    # RADIUS Authorizations / Policy
    "authorizationprofile", "downloadableacl",
    "filterpolicy",  # 404 if none configured
    # Portals
    "portal", "portalglobalsetting", "portaltheme",
    "hotspotportal", "selfregportal",
    # Guest
    "guestlocation", "guestsmtpnotificationsettings", "guestssid", "guesttype",
    "guestuser",  # 🛑 requires sponsor account!!!
    "smsprovider",
    "sponsorportal", "sponsoredguestportal", "sponsorgroup", "sponsorgroupmember",
    # BYOD
    "certificateprofile", "certificatetemplate",
    "byodportal", "mydeviceportal", "nspprofile",
    # SDA
    "sgt", "sgacl", "sgmapping", "sgmappinggroup", "sgtvnvlan",
    "egressmatrixcell",
    "sxpconnections", "sxplocalbindings", "sxpvpns",
    # TACACS
    "tacacscommandsets",
    "tacacsexternalservers",  # 404 if none configured
    "tacacsprofile",
    "tacacsserversequence",  # 404 if none configured
    # pxGrid / ANC / RTC / TC-NAC
    # 'pxgridnode', # 🐛 🛑 404 always whether pxGrid is enabled or not
    "ancendpoint", "ancpolicy",
]
101 |
102 |
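def resource_count(resource):
    """
    Query one ISE ERS resource collection and print its total.

    Connection settings (ISE_PPAN, ISE_REST_USERNAME, ISE_REST_PASSWORD,
    ISE_CERT_VERIFY) are read from the module-level `env` mapping, which the
    `__main__` block sets before calling this function.

    :param resource: ERS resource name appended to /ers/config/
    :return: None; one status line is printed per call
    """
    LEAF = " ┣╸"
    count = 0
    try:
        url = "https://" + env["ISE_PPAN"] + "/ers/config/" + resource
        r = requests.get(
            url,
            auth=(env["ISE_REST_USERNAME"], env["ISE_REST_PASSWORD"]),
            headers={"Accept": "application/json"},
            # Only a value starting with 'f' or 'n' disables certificate verification
            verify=env["ISE_CERT_VERIFY"][0:1].lower() not in ("f", "n"),
        )

        if r.status_code == 401:
            if resource == "guestuser":
                print(f"{LEAF}{resource} [{count}] ⟁ requires sponsor account")
            else:
                # The original printed nothing here, so rejected credentials
                # made the whole walk appear to return no resources at all.
                print(f"{LEAF}{resource} [{count}] ⟁ Unauthorized (401)")
        elif r.status_code == 404:
            print(f"{LEAF}{resource} [{count}] ⟁ Not configured")
        else:
            count = r.json()["SearchResult"]["total"]
            print(f"{LEAF}{resource} [{count}]")

    except Exception as e:
        # Deliberately best-effort: one failing resource must not stop the walk.
        if resource == "endpointcert":
            print(f"{LEAF}{resource} [{count}] ⟁ POST endpointcert only!")
        else:
            # Name the exception class so connection, TLS and parsing failures
            # can be told apart; the original message carried no detail.
            print(f"{LEAF}{resource} [{count}] ⟁ Exception {type(e).__name__}")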
132 |
133 |
if __name__ == "__main__":
    # Script entry point: snapshot the environment into the module-level
    # `env` that resource_count() reads, then walk every known resource.
    env = dict(os.environ)

    print(f"C▶{env['ISE_PPAN']}")
    for resource in RESOURCE_NAMES:
        resource_count(resource)
145 |
--------------------------------------------------------------------------------
/my_network_device.json:
--------------------------------------------------------------------------------
1 | {
2 | "NetworkDevice": {
3 | "name": "my_network_device",
4 | "description": "",
5 | "authenticationSettings": {
6 | "networkProtocol": "RADIUS",
7 | "radiusSharedSecret": "C1sco12345",
8 | "enableKeyWrap": false,
9 | "dtlsRequired": false,
10 | "keyEncryptionKey": "",
11 | "messageAuthenticatorCodeKey": "",
12 | "keyInputFormat": "ASCII",
13 | "enableMultiSecret": "false"
14 | },
15 | "profileName": "Cisco",
16 | "coaPort": 1700,
17 | "NetworkDeviceIPList": [
18 | {
19 | "ipaddress": "10.20.30.40",
20 | "mask": 32
21 | }
22 | ],
23 | "NetworkDeviceGroupList": [
24 | "Location#All Locations",
25 | "IPSEC#Is IPSEC Device#No",
26 | "Device Type#All Device Types"
27 | ]
28 | }
29 | }
--------------------------------------------------------------------------------
/pyenv-install.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
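# Stop at the first failing step, so a failed pip or pipenv install is not
# followed by further installs into a half-built environment.
set -e

python3 -m ensurepip --upgrade
python3 -m pip install --upgrade pipenv   # get the pipenv virtual development environment
# NOTE(review): `python@3.11` is handed to `pipenv install` as a package
# spec; confirm this selects the interpreter version as intended.
pipenv install python@3.11                # create your virtual development environment
# NOTE(review): requirements.txt lists packages without version pins, so each
# run may resolve to different releases.
pipenv install -r requirements.txt        # install required packages into environment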
7 |
--------------------------------------------------------------------------------
/pyenv-uninstall.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
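# Removes the pipenv environment files. All paths are relative to the current
# working directory, so run this from the project root.
rm -rf ./.venv/
# -f: succeed quietly when a file is already gone, so the script can be re-run
rm -f ./Pipfile ./Pipfile.lock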
6 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
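1 | asyncio # async I/O whenever possible (part of the Python 3 standard library; the PyPI package of this name is an obsolete backport and need not be installed)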
2 | aiocsv # async CSV files
3 | aiofiles # async file I/O
4 | aiohttp # asynchronous HTTP/S
5 | aiohttp_client_cache # caching!
6 | aiosqlite # AIO HTTP Client cache backend
7 |
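8 | argparse # CLI commands and options (part of the Python 3 standard library; the PyPI package of this name is an obsolete backport and need not be installed)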
9 | bs4 # HTML parsing
10 | ciscoisesdk # ISE Python REST API wrapper
11 | faker # generate fake users, MACs, IPs
12 | meraki # Cisco Meraki
13 | oracledb # Oracle DB thin client for ISE Data Connect queries
14 | pandas # import and manipulate data in Pandas DataFrames
15 | pxgrid-util # Cisco pxGrid utilities
16 | pytest # unit testing
17 | PyYAML # YAML
18 | requests # synchronous HTTP/S
19 | semantic-version # semantic version comparisons
20 | setuptools # run scripts without needing .py extension
21 | tabulate # dump data in tables
22 | tqdm # terminal progress bar
23 | urllib3 # URLs
24 |
--------------------------------------------------------------------------------