ISE Endpoint Topic

ISE endpoints are client devices (for example workstations, mobile devices and printers) that are connected to ISE-managed network devices such as switches and WLCs. The ISE service provides access to these endpoints via the object named Endpoints through the endpointTopic. This topic publishes Endpoint update events. Events are published only when an endpoint attribute other than timestamps and statistics changes. For more information on the ISE Endpoint topic, see Endpoint.

Prerequisites on ISE for Endpoint topic subscription

Configure these prerequisites on ISE to seamlessly subscribe to the Endpoint topic using pxGrid.

  1. In the ISE GUI, navigate to Administration > System > Profiling.
  2. In the Profiler Settings section, check the Custom Attribute for Profiling Enforcement and Profiler Forwarder Persistence Queue checkboxes.
  3. In the MFC Profiling and AI Rules section, check the Enable checkbox to enable MFC profiling.
  4. In the Endpoint Analytics Settings section, check the Publish Endpoint Attributes to AI Endpoint Analytics and Consume Endpoint Profiles from AI Endpoint Analytics checkboxes.
  5. Click Save to save your configuration on ISE.

Code Step-Through

ServiceLookup may return more than one node providing this service. The nodes are replicas of one another, so connecting to any one of them is sufficient.

Go through the list of nodes until one succeeds. If none of them works, sleep and then retry. Redo ServiceLookup before retrying, as there may be service updates.

For // ServiceLookup for endpoint service, we look up the endpoint service, com.cisco.ise.endpoint, since we are interested in obtaining information about the endpoints. This returns a list of the SXP-enabled ISE nodes that are publishing the restBaseURL that will be used for WebSockets REST API calls.

For //Account Activate, we wait 60 seconds for the account to be enabled. The ISE admin needs to approve the pxGrid client account. We retrieve the pxGrid controller version.

For //pxGrid getAccessSecret, we get the access secret from the ISE pxGrid node containing the pubsub service.
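
The sequence walked through above, as an added Python sketch (not Cisco's Java sample): poll AccountActivate, look up com.cisco.ise.endpoint, then try each pubsub replica until one accepts, repeating ServiceLookup before every retry. `post` and `connect` are hypothetical caller-supplied transports, the `wsUrl`, `peerNodeName` and `accountState` fields are taken from the pxGrid control API rather than from this page, the `wss://` check is an added hardening choice, and the `fake_*` stand-ins are constructed so the block runs offline.

```python
import time

def wait_until_enabled(post, sleep=time.sleep, wait=60, attempts=10):
    """Poll AccountActivate until the ISE admin approves the client account."""
    for _ in range(attempts):
        reply = post("AccountActivate", {})
        if reply.get("accountState") == "ENABLED":
            return reply.get("version")            # pxGrid controller version
        sleep(wait)
    raise PermissionError("pxGrid client account was not approved")

def lookup(post, name):
    return post("ServiceLookup", {"name": name}).get("services", [])

def subscribe_endpoint_topic(post, connect, sleep=time.sleep, wait=60, rounds=3):
    """Try each pubsub replica in turn; redo ServiceLookup before every retry."""
    for _ in range(rounds):
        services = lookup(post, "com.cisco.ise.endpoint")
        props = services[0]["properties"] if services else None
        for node in (lookup(post, props["wsPubsubService"]) if props else []):
            ws_url = node["properties"].get("wsUrl", "")
            if not ws_url.startswith("wss://"):
                continue              # added hardening: no secret over cleartext
            try:
                secret = post("AccessSecret", {"peerNodeName": node["nodeName"]})["secret"]
                return connect(ws_url, secret, props["topic"])
            except OSError:
                continue              # replica unreachable, try the next one
        sleep(wait)                   # nothing worked: wait, then look up again
    raise ConnectionError("no pxGrid pubsub node accepted the subscription")

# Constructed stand-ins (made-up node names, version and secrets) for offline runs.
def fake_post(op, body):
    if op == "AccountActivate":
        return {"accountState": "ENABLED", "version": "2.0"}
    if op == "AccessSecret":
        return {"secret": "secret-for-" + body["peerNodeName"]}
    if body["name"] == "com.cisco.ise.endpoint":
        return {"services": [{"nodeName": "ise-a", "properties": {
            "wsPubsubService": "com.cisco.ise.pubsub",
            "topic": "/topic/com.cisco.ise.endpoint"}}]}
    return {"services": [{"nodeName": n, "properties": {
        "wsUrl": "wss://%s.example:8910/pxgrid/ise/pubsub" % n}}
        for n in ("pubsub-1", "pubsub-2")]}

def fake_connect(ws_url, secret, topic):
    if "pubsub-1" in ws_url:          # first replica is down in this scenario
        raise ConnectionRefusedError(ws_url)
    return ws_url, secret, topic
```

With the constructed stand-ins, `subscribe_endpoint_topic(fake_post, fake_connect)` skips the refused `pubsub-1` replica and returns the `pubsub-2` URL, that node's secret and the endpoint topic.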

Complete Java Sample Code

{
    "services": [
        {
            "name": "com.cisco.ise.endpoint",
            "nodeName": "~nodename",
            "properties": {
                "wsPubsubService": "com.cisco.ise.pubsub",
                "restBaseUrl": "https://[ise-host1]:8910/pxgrid/ise/endpoint",
                "topic": "/topic/com.cisco.ise.endpoint"
            }
        }
    ]
}

Sample Request

{ 
    "order":"DESC",
    "startCreateTimestamp":"2024-07-20T00:00:00.000+05:30",
    "startIndex":0,
    "count":1000,
    "skipConfigCheck":true 
}

Sample Response

{
    "endpoints": [
        {
            "macAddress": "00:50:56:B2:FE:BF",
            "attributes": {
                "destinationPort": "1813",
                "policyVersion": "1",
                "oui": "VMware, Inc.",
                "mfcInfoHardwareModel": "VMWare-Device",
                "mfcInfoEndpointType": "Workstation",
                "matchedPolicyID": "3af39770-8c00-11e6-996c-525400b48521",
                "framedIpAddress": "9.133.10.39",
                "totalCertaintyFactor": "10",
                "portalUser": "",
                "timeToProfile": "19",
                "edfCreateTime": "2024-07-19T11:10:08.654Z",
                "identityGroup": "Profiled",
                "lastNmapScanTime": "0",
                "nmapScanCount": "0",
                "firstCollection": "1721387408615",
                "edfUpdateTime": "",
                "nasIpAddress": "9.129.4.78",
                "logicalProfile": "",
                "mfcInfoDeviceType": "Workstation",
                "endPointPolicyID": "3af39770-8c00-11e6-996c-525400b48521",
                "mfcInfoOperatingSystem": "",
                "endpointSource": "RADIUS Probe",
                "nmapSubnetScanID": "0",
                "ip": "9.133.10.39",
                "postureApplicable": "Yes",
                "endPointProfilerServer": "podN-Ise9.sta-lab.com",
                "deviceRegistrationStatus": "NotRegistered",
                "staticGroupAssignment": "false",
                "updateTime": "0",
                "mfcInfoHardwareManufacturer": "VMware, Inc.",
                "deviceIpAddress": "9.129.4.78",
                "matchedPolicy": "VMWare-Device",
                "byodRegistration": "Unknown",
                "identityGroupID": "aa10ae00-8bff-11e6-996c-525400b48521",
                "macAddress": "00:50:56:B2:FE:BF",
                "failureReason": "5436 RADIUS packet already in the process",
                "messageCode": "5436",
                "devicePort": "59323",
                "lastActivity": "1721387408616",
                "staticAssignment": "false",
                "endPointPolicy": "VMWare-Device",
                "destinationIpAddress": "9.132.5.143",
                "callingStationId": "00-50-56-B2-FE-BF"
            },
            "customAttributes": {},
            "timestamp": "2024-07-19T11:10:08.654Z"
        }
    ]
}