Retrieving RADIUS Failure Messages

The pxGrid client will receive all RADIUS Failure Attribute Information. For more information on RADIUS Failures, please see RADIUS FAILURES.

Code Step-Through

The public class RadiusFailure defines SessionQueryRequest, which holds the start timestamp for the query.

The private static void downloadUsingAccessSecret method takes a SampleConfiguration object. The configuration object contains the pxGrid connection parameters, such as the ISE pxGrid hostname, the identity keystore (.jks) filename and the truststore (.jks) filename, and from it we receive the new pxGrid control object. The pxGrid control configuration contains the pxGrid client account, service lookup, and access secret obtained from the ISE pxGrid node.

Under // pxGrid ServiceLookup for session service, a service lookup is performed for the ISE node publishing the com.cisco.ise.radius service. If there were more than one (1) ISE node in the pxGrid, randomization would be performed to find the available node. Think of this as load balancing to evenly distribute the load.

Under // Use first service, we get the WebSockets URL from "restBaseUrl" + "/getFailures".

Under // pxGrid AccessSecret for the node, we obtain the secret from the ISE pxGrid node and make a session request to obtain RADIUS failures.

SampleHelper.postObjectAndPrint obtains the ISE pxGrid node, access secret, WebSocket URL, and trust information from the Client Manager.

main parses the SampleConfiguration parameters.

Under // AccountActivate, we obtain the PxgridControl object and wait 60 seconds for the pxGrid client account to be activated. The pxGrid controller version is then received, and we receive the RADIUS failure messages.

JAVA Sample Code

package com.cisco.pxgrid.samples.ise;

import java.time.OffsetDateTime;

import org.apache.commons.cli.ParseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.cisco.pxgrid.samples.ise.model.AccountState;
import com.cisco.pxgrid.samples.ise.model.Service;

/**
 * Demonstrates how to query all sessions for RADIUS Failure service
 */
public class RadiusFailure {
    private static Logger logger = LoggerFactory.getLogger(RadiusFailure.class);
    
    private static class SessionQueryRequest {
        OffsetDateTime startTimestamp;
    }

    private static void downloadUsingAccessSecret(SampleConfiguration config) throws Exception {
        OffsetDateTime startTimestamp = SampleHelper.promptDate("Enter start time (ex. '2015-01-31T13:00:00-07:00' or <enter> for no start time): ");
        
        PxgridControl https = new PxgridControl(config);
        
        // pxGrid ServiceLookup for session service
        Service[] services = https.serviceLookup("com.cisco.ise.radius");
        if (services == null || services.length == 0) {
            logger.warn("Service unavailable");
            return;
        }
        
        // Use first service
        Service service = services[0];
        String url = service.getProperties().get("restBaseUrl") + "/getFailures";
        logger.info("url={}", url);
        
        // pxGrid AccessSecret for the node
        String secret = https.getAccessSecret(service.getNodeName());

        SessionQueryRequest request = new SessionQueryRequest();
        request.startTimestamp = startTimestamp;
        SampleHelper.postObjectAndPrint(url, config.getNodeName(), secret, config.getSSLContext().getSocketFactory(), request);
    }

    public static void main(String [] args) throws Exception {
        // Parse arguments
        SampleConfiguration config = new SampleConfiguration();
        try {
            config.parse(args);
        } catch (ParseException e) {
            config.printHelp("RADIUS failures");
            System.exit(1);
        }

        // AccountActivate
        PxgridControl control = new PxgridControl(config);
        while (control.accountActivate() != AccountState.ENABLED)
            Thread.sleep(60000);
        logger.info("pxGrid controller version={}", control.getControllerVersion());

        downloadUsingAccessSecret(config);
    }
}
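
The request that the step-through attributes to SampleHelper.postObjectAndPrint, written out as an added example (not Cisco's sample code or the body of SampleHelper, which this page does not show). It assumes the service accepts HTTP Basic authentication with the client node name as user and the access secret as password, and that the request field is serialized as startTimestamp; the class and method names are hypothetical.

```java
import java.io.OutputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Base64;
import java.util.Scanner;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;

// Added illustration, not Cisco sample code; class and method names are hypothetical.
public class GetFailuresRequest {
    // Assumption: HTTP Basic credentials are clientNodeName:accessSecret.
    static String basicAuth(String nodeName, String secret) {
        byte[] raw = (nodeName + ":" + secret).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // No start time gives {} (the postData in the Output section); field name is assumed.
    static String body(OffsetDateTime start) {
        if (start == null) return "{}";
        return "{\"startTimestamp\":\"" + DateTimeFormatter.ISO_OFFSET_DATE_TIME.format(start) + "\"}";
    }

    // POST over TLS with the socket factory built from the client keystore and truststore.
    static String post(String url, String nodeName, String secret,
                       SSLSocketFactory factory, OffsetDateTime start) throws Exception {
        HttpsURLConnection https = (HttpsURLConnection) new URL(url).openConnection();
        https.setSSLSocketFactory(factory);
        https.setRequestMethod("POST");
        https.setRequestProperty("Content-Type", "application/json");
        https.setRequestProperty("Accept", "application/json");
        https.setRequestProperty("Authorization", basicAuth(nodeName, secret));
        https.setDoOutput(true);
        try (OutputStream out = https.getOutputStream()) {
            out.write(body(start).getBytes(StandardCharsets.UTF_8));
        }
        int status = https.getResponseCode();
        if (status != 200) throw new IllegalStateException("getFailures returned HTTP " + status);
        try (Scanner in = new Scanner(https.getInputStream(), "UTF-8")) {
            return in.useDelimiter("\\A").hasNext() ? in.next() : "";
        }
    }
    public static void main(String[] args) {
        // Constructed values; only the header length is printed because it carries the secret.
        System.out.println("auth header chars=" + basicAuth("example-client", "constructed-secret").length());
        System.out.println("body=" + body(OffsetDateTime.parse("2015-01-31T13:00:00-07:00")));
    }
}
```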

Output

18:51:40.044 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate request={}
18:51:40.223 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate response={"accountState":"ENABLED","version":"2.0.0.13"}
18:51:40.223 [main] INFO com.cisco.pxgrid.samples.ise.RadiusFailure - pxGrid controller version=2.0.0.13
Enter start time (ex. '2015-01-31T13:00:00-07:00' or <enter> for no start time): 

18:51:45.557 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup request={"name":"com.cisco.ise.radius"}
18:51:45.576 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup response={"services":[{"name":"com.cisco.ise.radius","nodeName":"ise-mnt-ise24fc3","properties":{"wsPubsubService":"com.cisco.ise.pubsub","restBaseUrl":"https://ise24fc3.lab10.com:8910/pxgrid/ise/radius","failureTopic":"/topic/com.cisco.ise.radius.failure"}}]}
18:51:45.577 [main] INFO com.cisco.pxgrid.samples.ise.RadiusFailure - url=https://ise24fc3.lab10.com:8910/pxgrid/ise/radius/getFailures
18:51:45.586 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccessSecret request={"peerNodeName":"ise-mnt-ise24fc3"}
18:51:45.734 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccessSecret response={"secret":"Wuup6IBIKP5MJlGD"}
18:51:45.900 [main] INFO com.cisco.pxgrid.samples.ise.SampleHelper - postData={}
18:51:46.244 [main] INFO com.cisco.pxgrid.samples.ise.SampleHelper - Response status=200
Content: {"failures":[{"id":"1535297722346473","timestamp":"2018-08-26T22:50:13.778Z","messageCode":5200,"userName":"44:32:C8:93:A0:E0","serverName":"ise24fc3","auditSessionId":"0A0000010000009601CE0DAA","ipAddresses":["21.25.91.209"],"nasIpAddress":"192.168.1.3","nasPortId":"GigabitEthernet1/0/3","nasPortType":"Ethernet","nasName":"Switch","callingStationId":"44:32:C8:93:A0:E0","originalCallingStationId":"44-32-C8-93-A0-E0","userType":"Host","accessService":"Default Network Access","identityStore":"Internal Endpoints","identityGroup":"Unknown","authenticationMethod":"mab","authenticationProtocol":"Lookup","serviceType":"Call Check","deviceType":"All Device Types","location":"All Locations","selectedAuthorizationProfiles":["PermitAccess"],"response":"{UserName\u003d44:32:C8:93:A0:E0; User-Name\u003d44-32-C8-93-A0-E0; State\u003dReauthSession:0A0000010000009601CE0DAA; Class\u003dCACS:0A0000010000009601CE0DAA:ise24fc3/324672264/56; cisco-av-pair\u003dprofile-name\u003dUnknown; LicenseTypes\u003d1; }","responseTime":494,"executionSteps":["11001","11017","11027","15049","15008","15041","15048","15013","24209","24211","22037","24715","15036","15048","15048","15048","15016","11002"],"credentialCheck":"Lookup","endpointProfile":"Unknown","policySetName":"Default","authorizationRule":"Basic_Authenticated_Access"}]}

What you see in ISE

Select Administration->pxGrid Services->Web Clients