Subscribing to RADIUS Failure Topic
The pxGrid client subscribes to the RADIUS failure topic to obtain RADIUS failure information in real time. For more information on the RADIUS Failure topic, please see RADIUS Failures.
Code Step-Through
The public class RadiusFailureSubscribe uses the session handler class, which prints the content of each message received over the session that is opened by STOMP.
Main parses the SampleConfiguration config file. The sample config object contains the pxGrid client connection parameters such as the pxGrid hostname, identity keystore filename (.jks file) and trusted keystore filename (.jks file), or pre-shared keys if implemented. For // AccountActivate, we wait 60 seconds between attempts for the account to be enabled. The ISE admin needs to approve the pxGrid client account. We then retrieve the pxGrid controller version.
For // pxGrid ServiceLookup for session service, we look up the session service, com.cisco.ise.radius, since we are interested in obtaining the session information. The session service can be found on GitHub. This returns a list of the ISE nodes that are publishing the restBaseUrl that will be used for WebSockets REST API calls.
For // Use first service, note that ServiceLookup randomizes the ordering of services. The pubsub service provides a list of ISE pxGrid nodes if you have Active/Active.
For example, if you have three (3) ISE pxGrid nodes, the ordering is randomized, so you will only connect to one pxGrid node. However, the service is shared across all three ISE pxGrid nodes, which distributes the load.
We get the "wsPubsubService" and "failureTopic" properties. All the services use the WebSockets pubsub service name, "com.cisco.ise.pubsub", and here we are interested in failureTopic, which the code stores in the sessionTopic variable.
For // pxGrid ServiceLookup for pubsub service, this provides us with the ISE pxGrid node that publishes the session service.
For // Use first service, we get the pubsub service, which returns the "wsUrl" or WebSockets URL value.
For // pxGrid get AccessSecret, we get the access secret from the ISE pxGrid node containing the pubsub service.
For // WebSocket config, we set the SSL configuration and the credentials (the client node name and the access secret).
For // WebSocket connect, we first make a WebSockets connection and then create a STOMP over WebSockets connection.
For // STOMP connect, the pxGrid client connects.
For // Subscribe, the pxGrid client subscribes to the session topic over STOMP.
For // Give time for connection to establish before prompt, we wait briefly and then prompt to disconnect. When the endpoint disconnects, the ID "ID-123", which can be any value, identifies the receipt. The ISE pxGrid node will send back an acknowledgement to say that the pxGrid client has disconnected.
JAVA sample code
package com.cisco.pxgrid.samples.ise;

import java.net.URI;

import org.apache.commons.cli.ParseException;
import org.glassfish.tyrus.client.ClientManager;
import org.glassfish.tyrus.client.ClientProperties;
import org.glassfish.tyrus.client.SslEngineConfigurator;
import org.glassfish.tyrus.client.auth.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.cisco.pxgrid.samples.ise.model.AccountState;
import com.cisco.pxgrid.samples.ise.model.Service;

/**
 * Demonstrates how to subscribe to RADIUS Failure Topic
 */
public class RadiusFailureSubscribe {
    private static Logger logger = LoggerFactory.getLogger(RadiusFailureSubscribe.class);

    // Subscribe handler class: logs the body of every message received on the topic
    private static class SessionHandler implements StompSubscription.Handler {
        @Override
        public void handle(StompFrame message) {
            logger.info("Content={}", new String(message.getContent()));
        }
    }

    public static void main(String[] args) throws Exception {
        // Parse arguments
        SampleConfiguration config = new SampleConfiguration();
        try {
            config.parse(args);
        } catch (ParseException e) {
            config.printHelp("RadiusFailureSubscribe");
            System.exit(1);
        }

        // AccountActivate: retry every 60 seconds until the ISE admin approves the account
        PxgridControl control = new PxgridControl(config);
        while (control.accountActivate() != AccountState.ENABLED) {
            Thread.sleep(60000);
        }
        logger.info("pxGrid controller version={}", control.getControllerVersion());

        // pxGrid ServiceLookup for session service
        Service[] services = control.serviceLookup("com.cisco.ise.radius");
        if (services.length == 0) {
            logger.info("Session service unavailable");
            return;
        }

        // Use first service. Note that ServiceLookup randomize ordering of services
        Service sessionService = services[0];
        String wsPubsubServiceName = sessionService.getProperties().get("wsPubsubService");
        String sessionTopic = sessionService.getProperties().get("failureTopic");
        logger.info("wsPubsubServiceName={} sessionTopic={}", wsPubsubServiceName, sessionTopic);

        // pxGrid ServiceLookup for pubsub service
        services = control.serviceLookup(wsPubsubServiceName);
        if (services.length == 0) {
            logger.info("Pubsub service unavailable");
            return;
        }

        // Use first service
        Service wsPubsubService = services[0];
        String wsURL = wsPubsubService.getProperties().get("wsUrl");
        logger.info("wsUrl={}", wsURL);

        // pxGrid get AccessSecret
        String secret = control.getAccessSecret(wsPubsubService.getNodeName());

        // WebSocket config: TLS settings plus node name and access secret as credentials
        ClientManager client = ClientManager.createClient();
        SslEngineConfigurator sslEngineConfigurator = new SslEngineConfigurator(config.getSSLContext());
        client.getProperties().put(ClientProperties.SSL_ENGINE_CONFIGURATOR, sslEngineConfigurator);
        client.getProperties().put(ClientProperties.CREDENTIALS,
                new Credentials(config.getNodeName(), secret.getBytes()));

        // WebSocket connect
        StompPubsubClientEndpoint endpoint = new StompPubsubClientEndpoint();
        URI uri = new URI(wsURL);
        javax.websocket.Session session = client.connectToServer(endpoint, uri);

        // STOMP connect
        endpoint.connect(uri.getHost());

        // Subscribe
        StompSubscription subscription = new StompSubscription(sessionTopic, new SessionHandler());
        endpoint.subscribe(subscription);

        // Give time for connection to establish before prompt
        Thread.sleep(1000);
        SampleHelper.prompt("press <enter> to disconnect...");

        // STOMP disconnect
        endpoint.disconnect("ID-123");

        // Wait for disconnect receipt
        Thread.sleep(3000);

        // Websocket close
        session.close();
    }
}
Output
------ config ------
hostname = ise24fc3.lab10.com
hostname = 192.168.1.251
nodename = mac10
password = (not specified)
description = (not specified)
keystorefilename = /Applications/master_rest_samples/sw1.jks
keystorepassword = Cisco123
truststorefilename = /Applications/master_rest_samples/sw1root.jks
truststorepassword = Cisco123
--------------------
19:14:58.790 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate request={}
19:14:59.567 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccountActivate response={"accountState":"ENABLED","version":"2.0.0.13"}
19:14:59.567 [main] INFO com.cisco.pxgrid.samples.ise.RadiusFailureSubscribe - pxGrid controller version=2.0.0.13
19:14:59.597 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup request={"name":"com.cisco.ise.radius"}
19:14:59.616 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup response={"services":[{"name":"com.cisco.ise.radius","nodeName":"ise-mnt-ise24fc3","properties":{"wsPubsubService":"com.cisco.ise.pubsub","restBaseUrl":"https://ise24fc3.lab10.com:8910/pxgrid/ise/radius","failureTopic":"/topic/com.cisco.ise.radius.failure"}}]}
19:14:59.617 [main] INFO com.cisco.pxgrid.samples.ise.RadiusFailureSubscribe - wsPubsubServiceName=com.cisco.ise.pubsub sessionTopic=/topic/com.cisco.ise.radius.failure
19:14:59.617 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup request={"name":"com.cisco.ise.pubsub"}
19:14:59.631 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - ServiceLookup response={"services":[{"name":"com.cisco.ise.pubsub","nodeName":"ise-pubsub-ise24fc3","properties":{"wsUrl":"wss://ise24fc3.lab10.com:8910/pxgrid/ise/pubsub"}}]}
19:14:59.631 [main] INFO com.cisco.pxgrid.samples.ise.RadiusFailureSubscribe - wsUrl=wss://ise24fc3.lab10.com:8910/pxgrid/ise/pubsub
19:14:59.637 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccessSecret request={"peerNodeName":"ise-pubsub-ise24fc3"}
19:14:59.766 [main] INFO com.cisco.pxgrid.samples.ise.PxgridControl - AccessSecret response={"secret":"OiaMtLknaXPKRafG"}
19:15:01.449 [Grizzly(1)] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - WS onOpen
19:15:01.478 [main] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - STOMP CONNECT host=ise24fc3.lab10.com
19:15:01.483 [main] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - STOMP SUBSCRIBE topic=/topic/com.cisco.ise.radius.failure
19:15:01.485 [Grizzly(1)] INFO com.cisco.pxgrid.samples.ise.StompPubsubClientEndpoint - STOMP CONNECTED version=1.2
press <enter> to disconnect...
19:27:16.753 [Grizzly(2)] INFO com.cisco.pxgrid.samples.ise.RadiusFailureSubscribe - Content={"failures":[{"id":"1535297722346514","timestamp":"2018-08-26T23:27:12.972Z","failureReason":"24485 Machine authentication against Active Directory has failed because of wrong password","messageCode":5400,"userName":"host/DESKTOP-RQPBKDM","serverName":"ise24fc3","auditSessionId":"0A000001000000630030871A","ipAddresses":["192.168.1.19"],"nasIpAddress":"192.168.1.3","nasPortId":"GigabitEthernet1/0/10","nasPortType":"Ethernet","nasName":"Switch","callingStationId":"00:0E:C6:8F:B4:9B","originalCallingStationId":"00-0E-C6-8F-B4-9B","accessService":"Default Network Access","identityStore":"pxGridUsers","authenticationMethod":"dot1x","authenticationProtocol":"PEAP (EAP-MSCHAPv2)","serviceType":"Framed","deviceType":"All Device Types","location":"All Locations","response":"{RadiusPacketType\u003dAccessReject; }","responseTime":166,"executionSteps":["11001","11017","15049","15008","11507","12500","12625","11006","11001","11018","12301","12300","12625","11006","11001","11018","12302","12319","12800","12805","12806","12807","12808","12810","12811","12305","11006","11001","11018","12304","12305","11006","11001","11018","12304","12305","11006","11001","11018","12304","12319","12812","12813","12804","12801","12802","12816","12310","12305","11006","11001","11018","12304","12313","11521","12305","11006","11001","11018","12304","11522","11806","12305","11006","11001","11018","12304","11808","15041","22072","15013","24210","24216","15013","24431","24325","24313","24319","24313","24366","24313","24366","24323","24344","24485","22057","22061","11823","12305","11006","11001","11018","12304","11810","11815","11520","22028","12305","11006","11001","11018","12304","61025","12307","11504","11003"],"credentialCheck":"MSCHAPV2","policySetName":"Default"}]}
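Added example, not part of the Cisco sample code: one way a consumer could process the JSON body that the handler logs as Content=, normalizing each failure record and flagging endpoints that fail repeatedly within a time window. It is written in Python for brevity; the function names, threshold, window and sample frames are constructed for illustration, and only the field names come from the output above.

```python
import json
from datetime import datetime, timedelta

REASON = "24485 Machine authentication against Active Directory has failed because of wrong password"

def make_frame(ts, mac, user):
    """Build a constructed message body shaped like the Content= payload above."""
    return json.dumps({"failures": [{
        "timestamp": ts, "failureReason": REASON, "userName": user,
        "callingStationId": mac, "nasIpAddress": "192.168.1.3"}]})

# Constructed sample input: the later timestamps and the second endpoint are made up.
SAMPLE_FRAMES = [
    make_frame("2018-08-26T23:27:12.972Z", "00:0E:C6:8F:B4:9B", "host/DESKTOP-RQPBKDM"),
    make_frame("2018-08-26T23:28:40.101Z", "00:0E:C6:8F:B4:9B", "host/DESKTOP-RQPBKDM"),
    make_frame("2018-08-26T23:29:00.000Z", "AA:BB:CC:00:00:01", "alice"),
    make_frame("2018-08-26T23:30:05.500Z", "00:0E:C6:8F:B4:9B", "host/DESKTOP-RQPBKDM"),
    make_frame("2018-08-26T23:50:00.000Z", "AA:BB:CC:00:00:01", "alice"),
]

def parse_failures(content):
    """Normalize one message body into a list of failure records."""
    records = []
    for f in json.loads(content).get("failures", []):
        # failureReason starts with a numeric ISE message code, e.g. "24485 ..."
        code, _, text = f.get("failureReason", "").partition(" ")
        records.append({
            "time": datetime.strptime(f["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "user": f.get("userName"),
            "mac": f.get("callingStationId"),
            "nas": f.get("nasIpAddress"),
            "reason_code": code if code.isdigit() else None,
            "reason": text if code.isdigit() else f.get("failureReason", ""),
        })
    return records

def repeated_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Return {mac: peak count} for endpoints with >= threshold failures in a sliding window."""
    by_mac = {}
    for r in sorted(records, key=lambda r: r["time"]):
        by_mac.setdefault(r["mac"], []).append(r["time"])
    flagged = {}
    for mac, times in by_mac.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[mac] = max(flagged.get(mac, 0), end - start + 1)
    return flagged
```

Feeding every frame in SAMPLE_FRAMES through parse_failures and then repeated_failures flags only the endpoint with three failures inside five minutes.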