Cisco ISE

Overview

Cisco Identity Service Engine is a network administration solution designed to simplify and control security and access on your company's network.

The Centreon Monitoring Connector Cisco ISE aims to collect the number of active and profiler service sessions and the number of postured endpoints by requesting the dedicated built-in REST API.

Monitoring Connector assets

Monitored objects

  • Cisco Identity Service Engine

Monitored metrics

| Metric name | Description | Unit |
|---|---|---|
| sessions.active.count | The number of active sessions | Count |
| endpoints.postured.count | The number of postured endpoints | Count |
| sessions.profiler.count | The number of profiler service sessions | Count |

Prerequisites

The users used in the Host Macro (more information here) must be assigned to one of the following Admin Groups and must be authenticated against the credentials stored in the Cisco ISE internal database (internal admin users):

  • Super Admin

  • System Admin

  • MnT Admin

Furthermore, the Centreon Pollers must be able to reach the Cisco ISE REST API on the TCP/80 or TCP/443 port(s). More information on the official Cisco website: https://developer.cisco.com/docs/identity-services-engine/3.0/#!introduction-to-monitoring-rest-apis/verifying-a-monitoring-node

Setup

  1. Install the Centreon package on every Centreon poller expected to monitor a Cisco Identity Service Engine:

     yum install centreon-plugin-Applications-Cisco-Ise-Restapi

  2. On the Centreon Web interface, install the Cisco ISE Centreon Monitoring Connector on the Configuration > Monitoring Connector Manager page.

Configuration

Host

  • Log into Centreon and add a new Host through "Configuration > Hosts".
  • Fill the "Name", "Alias" & "IP Address / DNS" fields according to your Cisco Identity Service Engine settings.
  • Apply the Applications-Cisco-Ise-Restapi-custom template and configure all the mandatory Macros:

| Mandatory | Name | Description |
|---|---|---|
| X | ISECUSTOMMODE | Mode used by plugin (Default: 'xmlapi') |
| X | ISEAPIURLPATH | Path to the ISE API (Default: '/admin/API/mnt') |
| X | ISEAPIPORT | Port of the ISE API instance (Default: '443') |
| X | ISEAPIPROTO | Protocol used by the ISE API (Default: 'https') |
| X | USERNAME | Username to access ISE API |
| X | PASSWORD | Password to access ISE API |
|  | EXTRAOPTIONS | Any extra option you may want to add to every command_line (e.g. a --verbose flag) |

FAQ

How to check in the CLI that the configuration is OK and what are the main options for?

Once the plugin is installed, log into your Centreon Poller CLI using the centreon-engine user account and test the Plugin by running the following command:

/usr/lib/centreon/plugins/centreon_cisco_ise_restapi.pl \
--plugin=apps::cisco::ise::restapi::plugin \
--mode=session \
--custommode='xmlapi' \
--hostname='10.0.0.1' \
--url-path='admin/API/mnt' \
--username='user' \
--password='password' \
--port='443' \
--proto='https' \
--filter-counters='' \
--warning-active-sessions='20' \
--critical-active-sessions='50' \
--warning-postured-endpoints='' \
--critical-postured-endpoints='' \
--warning-profiler-service-sessions='' \
--critical-profiler-service-sessions='' \
--use-new-perfdata

Expected command output is shown below:

OK : Active sessions: 10, Postured endpoints: 20, Profiler service sessions: 20 | 'sessions.active.count'=10;0:20;0:50;0; 'endpoints.postured.count'=20;;;0 'sessions.profiler.count'=20;;;0;

This command triggers a WARNING alarm if the number of active sessions is greater than 20 (--warning-active-sessions='20').

A CRITICAL alarm is triggered if the number of active sessions is greater than 50 (--critical-active-sessions='50').
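To see how the thresholds in the sample output map to OK, WARNING and CRITICAL, the following added example (not part of the Centreon plugin) parses the perfdata after the `|` and replays values against the warning and critical ranges. It assumes the ranges follow the standard Nagios plugin threshold convention; the function names are hypothetical.

```python
import re

# Constructed from the sample plugin output shown above.
SAMPLE = (
    "OK : Active sessions: 10, Postured endpoints: 20, Profiler service sessions: 20 | "
    "'sessions.active.count'=10;0:20;0:50;0; 'endpoints.postured.count'=20;;;0 "
    "'sessions.profiler.count'=20;;;0;")

# 'label'=value[UOM][;warn[;crit[;min[;max]]]]
PERF_RE = re.compile(r"'([^']+)'=(-?[\d.]+)([^;\s]*)((?:;[^;\s]*)*)")

def parse_perfdata(line):
    """Return {label: (value, warn_range, crit_range)} from a plugin output line."""
    perf = line.partition("|")[2]
    metrics = {}
    for label, value, _uom, tail in PERF_RE.findall(perf):
        warn, crit = (tail.split(";")[1:] + ["", ""])[:2]  # either may be empty
        metrics[label] = (float(value), warn, crit)
    return metrics

def breaches(value, rng):
    """Range check (assumed Nagios convention): True when the value must alert."""
    if not rng:
        return False                      # no threshold configured
    inside = rng.startswith("@")          # "@a:b" alerts when inside the range
    low, sep, high = rng.lstrip("@").partition(":")
    if not sep:                           # "20" is shorthand for "0:20"
        low, high = "0", low
    lo = float("-inf") if low == "~" else float(low or 0)
    hi = float("inf") if high == "" else float(high)
    in_range = lo <= value <= hi
    return in_range if inside else not in_range

def status(value, warn, crit):
    if breaches(value, crit):
        return "CRITICAL"
    return "WARNING" if breaches(value, warn) else "OK"

def evaluate(line, overrides=None):
    """Status per metric; overrides replays other values against the same thresholds."""
    overrides = overrides or {}
    return {label: status(overrides.get(label, v), w, c)
            for label, (v, w, c) in parse_perfdata(line).items()}

if __name__ == "__main__":
    print(evaluate(SAMPLE))
    print(evaluate(SAMPLE, {"sessions.active.count": 35}))
```

Metrics with empty warning and critical fields, such as endpoints.postured.count in the sample, never leave the OK state, so a sudden drop in postured endpoints goes unnoticed until thresholds are set for it.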

All available options for a given mode can be displayed by adding the --help parameter to the command:

/usr/lib/centreon/plugins/centreon_cisco_ise_restapi.pl \
--plugin=apps::cisco::ise::restapi::plugin \
--mode=session \
--help

All plugin modes can be listed with the following command:

/usr/lib/centreon/plugins/centreon_cisco_ise_restapi.pl \
--plugin=apps::cisco::ise::restapi::plugin \
--list-mode

Why do I get the following message: UNKNOWN: 500 Can't connect to 10.0.0.1:443 |

This error message means that the Centreon Plugin couldn't successfully connect to the Cisco ISE REST API. Check that no third party device (such as a firewall) is blocking the request. A proxy connection may also be necessary to connect to the API. This can be done by using this option in the command: --proxyurl='http://proxy.mycompany:8080'.

UNKNOWN: 501 Protocol scheme 'connect' is not supported |

When using a proxy to connect to Cisco ISE REST API, this error message means that the Centreon Plugin library does not support the proxy connection protocol.

In order to prevent this issue, use the curl HTTP backend by adding the following option to the command: --http-backend='curl'.