Data Connect has been available since ISE 3.2, giving you direct SQL access to ISE's operational database. The problem? Getting it running has been a pain. The official setup involves JDBC drivers, JAR files, Java trust stores, and keytool commands for certificate imports. If you're not already comfortable with that work flow, it's a lot of work just to run a query. And even after setup, you need to write Oracle PL/SQL. It's nor surprising that most ISE administrators have either never tried using Data Connect or tried and gave up. That's too bad because Data Connect is a powerful tool.
If you're extracting data from ISE programmatically, you have a few options: REST API, pxGrid, Syslog, or Data Connect. Each has tradeoffs.
Data Connect is the only programmatic method that gives you access to authentication data alongside configuration and session data. REST can pull configs and active sessions, but not historical authentications. pxGrid streams authentication data in real-time via WebSockets, but that's a different use case than querying historical records.
The other advantage is query flexibility and performance. REST API filters are limited to predefined parameters. With SQL, you write whatever query you need. And because you're pulling bulk data in a single request instead of making dozens of REST calls, it's significantly faster for large datasets.
The GUI works fine for one-off questions. But if you're repeatedly generating the same reports, automating operational data collection, or need answers the default reports don't provide—Data Connect is the tool. One SQL query to find network devices that haven't authenticated in 30+ days, or authentication pass/fail rates by policy, or posture non-compliance trends over the past week. No clicking through screens and exporting CSVs.
Earlier this year, Thomas Howard at Cisco shared scripts - specifically iseql.py - on his GitHub repository called ISE_Python_Scripts that cuts through most of the setup friction. Key to this is leveraging Python's oracledb package which runs as a "thin client," meaning no Oracle Instant Client libraries, no JDBC drivers, no Java trust stores.
The setup is straightforward:
pip install the dependencies80+ pre-built SQL queries. You don't have to write SQL to get started. The repo includes ready-to-run queries for all the things you might want to know: RADIUS authentication summaries, pass/fail counts by policy, endpoint profiling stats, posture compliance trends, TACACS command accounting, stale network devices, etc. Just point iseql.py at a .sql file in the SQL folder and get results. Once you're comfortable, you could tweak them or use them as templates to learn the Data Connect schema.
Flexible output formats. CSV, JSON, YAML, Markdown tables, or formatted ASCII tables. CSV pipes cleanly into spreadsheets or other scripts. JSON and YAML integrate with automation workflows. Table format is great for quick terminal inspection. Pick whatever fits how you're consuming the data.
Connection handling baked in. All the Oracle connection parameters—port 2484, service name cpm10, username dataconnect, TLS context—are already configured. All you have to do is provide a hostname and password.
git clone https://github.com/1homas/ISE_Python_Scripts.git
cd ISE_Python_Scripts
pip install -r requirements.txt
export ISE_PMNT='your-mnt-node.example.com'
export ISE_DC_PASSWORD='YourDataConnectPassword'
export ISE_VERIFY=False # for self-signed certs
# Run a query
./iseql.py "SELECT * FROM node_list" -f table
# Or use a pre-built query
./iseql.py data/SQL/radius_auths_by_policy.sql -f table
Note: Data Connect runs against the MNT node, not the PAN. In distributed deployments, it's enabled on the Secondary MNT by default. Otherwise, you'll need to enable it before running queries. To do so, navigate to Administration > Settings > Data Connect.
Thomas Howard's YouTube walkthrough covers setup and demos example queries. Be sure to take a look. And please feel free to reach out with any ISE questions you might have.