topic ISE endpoint puge no profiler service in Network Access Control

ISE endpoint puge no profiler service

marco.merlo — Fri, 23 Aug 2019 06:48:53 GMT

Hi to all,

I am trying to overrun some "cumbersome" limitations of ISE purge endpoints function when profiler service is not active.

I am trying to leverage on ISE restful API.

Essentially I want to get the list of endpoints with "ElapsedDays" attribute greater than a certain value and then delete only the endpoints that do not have an active session.

Now ISE MGT API can be easily queried to understand if there is an active session associated to a given mac address, but I have not been able to understand how to ask ERS or MGT APIs for endpoints with a given ElapsedDays attribute.

Any idea?

Regards

Re: ISE endpoint puge no profiler service

Damien Miller — Fri, 23 Aug 2019 22:46:48 GMT

Not a direct answer to your question, but buying 100 plus licenses would save you the headache and allow you to use the built in purging like you need. List price price would be 864 / yr or less depending on the term.

Re: ISE endpoint puge no profiler service

Arne Bier — Sun, 25 Aug 2019 22:47:46 GMT

Hi @Damien Miller

Why do you need a Plus license to purge endpoints? I have a customer with Base licenses only and we purge all the time.

@marco.merlo - I found that the REST API doesn't return all the properties of the endpoint as seen in the UI. ISE may expose an API, but in my experience I am left feeling disappointed because I cannot do that I want to do. If this were a proper RESTful API then it would mimic the GUI and allow every GUI action to be done via API. And it would also expose the same data model that is available to us as GUI users. But it doesn't. Long live DevOps ... ? Not so fast ... 😞

Below is a call to the API for an arbitrary endpoint

/ers/config/endpoint/3b2c05a0-9176-11e9-90fa-6e3ca0c7485b -H 'ACCEPT: application/json'

Not a lot of detail. If there is another call I should be using then please advise. I could not see anything more detailed than this one.

{
  "ERSEndPoint" : {
    "id" : "3b2c05a0-9176-11e9-90fa-6e3ca0c7485b",
    "name" : "00:1E:F7:C3:CB:8C",
    "mac" : "00:1E:F7:C3:CB:8C",
    "profileId" : "1513b300-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : false,
    "groupId" : "14f5cac0-8c00-11e6-996c-525400b48521",
    "staticGroupAssignment" : false,
    "portalUser" : "",
    "identityStore" : "",
    "identityStoreId" : "",
    "link" : {
      "rel" : "self",
      "href" : "https://192.168.0.221:9060/ers/config/endpoint/3b2c05a0-9176-11e9-90fa-6e3ca0c7485b",
      "type" : "application/xml"
    }
  }

Re: ISE endpoint puge no profiler service

Damien Miller — Sun, 25 Aug 2019 22:52:18 GMT

My understanding was that if you don't have any plus licenses, you couldn't leverage any of the features that leverage that data.

I've never run a deployment without plus, so just sounded like adding them would allow inactive days could be leveraged here since it sounded like it wasn't available.

Re: ISE endpoint puge no profiler service

Arne Bier — Sun, 25 Aug 2019 23:16:21 GMT

Hey Damien

I can assure you that with Base licenses only, the menus are restricted to the allowed feature set (e.g. no Profiling or BYOD menu etc) and the endpoints' profiles are fuzzed out. But we are able to purge endpoints without any issues.

Below is the restricted view that you get when only Base Licenses are installed:

And Context Visibility teases us with the fuzzed-out columns as shown below (I did not fuzz them out - this is how ISE displays them)

Re: ISE endpoint puge no profiler service

Damien Miller — Sun, 25 Aug 2019 23:29:49 GMT

That's pretty rough!

It would seem the easiest way to address this purging process would then be to use the built in purging tool, then setting a rule up for "elapsed days and endpoint:inactive days". This would avoid purging active sessions assuming inactive days were 1+.

Re: ISE endpoint puge no profiler service

marco.merlo — Mon, 26 Aug 2019 06:28:46 GMT

Hi Arnie,

I am afraid I forgot to share some information: we are able to purge endpoints as well but with a lot of limitations.

Our ISE Deployment is going to authenticate both wireless guest users and wired/wireless corporate users/end point.

Without plus license installed there is no way to purge and endpoint looking at its "last seen" attribute (InactiveDays attribute is not reset when getting an account packet from the NAD), so the main option you have is to look at InactiveDays. Of course if ones sets up the purge rule with a number of elapsed days greater than the maximum re-autenticatication timer taht is configured on the authentication profiles there will be no issue. Unfortunately we are migrating from an environment in which NADs get a "never reaunteticate" profile for a lot of endpoints (dot1x voip phones). So in order to avoid to purge them while keeping on to purge old guest (LWA ....) endpoints , I need to get a purge rule able to recognize such endpoints.
My idea wasto exploit the fact that such endpoints will have an high "elapseddays" value but an active session.

At the end I think I'll buy a 100 endpoint plus license.

Regards

Re: ISE endpoint puge no profiler service

marco.merlo — Mon, 26 Aug 2019 06:31:14 GMT

Hi,

unfortunately "InactiveDays" is useless without plus license installed because is no re-set to zero when getting an accounting update.

Regards