https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3748321#M488249 <P>I imagine&nbsp;ISE calculates the expiry date by deducting the expiration date of the cert from the current date. All X.509 certs have validity attributes.&nbsp;</P> <P>&nbsp;</P> <P>BTW why wait for the MICs to expire? Why risk having phones not register some day in the future when you can just install your LSCs during a maintenance window?&nbsp;&nbsp;</P> Fri, 16 Nov 2018 18:57:50 GMT Nadav 2018-11-16T18:57:50Z https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3746611#M488243 <P>Hi,</P> <P>&nbsp;</P> <P>Customer is trying to figure out a way to create a report of the MIC certificates in their Cisco IP Phones and their date of expiration to plan for&nbsp;the implementation of LSC.</P> <P>&nbsp;</P> <P>Since we can use the "Days to Expiry" attribute in an AuthZ policy and it provides the quantity of days to expiry, it means that the expiration date is extracted and logged somewhere I guess. In which log can I find this information?</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 14 Nov 2018 15:17:02 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3746611#M488243 slevesqu 2018-11-14T15:17:02Z https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3746633#M488246 ISE does not store those attributes anywhere and the conditions are run in a Just In Time(JIT) fashion where they are evaluated at the runtime and a decision is taken based on the values returned. They are logged at TRACE level on the logs that reside on the ISE which are written locally. So in short, there is no way you can pull those attributes from ISE.<BR /> Wed, 14 Nov 2018 15:39:52 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3746633#M488246 Surendra 2018-11-14T15:39:52Z https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3747656#M488247 <P>100% clear thank you sir!</P> Thu, 15 Nov 2018 20:55:45 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3747656#M488247 slevesqu 2018-11-15T20:55:45Z https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3748321#M488249 <P>I imagine&nbsp;ISE calculates the expiry date by deducting the expiration date of the cert from the current date. All X.509 certs have validity attributes.&nbsp;</P> <P>&nbsp;</P> <P>BTW why wait for the MICs to expire? Why risk having phones not register some day in the future when you can just install your LSCs during a maintenance window?&nbsp;&nbsp;</P> Fri, 16 Nov 2018 18:57:50 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3748321#M488249 Nadav 2018-11-16T18:57:50Z https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3759004#M488251 <P>Not that easy the CUCM is managed by a 3rd party which makes it challenging to deploy LSCs in the short term</P> Thu, 06 Dec 2018 15:06:49 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/3759004#M488251 slevesqu 2018-12-06T15:06:49Z https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/4136986#M562366 <P>One alternative in this case, would be to write a duplicate policy for authenticating your phones on top of the existing policy but name this policy something like 'Phone-Auth-expires-less-than-100' and add the expire attribute as something that must be matched. You can then easily report on the devices that match this policy instead of your already existing policy.</P> Mon, 17 Aug 2020 16:36:40 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-days-to-expiry-log/m-p/4136986#M562366 gnegronida 2020-08-17T16:36:40Z