topic Re: Endpoint attribute filter (whitelist filter) and "dropped attributes" in Network Access Control

Endpoint attribute filter (whitelist filter) and "dropped attributes"

Johannes Luther — Mon, 22 Oct 2018 12:47:33 GMT

Hi board,

Currently I try to understand the whole ISE replication stuff and stumbled upon the "endpoint attribute filter".

As described in various CiscoLive slides (e.g. BRKSEC-3699), it is best practive to have it enabled and I do it all the time without any issues.

As far as I understood the feature, only significant and whitelist attributes are stored by a PSN node.

Changes in significant attributes trigger global replication (PSN -> PAN -> all secondary nodes)

Changes in whitelist attributes trigger node group level replication

All other attribures are dropped and are therefore not replicated.

First question: Correct so far? 🙂

If I now check an endpoint in the ISE 2.4 GUI, a see all the important attributes, but I also see "ElapsedDays" or "InactiveDays" for example. These attributes are very important for endpoint purging policies.

However based on the CiscoLive slides and the ISE 2.4 admin guide, "ElapsedDays" or "InactiveDays" are not significant or whitelist attributes. So these attributes are not subject to collection or replication if the endpoint attribute filter is in place.

So how and why are these attributes visible for a specific endpoint in the ISE GUI?

Are these values updated by the MNT node with Syslogs or RADIUS accounting information?

Re: Endpoint attribute filter (whitelist filter) and "dropped attributes"

hslai — Mon, 22 Oct 2018 21:28:51 GMT

... All other attribures are dropped and are therefore not replicated.

First question: Correct so far? 🙂

Essentially correct. There are also some attributes for context visibility but only replicated for the context visibility services on the primary admin node but does not persistent to the ISE configuration database.

... "ElapsedDays" or "InactiveDays" are not significant or whitelist attributes. So these attributes are not subject to collection or replication if the endpoint attribute filter is in place.

So how and why are these attributes visible for a specific endpoint in the ISE GUI?

Are these values updated by the MNT node with Syslogs or RADIUS accounting information?

These attributes are derived and calculated. ElapsedDays derived from the timestamp recording when the endpoint is created and InactiveDays from the timestamp of LastActivity.

Re: Endpoint attribute filter (whitelist filter) and "dropped attributes"

Johannes Luther — Tue, 23 Oct 2018 04:55:21 GMT

Hi, thank you for the answer.

So I see "ElapsedDays" and "InactivityDays" in the ISE GUI. But which node actually derives and calculates these values?

It cannot be the PSN, because these attributes are not subject to replication with the "endpoint collection filter".

So at the end of the day it must be the MNT, right?

Re: Endpoint attribute filter (whitelist filter) and "dropped attributes"

hslai — Thu, 25 Oct 2018 05:32:57 GMT

Their values are calculated on the primary PAN when we go to the particular page to view the attributes of the endpoint.