topic Endpoint Purge Default Behaviour in Network Access Control

Endpoint Purge Default Behaviour

chbudima — Tue, 01 Aug 2017 06:52:44 GMT

Hi Team,

We have a query from customer about Endpoint Purge.

This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days from following link:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01100.html

We advised customer that the ISE default endpoint purge is set to purge endpoints and registered devices that are older than 30 days from above information.

Customer has asked confirmation for “older than 30 days”. Does this mean inactive for 30 days rather than endpoints registered 30 days ago?

Could anyone please help on this query?

Thank you in advance for your help.

Regards,

Charles

Re: Endpoint Purge Default Behaviour

Jason Kunst — Tue, 01 Aug 2017 14:02:00 GMT

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Setup Adaptive Network Control [Cisco Identity Serv…

Endpoints Purge Settings

You can define the Endpoint Purge Policy by configuration rules based on identity groups and other conditions using Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints and to purge endpoints based on selected profiling conditions.

You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary PAN.

The following are some of the conditions with examples you can use for purging the endpoints:

InactivityDays— Number of days since last profiling activity or update on endpoint.
- This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments as they are no longer active on network or likely to be seen in near future. If they do happen to connect again, then they will be rediscovered, profiled, registered, etc as needed.
- When there are updates from endpoint, InactivityDays will be reset to 0 only if profiling is enabled.
ElapsedDays—Numbers days since object is created.
- This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.
PurgeDate—Date to purge the endpoint.
- This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for specific week or month rather than absolute days/weeks/months.

Re: Endpoint Purge Default Behaviour

chbudima — Tue, 01 Aug 2017 23:11:03 GMT

Hi Jason,

Thank you for sharing the information. I found this information too from configuration guide.

Customer does not have any policy configured related with InactivityDays, ElapsedDays and PurgeDate.

Therefore where this query comes from the customer, what is the default behavior for endpoint purge for “older than 30 days”. The query from customer with endpoint purge for “older than 30 days” meaning inactive for 30 days or endpoints registered 30 days ago?

Could you please help on this query?

Thanks for your help.

Regards,

Charles

Re: Endpoint Purge Default Behaviour

Jason Kunst — Tue, 01 Aug 2017 23:18:51 GMT

I don't understand, do they have anything configured for a purge policy? If so what does the line say? Send a screenshot of their purge policy?

The default rules are guest endpoints or registered endpoints are purged after 30 days (elapsed meaning after the action of them being put into the database they are removed)

The only time inactivity is considered is if you select inactive days

Re: Endpoint Purge Default Behaviour

chbudima — Wed, 02 Aug 2017 00:39:51 GMT

Hi Jason,

Customer has configured a daily purge policy for Guest Wifi User. However customer does not have a purge policy for their BYOD Wifi User.

Thanks for your confirmation the default endpoint purge rule is, registered endpoints are purged after 30 days.

Regards,

Charles

Re: Endpoint Purge Default Behaviour

marco.merlo — Thu, 18 Oct 2018 15:50:27 GMT

Hi,

I need some more details about "Inactivitydays".

Actually on ise 2.3 I found two objects in dictionary to build purge conditions:

ElapsedDays and Inactivedays.

But I am not sure that Inactivedays is a counter of the number of days from device "last seen" event.

Indeed I gave a look at a currently connected device and I saw that the two counters have the same value. Why Inactivedays attribute is not zero being the device connected?

Is a 2.3 patch 3 bug?

Regards

Re: Endpoint Purge Default Behaviour

gbekmezi-DD — Fri, 01 Mar 2019 02:08:58 GMT

I know this is old, but from Jason's post above:

When there are updates from endpoint, InactivityDays will be reset to 0 only if profiling is enabled.

Was profiling enabled?

Re: Endpoint Purge Default Behaviour

marco.merlo — Fri, 01 Mar 2019 07:17:00 GMT

You are right.

I had missed that statement in the guide. Without a license that enable profiling "Inactivedays" counter is unusable.

Regard