topic Cisco ISE - purge inactive endpoints in Network Access Control

Cisco ISE - purge inactive endpoints

milos_p — Mon, 23 May 2022 10:29:37 GMT

Hi guys,

Do you have any recommendation/best practice how to purge inactive endpoints from the database, in order to keep it clean and tidy, let's say, anything inactive for more then 100 days?

I am running Cisco ISE 3.1 with Essential licensing.

Thanks a lot!

Milos

Re: Cisco ISE - purge inactive endpoints

Mark Elsen — Mon, 23 May 2022 10:38:39 GMT

- FYI : https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/b_ISE_admin_30_maintain_monitor.html#concept_0776B37A2C3542189950F5DFB1961FA2

Re: Cisco ISE - purge inactive endpoints

milos_p — Mon, 23 May 2022 10:55:03 GMT

Hi marc1000,

Thanks for reply, just referring to the manual is not very helpful in this case.

I would like to see some real world examples for this, if someone is using any purge policy effectively in their deployment for purging inactive endpoints.

Re: Cisco ISE - purge inactive endpoints

Jonatan Jonasson — Mon, 23 May 2022 14:19:29 GMT

It may be somewhat different between environments and how the groups are effectively used, how they are initially populated (dynamic vs static), and how quickly they grow.

For example I've frequently seen deployments where the purge policy for guest endpoints is set to purge after 30 days (sometimes less).

I know of an environment where group that's primarily used to identify devices being staged, and the purge policy on that group is only a few days. (Since effectively the endpoint should have been moved into another group post staging anyway.)

60/90/120 inactive-days is what I frequently run into for different groups/use cases, but I also see an even longer time and/or combination with "never purge" for certain groups.

It really is an "it depends".

Re: Cisco ISE - purge inactive endpoints

Marcelo Morais — Tue, 24 May 2022 02:19:52 GMT

Hi @milos_p ,

I prefer to use a combination of Conditions in a Purge rule, for examples:

NotRegistered-Inactivity:

(EndpointPurge.DeviceRegistrationStatus Equals NotRegistered) AND (EndpointPurge.InactiveDays GreaterThan 30)

I also use the ElapsedDays in some cases, for example:

Portal-Test

(Portal-Test) AND (EndpointPurge.ElapsedDays GreaterThan 1)

Note:

1. at Context Visibility > Endpoints > Authentications you are able to check the Dashboard - Inactive Endpoints.

2. at Operations > Report > Reports > Audit > Endpoints Purge Activities, you are able to check your Purge rules.

Hope this helps !!!

Re: Cisco ISE - purge inactive endpoints

milos_p — Tue, 24 May 2022 07:27:33 GMT

Hi Marcelo,

This is super useful, especially report for Endpoint Purge Activities, thanks a lot!

Do you know some easy way to display all endpoints with Inactive days larger then X (let's say, I want to see all endpoints with inactive days more than 30 etc.).

I found a way to export all endpoints to CSV and find it from there, but a view/report from ISE GUI would be more useful.

Regards,

Milos

Re: Cisco ISE - purge inactive endpoints

Marcelo Morais — Tue, 24 May 2022 13:12:45 GMT

Hi @milos_p ,

at Context Visibility > Endpoints > Authentication > Inactive Endpoints dashboard, you are able to see and select (like a filter) the Inactive Endpoints:

After selecting, the list of Inactive Endpoints (23723 in the example above) will be listed bellow (this is a way "to see all endpoints with inactive days more than").

Hope this helps !!!

Re: Cisco ISE - purge inactive endpoints

milos_p — Tue, 24 May 2022 13:30:30 GMT

Hi Marcelo,

I am still not sure if that "INACTIVE ENDPOINTS" chart will present all inactive endpoints, or just for certain amount of time, as it looks like chart is divided in 30 columns, so I guess it will show for last 30 days.

Now, clicking on the chart on certain date will put in the filter "Inactive since X days" and show endpoints only for that date, not also before or after, I tested it.

You can try to click on your chart on a bar before or after the one with 23723 endpoints, and see if it will bring you 23723+X or just endpoints from that day.

For me, it shows only for the day that I clicked on the chart.

Thanks a lot!

Milos

Re: Cisco ISE - purge inactive endpoints

Marcelo Morais — Tue, 24 May 2022 21:51:52 GMT

Hi @milos_p ,

yes, your understanding is correct.

When you click on the column the filter is applied to all Endpoint that are inactive for exactly X days:

Regards

Re: Cisco ISE - purge inactive endpoints

milos_p — Tue, 24 May 2022 22:06:50 GMT

Hi Marcelo,

Great, so I understood it good, it's exactly for X days.

Is there a trick so I can see endpoints inactive for more than X days?

Regards,

Milos

Re: Cisco ISE - purge inactive endpoints

Marcelo Morais — Wed, 25 May 2022 02:33:08 GMT

Hi @milos_p ,

sorry, not that I know.

Regards

Re: Cisco ISE - purge inactive endpoints

JasonPawlowski6638 — Mon, 06 Jan 2025 19:19:20 GMT

Hey Marcelo!

Is there something similar for inactive Network Devices? I have hundreds of network devices that have been retired and not cleaned up. Is there a purge option for something like that?

Re: Cisco ISE - purge inactive endpoints

Marcelo Morais — Mon, 06 Jan 2025 19:51:19 GMT

Hi @JasonPawlowski6638 ,

the Endpoint Purge (at Administration > Identity Management > Settings) is for Endpoints only !!!

At Administration > Network Resources > Network Devices > you can select the Network Devices and choose Delete > Delete Selected.

To check the Authentications of a Network Device:

At Operations > Reports > Reports > Authentication Summary > check Authentications by Device Name
At Operations > Reports > Reports > Top N Authentications by Network Device

Hope this helps !!!