<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Endpoints with failure 22056 clogging database in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/endpoints-with-failure-22056-clogging-database/m-p/4914874#M583761</link>
    <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291510"&gt;@Josh Morris&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Strangely enough, I have seen the same thing in ISE 3.1 p3 (as it happens). But that might just be a coincidence.&lt;/P&gt;
&lt;P&gt;I saw hundreds of bogus MAC addresses learned from a single port and when I investigated the port, there was just a phone connected. Since I was not involved in the day-to-day operations of the network, I could only guess what happened. I purged the endpoints and will see if it reoccurs.&lt;/P&gt;
&lt;P&gt;I would not change your MAB policy to Reject/Drop if not found. That breaks MAB, because you must fail through to Authorization to allow new Endpoints to be Authorized (if an applicable Rule is matched). In Monitor Mode and Low Impact Mode you would never fail anything in the Authorization phase - you have to handle all endpoints.&lt;/P&gt;</description>
    <pubDate>Wed, 30 Aug 2023 21:29:13 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2023-08-30T21:29:13Z</dc:date>
    <item>
      <title>Endpoints with failure 22056 clogging database</title>
      <link>https://community.cisco.com/t5/network-access-control/endpoints-with-failure-22056-clogging-database/m-p/4913115#M583689</link>
      <description>&lt;P&gt;ISE v3.1p3&lt;/P&gt;&lt;P&gt;I am getting thousands of endpoints clogging my context visibility. They have little-to-no attribute information and mostly seem to fail with&amp;nbsp;&lt;SPAN&gt;22056 Subject not found in the applicable identity store(s). I have purge policies in place, but I'm not able to capture all these for some reason. And funny enough, many of these (potentially bogus) MAC addresses appear to be coming from the same switchport. I have investigated the endpoints connected on this switchport and I don't see anything fishy there. No hubs, no container or virtualization software, no apparent foul play.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Is there another way I should be dealing with these besides regular observation, manual removal, and trying to optimize endpoint purge rules?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;Edit: Here is my authentication policy for this. It's very simple, but I wonder if I should DROP instead of REJECT if User not found? Would this keep the endpoint from showing up in the CV?&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JoshMorris_0-1693237575435.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/195495i4B756D9B010539AB/image-size/medium?v=v2&amp;amp;px=400" role="button" title="JoshMorris_0-1693237575435.png" alt="JoshMorris_0-1693237575435.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 28 Aug 2023 15:46:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/endpoints-with-failure-22056-clogging-database/m-p/4913115#M583689</guid>
      <dc:creator>Josh Morris</dc:creator>
      <dc:date>2023-08-28T15:46:23Z</dc:date>
    </item>
    <item>
      <title>Re: Endpoints with failure 22056 clogging database</title>
      <link>https://community.cisco.com/t5/network-access-control/endpoints-with-failure-22056-clogging-database/m-p/4914874#M583761</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/291510"&gt;@Josh Morris&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Strangely enough, I have seen the same thing in ISE 3.1 p3 (as it happens). But that might just be a coincidence.&lt;/P&gt;
&lt;P&gt;I saw hundreds of bogus MAC addresses learned from a single port and when I investigated the port, there was just a phone connected. Since I was not involved in the day-to-day operations of the network, I could only guess what happened. I purged the endpoints and will see if it reoccurs.&lt;/P&gt;
&lt;P&gt;I would not change your MAB policy to Reject/Drop if not found. That breaks MAB, because you must fail through to Authorization to allow new Endpoints to be Authorized (if an applicable Rule is matched). In Monitor Mode and Low Impact Mode you would never fail anything in the Authorization phase - you have to handle all endpoints.&lt;/P&gt;</description>
      <pubDate>Wed, 30 Aug 2023 21:29:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/endpoints-with-failure-22056-clogging-database/m-p/4914874#M583761</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2023-08-30T21:29:13Z</dc:date>
    </item>
  </channel>
</rss>