Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
28000
Views
38
Helpful
7
Replies

Endpoint Purge Default Behaviour

Go to solution
chbudima
Cisco Employee
Cisco Employee

‎07-31-2017 11:52 PM

Hi Team,

We have a query from customer about Endpoint Purge.

This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days from following link:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01100.html

We advised customer that the ISE default endpoint purge is set to purge endpoints and registered devices that are older than 30 days from above information.

Customer has asked confirmation for “older than 30 days”. Does this mean inactive for 30 days rather than endpoints registered 30 days ago?

Could anyone please help on this query?

Thank you in advance for your help.

Regards,

Charles

1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎08-01-2017 07:02 AM

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Setup Adaptive Network Control [Cisco Identity Serv…

Endpoints Purge Settings

You can define the Endpoint Purge Policy by configuration rules based on identity groups and other conditions using Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints and to purge endpoints based on selected profiling conditions.

You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary PAN.

The following are some of the conditions with examples you can use for purging the endpoints:

  • InactivityDays— Number of days since last profiling activity or update on endpoint.
    • This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments as they are no longer active on network or likely to be seen in near future. If they do happen to connect again, then they will be rediscovered, profiled, registered, etc as needed.
    • When there are updates from endpoint, InactivityDays will be reset to 0 only if profiling is enabled.
  • ElapsedDays—Numbers days since object is created.
    • This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.
  • PurgeDate—Date to purge the endpoint.
    • This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for specific week or month rather than absolute days/weeks/months.

View solution in original post

7 Replies 7

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎08-01-2017 07:02 AM

Cisco Identity Services Engine Administrator Guide, Release 2.2 - Setup Adaptive Network Control [Cisco Identity Serv…

Endpoints Purge Settings

You can define the Endpoint Purge Policy by configuration rules based on identity groups and other conditions using Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints and to purge endpoints based on selected profiling conditions.

You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary PAN.

The following are some of the conditions with examples you can use for purging the endpoints:

  • InactivityDays— Number of days since last profiling activity or update on endpoint.
    • This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments as they are no longer active on network or likely to be seen in near future. If they do happen to connect again, then they will be rediscovered, profiled, registered, etc as needed.
    • When there are updates from endpoint, InactivityDays will be reset to 0 only if profiling is enabled.
  • ElapsedDays—Numbers days since object is created.
    • This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.
  • PurgeDate—Date to purge the endpoint.
    • This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for specific week or month rather than absolute days/weeks/months.

Go to solution
chbudima
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎08-01-2017 04:11 PM

Hi Jason,

Thank you for sharing the information. I found this information too from configuration guide.

Customer does not have any policy configured related with InactivityDays, ElapsedDays and PurgeDate.

Therefore where this query comes from the customer, what is the default behavior for endpoint purge for “older than 30 days”. The query from customer with endpoint purge for “older than 30 days” meaning inactive for 30 days or endpoints registered 30 days ago?

Could you please help on this query?

Thanks for your help.

Regards,

Charles

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to chbudima

‎08-01-2017 04:18 PM

I don't understand, do they have anything configured for a purge policy? If so what does the line say? Send a screenshot of their purge policy?

The default rules are guest endpoints or registered endpoints are purged after 30 days (elapsed meaning after the action of them being put into the database they are removed)

The only time inactivity is considered is if you select inactive days

0 Helpful

Go to solution
chbudima
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎08-01-2017 05:39 PM

Hi Jason,

Customer has configured a daily purge policy for Guest Wifi User. However customer does not have a purge policy for their BYOD Wifi User.

Thanks for your confirmation the default endpoint purge rule is, registered endpoints are purged after 30 days.

Regards,

Charles

0 Helpful

Go to solution
marco.merlo
Level 1
Level 1
In response to Jason Kunst

‎10-18-2018 08:50 AM

Hi,

I need some more details about "Inactivitydays".

Actually on ise 2.3 I found two objects in dictionary to build purge conditions:

ElapsedDays and Inactivedays.

But I am not sure that Inactivedays is a counter of the number of days from device "last seen" event.

Indeed I gave a look at a currently connected device and I saw that the two counters have the same value. Why Inactivedays attribute is not zero being the device connected?

Is a 2.3 patch 3 bug?

Regards

MM

0 Helpful

Go to solution
gbekmezi-DD
Level 5
Level 5
In response to marco.merlo

‎02-28-2019 06:08 PM

I know this is old, but from Jason's post above:

 

  • When there are updates from endpoint, InactivityDays will be reset to 0 only if profiling is enabled.

Was profiling enabled?

Go to solution
marco.merlo
Level 1
Level 1
In response to gbekmezi-DD

‎02-28-2019 11:17 PM

You are right.

I had missed that statement in the guide. Without a license that enable profiling "Inactivedays" counter is unusable.

Regard

M

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents