Hi, currently I configure the purge policy to execute every day at 0300. I would like to know how to configure the "condition" in order to meet the requirement to purge every day.
My intention is to let the self-registered guest and sponsored guest log in to the captive portal every morning and register the endpoint under the "Guest_Endpoint" group. After the first login, the user is no longer required to log in again for the whole day until the endpoint is purged, regardless of when the endpoint is registered.
Example A: Guest A logs in to the captive portal and registers the endpoint in the morning at 0800. So during the day, he is no longer required to log in. His endpoint will be purged on the second day at 0300 hours. When he comes back on the second day, he needs to log in again.
Example B: Guest B logs in to the captive portal and registers the endpoint at night at 2300. So his endpoint will be purged on the second day at 0300 hours. When he is back on the second day, he needs to log in again.
I have tried the following "Condition":
1. "Guest_Endpoint" AND "ENDPOINTPURGE ElapsedDays LESSTHAN 2"
2. "Guest_Endpoint" AND "ENDPOINTPURGE ElapsedDays GREATERTHAN 0"
With either one, I noticed that the endpoint will be purged every 2 days. Is there any better condition I can use?
What version and patch of ISE? There were issues in some versions.
I have not seen any issues with ISE 2.3 (any patch).
In your case, what status was the Guest account in? (created == never logged in, and active == guest has logged in) - I might be wrong, but I thought the elapsed days applies to the number of days from which the account became 'active'
How do you define account lifetime? From time of creation, or from time of first login?
The ISE is ver 2.1 patch 3.
I have 2 policies for guest.
1. use guest flow after login.
2. if Guest Endpoint Group, then permit access.
After the first login (item 1), the endpoint will be registered. On the second connection attempt, item 2 will take over. So what I want is that, at 0300, all endpoints in the Guest Endpoints Group are purged, regardless of when the guest logged in or was created.
Thanks, and if this doesn't work, it is likely a bug and I would try a later patch. Your release is old and there are many patches after that.
Patch 6 and you're on patch 3
For example patch 4 looks like this might be the same -
My first trial was less than 2. Before I tried this condition, I had already made sure the endpoint MAC address had been cleared from the endpoint group. But during the week, I noticed that the endpoint required login every 2 days. Thus I moved to greater than 0, and it gave the same results. I guess I am hitting the bugs.
You can also try setting purge on the ID group with PurgeDate set < some date in the future if the end goal is to simply delete any members in GuestEndpoints, for example. And yes, Paul did provide a good explanation of the nuances of purge logic.
Let me explain the 9999 logic in case others read this. There are several ways to try and tackle purging: