Beginner

Purge Endpoint everyday

Hi, currently I have configured the purge policy to execute every day at 0300.  I would like to know how to configure the "condition" in order to meet the requirement to purge every day.

My intention is to let the self-registered guests and sponsored guests log in to the captive portal every morning and register the endpoint under the "Guest_Endpoint" group.  After the first login, the user is no longer required to log in again for the whole day until the endpoint is purged, regardless of when the endpoint was registered.

Example A:  Guest A logs in to the captive portal and registers the endpoint in the morning at 0800.  So during the day, he is no longer required to log in.  His endpoint will be purged on the second day at 0300.  When he comes back the second day, he needs to log in again.

Example B:  Guest B logs in to the captive portal and registers the endpoint at night at 2300.  So his endpoint will be purged on the second day at 0300.  When he comes back the second day, he needs to log in again.

I have tried the following "Conditions":

1. "Guest_Endpoint" AND "ENDPOINTPURGE ElapsedDays LESSTHAN 2"

2. "Guest_Endpoint" AND "ENDPOINTPURGE ElapsedDays GREATERTHAN 0"

With either one, I noticed that the endpoint is purged every 2 days.  Is there any better condition I can use?

9 Replies
VIP Advocate

Re: Purge Endpoint everyday

What version & patch of ISE?  There were issues in some versions.

I have not seen any issues with ISE 2.3 (any patch)

In your case, what status was the Guest account in? (created == never logged in, and active == guest has logged in).  I might be wrong, but I thought the elapsed days applies to the number of days from when the account became 'active'.

How do you define account lifetime?  From time of creation, or from time of first login?

Beginner

Re: Purge Endpoint everyday

The ISE version is 2.1 patch 3.

I have 2 policies for guest.

1. Use guest flow after login.

2. If Guest Endpoint Group, then permit access.

After the first login (item 1), the endpoint will be registered.  On the second connection attempt, item 2 takes over.  So what I want is that at 0300, all endpoints in the Guest Endpoints Group are purged, regardless of when the guest logged in or was created.

VIP Engager (Accepted Solution)

Re: Purge Endpoint everyday

Your conditions are wrong.  The most reliable condition is "Elapsed Days less than 9999".  That guarantees any MAC address in the endpoint identity group on the purge rule gets dumped at 3:00.  I use that on all my installs to guarantee purging.


Cisco Employee

Re: Purge Endpoint everyday

Thanks, and if this doesn't work, it is likely a bug and I would try a later patch.  Your release is old and there are many patches after that.

Patch 6 is available and you're on patch 3.

For example, patch 4 looks like it might be the same:

CSCvb46440

After upgrading from ISE 1.3 patch 7 to ISE 2.0.1, purge rules are not working as expected.

Release Notes for Cisco Identity Services Engine, Release 2.1 - Cisco

Beginner

Re: Purge Endpoint everyday

My first trial was less than 2.  Before I tried this condition, I had already made sure the endpoint MAC address was cleared from the endpoint group.  But during the week, I noticed that the endpoint required login every 2 days.  Thus I moved to greater than 0, and it gave the same results.  I guess I am hitting the bug.

Cisco Employee

Re: Purge Endpoint everyday

Yes, you're running several patches back.


Advocate

Re: Purge Endpoint everyday

You can also try setting purge on the ID group with PurgeDate set < some date in the future, if the end goal is to simply delete any members in GuestEndpoints, for example.  And yes, Paul did provide a good explanation of the nuances of purge logic.

VIP Engager

Re: Purge Endpoint everyday

Let me explain the 9999 logic in case others read this.  There are several ways to try and tackle purging:

  1. Elapsed Days greater than 0: this is a common one people try to use, but it yields inconsistent purging because the timer starts when the endpoint is first learned by ISE.  So if an endpoint is learned at 9:00 a.m., at 3:00 a.m. when the purge runs the elapsed days is still 0.  At 9:00 a.m. the next day elapsed days goes to 1, and it is then purged when the purge runs the second night.
  2. Elapsed Days less than 1 (less than 2, whatever).  This should work for brand new endpoints, but what if you implement this purge rule after ISE has already learned the MAC addresses for a few days?  Now they will never get purged.
  3. Elapsed Days equals 0.  Same as #2.  For new endpoints this works fine, but what if the MAC address is already in the system?
  4. Elapsed Days less than 9999.  I haven't found a scenario (other than a bug) where this doesn't dump the endpoint identity group every night.  All MAC addresses in ISE are less than 9,999 days old.  If the MAC address is in the endpoint identity group it will get purged.
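As an added illustration (not code from this thread and not Cisco ISE's own logic), the Python simulation below runs the four conditions Paul lists against the original poster's two guests (arriving at 0800 and 2300) plus an endpoint that was learned before the purge rule existed. It assumes, as my reading of the thread rather than anything the thread confirms, that ElapsedDays is the whole number of 24-hour periods since the endpoint was first learned, that the purge runs at 03:00, and that a purged guest re-registers at the captive portal on their next visit. The dates, arrival times and scenario names are constructed.

```python
from datetime import datetime, timedelta

PURGE_HOUR = 3  # the purge policy in the thread runs daily at 0300

# The conditions compared in the thread. Assumption: ISE evaluates the numeric
# ENDPOINTPURGE ElapsedDays attribute with these comparison operators.
CONDITIONS = {
    "ElapsedDays GREATERTHAN 0": lambda d: d > 0,
    "ElapsedDays LESSTHAN 2": lambda d: d < 2,
    "ElapsedDays EQUALS 0": lambda d: d == 0,
    "ElapsedDays LESSTHAN 9999": lambda d: d < 9999,
}


def elapsed_days(first_seen, now):
    """Whole days since the endpoint was first learned.

    Assumption: ElapsedDays counts completed 24-hour periods, so an endpoint
    learned at 08:00 still has ElapsedDays == 0 at 03:00 the next morning.
    """
    return (now - first_seen).days


def simulate(condition, first_seen, arrival_hour, start, days):
    """Run the nightly purge for `days` days starting at midnight of `start`.

    first_seen   - when the MAC was learned, or None if not yet registered
    arrival_hour - hour of day (after PURGE_HOUR) at which the guest returns
                   and, if the MAC is gone, re-registers via the captive portal
    Returns the ISO dates on which this endpoint was purged.
    """
    purged_on = []
    for n in range(days):
        day = start + timedelta(days=n)
        purge_time = day.replace(hour=PURGE_HOUR)
        if first_seen is not None and condition(elapsed_days(first_seen, purge_time)):
            purged_on.append(purge_time.date().isoformat())
            first_seen = None  # MAC dropped from the endpoint identity group
        if first_seen is None:
            # Guest comes back later that day and registers the endpoint again
            first_seen = day.replace(hour=arrival_hour)
    return purged_on


def run_scenarios(days=7):
    """Compare every condition against three constructed endpoints."""
    start = datetime(2024, 1, 1)  # constructed start date
    scenarios = {
        # Guest A and Guest B from the original question: new endpoints
        "Guest A (arrives 08:00)": (None, 8),
        "Guest B (arrives 23:00)": (None, 23),
        # Paul's point #2/#3: a MAC ISE already knew before the rule was added
        "Stale endpoint (learned 12 days earlier)": (
            start - timedelta(days=12) + timedelta(hours=8), 8),
    }
    results = {}
    for name, (first_seen, arrival_hour) in scenarios.items():
        results[name] = {
            label: simulate(cond, first_seen, arrival_hour, start, days)
            for label, cond in CONDITIONS.items()
        }
    return results


if __name__ == "__main__":
    for name, by_condition in run_scenarios().items():
        print(name)
        for label, dates in by_condition.items():
            print(f"  {label:28s} purged on: {dates or 'never'}")
```

Under these assumptions the "greater than 0" rule purges both guests only every second night (matching what the original poster observed), "less than 2" and "equals 0" purge new guests nightly but never touch the stale endpoint, and "less than 9999" purges every endpoint in the group every night.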
VIP Advocate

Re: Purge Endpoint everyday

Thanks Paul.  You should write that up as a best practice.