Self-Registered Guest Portal purge of users from context visibility

piotrPaszk
Level 1

Dear experts,

 

I have a Self-Registered Guest Portal with 6h duration. The users have their own identity group and the endpoints have their own endpoint identity group. I have removed both the users and the devices. I do not see them on the WLC either, but I can still see them in context visibility on ISE. Why? I want to remove them completely from the system as soon as they have expired. I have a Guest Account Purge Policy to delete expired accounts every day, but nothing happens. I have a purge policy for endpoints as well.

 

Thanks for any suggestions

1 Accepted Solution

Greg Gibbs
Cisco Employee

The Guest account purge will only delete the Guest accounts from the internal ISE database. It does not affect the endpoint used by that guest, so you would rely on the Endpoint Purge policy to delete the endpoint (MAC Address).

With the Endpoint Purge Policy, you are typically using attributes such as 'ElapsedDays' or 'InactiveDays' to specify when to purge the endpoint.

Check the endpoint attributes to determine if these values are past the threshold specified in your Purge Policy. Also, check the endpoint attributes to ensure it is in the correct Endpoint Identity Group used by your Purge Policy.

There have been bugs in past versions of ISE related to aspects of the endpoint purge (endpoint purge policy itself, inactive days not incrementing, etc). Depending on what version of ISE you are using, you could be running into a bug.

If you have confirmed the Endpoint Purge Policy is configured correctly and the endpoint attributes exceed those thresholds, I would suggest opening a TAC case to investigate further.

 

Cheers,

Greg
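One way to run the checks described in this answer offline, as an added example that is not part of the original post and not Cisco code: it classifies each endpoint row against a purge rule and reports why the endpoint would or would not be purged. The CSV layout, the `MACAddress` and `IdentityGroup` column names, the rule dictionaries and the "greater than" comparison are assumptions; only `ElapsedDays` and `InactiveDays` come from the thread.

```python
import csv
import io

# Constructed sample rows (documentation-range MACs). Column names other than
# ElapsedDays and InactiveDays are assumptions, not a documented ISE export.
SAMPLE_EXPORT = """MACAddress,IdentityGroup,ElapsedDays,InactiveDays
00:00:5E:00:53:01,GuestEndpoints,3,2
00:00:5E:00:53:02,Profiled,9,9
00:00:5E:00:53:03,GuestEndpoints,1,0
00:00:5E:00:53:04,GuestEndpoints,4,
"""

# Hypothetical purge rules: endpoint identity group AND attribute > N days.
ELAPSED_RULE = {"group": "GuestEndpoints", "attribute": "ElapsedDays", "days": 1}
INACTIVE_RULE = {"group": "GuestEndpoints", "attribute": "InactiveDays", "days": 1}


def explain(row, rule):
    """Return why one endpoint row does or does not match the purge rule."""
    # Check 1: the endpoint must sit in the group the purge rule targets.
    if (row.get("IdentityGroup") or "").strip() != rule["group"]:
        return "wrong-group"
    # Check 2: the day counter must exist; an empty value never matches.
    raw = (row.get(rule["attribute"]) or "").strip()
    if not raw.isdigit():
        return "attribute-missing"
    # Check 3: the counter must be past the threshold (assumed strict ">").
    if int(raw) > rule["days"]:
        # Matches the rule yet is still listed: wait for the next scheduled
        # purge run, then treat it as a candidate for a TAC case.
        return "eligible-still-present"
    return "below-threshold"


def audit(export_text, rule):
    """Map each MAC address in the export to its purge verdict."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["MACAddress"]: explain(row, rule) for row in reader}


if __name__ == "__main__":
    for name, rule in (("elapsed", ELAPSED_RULE), ("inactive", INACTIVE_RULE)):
        for mac, verdict in audit(SAMPLE_EXPORT, rule).items():
            print(f"{name:8} {mac} {verdict}")
```

Endpoints reported as `wrong-group` or `below-threshold` point to a policy or expectation mismatch; only `eligible-still-present` entries that survive a scheduled purge run fit the bug scenario mentioned above.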

3 Replies

Colby LeMaire
VIP Alumni

How did you remove the users and devices?  Your purge rules may not be configured properly or not working for some reason.  If the devices are purged, they should not show up in Context Visibility.

hslai
Cisco Employee

If you really need the endpoints purged right away, then this has to be done manually.

Endpoint purges are resource intensive, so ISE schedules them once a day.
