03-13-2017 12:17 AM - edited 03-11-2019 12:32 AM
We have an issue with the ISE BYOD service. Registered BYOD devices are being denied when they try to connect one month after their registration date. Are there any settings in ISE that would let us avoid this?
ISE Version : 2.1
Patch Level : 3
03-13-2017 12:39 AM
Sure - this is documented in the Admin Guide as follows:
You can define the Endpoint Purge Policy by configuring rules based on identity groups and other conditions under Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints, and to purge endpoints based on selected profiling conditions.
You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary Administration Node (PAN).
The following are some of the conditions with examples you can use for purging the endpoints:
InactivityDays— Number of days since last profiling activity or update on endpoint.
This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments, as they are no longer active on the network and are unlikely to be seen in the near future. If they do connect again, they will be rediscovered, profiled, registered, etc., as needed.
When there are updates from endpoint, InactivityDays will be reset to 0 only if profiling is enabled.
ElapsedDays—Number of days since the object was created.
This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.
PurgeDate—Date to purge the endpoint.
This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for specific week or month rather than absolute days/weeks/months.
03-13-2017 01:01 AM
Thank you, Marvin, for your valuable comments.
However, the registered devices that are more than 30 days old are still being denied.
Do they need to be registered again? I thought that after increasing the number of days these devices would be able to connect again?
03-13-2017 01:46 AM
If the endpoint had been previously purged, changing the setting will not "unpurge" it.
The endpoint will need to first be re-registered and then it will follow the new policy going forward.
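The purge rules quoted from the Admin Guide above, and the point that raising the threshold does not bring back an already-purged endpoint, can be seen on sample data with the following model. This is an added illustration written for this page, not ISE code: it mimics the documented behaviour (a daily job, the ElapsedDays / InactivityDays / PurgeDate conditions, the 30-day default) and then replays the scenario from the thread. The MAC addresses, dates, the PurgePolicy/Endpoint names and the assumption that a purged endpoint is simply unknown at authorization time (hence denied) are all constructed for the example.

```python
"""Model of the ISE endpoint purge behaviour described in the thread.

Added illustration, not ISE code. Endpoint names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Endpoint:
    mac: str
    created: date                      # registration date; drives ElapsedDays
    last_activity: date                # last profiling update; drives InactivityDays
    purge_date: Optional[date] = None  # explicit PurgeDate condition, if set
    registered: bool = True


@dataclass
class PurgePolicy:
    elapsed_days: Optional[int] = 30      # documented default: objects older than 30 days
    inactivity_days: Optional[int] = None
    profiling_enabled: bool = True        # InactivityDays only resets when profiling is on


def should_purge(ep: Endpoint, policy: PurgePolicy, today: date) -> bool:
    """Evaluate the three documented conditions against one endpoint."""
    if ep.purge_date is not None and today >= ep.purge_date:
        return True
    if policy.elapsed_days is not None and (today - ep.created).days > policy.elapsed_days:
        return True
    if policy.inactivity_days is not None:
        # Assumption for the model: with profiling disabled the activity timestamp
        # never advances, so inactivity is effectively measured from creation.
        ref = ep.last_activity if policy.profiling_enabled else ep.created
        if (today - ref).days > policy.inactivity_days:
            return True
    return False


def run_purge_job(db: dict, policy: PurgePolicy, today: date) -> list:
    """The nightly 1 AM job: delete matching endpoints and return what was removed."""
    removed = [mac for mac, ep in db.items() if should_purge(ep, policy, today)]
    for mac in removed:
        del db[mac]
    return removed


def authorize_byod(db: dict, mac: str) -> str:
    """A purged endpoint is no longer a registered device, so BYOD access is denied."""
    ep = db.get(mac)
    if ep is None or not ep.registered:
        return "DENY"
    return "PERMIT"


def simulate(raise_threshold_to: int = 90) -> dict:
    """Replay the thread's scenario on constructed data and record each outcome."""
    old_mac = "00:11:22:33:44:55"
    new_mac = "66:77:88:99:aa:bb"
    db = {
        old_mac: Endpoint(old_mac, date(2017, 1, 10), date(2017, 1, 10)),
        new_mac: Endpoint(new_mac, date(2017, 3, 1), date(2017, 3, 1)),
    }
    policy = PurgePolicy()  # default 30-day retention
    # Job on 2017-03-12: the January device is 61 days old and is purged.
    run_purge_job(db, policy, date(2017, 3, 12))
    outcome = {"after_default_purge": authorize_byod(db, old_mac)}
    # The admin raises the threshold; the job runs again the next night.
    policy.elapsed_days = raise_threshold_to
    run_purge_job(db, policy, date(2017, 3, 13))
    outcome["after_raising_threshold"] = authorize_byod(db, old_mac)  # still gone
    # Only re-registration creates a fresh object, which then follows the new policy.
    db[old_mac] = Endpoint(old_mac, date(2017, 3, 13), date(2017, 3, 13))
    outcome["after_reregistration"] = authorize_byod(db, old_mac)
    outcome["recent_device"] = authorize_byod(db, new_mac)
    return outcome


if __name__ == "__main__":
    for step, result in simulate().items():
        print(f"{step}: {result}")
```

The key point the model makes concrete is that the purge is a delete, not a flag: once the nightly job has removed an object, later policy changes have nothing to act on, and the device only reappears when it goes through registration again and gets a new creation date.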
03-13-2017 02:16 AM
Thanks for the comment. Appreciated.