BYOD devices are getting denied

deepuvarghese1
Spotlight

We have an issue with the ISE BYOD service. Registered BYOD devices are being denied connection 1 month after their registration date. Is there any setting in ISE with which we can avoid this?

ISE Version : 2.1

Patch Level : 3

1 Accepted Solution

If the endpoint had been previously purged, changing the setting will not "unpurge" it.

The endpoint will need to first be re-registered and then it will follow the new policy going forward.

4 Replies

Marvin Rhoads
Hall of Fame

Sure - this is documented in the Admin Guide as follows:

You can define the Endpoint Purge Policy by configuration rules based on identity groups and other conditions using Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints and to purge endpoints based on selected profiling conditions.

You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary Administration Node (PAN).

The following are some of the conditions with examples you can use for purging the endpoints:

  • InactivityDays — Number of days since the last profiling activity or update on the endpoint.

    • This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments, as they are no longer active on the network or likely to be seen in the near future. If they do happen to connect again, they will be rediscovered, profiled, registered, etc. as needed.

    • When there are updates from an endpoint, InactivityDays will be reset to 0 only if profiling is enabled.

  • ElapsedDays — Number of days since the object was created.

    • This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging web authentication for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.

  • PurgeDate — Date on which to purge the endpoint.

    • This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at the same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for a specific week or month rather than an absolute number of days, weeks or months.

Thank you, Marvin, for your valuable comments.

However, the registered devices that are more than 30 days old are still getting denied.

Do they need to be registered again? I thought that after increasing the number of days, these devices would be able to connect again.

If the endpoint had been previously purged, changing the setting will not "unpurge" it.

The endpoint will need to first be re-registered and then it will follow the new policy going forward.
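To make the purge behaviour from the Admin Guide excerpt and the "no unpurge" point concrete, here is an added Python model of the nightly purge job (illustrative code written for this thread, not Cisco's implementation). It assumes a default rule of ElapsedDays > 30 on the RegisteredDevices identity group, a constructed endpoint record, and shows that raising the threshold after the purge has run does not bring the endpoint back; only re-registration does.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Endpoint:
    mac: str
    identity_group: str
    created: date        # drives ElapsedDays
    last_activity: date  # drives InactivityDays (reset only when profiling updates it)

@dataclass
class PurgeRule:
    identity_group: str  # "*" matches any identity group
    condition: str       # "InactivityDays", "ElapsedDays" or "PurgeDate"
    value: object        # day threshold (int) or the purge date (date)

def condition_met(ep: Endpoint, rule: PurgeRule, today: date) -> bool:
    if rule.condition == "InactivityDays":
        return (today - ep.last_activity).days > rule.value
    if rule.condition == "ElapsedDays":
        return (today - ep.created).days > rule.value
    if rule.condition == "PurgeDate":
        return today >= rule.value
    raise ValueError(f"unknown purge condition: {rule.condition}")

def run_purge(db: dict, rules: list, today: date) -> list:
    """Nightly purge job: delete every endpoint matching a rule; return the purged MACs."""
    purged = [mac for mac, ep in db.items()
              if any(r.identity_group in ("*", ep.identity_group)
                     and condition_met(ep, r, today) for r in rules)]
    for mac in purged:
        del db[mac]          # the record is gone; a later policy change cannot restore it
    return purged

def byod_scenario() -> dict:
    """Constructed replay of the thread: purge at day 35, raise the threshold, re-register."""
    mac = "AA:BB:CC:00:00:01"                       # constructed sample MAC
    db = {mac: Endpoint(mac, "RegisteredDevices", date(2017, 1, 1), date(2017, 1, 1))}
    rules = [PurgeRule("RegisteredDevices", "ElapsedDays", 30)]   # assumed default
    first = run_purge(db, rules, date(2017, 2, 5))   # day 35 > 30: purged
    rules[0].value = 90                              # admin raises the threshold afterwards
    second = run_purge(db, rules, date(2017, 2, 6))  # nothing to purge, and the device is still gone
    known_after_change = mac in db
    # re-registration recreates the record with a new creation date; the 90-day rule now applies
    db[mac] = Endpoint(mac, "RegisteredDevices", date(2017, 2, 6), date(2017, 2, 6))
    third = run_purge(db, rules, date(2017, 3, 20))  # day 42 < 90: kept
    return {"purged_first": first, "purged_after_change": second,
            "known_after_change": known_after_change, "purged_at_day_42": third,
            "known_after_reregister": mac in db}
```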

Thanks for the comment. Appreciated.