cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1826
Views
0
Helpful
0
Replies

Cisco ISE 2.1 log retention period and purge

Hi guys

I have some questions about Cisco ISE (2.1) log retention and guest user / endpoint purge, would be nice if someone could hep me out. The infrastructure / setup is as followed:

  • The operational data purge is configured for 365 days -> Operational Data Purging.png
  • Our customer is using Cisco ISE 2.1 guest access with a self-registration portal to let their guests create accounts on them self. The accounts are generated with a guest type of 365 days -> Guest Type.png
  • The guest devices get registered into endpoint group GuestEndpoints -> Guest Portal.png
  • The guest accounts get purged every 15 days and the portal-users should stay for another 365 days after the expired -> Guest Account Purge.png
  • The endpoint purge is configured to purge after 365 days elapsed -> Endpoint Purge.png

Some of my questions:

  1. The operational data does include all the logs seen under Operations > RADIUS / TACACS > Live Logs, ist that correct?
  2. If yes, I configured the operational data to retain for 365 days (Operational Data Purging.png), so I can go back 365 days in the reports (for example Reports > Endpoints and Users > RADIUS Authentications) and see all the authentications that happend back then?
  3. I would like to be able to see a mapping of guest users to guest devices on Cisco ISE for at least 365 days after the account expired. Do I understand correctly, that the portal users (self registered guest users) must still be present, so I can see the portal user under the endpoint details here: Context Visibility > Endpoints > MAC Address? Is my configuration correct to accomplish that (Guest Account Purge.png)?

One big goal is to have a log for 365 days to go back and search for the MAC address and to find the mobile number, with which the guest user registered them self back then -> one way to provide a unique identification in Switzerland when used for guest access providers.

I now there is the report Reports > Guest > Master Guest Report, where I can find all the disred information like session start date/time, guest username, MAC address and so on and there I can see the mobile number under Guest User Name > Click for full details too. I think this report would be enough for a crime investigation (MAC address, IP address, guest username and unique mobile number)? The other questions are more to understand the hole data / log retention and purge game :-)

Thanks a lot in advance and best regards
Dominic

0 Replies 0