10-22-2018 05:47 AM
Hi board,
Currently I try to understand the whole ISE replication stuff and stumbled upon the "endpoint attribute filter".
As described in various CiscoLive slides (e.g. BRKSEC-3699), it is best practice to have it enabled and I do it all the time without any issues.
As far as I understood the feature, only significant and whitelist attributes are stored by a PSN node.
Changes in significant attributes trigger global replication (PSN -> PAN -> all secondary nodes)
Changes in whitelist attributes trigger node group level replication
All other attributes are dropped and are therefore not replicated.
First question: Correct so far? :)
If I now check an endpoint in the ISE 2.4 GUI, I see all the important attributes, but I also see "ElapsedDays" or "InactiveDays" for example. These attributes are very important for endpoint purging policies.
However based on the CiscoLive slides and the ISE 2.4 admin guide, "ElapsedDays" or "InactiveDays" are not significant or whitelist attributes. So these attributes are not subject to collection or replication if the endpoint attribute filter is in place.
So how and why are these attributes visible for a specific endpoint in the ISE GUI?
Are these values updated by the MNT node with Syslogs or RADIUS accounting information?
10-22-2018 02:28 PM
... All other attributes are dropped and are therefore not replicated.
First question: Correct so far? :)
Essentially correct. There are also some attributes for context visibility, but they are only replicated for the context visibility services on the primary admin node and do not persist to the ISE configuration database.
... "ElapsedDays" or "InactiveDays" are not significant or whitelist attributes. So these attributes are not subject to collection or replication if the endpoint attribute filter is in place.
So how and why are these attributes visible for a specific endpoint in the ISE GUI?
Are these values updated by the MNT node with Syslogs or RADIUS accounting information?
These attributes are derived and calculated. ElapsedDays is derived from the timestamp recorded when the endpoint is created, and InactiveDays from the timestamp of LastActivity.
10-22-2018 09:55 PM
Hi, thank you for the answer.
So I see "ElapsedDays" and "InactivityDays" in the ISE GUI. But which node actually derives and calculates these values?
It cannot be the PSN, because these attributes are not subject to replication with the "endpoint collection filter".
So at the end of the day it must be the MNT, right?
10-24-2018 10:32 PM
Their values are calculated on the primary PAN when we go to the particular page to view the attributes of the endpoint.
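A small model of the behaviour discussed in this thread, added as an example and not Cisco's or ISE's own code: the attribute filter keeps only significant and whitelist attributes (with their replication scope), while ElapsedDays and InactiveDays are never stored but computed at view time from the creation and LastActivity timestamps, which is why a purge policy can still rely on them. The attribute names in the two sets are placeholders, and treating a never-active endpoint as inactive since creation is an assumption of this example.

```python
from datetime import datetime, timezone

# Placeholder attribute sets, constructed for this example; ISE's real
# significant and whitelist attribute lists are not reproduced here.
SIGNIFICANT = {"MACAddress", "EndPointPolicy"}
WHITELIST = {"ip", "hostname"}


def replication_scope(attr):
    """Where a change to `attr` goes when the endpoint attribute filter is on."""
    if attr in SIGNIFICANT:
        return "global"      # PSN -> PAN -> all secondary nodes
    if attr in WHITELIST:
        return "node-group"  # replicated only within the PSN's node group
    return "dropped"         # neither stored by the PSN nor replicated


def filter_attributes(probe_data):
    """Return (attributes a PSN keeps, replication scope per attribute)."""
    kept, scopes = {}, {}
    for attr, value in probe_data.items():
        scopes[attr] = replication_scope(attr)
        if scopes[attr] != "dropped":
            kept[attr] = value
    return kept, scopes


def derived_attributes(created, last_activity, now):
    """View-time values the PAN shows; nothing here is stored or replicated."""
    elapsed = (now - created).days
    # Assumption: with no LastActivity yet, count inactivity from creation.
    inactive = (now - (last_activity or created)).days
    return {"ElapsedDays": elapsed, "InactiveDays": inactive}


def purge_candidate(created, last_activity, now, max_inactive_days=30):
    """Purge-policy check driven by the derived InactiveDays value."""
    return derived_attributes(created, last_activity, now)["InactiveDays"] > max_inactive_days


if __name__ == "__main__":
    # Constructed sample: an endpoint created 2018-09-01, last seen 2018-10-10.
    created = datetime(2018, 9, 1, tzinfo=timezone.utc)
    seen = datetime(2018, 10, 10, tzinfo=timezone.utc)
    now = datetime(2018, 10, 22, tzinfo=timezone.utc)
    print(filter_attributes({"MACAddress": "00:11:22:33:44:55", "ip": "10.0.0.5", "ElapsedDays": 5}))
    print(derived_attributes(created, seen, now), purge_candidate(created, seen, now))
```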