1002 Views, 6 Helpful, 7 Replies

Endpoint never purge group.

pielunswe
Level 1

Hi!

I have about 30 Endpoint identity groups used for wired MAB. They are all below one Parent group called "MAB".

Would the no-purge rule in the picture include all sub-groups, or do I need one rule for every specific Endpoint group?

ISE 3.1P9

BR,

7 Replies

OK, got it. I will check and update you.

Thanks a lot

MHM

Hi

Thanks for the reply. But I can choose it from the menu where the groups are located. Added pic.

BR,

I would expect that to include all the sub groups.

Arne Bier
VIP

In my lab I did the following.

Create a parent Identity Group 'MAB', with two child groups 'MAB1' and 'MAB2'. In MAB1 I put some endpoints, and in MAB2 I put some endpoints I created with Context Visibility, starting with 00:00:00 (Xerox-Device). My plan is to have a rule that purges all Xerox-Device endpoints (perhaps I consider them as garbage) ... BUT - I have some protected endpoints under my MAB parent group - those must never be purged.

I tested this and the nesting does seem to work.

[image: ArneBier_0-1730751502526.png]

[image: ArneBier_1-1730751529709.png]

Purge Rules

The Condition is always a bit tricky - I had to make it always be TRUE - so I said Elapsed Days Less than 9999 Days.

[image: ArneBier_2-1730751572886.png]

Having said that, the test I did should have worked (in my opinion), but when I moved a Xerox-Device out of that Endpoint Group and placed it in the Profiled Group, the purge rule "PurgeWeirdMAC" doesn't catch it. I used a rule "If Profile-Policy = Xerox-Device" and that doesn't relate to the Endpoint Group - it relates to the Profiling Policy called Xerox-Device - and that endpoint matches that Policy. Strange. I have never had much joy or luck with Purge rules. It seems the code is as old as ISE itself and it's a clunky interface. I'll try again, but my point would be that you should test this in your own environment until you are 100% sure it works. I am testing in ISE 3.4
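To make the nesting question concrete, here is a small added model of how a "never purge" rule on a parent group interacts with a purge rule keyed on a profiling policy. This is example code written for this thread, not Cisco's code and not the real ISE purge engine; the group hierarchy, the endpoints, the rule names (NeverPurgeMAB, PurgeWeirdMAC) and the evaluation order (top-down, first match decides, child groups inherit a parent-group match) are all constructed assumptions. It also includes a pre-flight check of the kind the original question is really about: which protected endpoints would be caught by a purge rule if the no-purge rule were missing or ordered below it. Note that the model predicts the Xerox-Device moved to the Profiled group would be purged, whereas the lab test above found the rule did not fire, which is exactly why the "test in your own environment" advice stands.

```python
"""
Toy model of endpoint purge-rule evaluation with nested endpoint identity
groups. Added example; not Cisco's code and not ISE's real rule engine.
Assumed behaviour (not verified against ISE): child groups inherit a rule
matched on their parent, rules are evaluated top-down and the first match
decides, and a rule matches only if every condition in it is true.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List, Optional, Set, Tuple

# Constructed hierarchy: group name -> parent group (None = top level).
GROUP_PARENT: Dict[str, Optional[str]] = {
    "MAB": None,
    "MAB1": "MAB",
    "MAB2": "MAB",
    "Profiled": None,
    "Xerox-Device": "Profiled",
}


@dataclass
class Endpoint:
    mac: str
    group: str           # endpoint identity group the MAC is assigned to
    profile_policy: str  # profiling policy that matched (e.g. "Xerox-Device")
    elapsed_days: int    # days since the endpoint was last active


@dataclass
class Rule:
    name: str
    action: str          # "keep" (no-purge) or "purge"
    match: Callable[[Endpoint], bool]


def group_chain(group: Optional[str]) -> Iterator[str]:
    """Yield the group and each ancestor up to the top level."""
    while group is not None:
        yield group
        group = GROUP_PARENT.get(group)


def in_group_tree(ep: Endpoint, root: str) -> bool:
    """True if the endpoint's group is root or is nested anywhere under root."""
    return root in group_chain(ep.group)


# Constructed rules mirroring the lab test: a no-purge rule on the parent MAB
# group (condition forced TRUE with Elapsed Days < 9999), then a rule that
# purges anything whose profiling policy is Xerox-Device.
RULES: List[Rule] = [
    Rule("NeverPurgeMAB", "keep",
         lambda ep: in_group_tree(ep, "MAB") and ep.elapsed_days < 9999),
    Rule("PurgeWeirdMAC", "purge",
         lambda ep: ep.profile_policy == "Xerox-Device"),
]


def decide(ep: Endpoint, rules: List[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name) for the first matching rule, or ("none", None)."""
    for rule in rules:
        if rule.match(ep):
            return rule.action, rule.name
    return "none", None


def purge_set(endpoints: List[Endpoint], rules: List[Rule] = RULES) -> Dict[str, str]:
    """MACs that would be deleted, mapped to the rule responsible."""
    result: Dict[str, str] = {}
    for ep in endpoints:
        action, name = decide(ep, rules)
        if action == "purge":
            result[ep.mac] = name
    return result


def exposed_protected(endpoints: List[Endpoint], protected_root: str,
                      rules: List[Rule] = RULES) -> Set[str]:
    """Pre-flight check: endpoints under protected_root that a purge rule
    would catch if the no-purge rules were absent or ordered below it.
    These are the endpoints whose survival depends entirely on the
    no-purge rule being present, correct and evaluated first."""
    purge_only = [r for r in rules if r.action == "purge"]
    caught = purge_set(endpoints, purge_only)
    return {ep.mac for ep in endpoints
            if in_group_tree(ep, protected_root) and ep.mac in caught}


# Constructed sample endpoints (MACs are made up).
SAMPLE: List[Endpoint] = [
    Endpoint("00:11:22:33:44:01", "MAB1", "Unknown", 400),          # protected, stale
    Endpoint("00:00:00:aa:bb:01", "MAB2", "Xerox-Device", 30),      # protected Xerox
    Endpoint("00:00:00:aa:bb:02", "Profiled", "Xerox-Device", 30),  # moved out of MAB
    Endpoint("00:11:22:33:44:02", "Profiled", "Cisco-Device", 30),  # matches nothing
]

if __name__ == "__main__":
    print("would purge:", purge_set(SAMPLE))
    print("protected endpoints relying on the no-purge rule:",
          exposed_protected(SAMPLE, "MAB"))
```

Running it shows only the Xerox-Device that was moved out of the MAB tree in the purge set, while the Xerox-Device still under MAB2 is reported by the pre-flight check as one that survives only because the no-purge rule sits above the purge rule. That second list is the one worth reviewing before enabling any purge rule on a production deployment.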

Hi!

Thanks for the testing!
I very much agree with the clunky GUI experience.

My problem, and the reason for the question here, is that we have about 2k MAC addresses (and increasing) from about 100+ different brands in the different Endpoint groups, and none of them should ever be purged automatically. Their group assignment is the 'only' thing they have in common and what I can filter on. It seems some of them have been deleted over the years by some purge rule by mistake, when they were caught by some other matching condition.

We are using profiling for printers, APs, media devices and so on, which we have control over, and that works great, but the IoT, OT, Proptech etc. are out of our control at the moment. (Yes, that is an issue as well.)

BR,

Arne Bier
VIP

And now I am doubly annoyed, because there is a bug CSCwm87358 that is preventing me from deleting Purge Rules. Come on Cisco, this is a bread-and-butter feature ... why should I ever have to worry about this not working?

[image: ArneBier_0-1730771805213.png]