08-16-2023 12:44 PM
Hello everyone.
We are using ISE version 3.1.0.518.
When I take a look at Context Visibility/Endpoint Classification I see over 900 endpoints that ISE sees.
I have created a profile policy that groups endpoints that are joined to our AD domain. I purge all the rest of the endpoints. However, they keep coming back. Within a day or so, the total endpoints grow to over 900 endpoints.
If I don't have over 900 endpoints authenticating through ISE, why do these endpoints keep coming back?
I've even deleted endpoints that are categorized as Unknown, but these still keep coming back.
How do I permanently remove these endpoints that are most likely stale?
08-16-2023 01:02 PM
@DannyDulin are these random MAC addresses? (these change every time). https://community.cisco.com/t5/security-knowledge-base/random-mac-address-how-to-deal-with-it-using-ise/ta-p/4049321
Typically you'd create a purge schedule to clear down these endpoints at regular intervals.
08-18-2023 06:25 AM
Good question are they random? I'll start to keep track to determine. Thank you for the link.
I have the default purge rules in play. Any tips on best practices for this?
08-21-2023 06:05 AM
Rob, I did an export of all the endpoints. It appears that there are many duplications of endpoints, with different MAC addresses. There are duplicate hostnames with different MAC addresses. There are duplicate endpoint email addresses with different MAC addresses. There are duplicate endpoint IP addresses with different MAC addresses.
I also noticed that for 2/3 of the endpoints ISE PAN 1 is the Endpoint Profile Server and 1/3 use ISE PAN 2. Is this correct?
How do I know which is the right instance of an endpoint to purge?
This seems much more complex than I first expected.
08-17-2023 03:56 AM
What are your use-cases for ISE? Wireless? Do you have guest wireless deployed on ISE? What NADs are these MAC addresses showing connected to?
08-18-2023 06:22 AM
The immediate use case 3 years ago was to upgrade from ACS -> ISE for VPN and Wireless AAA with the eye on leveraging posturing and profiling.
Good question whether we have Guest Wireless deployed on ISE. I do not think so, but that's something I'll verify.
Another good question NADs MACs are connected to. What would be the relevance here?
08-17-2023 03:37 PM
In addition to what Rob and Adam have said, are you using Profiling and perhaps also running regular SNMP queries against your NAD devices (SNMP configured in the ISE Network Devices definitions)? I have noticed that when I do that, ISE gets a dump of all the MAC addresses of switches, whether those MAC addresses are subject to NAC or not - it's a useful discovery method, but it can also pollute the Context Visibility.
08-18-2023 06:26 AM
Good question Arne. It's quite possible. I'll check that too.
08-21-2023 05:56 AM
I checked a sample of network devices and neither of them are configured for SNMP. Additionally, I do not have SNMP probes enabled.
08-21-2023 06:09 AM
08-21-2023 06:18 AM
Are these wireless MACs? - Mixed. As you know typically remote users are wireless who connect to our network via VPN and the NAD for those endpoints is our ASA. I should point out that VPN users are authenticated via Duo SSO and Authorized by ISE.
On prem users connect via Wired and Wireless. We are only authenticating the Wireless users via ISE and the NAD is WLC.
We are not utilizing ISE for Wired.
The DHCP probe is being used.
08-21-2023 06:27 AM
So if you take one of these "unknown" MACs what is it connected to? The ASA VPN? Wireless?
Do you use ISE for guest wireless? WLC? AireOS or 9800?
08-21-2023 09:16 AM
Connected to both ASA VPN and WLC.
We are not using ISE for guest wireless.
The WLC is 5500.
08-21-2023 09:31 AM
So are those MAC addresses actual clients properly authenticating to your network? Do you have a matching Live Log entry for these MAC addresses?
08-21-2023 09:57 AM
I ran a RADIUS authentications report for the last 3 weeks. Approximately 300 endpoints that have authenticated in this time frame match the overall inventory list.
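Pulling together the three threads above, Rob's random-MAC question, the duplicate hostnames/users/IPs Danny found in the endpoint export, and the 3-week RADIUS report cross-check, here is an added triage script (not from the thread or from Cisco) that runs over a Context Visibility CSV export. The column names (MACAddress, host-name, ip, User-Name, EndPointProfilerServer) and the sample rows are constructed for the example and may differ from a real export; the RADIUS "recently authenticated" set is likewise constructed stand-in data. The randomized-MAC test is the standard U/L bit check: the second hex digit of a locally administered address is 2, 6, A or E, which is what iOS, Android and Windows private addresses set, but some VM and container NICs set it too, so treat it as a hint to be confirmed against live logs rather than proof.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names are an assumption modelled on an ISE
# Context Visibility CSV export; they are not copied from the thread.
ENDPOINT_EXPORT = """MACAddress,host-name,ip,User-Name,EndPointProfilerServer
00:1A:2B:3C:4D:5E,LAPTOP-01,10.0.1.10,jdoe@example.com,ise-pan-1
A6:12:34:56:78:9A,LAPTOP-01,10.0.1.10,jdoe@example.com,ise-pan-2
DA:F0:01:02:03:04,LAPTOP-01,10.0.1.11,jdoe@example.com,ise-pan-1
00:1A:2B:3C:4D:60,LAPTOP-02,10.0.1.12,asmith@example.com,ise-pan-1
3E:55:66:77:88:99,PHONE-07,10.0.2.5,,ise-pan-2
00:50:56:AA:BB:CC,VM-APP-01,10.0.3.7,,ise-pan-1
"""

# Constructed stand-in for the MACs present in a RADIUS Authentications report
# covering the last 3 weeks (the set Danny compared against his inventory).
RECENTLY_AUTHENTICATED = {
    "00:1a:2b:3c:4d:5e", "00-1A-2B-3C-4D-60", "DA:F0:01:02:03:04",
}


def normalize_mac(mac):
    """Return upper-case colon-separated form so export and report rows compare equal."""
    hexdigits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set, i.e. the second
    hex digit is 2, 6, A or E. Randomized client MACs set this bit; so do some
    virtual NICs, so it is a strong hint rather than proof of randomization."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def load_endpoints(csv_text):
    """Parse the export and normalize every MAC address."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [dict(row, MACAddress=normalize_mac(row["MACAddress"])) for row in rows]


def duplicates_by(endpoints, key):
    """Map each non-empty value of `key` to the MACs sharing it, keeping only
    values that appear on more than one endpoint record."""
    groups = defaultdict(list)
    for ep in endpoints:
        if ep.get(key):
            groups[ep[key]].append(ep["MACAddress"])
    return {value: macs for value, macs in groups.items() if len(macs) > 1}


def stale_candidates(endpoints, recent_macs):
    """Inventory MACs with no matching RADIUS authentication in the report window."""
    recent = {normalize_mac(m) for m in recent_macs}
    return sorted(ep["MACAddress"] for ep in endpoints if ep["MACAddress"] not in recent)


def triage(csv_text, recent_macs):
    """Classify the export the way the thread's questions do: which MACs look
    randomized, which records collide on hostname/user/IP, and which have not
    authenticated recently. The intersection of randomized and stale is the
    safest purge set: the device will simply be re-learned on its next MAC."""
    endpoints = load_endpoints(csv_text)
    random_macs = sorted(ep["MACAddress"] for ep in endpoints
                         if is_locally_administered(ep["MACAddress"]))
    stale = stale_candidates(endpoints, recent_macs)
    return {
        "random_mac": random_macs,
        "dup_hostname": duplicates_by(endpoints, "host-name"),
        "dup_user": duplicates_by(endpoints, "User-Name"),
        "dup_ip": duplicates_by(endpoints, "ip"),
        "stale": stale,
        "purge_candidates": sorted(set(random_macs) & set(stale)),
    }


if __name__ == "__main__":
    for label, result in triage(ENDPOINT_EXPORT, RECENTLY_AUTHENTICATED).items():
        print(f"{label}: {result}")
```

In the sample, LAPTOP-01 appears three times under three MACs, two of them locally administered, which is exactly the pattern a randomizing client leaves behind when the DHCP probe keeps reporting the same hostname; the VMware-OUI record (00:50:56) is stale but not random, so it is left out of purge_candidates and deserves a manual look rather than an automatic purge.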