Help Understanding Context Visibility

DannyDulin
Level 1

Hello everyone.

We are using ISE version 3.1.0.518.

When I take a look at Context Visibility/Endpoint Classification I see over 900 endpoints that ISE sees.

I have created a profile policy that groups endpoints that are joined to our AD domain. I purge all the rest of the endpoints. However, they keep coming back. Within a day or so, the total endpoints grow to over 900 endpoints. 

If I don't have over 900 endpoints authenticating through ISE, why do these endpoints keep coming back?

I've even deleted endpoints that are categorized as Unknown, but these still keep coming back.

How do I permanently remove these endpoints that are most likely stale?

22 Replies

Got it, then this is normal. When an authentication occurs ISE adds the MAC address into the Context Visibility database to give you a view of all of the endpoints which authenticate against ISE. If you wish to remove old entries you can use endpoint purge rules.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_maintain_monitor.html#:~:text=Endpoints%20Purge%20Settings,-You%20can%20define&text=You%20can%20choose%20not%20to,are%20older%20than%2030%20days.

Thank you for the info.

I created a schedule to purge inactive devices. Last night 1004 inactive devices were purged. This morning when I checked Context Visibility there were 594 endpoints.

I sorted those on endpoints that were connected and there were only 49. I compared that to Live Sessions, which had 50 connected endpoints, and only 5 MAC addresses matched between the two. A mixture of VPN connected devices and Wireless.

At this point, it seems best to turn off all the probes, purge all the endpoints until the database is clear and start adding probes one at a time in order to get useful data.

What do you think about this course of action?

I just don't know why Context Visibility>Endpoints continues to grow in the several hundreds when I'm certain not that many devices are connecting.

We are a 2 node deployment in HA and Policy Services is enabled on both Nodes.

At present, I have the following probes enabled:

  • DHCP - with relay sent to ISE
  • RADIUS - We are not doing any wired authentication. This is only for Wireless and VPN
  • NMAP
  • DNS
  • Active Directory
  • pxGrid

 

So those hundreds of other MACs, where are they connected? What do you show in the details page for these?

Are you using profiling at all? Do you have authz policies that rely on profiling? Do you use pxGrid?

Are your non-wireless or VPN NADs (and their associated SVIs) forwarding DHCP packets to ISE? You should only bother relaying from the wireless and VPN networks to match only the NADs that ISE will actually authenticate.

I would recommend disabling the NMAP probe.
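The reconciliation the original poster did by hand (sort Context Visibility on connected endpoints, compare MACs against Live Sessions, apply the inactivity purge rule) and the point in the reply above about endpoints learned only through DHCP relay from NADs that never authenticate can both be checked offline against an export. The script below is an added example, not code from the thread or from Cisco: it uses constructed records with illustrative field names (`mac`, `last_activity`, `learned_by`), not real ISE attribute names or a real export, and assumes a 30-day inactivity threshold because that is the value the linked purge documentation mentions.

```python
"""Reconcile a Context Visibility style endpoint export against a Live Sessions
snapshot. Added example for the thread; field names, records and the 30-day
threshold are assumptions, not ISE's own schema or data."""
import re
from datetime import datetime, timedelta, timezone

# Purge rule threshold: endpoints with no activity for this many days are stale.
# 30 days is the default the linked Cisco documentation mentions (assumed here).
PURGE_AFTER_DAYS = 30

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Constructed endpoint export. MACs deliberately use the three common notations
# (colon, Cisco dotted, hyphen) because exports and session views rarely agree.
ENDPOINT_EXPORT = """\
mac,last_activity,learned_by
00:11:22:33:44:55,2023-05-31T22:10:00Z,RADIUS
0011.2233.4466,2023-05-31T23:05:00Z,RADIUS
00-11-22-33-44-77,2023-03-01T08:00:00Z,DHCP
00:11:22:33:44:88,2023-05-30T12:00:00Z,DHCP
00:11:22:33:44:99,2023-01-15T09:30:00Z,NMAP
"""

# Constructed Live Sessions snapshot: only the MACs matter for matching.
LIVE_SESSIONS = ["00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:45:00"]


def normalise_mac(mac: str) -> str:
    """Canonical lowercase colon form so 0011.2233.4455 == 00-11-22-33-44-55."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def parse_export(text: str) -> list[dict]:
    """Parse the CSV-like export into records with normalised MAC and aware datetime."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["mac"] = normalise_mac(rec["mac"])
        rec["last_activity"] = datetime.strptime(
            rec["last_activity"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def stale_endpoints(records, now=NOW, days=PURGE_AFTER_DAYS) -> list[str]:
    """MACs an inactivity purge rule with the given threshold would remove."""
    cutoff = now - timedelta(days=days)
    return sorted(r["mac"] for r in records if r["last_activity"] < cutoff)


def reconcile(records, live_macs, now=NOW, days=PURGE_AFTER_DAYS) -> dict:
    """Cross-reference the export with Live Sessions, as the poster did by hand."""
    live = {normalise_mac(m) for m in live_macs}
    known = {r["mac"] for r in records}
    stale = set(stale_endpoints(records, now, days))
    active = known - stale
    # Active endpoints that no RADIUS authentication ever created: the ones a
    # DHCP relay (or NMAP/DNS probe) from a non-authenticating NAD would add.
    never_authenticated = {r["mac"] for r in records
                           if r["mac"] in active and r["learned_by"] != "RADIUS"}
    by_source: dict[str, int] = {}
    for r in records:
        by_source[r["learned_by"]] = by_source.get(r["learned_by"], 0) + 1
    return {
        "total": len(known),
        "stale": len(stale),
        "active": len(active),
        "active_and_live": sorted(active & live),
        "active_not_live": sorted(active - live),
        "live_not_known": sorted(live - known),
        "active_never_authenticated": sorted(never_authenticated),
        "by_source": by_source,
    }


if __name__ == "__main__":
    report = reconcile(parse_export(ENDPOINT_EXPORT), LIVE_SESSIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The `active_not_live` and `active_never_authenticated` lists are the ones to look at when the endpoint count keeps climbing: entries there were learned by a probe rather than by an authentication, which is exactly the symptom of relaying DHCP from NADs that ISE never authenticates. Normalising MAC notation before comparing matters in practice, since the "only 5 matched" result in the thread is the kind of discrepancy that different MAC formats also produce.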

Thanks for bearing with me.

Those hundreds of other MACs are not connected to anything. If I filter in Context Visibility on "connected" the list reduces from several hundred to 30-50 endpoints. Additionally, Live logs only lists about 50-70 sessions.

We are not using profiling yet. We're trying to get there, but I'm not comfortable relying on profiling for authz policies yet.

Don't have any use for pxGrid at this time.

The non-wireless NADs are forwarding DHCP packets to ISE. VPN NAD is not using DHCP rather IP pools.

Regarding this statement "You should only bother relaying from the wireless and VPN networks to match only the NADs that ISE will actually authenticate."

This makes sense now that we're seeing so many duplicate endpoints with different MACs.

Disabling pxGrid and NMAP.

Is it a problem having Policy Services enabled on both Nodes?

Policy Services is the PSN role for RADIUS, this must be enabled for ISE to process RADIUS.

Thanks but should I have Policy Services enabled on both my nodes?

What is your deployment type? A small deployment with only two nodes correct? If so, yes Policy Services needs to be enabled on both nodes.

Yes...small deployment. Thanks for the affirmation.