
Identification of MAB entry last used.

westie1981
Level 1

Hi,

We have an extensive MAB database which was created a long time ago and has fallen by the wayside.

We are running ISE 2.4 patch 3 and I want to find a way of identifying when a statically configured MAB entry was last used, to tidy up the existing database.

Is it possible to identify when a MAB entry was last used?

Thanks

Paul

2 Accepted Solutions

Surendra
Cisco Employee
You can configure purge policies to clear out the endpoints based on Inactive Days. More information here :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01101.html#concept_0776B37A2C3542189950F5DFB1961FA2

If you would like to see all the endpoints and their attributes and filter them to see how many endpoints have been inactive for how many days, you can use the following commands:

application configure ise
Choose option 16 [16]Get all Endpoints

This will generate a file in the local disk which you can export using the command

copy disk:/<filename> ftp://<ip and path of the ftp server>

Once you have this, you can filter/sort the column Inactive Days.


You have to be careful with using Inactive days. There are two gotchas:

  1. If you aren't properly doing reauthentication on the wired network or periodic accounting updates (not sure if that updates Inactive days), you will have devices that never leave the network show long Inactive days.
  2. If a device has never authenticated against ISE, the Inactive days field doesn't work. ISE needs to see one authentication request to start the timer. So you will probably find many devices in your database that have Inactive days at 0 that have never authenticated.
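
One way to triage the exported endpoint list along the lines of the two answers above. This is an added example, not code from the thread or from Cisco ISE; it assumes the export is a CSV with columns named MACAddress, InactiveDays and LastAuthTime (check the header of your own file and adjust FIELDS), and it runs on a constructed sample. Endpoints whose Inactive Days is 0 but that carry no last-authentication timestamp are set aside as "never seen" rather than counted as active, per the second gotcha.

```python
"""Triage an ISE 'Get all Endpoints' export by Inactive Days.

Constructed example; column names are assumptions, not the documented
export format. Verify them against the header of your own file.
"""
import csv
import io

# Assumed column names in the export (adjust to match your file's header)
FIELDS = {"mac": "MACAddress", "days": "InactiveDays", "last": "LastAuthTime"}

# Constructed sample export. A blank LastAuthTime models an endpoint that
# has never authenticated: its InactiveDays stays 0 but means nothing.
SAMPLE_EXPORT = """MACAddress,InactiveDays,LastAuthTime
00:11:22:33:44:55,0,2019-05-01 08:12:00
00:11:22:33:44:66,412,2018-03-10 17:40:12
00:11:22:33:44:77,0,
00:11:22:33:44:88,35,2019-03-28 09:00:00
"""


def classify_endpoints(csv_text, stale_after_days=90):
    """Split endpoints into 'stale', 'active' and 'never_seen' buckets.

    stale/active hold (mac, inactive_days) tuples, stale sorted with the
    longest-idle first. never_seen holds MACs with no auth timestamp, so
    their 0 Inactive Days is not evidence of activity (gotcha 2). Entries
    in 'stale' still need a manual check against your reauthentication
    settings, since without reauth a device that never leaves the network
    can also show long Inactive Days (gotcha 1).
    """
    buckets = {"stale": [], "active": [], "never_seen": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = row[FIELDS["mac"]].strip()
        days = int(row[FIELDS["days"]] or 0)
        if not row.get(FIELDS["last"], "").strip():
            buckets["never_seen"].append(mac)
        elif days >= stale_after_days:
            buckets["stale"].append((mac, days))
        else:
            buckets["active"].append((mac, days))
    buckets["stale"].sort(key=lambda entry: entry[1], reverse=True)
    return buckets


if __name__ == "__main__":
    for name, entries in classify_endpoints(SAMPLE_EXPORT).items():
        print(f"{name}: {entries}")
```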
