Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2105
Views
0
Helpful
2
Replies
Highlighted
bgl-group
Beginner
Beginner
‎11-06-2017 07:40 AM
‎11-06-2017 07:40 AM

ISE automatic purge of endpoints in a specific group

I'm not sure if this possible so if someone could help me that would be good.

 

We want to lock down our ISE policies so that unauthenticated machines get very limited access. However our desktop support team still wants to be able to build PCs at desks.

 

To do this they need access to loads of AD and SCCM servers, which the unauth acl will not allow them to access.

 

They are happy to add the endpoints manually into a specific group. But may forget to take them out after the machine has been built - is it possible to automatically remove any endpoint in a specified group on a scheduled basis?

Labels:
1 person had this problem
0 Helpful
Reply
2 REPLIES 2
Highlighted
agrissimanis
Beginner
Beginner
‎11-06-2017 08:46 AM
‎11-06-2017 08:46 AM

Under Administration -> Identity management -> Settings -> Endpoint Purge you can create rules that remove old endpoints from the database completely (used mainly to clear up old guest users, etc.), but I believe there is no functionality to just remove endpoint from a particular group automatically.

0 Helpful
Reply
Highlighted
ajc
Frequent Contributor
Frequent Contributor
‎11-06-2017 11:25 AM
‎11-06-2017 11:25 AM

If you are running 2.2 version, the purge does not work properly when the Endpoint Group = BLANK (which is automatically assigned no matter if you have profiling enabled or not in the PSN's (failed or successful authentications does not matter, the MAC address is still added to the ISE DB).

 

Another detail, IF the purge process requires to remove a significant number of entries (+20K), the process fails and the entries are not deleted completely as expected.

 

I have not tried what happens if I try to delete the entries in the UNKNOWN Endpoint Group.

0 Helpful
Reply
Latest Contents
ISE Performance & Scale
Created by howon on 02-24-2021 08:26 PM
11
214
11
214
  ISE Node TerminologyISE DeploymentsISE Deployment Scale and LimitsMaximum Network Latency Between NodesISE Hardware PlatformsISE PSN PerformanceISE TACACS+ PerformanceISE 2.6 RADIUS PerformanceISE 2.4 RADIUS PerformanceISE 2.3 RADIUS PerformanceIS... view more
Detecting and Responding to the SolarWinds Infrastructure At...
Created by aligarci on 02-23-2021 08:19 AM
0
5
0
5
On December 8, FireEye reported that it had been compromised in a sophisticated supply chain attack: more specifically through the SolarWinds Orion IT monitoring and management software. The attackers leveraged business software updates in order to distr... view more
Arista CloudVision WiFi Dictionary and NAD Profile for ISE I...
Created by hslai on 02-21-2021 01:59 PM
0
10
0
10
Attached are the dictionary and NAD profile as described in Arista CloudVision WiFi Integration with Cisco ISE .
Cisco Secure Endpoint Free Trial Guide
Created by E.L. Howard on 02-15-2021 07:36 PM
0
0
0
0
ISE Node TerminologyISE DeploymentsISE Deployment Scale and LimitsISE Hardware PlatformsISE PSN PerformanceISE TrustSec ScalingISE Storage RequirementsISE ERS ScaleISE WAN Bandwidth CalculatorSources   About this Document Cisco Secure Endpoint (for... view more
Firepower 6.7 Release Demonstration - Health Monitoring
Created by Namit Agarwal on 02-08-2021 11:42 AM
0
0
0
0
  In this video, Namit reviews Health Monitoring improvements and introduces the new Unified Health Monitoring dashboard on the FMC. 
Content for Community-Ad