ISE automatic purge of endpoints in a specific group

bgl-group · ‎11-06-2017

I'm not sure if this possible so if someone could help me that would be good.

We want to lock down our ISE policies so that unauthenticated machines get very limited access. However our desktop support team still wants to be able to build PCs at desks.

To do this they need access to loads of AD and SCCM servers, which the unauth acl will not allow them to access.

They are happy to add the endpoints manually into a specific group. But may forget to take them out after the machine has been built - is it possible to automatically remove any endpoint in a specified group on a scheduled basis?

agrissimanis · ‎11-06-2017

Under Administration -> Identity management -> Settings -> Endpoint Purge you can create rules that remove old endpoints from the database completely (used mainly to clear up old guest users, etc.), but I believe there is no functionality to just remove endpoint from a particular group automatically.

ajc · ‎11-06-2017

If you are running 2.2 version, the purge does not work properly when the Endpoint Group = BLANK (which is automatically assigned no matter if you have profiling enabled or not in the PSN's (failed or successful authentications does not matter, the MAC address is still added to the ISE DB).

Another detail, IF the purge process requires to remove a significant number of entries (+20K), the process fails and the entries are not deleted completely as expected.

I have not tried what happens if I try to delete the entries in the UNKNOWN Endpoint Group.