1292 Views, 5 Helpful, 3 Replies

ISE clean unnecessary endpoints

voipleo (Level 1)

In the endpoints list I see a lot of devices which I don't need to be managed by ISE, such as IP phones. Even MAC addresses that come from telecom providers are listed there. Those devices are not even in our network! Devices take licenses, so why should we pay for them? About 60% of endpoints are useless.

Is there any way to filter collected devices and can someone explain the gathering algorithm?


3 Replies

Mike.Cifelli (VIP Alumni)
In ISE there are ways to set up device purging. See Administration->Identity Management->Settings->Endpoint purge. You have the ability to purge based on endpoint identity groups and/or profiling/logical profiles. For example, you could purge endpoints from an imaging L2 MAB group every 5 days if you wish. You have quite a few options. As far as MACs from devices that you claim are not a part of your network, your NADs in the field have to be configured for AAA and dot1x/MAB services that specifically point back to your ISE cluster. Is it possible that there is something deployed that you are unaware of? For the licensing concern, are you pushing authz policy for those devices? How is that set up? ISE Base licensing is consumed when utilizing basic access via RADIUS with AAA/802.1X features. If pushing authz policy via profiled groups, then a Base + Plus license would be consumed. HTH!

Colby LeMaire (VIP Alumni), accepted solution

Extraneous MAC addresses in ISE do not count against licensing unless those devices are authenticating to ISE. It is common for ISE to pick up a bunch of MAC addresses that don't even authenticate to ISE. This can happen if you are doing SNMP polling from ISE for profiling. With SNMP polling, ISE hits a particular switch and grabs all MAC addresses that the switch knows about. On the wireless side, it is possible that you only have one SSID authenticating to ISE but ISE is picking up MAC addresses from other SSIDs. That will happen if you have the ISE server set up as a RADIUS accounting server with the "Network User" option checked globally. Uncheck that and then only assign ISE nodes as accounting servers on the SSIDs that actually authenticate to ISE.
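The two replies above describe the same triage by hand: an endpoint that ISE learned only through the SNMP query probe or through accounting from a non-ISE SSID never authenticates, so it neither consumes a license nor needs to stay in the endpoint database, and the purge rule Mike.Cifelli mentions (drop a given identity group after N days) is how to get rid of the leftovers. The script below is an added example, not code from the thread or from Cisco. It takes a constructed endpoint export (the column names MACAddress, IdentityGroup, EndPointSource and LastSeen are assumed for illustration and are not a guaranteed match for a real ISE export) and a constructed list of successful RADIUS authentications, then reports the endpoints that were learned but never authenticated, groups them by OUI so a block of provider or phone MACs stands out, and models the "group X, older than 5 days" purge rule so you can see what such a rule would delete before you create it.

```python
"""Triage an ISE endpoint export against RADIUS authentication activity.

Added example for the thread above; not Cisco's code and not an exact ISE
export format. All sample data below is constructed.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed endpoint export. Column names are assumed for illustration.
ENDPOINTS_CSV = """\
MACAddress,IdentityGroup,EndPointSource,LastSeen
00:11:22:33:44:55,Profiled,RADIUS Probe,2023-05-10T08:00:00
00:11:22:33:44:66,Imaging-L2-MAB,RADIUS Probe,2023-04-01T08:00:00
00:1B:2C:00:00:01,Unknown,SNMPQuery Probe,2023-05-09T12:00:00
00:1B:2C:00:00:02,Unknown,SNMPQuery Probe,2023-05-09T12:00:00
AA:BB:CC:00:00:03,Unknown,RADIUS Probe,2023-05-09T12:00:00
"""

# Constructed list of (MAC, timestamp) for successful RADIUS authentications.
# Note AA:BB:CC:00:00:03 is absent: it reached ISE via accounting only, which
# is exactly the "Network User checked globally" case from the reply above.
RADIUS_AUTH_LOG = [
    ("00:11:22:33:44:55", "2023-05-10T08:00:00"),
    ("00:11:22:33:44:66", "2023-04-01T08:00:00"),
]


def parse_endpoints(csv_text):
    """Parse the export into dicts with normalised MACs and datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "mac": row["MACAddress"].upper(),
            "group": row["IdentityGroup"],
            "source": row["EndPointSource"],
            "last_seen": datetime.fromisoformat(row["LastSeen"]),
        })
    return rows


def authenticated_macs(auth_log):
    """Set of MACs that actually authenticated (the ones that count for licensing)."""
    return {mac.upper() for mac, _ in auth_log}


def passive_only(endpoints, auth_macs):
    """MACs present in the endpoint DB that never authenticated.

    These came in through SNMP polling of a switch or accounting from a
    NAD/SSID that does not authenticate against ISE. The EndPointSource
    column alone is not enough (accounting-learned MACs show as RADIUS
    Probe too), so we cross-reference with the authentication records.
    """
    return sorted(e["mac"] for e in endpoints if e["mac"] not in auth_macs)


def oui_summary(macs):
    """Count MACs per OUI (first three octets) to spot vendor/provider blocks."""
    return Counter(m[:8] for m in macs)


def stale_in_group(endpoints, group, max_days, now):
    """Dry run of an endpoint purge rule: identity group == group AND
    not seen for more than max_days. Returns what the rule would delete."""
    cutoff = now - timedelta(days=max_days)
    return sorted(e["mac"] for e in endpoints
                  if e["group"] == group and e["last_seen"] < cutoff)


def triage(csv_text=ENDPOINTS_CSV, auth_log=RADIUS_AUTH_LOG, now=None):
    """Run the whole triage and return a report dict."""
    now = now or datetime(2023, 5, 10, 9, 0, 0)  # fixed for the constructed data
    endpoints = parse_endpoints(csv_text)
    auth = authenticated_macs(auth_log)
    passive = passive_only(endpoints, auth)
    return {
        "total": len(endpoints),
        "authenticated": sorted(auth),
        "passive_only": passive,
        "passive_by_oui": oui_summary(passive),
        "purge_imaging_5d": stale_in_group(endpoints, "Imaging-L2-MAB", 5, now),
    }


if __name__ == "__main__":
    report = triage()
    print(f"{report['total']} endpoints, {len(report['authenticated'])} authenticated")
    print("learned but never authenticated:", report["passive_only"])
    print("by OUI:", dict(report["passive_by_oui"]))
    print("purge rule Imaging-L2-MAB > 5 days would delete:", report["purge_imaging_5d"])
```

Run it against a real export and the authentication report for the same window; anything in `passive_only` is a candidate for a purge rule or for fixing the probe that collected it (SNMP query scope, or per-WLAN accounting instead of the global Network User setting), while `stale_in_group` is the safe way to preview a purge rule before enabling it.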

voipleo (Level 1)

Indeed, collected endpoints don't affect the license counter. I was confused because of a warning, but as it turned out it was related to another issue.

We currently have Base and Device Admin licenses used with some TACACS and RADIUS policies. The average active endpoint count is miserable, so there is nothing to worry about.

Thank you guys for comprehensive explanation.