
ISE cleaning unused objects/devices

valentinrosic
Level 1

Hello,

I'm currently in the process of migrating an old ISE 2.7 to ISE 3.1. The old ISE is actually filled with garbage from the old ACS.

Do you have any recommendations on how to find and clean unused/obsolete:

1. TACACS/RADIUS: network devices and device admin policy sets

2. Network access: policy elements (authorization profiles, downloadable ACLs, etc.)

 

6 Replies

Please try looking at Operations > Reports; you might find some useful report templates in there.

Hello Aref,

I'm aware of Reports but unfortunately I'm unable to generate anything that's useful to me. That's why I created this post.

 

Nancy Saini
Cisco Employee

There is no tool to clear unused network devices and policy elements.

For the policy elements, you may try deleting them manually; if one gets deleted without any error, that means it's not being referred to in any policy.

Thank you Nancy. 

We have a script which daily uses SSH to log in to the device and copy the running configuration to a Linux server.

Is there a possibility of creating a report which will tell me which network devices weren't accessed for the last month or timed out?

You can check the last 30 days' RADIUS/TACACS authentication report on ISE and filter by network device name to check which devices were logged in to.

hslai
Cisco Employee

@valentinrosic The hit for each policy set and policy rule should help identify which policy set or rule is actively used. Once the policy sets are clean, then we may tackle the policy elements. Exporting the policies to an XML file might help with that.
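
As an added example (not part of the original thread, and not Cisco code): one way to act on the report suggestion above is to export the network device list and the last-30-days authentication report to CSV and cross-reference them offline. The column names (`Name`, `Logged At`, `Network Device Name`, `Status`), the timestamp format and the sample rows are constructed assumptions; adjust them to match your actual exports.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports; column names and timestamp format are assumptions.
DEVICES_CSV = """Name,IP Address
core-sw1,10.0.0.1
edge-rtr2,10.0.0.2
old-acs-sw9,10.0.9.9
lab-fw3,10.0.3.3
"""
REPORT_CSV = """Logged At,Network Device Name,Status
2024-05-28 02:00:01,core-sw1,Pass
2024-05-27 02:00:03,edge-rtr2,Fail
2024-04-01 02:00:02,lab-fw3,Pass
2024-05-28 02:00:05,CORE-SW1,Pass
"""

def stale_devices(devices_csv, report_csv, now, days=30):
    """Return inventory devices with no, or only failed, authentications in the window."""
    cutoff = now - timedelta(days=days)
    # Normalise names so "CORE-SW1" in the report matches "core-sw1" in the inventory.
    inventory = {r["Name"].strip().lower()
                 for r in csv.DictReader(io.StringIO(devices_csv))}
    passed, failed = set(), set()
    for row in csv.DictReader(io.StringIO(report_csv)):
        ts = datetime.strptime(row["Logged At"].strip(), "%Y-%m-%d %H:%M:%S")
        if ts < cutoff:
            continue  # older than the reporting window, ignore
        name = row["Network Device Name"].strip().lower()
        (passed if row["Status"].strip().lower() == "pass" else failed).add(name)
    return {
        # No record at all: candidate for removal (decommissioned or unreachable).
        "no_auth": sorted(inventory - passed - failed),
        # Seen, but never authenticated successfully: review before deleting.
        "fail_only": sorted((inventory & failed) - passed),
    }

if __name__ == "__main__":
    result = stale_devices(DEVICES_CSV, REPORT_CSV, now=datetime(2024, 5, 29))
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices in `no_auth` are candidates for review rather than automatic deletion, since a device that is only reachable occasionally would also land there.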