ISE endpoint purge no profiler service

marco.merlo
Level 1

Hi to all,

I am trying to overcome some "cumbersome" limitations of the ISE purge endpoints function when the profiler service is not active.

I am trying to leverage the ISE RESTful API.

Essentially I want to get the list of endpoints with an "ElapsedDays" attribute greater than a certain value and then delete only the endpoints that do not have an active session.

Now the ISE MGT API can be easily queried to understand if there is an active session associated with a given MAC address, but I have not been able to understand how to ask the ERS or MGT APIs for endpoints with a given ElapsedDays attribute.

Any idea?

Regards


7 Replies

Damien Miller
VIP Alumni
Not a direct answer to your question, but buying 100 Plus licenses would save you the headache and allow you to use the built-in purging like you need. List price would be 864 / yr or less depending on the term.

Hi @Damien Miller

Why do you need a Plus license to purge endpoints? I have a customer with Base licenses only and we purge all the time.

@marco.merlo - I found that the REST API doesn't return all the properties of the endpoint as seen in the UI. ISE may expose an API, but in my experience I am left feeling disappointed because I cannot do what I want to do. If this were a proper RESTful API then it would mimic the GUI and allow every GUI action to be done via API. And it would also expose the same data model that is available to us as GUI users. But it doesn't. Long live DevOps ... ? Not so fast ... :(

 

Below is a call to the API for an arbitrary endpoint

curl -k -u '<ERS_USER>:<ERS_PASSWORD>' -H 'ACCEPT: application/json' https://192.168.0.221:9060/ers/config/endpoint/3b2c05a0-9176-11e9-90fa-6e3ca0c7485b

Not a lot of detail. If there is another call I should be using then please advise. I could not see anything more detailed than this one.

 

{
  "ERSEndPoint" : {
    "id" : "3b2c05a0-9176-11e9-90fa-6e3ca0c7485b",
    "name" : "00:1E:F7:C3:CB:8C",
    "mac" : "00:1E:F7:C3:CB:8C",
    "profileId" : "1513b300-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : false,
    "groupId" : "14f5cac0-8c00-11e6-996c-525400b48521",
    "staticGroupAssignment" : false,
    "portalUser" : "",
    "identityStore" : "",
    "identityStoreId" : "",
    "link" : {
      "rel" : "self",
      "href" : "https://192.168.0.221:9060/ers/config/endpoint/3b2c05a0-9176-11e9-90fa-6e3ca0c7485b",
      "type" : "application/xml"
    }
  }
}
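As an added example (not code from this thread or from Cisco), the safe-delete logic the question asks for: join the ERS endpoint list with the MnT active-session list and select only endpoints that are both stale and session-free, as a dry run. Assumptions, also labelled in the code: the ERS list uses the SearchResult/resources shape with the MAC in "name" as in the record above, the MnT ActiveList XML carries the MAC in calling_station_id, ElapsedDays is supplied from outside ERS (the thread shows ERS does not return it), and all sample data is constructed.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample ERS endpoint list (GET /ers/config/endpoint). As in the record
# above, "name" carries the MAC. Shape assumed for this example.
ERS_ENDPOINTS_JSON = """{"SearchResult": {"total": 3, "resources": [
 {"id": "3b2c05a0-9176-11e9-90fa-6e3ca0c7485b", "name": "00:1E:F7:C3:CB:8C"},
 {"id": "aaaa0000-0000-0000-0000-000000000001", "name": "00:11:22:33:44:55"},
 {"id": "aaaa0000-0000-0000-0000-000000000002", "name": "66-77-88-99-aa-bb"}]}}"""
# Constructed sample MnT ActiveList reply (assumed shape: MAC in calling_station_id).
MNT_ACTIVE_LIST_XML = """<activeList noOfActiveSession="1">
 <activeSession><user_name>host/voip-phone-1</user_name>
  <calling_station_id>00:1E:F7:C3:CB:8C</calling_station_id></activeSession>
</activeList>"""
# Assumed: ElapsedDays per MAC supplied from outside ERS (the thread shows ERS omits it).
ELAPSED_DAYS = {"00:1E:F7:C3:CB:8C": 400, "00:11:22:33:44:55": 120, "66:77:88:99:AA:BB": 10}

def norm_mac(mac):
    # ERS and MnT may differ in case/separator; compare on one canonical form.
    return mac.strip().upper().replace("-", ":")

def parse_ers_endpoints(text):
    resources = json.loads(text)["SearchResult"]["resources"]
    return [(r["id"], norm_mac(r["name"])) for r in resources]

def parse_active_macs(text):
    root = ET.fromstring(text)
    return {norm_mac(s.findtext("calling_station_id", "")) for s in root.iter("activeSession")}

def select_purge_candidates(endpoints, active_macs, elapsed_days, threshold):
    """Endpoints stale for more than `threshold` days AND with no live session.
    An endpoint with no ElapsedDays value is never selected (fail closed on missing data)."""
    chosen = []
    for ep_id, mac in endpoints:
        days = elapsed_days.get(mac)
        if days is None or days <= threshold or mac in active_macs:
            continue
        chosen.append((ep_id, mac, days))
    return chosen

def purge_plan(threshold=90):
    endpoints = parse_ers_endpoints(ERS_ENDPOINTS_JSON)
    active = parse_active_macs(MNT_ACTIVE_LIST_XML)
    return select_purge_candidates(endpoints, active, ELAPSED_DAYS, threshold)

if __name__ == "__main__":
    # Dry run only: show the ERS DELETE that would be issued for each candidate.
    for ep_id, mac, days in purge_plan():
        print(f"DELETE /ers/config/endpoint/{ep_id}  # {mac}, ElapsedDays={days}")
```

The VoIP phone with ElapsedDays=400 is kept because it has a live session, which is exactly the case the "never re-authenticate" endpoints in the thread fall into.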

My understanding was that if you don't have any Plus licenses, you couldn't leverage any of the features that leverage that data.

I've never run a deployment without Plus, so it just sounded like adding them would allow inactive days to be leveraged here, since it sounded like it wasn't available.

Hey Damien

I can assure you that with Base licenses only, the menus are restricted to the allowed feature set (e.g. no Profiling or BYOD menu etc.) and the endpoints' profiles are fuzzed out. But we are able to purge endpoints without any issues.

Below is the restricted view that you get when only Base Licenses are installed:

[Image: Base-only-menu.png]

And Context Visibility teases us with the fuzzed-out columns as shown below (I did not fuzz them out - this is how ISE displays them)

[Image: EndPointFuzzt.PNG]

That's pretty rough!

It would seem the easiest way to address this purging process would then be to use the built-in purging tool, then set up a rule for "elapsed days and endpoint:inactive days". This would avoid purging active sessions, assuming inactive days were 1+.

Hi,

Unfortunately "InactiveDays" is useless without a Plus license installed because it is not reset to zero when getting an accounting update.

Regards

MM

Hi Arnie,

I am afraid I forgot to share some information: we are able to purge endpoints as well, but with a lot of limitations.

Our ISE deployment is going to authenticate both wireless guest users and wired/wireless corporate users/endpoints.

Without a Plus license installed there is no way to purge an endpoint looking at its "last seen" attribute (the InactiveDays attribute is not reset when getting an accounting packet from the NAD), so the main option you have is to look at InactiveDays. Of course, if one sets up the purge rule with a number of elapsed days greater than the maximum re-authentication timer that is configured on the authentication profiles, there will be no issue. Unfortunately we are migrating from an environment in which NADs get a "never re-authenticate" profile for a lot of endpoints (dot1x VoIP phones). So in order to avoid purging them while continuing to purge old guest (LWA ....) endpoints, I need to get a purge rule able to recognize such endpoints.
My idea was to exploit the fact that such endpoints will have a high "ElapsedDays" value but an active session.

At the end I think I'll buy a 100 endpoint plus license.

Regards

MM