Beginner

ISE endpoint purge no profiler service

Hi to all,

I am trying to overcome some "cumbersome" limitations of the ISE endpoint purge function when the profiler service is not active.

I am trying to leverage the ISE RESTful API.

Essentially I want to get the list of endpoints with an "ElapsedDays" attribute greater than a certain value and then delete only the endpoints that do not have an active session.

Now the ISE MGT API can be easily queried to understand if there is an active session associated with a given MAC address, but I have not been able to understand how to ask the ERS or MGT APIs for endpoints with a given ElapsedDays attribute.

Any idea?

Regards
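An added example (not code from this thread or from Cisco) of the selection logic the question describes: purge only endpoints older than a threshold that have no active session. Since the ERS endpoint resource does not return ElapsedDays, the per-MAC age and the active-session MAC set are assumed to come from separate sources and are constructed sample data here; the first payload follows the ERSEndPoint JSON shape shown later in the thread, the other ids and MACs are made up.

```python
import json

# Constructed sample input. The first payload is the ERSEndPoint format shown
# in this thread (only id and mac kept); the other two ids/MACs are made up.
ERS_RESPONSES = [
    '{"ERSEndPoint": {"id": "3b2c05a0-9176-11e9-90fa-6e3ca0c7485b", "mac": "00:1E:F7:C3:CB:8C"}}',
    '{"ERSEndPoint": {"id": "id-guest-0001", "mac": "aa-bb-cc-00-00-01"}}',
    '{"ERSEndPoint": {"id": "id-phone-0002", "mac": "aabb.cc00.0002"}}',
]
# Constructed: ElapsedDays per MAC from a separate export, because the ERS
# endpoint resource does not return that attribute (as noted in the thread).
ELAPSED_DAYS = {"00:1E:F7:C3:CB:8C": 3, "AA:BB:CC:00:00:01": 120, "AA:BB:CC:00:00:02": 400}
# Constructed: MACs that currently have an active session (e.g. from the MnT API).
ACTIVE_SESSION_MACS = {"aabb.cc00.0002"}


def normalize_mac(mac):
    """Canonicalise any common MAC notation to AA:BB:CC:DD:EE:FF so that the
    ERS, session and export sources can be compared reliably."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ers_endpoint(payload):
    """Extract id and normalised MAC from one GET /ers/config/endpoint/{id} body."""
    ep = json.loads(payload)["ERSEndPoint"]
    return {"id": ep["id"], "mac": normalize_mac(ep["mac"])}


def plan_purge(payloads, elapsed_days, active_macs, min_days):
    """Return (to_delete, kept): ids older than min_days with no active session,
    plus a reason for every endpoint that is deliberately kept (dry run only)."""
    active = {normalize_mac(m) for m in active_macs}
    to_delete, kept = [], {}
    for ep in map(parse_ers_endpoint, payloads):
        days = elapsed_days.get(ep["mac"])
        if days is None:
            kept[ep["id"]] = "no ElapsedDays value"  # unknown age: never purge blindly
        elif days <= min_days:
            kept[ep["id"]] = f"seen {days} days ago"
        elif ep["mac"] in active:
            kept[ep["id"]] = "active session"  # e.g. never-re-authenticating phones
        else:
            to_delete.append(ep["id"])
    return to_delete, kept


if __name__ == "__main__":
    delete_ids, kept_ids = plan_purge(ERS_RESPONSES, ELAPSED_DAYS, ACTIVE_SESSION_MACS, 90)
    print("would DELETE /ers/config/endpoint/{id} for:", delete_ids, "| kept:", kept_ids)
```

The function only plans the purge; issuing the actual DELETE calls against ERS is left to the operator after reviewing the kept reasons.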

1 ACCEPTED SOLUTION
Beginner

Re: ISE endpoint purge no profiler service

Hi,

unfortunately "InactiveDays" is useless without a Plus license installed because it is not reset to zero when getting an accounting update.

Regards

MM

7 REPLIES
VIP Advisor

Re: ISE endpoint purge no profiler service

Not a direct answer to your question, but buying 100 Plus licenses would save you the headache and allow you to use the built-in purging like you need. List price would be 864 / yr or less depending on the term.
VIP Advisor

Re: ISE endpoint purge no profiler service

Hi @Damien Miller

Why do you need a Plus license to purge endpoints?  I have a customer with Base licenses only and we purge all the time.


@marco.merlo - I found that the REST API doesn't return all the properties of the endpoint as seen in the UI.  ISE may expose an API, but in my experience I am left feeling disappointed because I cannot do what I want to do.  If this were a proper RESTful API then it would mimic the GUI and allow every GUI action to be done via API. And it would also expose the same data model that is available to us as GUI users.  But it doesn't.  Long live DevOps ... ?  Not so fast ... :(

 

Below is a call to the API for an arbitrary endpoint

# host taken from the "href" in the response below; <user>:<password> is a placeholder for an ERS admin account
curl -k -u '<user>:<password>' 'https://192.168.0.221:9060/ers/config/endpoint/3b2c05a0-9176-11e9-90fa-6e3ca0c7485b' -H 'ACCEPT: application/json'

 

Not a lot of detail.  If there is another call I should be using then please advise.  I could not see anything more detailed than this one.

 

{
  "ERSEndPoint" : {
    "id" : "3b2c05a0-9176-11e9-90fa-6e3ca0c7485b",
    "name" : "00:1E:F7:C3:CB:8C",
    "mac" : "00:1E:F7:C3:CB:8C",
    "profileId" : "1513b300-8c00-11e6-996c-525400b48521",
    "staticProfileAssignment" : false,
    "groupId" : "14f5cac0-8c00-11e6-996c-525400b48521",
    "staticGroupAssignment" : false,
    "portalUser" : "",
    "identityStore" : "",
    "identityStoreId" : "",
    "link" : {
      "rel" : "self",
      "href" : "https://192.168.0.221:9060/ers/config/endpoint/3b2c05a0-9176-11e9-90fa-6e3ca0c7485b",
      "type" : "application/xml"
    }
  }
}
VIP Advisor

Re: ISE endpoint purge no profiler service

My understanding was that if you don't have any plus licenses, you couldn't leverage any of the features that leverage that data.

I've never run a deployment without Plus, so it just sounded like adding them would allow inactive days to be leveraged here, since it sounded like that wasn't available.

VIP Advisor

Re: ISE endpoint purge no profiler service

Hey Damien

 

I can assure you that with Base licenses only, the menus are restricted to the allowed feature set (e.g. no Profiling or BYOD menu etc) and the endpoints' profiles are fuzzed out.  But we are able to purge endpoints without any issues.

 

Below is the restricted view that you get when only Base Licenses are installed:

 

[image: Base-only-menu.png]

 

And Context Visibility teases us with the fuzzed-out columns as shown below (I did not fuzz them out - this is how ISE displays them)


[image: EndPointFuzzt.PNG]


VIP Advisor

Re: ISE endpoint purge no profiler service

That's pretty rough!

It would seem the easiest way to address this purging process would then be to use the built in purging tool, then setting a rule up for "elapsed days and endpoint:inactive days". This would avoid purging active sessions assuming inactive days were 1+.
Beginner

Re: ISE endpoint purge no profiler service

Hi Arnie,

I am afraid I forgot to share some information: we are able to purge endpoints as well, but with a lot of limitations.

Our ISE deployment is going to authenticate both wireless guest users and wired/wireless corporate users/endpoints.

Without a Plus license installed there is no way to purge an endpoint looking at its "last seen" attribute (the InactiveDays attribute is not reset when getting an accounting packet from the NAD), so the main option you have is to look at InactiveDays. Of course if one sets up the purge rule with a number of elapsed days greater than the maximum re-authentication timer that is configured on the authentication profiles there will be no issue. Unfortunately we are migrating from an environment in which NADs get a "never re-authenticate" profile for a lot of endpoints (dot1x VoIP phones). So in order to avoid purging them while continuing to purge old guest (LWA ....) endpoints, I need to get a purge rule able to recognize such endpoints.
My idea was to exploit the fact that such endpoints will have a high "ElapsedDays" value but an active session.

At the end I think I'll buy a 100 endpoint plus license.

Regards

MM