03-09-2018 05:57 AM - edited 02-21-2020 10:48 AM
Hi folks,
Due to a huge MAC Address DB I'd like to set a policy that cleans up old devices.
I'm not able to remove/purge ISE 1.4 Endpoints that don't belong to any group.
My target is to remove any device older than 60 (or more) days.
I've tried this rule (Administration->Identity Management->Settings->Endpoint Purge) with no success.
Thank you,
Gianluca
Solved! Go to Solution.
08-28-2018 04:39 AM
Hi MM
Well first off, the good news. It seems that somewhere along the line in ISE 2.4 patching, there now seems to be some automatic purging of Endpoints with "blank" EIGs! That's good news. There is no new purge rule for them, it just seems to happen by itself.
As for the use case, I don't know why this happens. I would call it a bug (Cisco would call it a feature ... ha - that old joke ...) - seriously, this violates some fundamental law of data structures or database design, when a field is left blank. It makes no sense to me. It's garbage data.
Many of my deployments do not have Plus licenses, and therefore I cannot enable Profiling. Having said that, I CAN enable Profiling, but I cannot use Authorization rules in my Policy Sets, because it would violate the license agreement. I mostly don't care about Profiling and perhaps in some time in the future I will see the point of using it. Right now I am enjoying the free "profiling" data that the Cisco device sensors deliver me via Radius Accounting. I can see the hostname, operating system and browser type etc. It's just a nice bit of extra information but I cannot build policies with this - nor do I want to.
ISE is many things to many different people - I have never had the urge to throw a device into a VLAN because I believe with a % certainty that it's a light bulb, or an iPhone. Call me old fashioned :-p
03-11-2018 05:42 PM
Believe it or not, this same problem exists in the latest ISE 2.3 patch 2. Endpoints that do not belong to any Endpoint Identity Group (EIG). In fact, the EIG is Empty. ISE 2.3 has a GUI filter that allows us to filter for endpoints that have "Empty" EIG. Then you manually select them and delete them.
But this doesn't solve our requirement of having an automatic Purge facility.
I raised a TAC case and they created a new bug CSCvg46494 - they say that this might be possible in ISE 2.4 - that version will probably be generally available in April
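The gap described in this thread, as an added illustration that is not part of any post above and not Cisco's code: a purge rule scoped to an identity group (as in the original question) never matches records whose EIG is blank, so an audit of a constructed endpoint export has to select on elapsed days regardless of group. The purge-rule semantics (group equality plus an ElapsedDays threshold), the record fields and the sample MACs are assumptions for the example.

```python
from datetime import date

# Constructed sample of an endpoint export (not real data): MAC, identity group,
# last-seen date. Blank "group" values stand in for the "Empty" EIG records.
ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "group": "Unknown",     "last_seen": date(2018, 1, 2)},
    {"mac": "00:11:22:33:44:02", "group": "",            "last_seen": date(2017, 11, 20)},
    {"mac": "00:11:22:33:44:03", "group": "Workstation", "last_seen": date(2018, 3, 1)},
    {"mac": "00:11:22:33:44:04", "group": "",            "last_seen": date(2018, 3, 5)},
]


def elapsed_days(ep, today):
    """Days since the endpoint was last seen, evaluated against `today`."""
    return (today - ep["last_seen"]).days


def group_scoped_purge(endpoints, group, max_days, today):
    """Assumed model of a group-scoped purge rule: match only endpoints in
    `group` that have not been seen for more than max_days. Blank-group
    records can never satisfy the group condition and are skipped."""
    return [ep["mac"] for ep in endpoints
            if ep["group"] == group and elapsed_days(ep, today) > max_days]


def stale_any_group(endpoints, max_days, today):
    """Audit selection: stale endpoints regardless of group, so blank-EIG
    records are surfaced instead of silently left in the database."""
    return [ep["mac"] for ep in endpoints if elapsed_days(ep, today) > max_days]


def blank_group(endpoints):
    """Equivalent of the GUI filter for endpoints whose EIG is empty."""
    return [ep["mac"] for ep in endpoints if not ep["group"]]


if __name__ == "__main__":
    today = date(2018, 3, 9)
    print("Unknown-group rule, >60 days:", group_scoped_purge(ENDPOINTS, "Unknown", 60, today))
    print("Stale in any group, >60 days:", stale_any_group(ENDPOINTS, 60, today))
    print("Empty EIG:", blank_group(ENDPOINTS))
```

Run against a real export, the difference between the first two lists is exactly the set of stale records a group-scoped rule would leave behind.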
08-28-2018 01:51 AM - edited 08-28-2018 01:52 AM
Hi Arne,
It seems that in my ISE 2.3 installation all devices that are not profiled are placed in the Unknown Identity Group, which can be used to build purge policies. Might you be so kind as to tell me which use cases end up with a device with an empty Identity Group attribute?
Regards
MM