cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

4267
Views
5
Helpful
3
Replies
Highlighted
Beginner

ISE Endpoint Purging when older than 60 days

Hi folks,

Due huge MAC Address DB I'd like to set a policy that clean up old devices.

I'm not able to remove/purge ISE 1.4 Endpoints that don't belong to any group.

My target is remove any device older than 60 (or more) days.

 

I've tried with no success this rule (Administration->Identity Management->Settings->Endpoint Purge)

g3UrvwxDFZ.png

 

 

 

Thank you,

Gianluca

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Hi MM

 

Well first off, the good news.  It seems that somewhere along the line in ISE 2.4 patching, there now seems to be some automatic purging of Endpoints with "blank" EIG's!  That's good news.  There is no new purge rule for them, it just seems to happen by itself.

As for the use case, I don't know why this happens.  I would call it a bug (Cisco would call it a feature ... ha - that old joke ...) - seriously, this violates some fundamental law of data structures or database design, when a field is left blank.  It makes no sense to me.  It's garbage data.

 

Many of my deployments do not have Plus licenses, and therefore I cannot enable Profiling. Having said that, I CAN enable Profiling, but I cannot use Authorization rules in my Policy Sets, because it would violate the license agreement.  I mostly don't care about Profiling and perhaps in some time in the future I will see the point of using it.  Right now I am enjoying the free "profiling" data that the Cisco device sensors deliver me via Radius Accounting. I can see the hostname, operating system and browser type etc.  It's just a nice bit of extra information but I cannot build policies with this - nor do I want to.

ISE is many things to many different people - I have never had the urge to throw a device into a VLAN because I believe with a % certainty that it's a light bulb, or an iPhone.  Call me old fashioned :-p

 

View solution in original post

3 REPLIES 3
Highlighted
VIP Advisor

Believe it or not, this same problem exists in latest ISE 2.3 patch 2.  Endpoints that do not belong to any Endpoint Identity Group (EIG).  In fact, the EIG is Empty.  ISE 2.3 has a GUI filter that allows us to filter for endpoints that have "Empty"EIG.  Then you manually select them and delete them. 

But this doesn't solve our requirement of having an automatic Purge facility. 

I raised a TAC case and they created a new bug CSCvg46494 - they say that this might be possible in ISE 2.4 - that version will probably be generally available in April

Highlighted

Hi Arne,

It seems that in my ISE 2.3 installation all devices that are not profiled are placed in the Unknown Identity Group that can be used to build purge policies. Might you be so kind to tell me which are the use cases that end up with a device with empty Identitygroup attribute?

Regards

MM

Highlighted

Hi MM

 

Well first off, the good news.  It seems that somewhere along the line in ISE 2.4 patching, there now seems to be some automatic purging of Endpoints with "blank" EIG's!  That's good news.  There is no new purge rule for them, it just seems to happen by itself.

As for the use case, I don't know why this happens.  I would call it a bug (Cisco would call it a feature ... ha - that old joke ...) - seriously, this violates some fundamental law of data structures or database design, when a field is left blank.  It makes no sense to me.  It's garbage data.

 

Many of my deployments do not have Plus licenses, and therefore I cannot enable Profiling. Having said that, I CAN enable Profiling, but I cannot use Authorization rules in my Policy Sets, because it would violate the license agreement.  I mostly don't care about Profiling and perhaps in some time in the future I will see the point of using it.  Right now I am enjoying the free "profiling" data that the Cisco device sensors deliver me via Radius Accounting. I can see the hostname, operating system and browser type etc.  It's just a nice bit of extra information but I cannot build policies with this - nor do I want to.

ISE is many things to many different people - I have never had the urge to throw a device into a VLAN because I believe with a % certainty that it's a light bulb, or an iPhone.  Call me old fashioned :-p

 

View solution in original post