Solved: ISE Purge question

danrush · ‎02-26-2018

Hello All,

Customer is asking this question, I have been researching but cannot find an answer. Every day they automatically purge guest users that have been on for 30 days. They are testing a device that needs Internet access for 60 days. Is there a way to mark a device so that it does not get purged at 30 days?

Thanks,

Dan.

Jason Kunst · ‎02-26-2018

Please explain how they are purging. The guest user purging mechanism it only works if the account is expired so as long as you create an account that last for 60 days then it should work fine

View solution in original post

Jason Kunst · ‎02-26-2018

Please explain how they are purging. The guest user purging mechanism it only works if the account is expired so as long as you create an account that last for 60 days then it should work fine

Craig Hyps · ‎02-27-2018

There are two basic purge cycles that can impact the guest user.

One is the purge of expired accounts. This is basically a cleanup function to remove any accounts that have expired due to the validity period assigned at guest creation, or due to an inactivity period for pending accounts.

The other purge cycle is related to device registration. If guest user is auto-registered (MAC address assigned to endpoint identity group such as GuestEndpoints), then the user can reconnect based on MAC address without having to provide credentials. Once the endpoint is purged, the guest will require a new authentication using their guest credentials (assuming they are still valid). By default, Guest Endpoints are purged every 30 days.

You can either change the default purge rule, or create a new rule that matches on specific users/devices to only purge every 60 days. It is possible to assign guests to different endpoint identity groups by redirecting to different portals.