MAC addresses not purging from ISE MAC Authentication Bypass database

brettlarkins
Level 1

I'm having an issue where my client MAC addresses are not being automatically purged from ISE.  This is a simple pass-thru build, where the users are presented a splash page and have to hit "accept" to gain access to the internet.  When the user does this, their MAC address is added to ISE and then they have access. 

I need the clients to be presented the splash page at least once a day.  Since the MAC address gets added when they hit accept, they never get presented the splash page again, unless I manually delete the MAC from Administration > Identities > Endpoints.

I set the purge frequency under Administration > Identity mgmt > Settings to 1 day and under the Guest Portal settings to "purge endpoints in this identity group every 1 day", but the MACs stay in that group even after several days.

I also set the reauthentication attribute to be very short (30 min) in the Authorization profiles thinking this might help, but the client never receives the splash page again after hitting accept because the MAC is still listed in the endpoint group.  The only way to get the splash page to reappear for clients is to manually delete the MAC from ISE...

Is there something else I am missing to make this Purge feature work?

Attached are some screenshots of the settings.

 

Thanks!

1 Accepted Solution

jan.nielsen
Level 7

Sounds like a bug. Looks to me like you are doing it correctly; I have it working at a customer in ISE 1.3, just with a much longer period before purging (3 months). What ISE version are you on?

Yeah, seems like a bug, but I am also running 1.3 (specifically 1.3.0.876)

You have it working okay though, huh?

I spent most of the day yesterday going through everything again and I don't think anything was missed... seems pretty straightforward. It's been over 24 hours now, and the MACs are still there.

Even when I tell it to "Purge Immediately" from the Administration > Settings > Endpoint Purge page, they don't go away.  Only way to kick them is to manually delete them.

I have this set up in my lab and it is working properly... I configured the Production box the same as the Lab box and the Endpoints do not purge.

Endpoint Purge configuration (under Administration > Identity Management > Settings > Endpoint Purge) is shown on both and customizable on both boxes.

Do you suppose this could be related to Licensing? 

The only difference between the 2 devices is the licensing.  Lab box is Eval license so it has all features enabled.  Production box only has Base licensing... but you would think that the Endpoint Purge option would be missing (like some other features) if it is not included in the Base license.

brettlarkins
Level 1

Turns out this was a bug...

ISE 1.3 immediate purge button grayed out and auto EP purge policy fail
CSCus55690
 
It is fixed in patch 3
ise-patchbundle-1.3.0.876-Auto3-135929.x86_64.tar.gz
 
Installed, tested and verified.