04-22-2018 07:34 PM
Hi, currently I configure the purge policy to execute every day at 0300. I would like to know how to configure the "condition" in order to meet the requirement to purge every day.
My intention is to let the self-registered guests and sponsored guests log in to the captive portal every morning and register the endpoint under the "Guest_Endpoint" group. After the first login, the user is no longer required to log in again for the whole day until the endpoint is purged, regardless of when the endpoint was registered.
Example A: Guest A logs in to the captive portal and registers the endpoint in the morning at 0800. So during the day, he is no longer required to log in. His endpoint will be purged on the second day at 0300. When he comes back on the second day, he needs to log in again.
Example B: Guest B logs in to the captive portal and registers the endpoint at night at 2300. So his endpoint will be purged on the second day at 0300. When he comes back on the second day, he needs to log in again.
I have tried the following "Condition"
1. "Guest_Endpoint" AND "ENDPOINTPURGE ElapsedDays LESSTHAN 2"
2. "Guest_Endpoint" AND "ENDPOINTPURGE ElapsedDays GREATERTHAN 0"
With either one, I noticed that the endpoint is purged every 2 days. Is there a better condition I can use?
04-23-2018 01:44 PM
Your conditions are wrong. The most reliable condition is "Elapsed Days less than 9999". That guarantees any MAC address in the endpoint identity group on the purge rule gets dumped at 3:00. I use that on all my installs to guarantee purging.
04-22-2018 09:13 PM
What version and patch of ISE? There were issues in some versions.
I have not seen any issues with ISE 2.3 (any patch).
In your case, what status was the Guest account in? (created == never logged in, and active == guest has logged in) - I might be wrong, but I thought the elapsed days applies to the number of days from which the account became 'active'.
How do you define account lifetime? From time of creation, or from time of first login?
04-22-2018 11:02 PM
The ISE is version 2.1 patch 3.
I have 2 policies for guest:
1. Use guest flow after login.
2. If Guest Endpoint Group, then permit access.
After the first login, i.e. item 1, the endpoint is registered. On the second connection attempt, item 2 takes over. So, what I want is, at 0300, all endpoints in the Guest Endpoints Group are purged, regardless of when the guest logged in or was created.
04-23-2018 01:56 PM
Thanks, and if this doesn't work, it is likely a bug and I would try a later patch. Your release is old and there are many patches after that.
Patch 6 is out and you're on patch 3.
For example, patch 4 looks like this might be the same:
> After upgrading from ISE 1.3 patch 7 to ISE 2.0.1, purge rules are not working as expected.
Release Notes for Cisco Identity Services Engine, Release 2.1 - Cisco
04-23-2018 04:26 PM
My first trial was "less than 2". Before I tried this condition, I had already made sure the endpoint MAC address had been cleared from the endpoint group. But during the week, I noticed that the endpoint required login every 2 days. Thus I moved to "greater than 0", and it gave the same results. I guess I am hitting the bug.
04-23-2018 04:30 PM
Yes, you're running several patches back.
04-25-2018 04:37 PM
You can also try setting purge on the ID group with PurgeDate set < some date in the future, if the end goal is simply to delete any members in GuestEndpoints, for example. And yes, Paul did provide a good explanation of the nuances of purge logic.
04-23-2018 02:05 PM
Let me explain the 9999 logic in case others read this. There are several ways to try and tackle purging:
04-23-2018 03:41 PM
Thanks Paul. You should write that up as a best practice.
07-31-2024 11:02 AM
What are your thoughts if I want to purge on hours and not days?
07-31-2024 01:29 PM
Not possible. The Endpoint Purge schedule runs at a specific time, and there is only one time entry allowed.
Either put in a feature request via the "Make a Wish" option in the ISE GUI, or write your own code that uses the REST API to purge endpoints. Perhaps the API call will let you put some filters in place to give you the granularity you need. If not, then it would be a pain to first fetch all the endpoint data into your script and sift out the ones you want to delete ... every hour or so, ouch! I think the endpoint purge feature in ISE could use a few more tweaks.
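One way to do the "fetch, sift, delete every hour" job the reply above describes, as an added example that is not code from the thread or from Cisco: a small stand-alone Python script against the ISE ERS API. It assumes (none of this is confirmed by the thread) that ERS is enabled on port 9060 with an ERS-admin account, that `GET /ers/config/endpoint` accepts a `groupId.EQ.<group-id>` filter and `page`/`size` paging, and that `DELETE /ers/config/endpoint/<id>` removes an endpoint. Because the ERS endpoint record does not give us a reliable "registered at" timestamp, the script keeps its own JSON state file of when it first saw each endpoint id in the group and purges those older than a configurable number of hours; the `GUEST_GROUP_ID` and state-file path are placeholders.

```python
"""Hourly guest-endpoint purge via the ISE ERS API (illustrative, not Cisco code).

Assumptions (not confirmed by the thread):
  - ERS reachable at https://<ise-pan>:9060 with an ERS-admin account (basic auth).
  - GET  /ers/config/endpoint?filter=groupId.EQ.<id>&page=N&size=M lists group members.
  - DELETE /ers/config/endpoint/<id> removes one endpoint (204 on success).
Registration age is tracked by this script in a JSON state file keyed by endpoint id:
an id first seen by the script at time T is purged once T is at least MAX_AGE old.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from pathlib import Path


def _ers_request(base_url, path, auth, method="GET", params=None, ctx=None):
    """Issue one ERS call with HTTP basic auth; return (status, decoded JSON or None)."""
    url = base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(url, method=method, headers={
        "Accept": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def list_group_endpoints(base_url, auth, group_id, ctx=None, page_size=100):
    """Yield the ERS ids of every endpoint currently in the given identity group."""
    page = 1
    while True:
        _, data = _ers_request(base_url, "/ers/config/endpoint", auth, params={
            "filter": f"groupId.EQ.{group_id}", "page": page, "size": page_size}, ctx=ctx)
        resources = data["SearchResult"]["resources"]
        for item in resources:
            yield item["id"]
        if len(resources) < page_size:
            return
        page += 1


def select_expired(seen, current_ids, now, max_age):
    """Return (updated_seen, ids_to_purge).

    `seen` maps endpoint id -> ISO-8601 time the script first observed it in the group.
    Ids no longer in the group are dropped, new ids are stamped `now`, and ids first
    seen at least `max_age` ago are selected for purge (and dropped from the state so a
    re-registered endpoint starts a fresh clock).
    """
    updated, to_purge = {}, []
    for ep_id in current_ids:
        first_seen = seen.get(ep_id, now.isoformat())
        if now - datetime.fromisoformat(first_seen) >= max_age:
            to_purge.append(ep_id)
        else:
            updated[ep_id] = first_seen
    return updated, to_purge


def purge_endpoints(base_url, auth, ids, ctx=None):
    """DELETE each endpoint id; treat 404 as already gone. Returns the ids removed."""
    deleted = []
    for ep_id in ids:
        try:
            _ers_request(base_url, f"/ers/config/endpoint/{ep_id}", auth, method="DELETE", ctx=ctx)
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise
        deleted.append(ep_id)
    return deleted


def run_once(base_url, auth, group_id, state_file, max_age_hours=12, verify_tls=True):
    """One scheduler tick (run from cron every hour): list, sift, delete, save state."""
    ctx = None if verify_tls else ssl._create_unverified_context()  # lab use only
    state_path = Path(state_file)
    seen = json.loads(state_path.read_text()) if state_path.exists() else {}
    current = list(list_group_endpoints(base_url, auth, group_id, ctx=ctx))
    now = datetime.now(timezone.utc)
    seen, expired = select_expired(seen, current, now, timedelta(hours=max_age_hours))
    deleted = purge_endpoints(base_url, auth, expired, ctx=ctx)
    state_path.write_text(json.dumps(seen, indent=1))
    return deleted


if __name__ == "__main__":
    # Placeholders: replace with your PAN, an ERS-admin account, and the GuestEndpoints
    # group id (GET /ers/config/endpointgroup shows the ids).
    print(run_once("https://ise-pan.example.local:9060", ("ers-admin", "PASSWORD"),
                   "GUEST_GROUP_ID", "/var/lib/ise-purge/state.json", max_age_hours=12))
```

Schedule `run_once` from cron at whatever interval you want the purge granularity to be. On the very first run every existing member is stamped "now", so nothing is deleted until `max_age_hours` later; after that each endpoint is removed roughly `max_age_hours` after the script first saw it, forcing the guest back through the portal on the next connection.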