Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
695
Views
1
Helpful
7
Replies

Purge endpoints based on blank status?

Josh Morris
Level 3
Level 3

‎02-07-2023 12:03 PM

As you can see by the image below (just a subset), I am getting a lot of endpoints show up that appear to never actually hit one of my rules. It will sit like this until it hits the inactiveDays endpoint purge or I purge manually. Does anyone know a way to either purge these more quickly, or deny them from getting into the database altogether?

JoshMorris_0-1675800173844.png

 

 

0 Helpful
7 Replies 7

hslai
Cisco Employee
Cisco Employee

‎02-09-2023 08:06 AM

@Josh Morris Please drill into a few of such client endpoints and see how they are learned (i.e. which probe(s) used as the source(s)).

0 Helpful

Josh Morris
Level 3
Level 3
In response to hslai

‎02-10-2023 07:12 AM

Most are Radius. I did have the pxGrid profiler enabled and was getting a lot of blank endpoints from that but have since disabled the profiler. 

0 Helpful

Rodrigo Diaz
Cisco Employee
Cisco Employee

‎02-09-2023 09:41 AM

The information you are displaying is from the context visibility, this information is purged regularly depending upon the rules you have configured in Administration>Identity Management> Settings> Endpoint Purge , see example below , when an endpoint attempts to log in your network with base on attributes this is going to be classified accordingly , if you have identified a group of endpoints what you can do is to set a rule that make the purge quicker, for your reference https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215931-ise-guest-account-management.html 

RodrigoDiaz_0-1675964409574.png

Let me know if that helped you . 

 

Josh Morris
Level 3
Level 3
In response to Rodrigo Diaz

‎02-10-2023 07:14 AM

Thanks. I am using quite a few Endpoint Purge rules. The problem here is that there aren't enough attributes to do much with these. I can't get them profiled to a group in order to use in a purge rule. I also am unwilling to create a default purge rule based on Elapsed or Inactive Days because there are many endpoints that would hit that rule that I don't want to purge. 

What I'm really hoping is that ISE has a mechanism to purge endpoints when the attributes are blank.

0 Helpful

Rodrigo Diaz
Cisco Employee
Cisco Employee
In response to Josh Morris

‎02-12-2023 08:35 PM

In addition to what it has been said here, once you checked the livelogs of such endpoints you can elaborate a rule based on the characteristics of those using the attributes option that is available in the endpoint purge page. 

0 Helpful

hslai
Cisco Employee
Cisco Employee

‎02-11-2023 02:13 PM

@Josh Morris We are trying understanding how these endpoints got in as Internal Endpoints. Many of them seem gone through authentication only but not authorization. Please check the auth detail reports for some of such endpoints.

0 Helpful

Josh Morris
Level 3
Level 3
In response to hslai

‎02-15-2023 07:43 AM

@hslai  I think there are two cases here. The first is that an endpoint connects to a switch, and does just enough to get an endpoint created in the context visibility but doesn't go through the full AAA process, as seen with the endpoint details below. This is my main concern. These are the types of situations I'm trying to prevent.

JoshMorris_0-1676475678890.png

Then, there is the following situation, where the endpoint seems to go through the AAA process, and get matched to an authorization rule. 

JoshMorris_1-1676475795601.png

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents