cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1425
Views
1
Helpful
6
Replies
Highlighted
Beginner

Purge endpoints which are not part of a Identity Group

Hi All,

Since we are running ISE version 2.1 we are seeing a huge increase of the amount of learned endpoints.

After investigation it looks like these are endpoints are/were connected to our hotspot SSID but the user didn't accept the AUP.
As soon as a user accept the AUP the endpoint becomes a member of an endpoint identity group which we purge at certain times.

Because the solution is implemented in more than 150 high density locations we're facing about more 20000 endpoints this month which are not part of a scheduled purge operation.

We tried to create a purge policy including never purge rules for certain endpoint Identity groups and one general purge rule which did not have an endpoint identity group as condition. This policy was purging the 'unkown' endpoints but also the endpoints which are member of an endpoint group to which a never purge policy is be applied.

Does anyone see a solution for this?

Thanks in advance,

Jan-Willem Molenaar

Everyone's tags (3)
6 REPLIES 6
Highlighted
Cisco Employee

Re: Purge endpoints which are not part of a Identity Group

Are you saying that this doesn't work for you?:

Purge.PNG

Highlighted
Beginner

Re: Purge endpoints which are not part of a Identity Group

Well, 'Unkown' in your case is an endpoint Identity group and the devices are not a member of this group. Therefore it won't work. But If you remove the condition 'Unknown' all endpoints will be purged including the one which are part of the never purge rules.

Highlighted
Cisco Employee

Re: Purge endpoints which are not part of a Identity Group

An endpoint will be dynamic assigned according to its endpoint attributes collected and to unknown if no attribute presents able to move it to another group or no static assignment.

A better solution might be to try preventing such endpoints getting into the endpoint store in the first place. Is possible to dedicate PSNs for such hot spot use and disable specific profiling probes, such as RADIUS and DHCP probes? Also note that AireOS 8.3 has this new feature -- Enabling RADIUS NAC on a WPA and WPA2-PSK WLAN

Highlighted
Beginner

Re: Purge endpoints which are not part of a Identity Group

Endpoint won't be dynamicly assigned since no profiling license is installed. Its also not required because it is just a basic hotspot functionality. They also don't appear as member of the unknown group.

I would love to know how to prevent them getting into the endpoint database. All profiling probes are disable and we've dedicated PSN's in the DMZ. We can't avoid users from connecting to our hotspot. If we can get them to the endpoint group unknown I would be able to purge them.

Highlighted
Cisco Employee

Re: Purge endpoints which are not part of a Identity Group

Yes this approach using WPAPSK will also protect the ip address pool from exhaustion as well

Highlighted
Cisco Employee

Re: Purge endpoints which are not part of a Identity Group

By no profiling licenses, I assume you meant no ISE advanced or plus licenses. Anyhow, this might be either a bug or some strange configuration issue so I would suggest to log a TAC case to investigate why endpoints getting added to the endpoint store without any enabled profiling probes and not accepting AUP in ISE 2.1.