Cisco Employee

Report of inactive endpoints

I have a customer who's wanting to pull a report of all of his endpoints showing how long they've been inactive.  It looks like I can see that attribute individually when looking at an endpoint, but that's not a field available when you export the endpoints.

4 REPLIES
Highlighted
Collaborator

You can export the endpoints and there is a column for "Update Time".  That tells you the last time ISE saw anything for the endpoint.  You might have to calculate the field from a Unix timestamp to normal date/time.  Depends on your version of Excel or what you use to open the CSV file with.

View solution in original post

Highlighted

Few notes...  The inactivity time is only valid if your customer has one of two things properly configured:

  1. Reauthentication timers to force the devices to reauth periodically.  We have all of our wired results set a reauth timer.
  2. Periodic aaa accounting updates configured on the switch.

We do #1 on our customers and have aaa accounting only set for new info.

Also, if you have devices that have never authenticated (i.e. they were learned through profiling discovery) their inactive days will always be 0, making you think they are active.  It takes an authentication from a MAC address to start the inactive clock timer.

Highlighted

DHCP updates, SNMP polling updates, or any other profiling information changes would also change the "Update Time".  So even with a default DHCP lease time of 8 days, there would be a new DHCP request at 4 days.

I do recommend doing some sort of reauthentication timer, just not too low.  Something like every 12 hours is fine so that you can always see the endpoint information in Live Logs.

Highlighted

DHCP lease times wouldn't affect anything if you are doing IOS device sensor (as all modern installs should be doing) and you have aaa accounting new info only enabled.   Also again if you are doing IOS device sensor you really don't need to SNMP poll either (I still do as a backup).  We set our reauthentication timers to 65,000 seconds. 

View solution in original post
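
The report discussed in this thread can be built from the endpoint export by converting the "Update Time" column and sorting by days since the last update. This is an added example, not code from any poster or from Cisco; the `MACAddress` column name, the seconds-versus-milliseconds handling and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export; only the "Update Time" column name comes from the thread.
SAMPLE_CSV = """MACAddress,Update Time
00:11:22:33:44:55,1700000000
66:77:88:99:AA:BB,1702592000000
CC:DD:EE:FF:00:11,
"""

def parse_update_time(raw):
    """Return an aware UTC datetime, or None for a blank or non-numeric cell."""
    raw = (raw or "").strip()
    if not raw.isdigit():
        return None
    value = int(raw)
    # Assumption: values this large are epoch milliseconds, not seconds.
    if value > 10**11:
        value /= 1000
    return datetime.fromtimestamp(value, tz=timezone.utc)

def inactivity_report(csv_text, now, mac_col="MACAddress", time_col="Update Time"):
    """Return (mac, last_update, days_inactive) rows, longest-inactive first.
    Rows without a usable timestamp get None and sort to the top for review."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        seen = parse_update_time(rec.get(time_col))
        days = None if seen is None else (now - seen).days
        rows.append((rec.get(mac_col, ""), seen, days))
    rows.sort(key=lambda r: (r[2] is not None, -(r[2] or 0)))
    return rows

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed so output is repeatable
    for mac, seen, days in inactivity_report(SAMPLE_CSV, now):
        stamp = seen.isoformat() if seen else "no timestamp"
        print(f"{mac}  {stamp}  {'?' if days is None else days} days")
```

As the replies above point out, "Update Time" moves on any update ISE records for the endpoint, so the day count is time since ISE last saw anything, not time since the last authentication.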