cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3211
Views
0
Helpful
4
Replies

Report of inactive endpoints

blandrum
Cisco Employee
Cisco Employee

I have a customer who's wanting to pull a report of all of his endpoints showing how long they've been inactive.  It looks like I can see that attribute individually when looking at an endpoint, but that's not a field available when you export the endpoints.

2 Accepted Solutions

Accepted Solutions

Colby LeMaire
VIP Alumni
VIP Alumni

You can export the endpoints and there is a column for "Update Time".  That tells you the last time ISE saw anything for the endpoint.  You might have to calculate the field from a Unix timestamp to normal date/time.  Depends on your version of Excel or what you use to open the CSV file with.

View solution in original post

DHCP lease times wouldn't affect anything if you are doing IOS device sensor (as all modern installs should be doing) and you have aaa accounting new info only enabled.   Also again if you are doing IOS device sensor you really don't need to SNMP poll either (I still do as a backup).  We set our reauthentication timers to 65,000 seconds. 

View solution in original post

4 Replies 4

Colby LeMaire
VIP Alumni
VIP Alumni

You can export the endpoints and there is a column for "Update Time".  That tells you the last time ISE saw anything for the endpoint.  You might have to calculate the field from a Unix timestamp to normal date/time.  Depends on your version of Excel or what you use to open the CSV file with.

Few notes...  The inactivity time is only valid if your customer has one of two things properly configured:

 

  1. Reauthentication timers to force the devices to reauth periodically.  We have all of our wired results set a reauth timer.
  2. Periodic aaa accounting updates configured on the switch.

We do #1 on our customers and have aaa accounting only set for new info.

 

Also, if you have devices that have never authenticated (i.e. they were learned through profiling discovery) their inactive days will be always 0 making you think they are active.  It takes an authentication from a MAC address to start the inactive clock timer.

DHCP updates, SNMP polling updates, or any other profiling information changes would also change the "Update Time".  So even with a default DHCP lease time of 8 days, there would be a new DHCP request at 4 days.

I do recommend doing some sort of reauthentication timer, just not too low.  Something like every 12 hours is fine so that you can always see the endpoint information in Live Logs.

DHCP lease times wouldn't affect anything if you are doing IOS device sensor (as all modern installs should be doing) and you have aaa accounting new info only enabled.   Also again if you are doing IOS device sensor you really don't need to SNMP poll either (I still do as a backup).  We set our reauthentication timers to 65,000 seconds.