Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2513
Views
0
Helpful
4
Replies

Report of inactive endpoints

Go to solution
blandrum
Cisco Employee
Cisco Employee

‎09-23-2019 09:49 AM

I have a customer who's wanting to pull a report of all of his endpoints showing how long they've been inactive.  It looks like I can see that attribute individually when looking at an endpoint, but that's not a field available when you export the endpoints.

1 person had this problem
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Colby LeMaire
Collaborator
Collaborator

‎09-23-2019 11:21 AM

You can export the endpoints and there is a column for "Update Time".  That tells you the last time ISE saw anything for the endpoint.  You might have to calculate the field from a Unix timestamp to normal date/time.  Depends on your version of Excel or what you use to open the CSV file with.

View solution in original post

0 Helpful

Go to solution
paul
Advocate
Advocate
In response to Colby LeMaire

‎09-23-2019 12:14 PM

DHCP lease times wouldn't affect anything if you are doing IOS device sensor (as all modern installs should be doing) and you have aaa accounting new info only enabled.   Also again if you are doing IOS device sensor you really don't need to SNMP poll either (I still do as a backup).  We set our reauthentication timers to 65,000 seconds. 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Colby LeMaire
Collaborator
Collaborator

‎09-23-2019 11:21 AM

You can export the endpoints and there is a column for "Update Time".  That tells you the last time ISE saw anything for the endpoint.  You might have to calculate the field from a Unix timestamp to normal date/time.  Depends on your version of Excel or what you use to open the CSV file with.

0 Helpful

Go to solution
paul
Advocate
Advocate
In response to Colby LeMaire

‎09-23-2019 12:04 PM

Few notes...  The inactivity time is only valid if your customer has one of two things properly configured:

 

  1. Reauthentication timers to force the devices to reauth periodically.  We have all of our wired results set a reauth timer.
  2. Periodic aaa accounting updates configured on the switch.

We do #1 on our customers and have aaa accounting only set for new info.

 

Also, if you have devices that have never authenticated (i.e. they were learned through profiling discovery) their inactive days will be always 0 making you think they are active.  It takes an authentication from a MAC address to start the inactive clock timer.

0 Helpful

Go to solution
Colby LeMaire
Collaborator
Collaborator
In response to paul

‎09-23-2019 12:09 PM

DHCP updates, SNMP polling updates, or any other profiling information changes would also change the "Update Time".  So even with a default DHCP lease time of 8 days, there would be a new DHCP request at 4 days.

I do recommend doing some sort of reauthentication timer, just not too low.  Something like every 12 hours is fine so that you can always see the endpoint information in Live Logs.

0 Helpful

Go to solution
paul
Advocate
Advocate
In response to Colby LeMaire

‎09-23-2019 12:14 PM

DHCP lease times wouldn't affect anything if you are doing IOS device sensor (as all modern installs should be doing) and you have aaa accounting new info only enabled.   Also again if you are doing IOS device sensor you really don't need to SNMP poll either (I still do as a backup).  We set our reauthentication timers to 65,000 seconds. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents