02-17-2020 08:04 AM
Dear experts,
I have a Self-Registered Guest Portal with 6h duration. The users have their own identity group and the endpoints have their own endpoint identity group. I have removed both the users and the devices. I do not see them on the WLC either, but I can still see them in Context Visibility on ISE. Why? I want to remove them completely from the system as soon as they have expired. I have a Guest Account Purge Policy to delete expired accounts every day, but nothing happens. I have a purge policy for endpoints as well.
Thanks for any suggestions
02-17-2020 05:36 PM
The Guest account purge will only delete the Guest accounts from the internal ISE database. It does not affect the endpoint used by that guest, so you would rely on the Endpoint Purge policy to delete the endpoint (MAC Address).
With the Endpoint Purge Policy, you are typically using attributes such as 'ElapsedDays' or 'InactiveDays' to specify when to purge the endpoint.
Check the endpoint attributes to determine if these values are past the threshold specified in your Purge Policy. Also, check the endpoint attributes to ensure it is in the correct Endpoint Identity Group used by your Purge Policy.
There have been bugs in past versions of ISE related to aspects of the endpoint purge (endpoint purge policy itself, inactive days not incrementing, etc.). Depending on what version of ISE you are using, you could be running into a bug.
If you have confirmed the Endpoint Purge Policy is configured correctly and the endpoint's attributes exceed those thresholds, I would suggest opening a TAC case to investigate further.
Cheers,
Greg
02-17-2020 04:52 PM
How did you remove the users and devices? Your purge rules may not be configured properly or not working for some reason. If the devices are purged, they should not show up in Context Visibility.
02-21-2020 01:25 PM
If you really need the endpoints purged right away, then this has to be done manually.
Endpoint purges are resource intensive, so ISE schedules them once a day.