cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9007
Views
15
Helpful
5
Replies

ISE Best Practice for Purging Endpoints

kknuckles
Level 1
Level 1

Maybe I haven't looked long enough or deep enough through the documents and guides, but I am wondering if there is a best practice for purging endpoints in general. For my guest endpoints, I have it set to purge those endpoints every 3 days. When i look at how many endpoints I have profiled at the current time, its a very large number of devices. I'm sure there is a large number of these that are no longer connecting to our network and probably won't in the future.

 

If there isn't a current best practice, would it sound logical to purge every 180 to 190 days? We are a public school district and we have 180 instructional days. Employees and students alike are able to bring their own devices. I figure with 190 day purge, it would cover the time that employees and students are in session.

 

Thoughts, opinions?

 

Thank you for your time.

 

Kevin

5 Replies 5

Johannes Luther
Level 4
Level 4

Hi board,

I'm pushing this topic of Kevin, because I have the same question.

When we are doing guest or BYOD on the ISE, endpoint purge policies for these endpoints are automatically created.

What about the other endpoints, like 802.1X endpoints or MAC addresses, which hits the CWA guest portal but never got authenticated (meaning they will be eventually in the "unknown" identity group. I assume these EPs are never removed from the system. After half a year of running the ISE in a 802.1X and guest environment, I already collected ~13.000 total known endpoints.

The 802.1X endpoints and clients accessing the guest SSID without actually authenticating at the sponsored guest portal are typically assigned to the "unknown" EP identity group.

How did you guys solve this? Did you deploy an custom purging rule like:

If ["endpoint identity group" is "unknown"] and [inactive days is greater than 60 days]

Or do the most of you just don't care and let the total endpoints known by the ISE just grow over the next few years (until it crashes?!)

Perhaps someone has good thoughts on this!

Cheers

Johannes

I am also toying with this purging of 'Unknown' endpoints. It would appear no one has any best practices on setting this up.

Seems like there should be a default policy to clear out old identities. Some endpoints in our "Unknown" have Inactive Days of 0, but pretty sure they  just never completed the Guest portal process.

In a big customer deployment I use:

if "any" and inactivedays > 90 days then purge

I don't care about any identity group in this deployment. So I covered "unknown" and the "profiled" folder and client that no longer exist due to normal client lifecycle.

It works quite good so far.

Regarding the "inactivedays" = 0 counter of dporod:

This is totally normal. The WLAN controller sends RADIUS accounting start messages independent of the CWA state. So even clients that have not passed the guest portal (CWA) page are accounted.

I also realized, that even "non-ISE" SSIDs (e.g. PSK) have RADIUS accounting enabled by default. So these clients are also in the ISE database, although they have nothing to do with the ISE deployment.

Some of my endpoints have inactive timers larger than 90 days because they are just quiet. I have always thought that I would need to implement a periodic reauthentication timer to use "inactivedays" as purging criteria. Do you use periodic reauthentication for everything?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: