261 Views · 0 Helpful · 1 Replies

Endpoints with failure 22056 clogging database

Josh Morris
Level 3

ISE v3.1p3

I am getting thousands of endpoints clogging my context visibility. They have little-to-no attribute information and mostly seem to fail with 22056 Subject not found in the applicable identity store(s). I have purge policies in place, but I'm not able to capture all these for some reason. And funny enough, many of these (potentially bogus) MAC addresses appear to be coming from the same switchport. I have investigated the endpoints connected on this switchport and I don't see anything fishy there. No hubs, no container or virtualization software, no apparent foul play.

Is there another way I should be dealing with these beside regular observation, manual removal, and trying to optimize endpoint purge rules?

Edit: Here is my authentication policy for this. It's very simple, but I wonder if I should DROP instead of REJECT if User not found? Would this keep the endpoint from showing up in the CV?

[Image attachment: JoshMorris_0-1693237575435.png (screenshot of the authentication policy)]

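Before reaching for purge rules, it helps to measure the problem: which switchports are producing the 22056 failures, how many distinct MACs each one has generated, and whether those MACs even look like burned-in hardware addresses. The script below is an added example, not part of the original post or of ISE itself. It parses constructed log lines written in the key=value style of ISE failed-attempt syslog (the line prefixes, field names and MAC/port values are made up for the example), groups 22056 failures by NAS and port, and flags ports whose distinct-MAC count reaches a threshold. As an extra heuristic it counts MACs with the locally-administered bit set (bit 1 of the first octet), which is one quick way to spot addresses that were generated rather than assigned by a vendor.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of ISE failed-attempt syslog.
# These are NOT real ISE output; the field names mirror the RADIUS attributes
# ISE reports, and every MAC, IP and port value here is made up.
SAMPLE_LOG = """\
CISE_Failed_Attempts Calling-Station-ID=3A-11-22-33-44-55, NAS-IP-Address=10.0.0.2, NAS-Port-Id=GigabitEthernet1/0/7, FailureReason=22056 Subject not found in the applicable identity store(s)
CISE_Failed_Attempts Calling-Station-ID=3A-11-22-33-44-56, NAS-IP-Address=10.0.0.2, NAS-Port-Id=GigabitEthernet1/0/7, FailureReason=22056 Subject not found in the applicable identity store(s)
CISE_Failed_Attempts Calling-Station-ID=3A-11-22-33-44-57, NAS-IP-Address=10.0.0.2, NAS-Port-Id=GigabitEthernet1/0/7, FailureReason=22056 Subject not found in the applicable identity store(s)
CISE_Failed_Attempts Calling-Station-ID=00-1A-2B-3C-4D-5E, NAS-IP-Address=10.0.0.2, NAS-Port-Id=GigabitEthernet1/0/3, FailureReason=22056 Subject not found in the applicable identity store(s)
CISE_Failed_Attempts Calling-Station-ID=00-1A-2B-3C-4D-5F, NAS-IP-Address=10.0.0.3, NAS-Port-Id=GigabitEthernet1/0/3, FailureReason=22040 Wrong password or invalid shared secret
CISE_Passed_Authentications Calling-Station-ID=00-1A-2B-3C-4D-60, NAS-IP-Address=10.0.0.2, NAS-Port-Id=GigabitEthernet1/0/7
"""

# One key=value pair; values run to the next comma (the 22056 text has none).
FIELD_RE = re.compile(r"([A-Za-z-]+)=([^,]+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict (empty if none)."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def is_locally_administered(mac):
    """True if bit 1 of the first octet is set, i.e. the MAC is not a vendor-assigned (OUI) address."""
    first_octet = int(re.split(r"[-:]", mac)[0], 16)
    return bool(first_octet & 0x02)


def group_22056_by_port(log_text):
    """Map (NAS IP, NAS port) -> set of distinct MACs that failed with reason 22056."""
    by_port = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec.get("FailureReason", "").startswith("22056"):
            continue  # passed auths and other failure codes are not what we are counting
        key = (rec["NAS-IP-Address"], rec["NAS-Port-Id"])
        by_port[key].add(rec["Calling-Station-ID"].upper())
    return by_port


def noisy_ports(log_text, threshold=3):
    """Ports whose distinct 22056 MAC count reaches the threshold, with how many look locally administered."""
    report = []
    for (nas, port), macs in group_22056_by_port(log_text).items():
        if len(macs) >= threshold:
            report.append({
                "nas": nas,
                "port": port,
                "distinct_macs": len(macs),
                "locally_administered": sum(is_locally_administered(m) for m in macs),
            })
    return sorted(report, key=lambda r: -r["distinct_macs"])


if __name__ == "__main__":
    for entry in noisy_ports(SAMPLE_LOG):
        print(f"{entry['nas']} {entry['port']}: {entry['distinct_macs']} distinct MACs with 22056, "
              f"{entry['locally_administered']} locally administered")
```

Run against a real export, a port that shows up here with a high distinct-MAC count and a high locally-administered share is the one to inspect physically (or via the switch's MAC address table) before tuning purge policies; the threshold is an assumption to adjust for your environment.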

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

Hi @Josh Morris 

Strangely enough, I have seen the same thing in ISE 3.1 p3 (as it happens). But that might just be a coincidence.

I saw hundreds of bogus MAC addresses learned from a single port and when I investigated the port, there was just a phone connected. Since I was not involved in the day-to-day operations of the network, I could only guess what happened. I purged the endpoints and will see if it re-occurs.

I would not change your MAB policy to Reject/Drop if not found. That breaks MAB, because you must fail through to Authorization to allow new Endpoints to be Authorized (if an applicable Rule is matched). In Monitor Mode and Low Impact Mode you would never fail anything in the Authorization phase - you have to handle all endpoints.
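To make the fail-through argument concrete, here is an added example (not code from the original thread or from ISE) that models the MAB flow as a small policy evaluator: an identity-store lookup against the Internal Endpoints list, then the "If User not found" option (Continue, Reject or Drop, which are the three choices ISE offers), then an ordered list of authorization rules with a default profile. The rule names, the `Printer_Access` profile and the endpoint context fields are assumptions for the example; `PermitAccess` and `DenyAccess` are the standard ISE profile names. It shows that with Reject or Drop an unknown MAC never reaches authorization, while with Continue it does and can still be placed by a rule or by a Monitor Mode style PermitAccess default.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# The three "If User not found" choices in an ISE authentication policy.
CONTINUE, REJECT, DROP = "CONTINUE", "REJECT", "DROP"


@dataclass
class AuthzRule:
    name: str                          # hypothetical rule name
    matches: Callable[[dict], bool]    # condition evaluated against the endpoint context
    profile: str                       # authorization profile, e.g. PermitAccess, DenyAccess, Printer_Access


@dataclass
class MabPolicy:
    if_user_not_found: str = CONTINUE
    authz_rules: List[AuthzRule] = field(default_factory=list)
    default_profile: str = "DenyAccess"  # closed mode; Monitor Mode would use PermitAccess


def evaluate_mab(mac: str, internal_endpoints: Set[str], policy: MabPolicy,
                 context: Optional[dict] = None) -> Tuple[str, str]:
    """Model the MAB flow: identity-store lookup, the not-found option, then authorization.

    Returns (result, detail) with result one of ACCESS-ACCEPT, ACCESS-REJECT or DROP.
    """
    ctx = {"mac": mac, "known": mac in internal_endpoints, **(context or {})}

    if not ctx["known"]:
        # This is the 22056 "Subject not found in the applicable identity store(s)" case.
        if policy.if_user_not_found == REJECT:
            return ("ACCESS-REJECT", "22056 Subject not found; policy set to Reject")
        if policy.if_user_not_found == DROP:
            return ("DROP", "22056 Subject not found; policy set to Drop (no RADIUS reply)")
        # CONTINUE: fall through so an authorization rule can still place the endpoint.

    for rule in policy.authz_rules:          # first matching rule wins, as in ISE
        if rule.matches(ctx):
            result = "ACCESS-REJECT" if rule.profile == "DenyAccess" else "ACCESS-ACCEPT"
            return (result, f"{rule.name} -> {rule.profile}")

    if policy.default_profile == "DenyAccess":
        return ("ACCESS-REJECT", "default rule -> DenyAccess")
    return ("ACCESS-ACCEPT", f"default rule -> {policy.default_profile}")


def compare_policies(mac: str, internal_endpoints: Set[str], rules: List[AuthzRule],
                     default_profile: str) -> Dict[str, str]:
    """Outcome of the same request under each of the three not-found options."""
    return {
        mode: evaluate_mab(mac, internal_endpoints, MabPolicy(mode, rules, default_profile))[0]
        for mode in (CONTINUE, REJECT, DROP)
    }


if __name__ == "__main__":
    known = {"00-1A-2B-3C-4D-5E"}              # constructed Internal Endpoints entry
    new_mac = "3A-11-22-33-44-55"               # constructed, not yet in any store
    print("Monitor Mode (default PermitAccess):", compare_policies(new_mac, known, [], "PermitAccess"))
    print("Closed mode (default DenyAccess):  ", compare_policies(new_mac, known, [], "DenyAccess"))
    printers = [AuthzRule("Printers", lambda c: c.get("profile") == "Printer", "Printer_Access")]
    print("New printer under Continue:", evaluate_mab(new_mac, known, MabPolicy(CONTINUE, printers),
                                                       {"profile": "Printer"}))
```

The closed-mode row is the instructive one: even there, Continue still lets a profiled printer match its rule, whereas Reject and Drop stop the request before any rule is consulted, which is why changing the option does not reduce noise so much as break onboarding.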
