Purge/Inactive Days Idea of Purging

paul
Level 10

All,

The attached picture is of an endpoint in my customer's system. You can see that the endpoint has been in there for 600+ days but the inactive days is 0. There is no selected authorization profile, so most likely this device has never authenticated against ISE. I am guessing the device needs to authenticate at least once before the Inactive Days counter actually works.

We think these devices got into the system at some point because their guest wireless SSID, which doesn't use ISE, had accounting enabled using the global accounting servers, of which ISE was one. The Endpoint Source says FeedService, which I am not sure how that can be a source.

We are trying to figure out how to purge these out of the system since the Inactive Days counter isn't working. He has 100K+ devices like this and wants to get rid of them.

I think ultimately he is just going to have to purge everything based on a profiling group and let legitimate stuff get relearned.

Thoughts?

ISE Image.png

Accepted Solution

I believe profile updates should also update activity, but there are some purge-related defects which may explain your issue:

  • CSCuz76370 Purging of EP's dependency is on Oracle to determine EP Owner
  • CSCvc05024 Endpoint purge going to infinite loop.
  • CSCuz44971 ISE 1.3 Inconsistent Endpoint inactivity timer causing purge issues
  • CSCux50138 ISE1.3 not reset the inactivity timer receiving acc update

Craig


3 Replies

hslai
Cisco Employee

You are correct that InActiveDays needs at least one RADIUS auth. ISE endpoint purge policy can also be based on ElapsedDays. Is that not working?

FeedService as the source is likely because the last change was an update via the endpoint profiling feed.

If the percentage is high (> 75%), then it seems easier to purge everything and re-learn.

The issue with using Elapsed Days is that I have legitimate MAC addresses in the system in whitelists that would get purged if I am not careful. I know I can set up do-not-purge rules as well, but it seems like it would be a simple coding change to track InActiveDays regardless of whether authentication has occurred or not. There must be a field in the DB to track when the endpoint was first learned, which is how the ElapsedDays is being calculated. If so, then it seems like it would be an easy if statement:

If

End If

That way InactiveDays would always be a reliable purge field to keep the database clean.

I have floated the idea past the customer to just purge everything and relearn, but they are hesitant to do that.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250
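A toy model of the two purge conditions discussed in hslai's reply and in Paul's proposal above, as an added example that is not Cisco ISE code and not part of the original thread. It computes ElapsedDays, the InactiveDays counter as the thread observes it (stuck at 0 for endpoints that never authenticated), and the proposed variant that falls back to the first-learned timestamp, then runs a purge selection with a do-not-purge whitelist. The field names, the fixed "now", the sample MAC addresses and the whitelist are all constructed for illustration and do not reflect ISE's schema or the customer's data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Set


@dataclass(frozen=True)
class Endpoint:
    """Constructed endpoint record; field names are assumptions, not ISE's."""
    mac: str
    first_seen: datetime              # when the endpoint was first learned
    last_activity: Optional[datetime]  # last RADIUS auth/accounting, None if never
    source: str                        # e.g. "RADIUS Probe" or "FeedService"


NOW = datetime(2017, 3, 1)  # fixed reference time so the results are reproducible


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample inventory (not data from any real deployment).
SAMPLE_ENDPOINTS: List[Endpoint] = [
    Endpoint("00:11:22:33:44:01", days_ago(650), None, "FeedService"),           # never authenticated
    Endpoint("00:11:22:33:44:02", days_ago(400), days_ago(10), "RADIUS Probe"),  # old but active
    Endpoint("00:11:22:33:44:03", days_ago(700), None, "FeedService"),           # whitelisted device
    Endpoint("00:11:22:33:44:04", days_ago(20), None, "FeedService"),            # learned recently
]
DO_NOT_PURGE: Set[str] = {"00:11:22:33:44:03"}  # the "legitimate MAC" whitelist concern


def elapsed_days(ep: Endpoint, now: datetime = NOW) -> int:
    """Days since the endpoint was first learned."""
    return (now - ep.first_seen).days


def inactive_days_observed(ep: Endpoint, now: datetime = NOW) -> int:
    """Counter as described in the thread: stays at 0 until a RADIUS auth happened."""
    if ep.last_activity is None:
        return 0
    return (now - ep.last_activity).days


def inactive_days_proposed(ep: Endpoint, now: datetime = NOW) -> int:
    """Paul's suggestion: if never authenticated, count inactivity from first_seen."""
    ref = ep.last_activity if ep.last_activity is not None else ep.first_seen
    return (now - ref).days


def purge_candidates(
    endpoints: List[Endpoint],
    *,
    limit_days: int,
    metric: Callable[[Endpoint, datetime], int],
    do_not_purge: Set[str] = frozenset(),
    now: datetime = NOW,
) -> List[str]:
    """MACs whose metric exceeds limit_days, skipping the do-not-purge set."""
    return sorted(
        ep.mac for ep in endpoints
        if ep.mac not in do_not_purge and metric(ep, now) > limit_days
    )


if __name__ == "__main__":
    for name, metric in [("ElapsedDays", elapsed_days),
                         ("InactiveDays (observed)", inactive_days_observed),
                         ("InactiveDays (proposed)", inactive_days_proposed)]:
        print(name, "->", purge_candidates(SAMPLE_ENDPOINTS, limit_days=30,
                                           metric=metric, do_not_purge=DO_NOT_PURGE))
```

Run as a script, the three policies show the trade-off the thread describes: an ElapsedDays rule with a 30-day limit also removes the old-but-active endpoint, the observed InactiveDays counter purges nothing because every never-authenticated endpoint sits at 0, and the proposed fallback purges only the stale FeedService entry while the whitelist keeps the legitimate device.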
