05-25-2017 01:29 PM
All,
The attached picture is of an endpoint in my customer's system. You can see that the endpoint has been in there for 600+ days, but the Inactive Days counter is 0. There is no selected authorization profile, so most likely this device has never authenticated against ISE. I am guessing the device needs to authenticate at least once before the Inactive Days counter actually works.
We think these devices got into the system at some point because their guest wireless SSID, which doesn't use ISE, had accounting enabled using the global accounting servers, of which ISE was one. The endpoint source says FeedService, and I am not sure how that can be a source.
We are trying to figure out how to purge these out of the systems since the Inactive Days counter isn't working. He has 100K+ devices like this and wants to get rid of them.
I think ultimately he is just going to have to purge everything based on a profiling group and let legitimate stuff get relearned.
Thoughts?
05-30-2017 12:28 PM
I believe profile updates should also update activity, but there are some purge related defects which may explain your issue:
Craig
05-28-2017 10:01 AM
You are correct that InActiveDays needs at least one RADIUS auth. ISE endpoint purge policy can also be based on ElapsedDays. Is that not working?
FeedService as the source is likely because the last change was an update via the endpoint profiling feed.
If the percentage is high (> 75%), then it seems easier to purge everything and re-learn.
05-29-2017 01:30 PM
The issue with using Elapsed Days is that I have legitimate MAC addresses in the system in whitelists that would get purged if I am not careful. I know I can set up do-not-purge rules as well, but it seems like it would be a simple coding change to track InActiveDays regardless of whether authentication has occurred or not. There must be a field in the DB to track when the endpoint was first learned, which is how ElapsedDays is being calculated. If so, then it seems like it would be an easy if statement:
If
End If
That way InactiveDays would always be a reliable purge field to keep the database clean.
I have floated the idea past the customer to just purge everything and relearn, but they are hesitant to do that.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
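As an added illustration of the purge logic debated above (example code written for this edit, not from the poster and not Cisco ISE's own implementation), the script below dry-runs three purge policies over a constructed set of endpoint records: ISE's InactiveDays as described in the thread (stuck at 0 until a RADIUS auth has happened), an ElapsedDays rule layered on top of it, and the proposed InactiveDays that falls back to the last profile update or the first-learned time. The record field names, MAC addresses and thresholds are assumptions for this example, not ISE's schema or defaults.

```python
from datetime import datetime, timedelta

# Reference time for the constructed sample (the date of the post above).
NOW = datetime(2017, 5, 29, 13, 30)


def days_ago(n):
    return NOW - timedelta(days=n)


# Constructed endpoint records. Field names are assumptions for this example,
# not ISE's database schema or its endpoint export format.
ENDPOINTS = [
    # Learned from guest-SSID accounting 640 days ago, never authenticated,
    # never touched since: the case described in the thread.
    {"mac": "00:11:22:33:44:01", "first_learned": days_ago(640),
     "last_radius_auth": None, "last_profile_update": None, "whitelisted": False},
    # Same age, never authenticated, but the profiler feed updated it last week.
    {"mac": "00:11:22:33:44:02", "first_learned": days_ago(640),
     "last_radius_auth": None, "last_profile_update": days_ago(7), "whitelisted": False},
    # Old whitelisted printer: no RADIUS auth ever, seen by the profiler recently.
    {"mac": "00:11:22:33:44:03", "first_learned": days_ago(500),
     "last_radius_auth": None, "last_profile_update": days_ago(3), "whitelisted": True},
    # Legitimate device that authenticated yesterday.
    {"mac": "00:11:22:33:44:04", "first_learned": days_ago(400),
     "last_radius_auth": days_ago(1), "last_profile_update": days_ago(1), "whitelisted": False},
    # Authenticated once long ago, nothing since.
    {"mac": "00:11:22:33:44:05", "first_learned": days_ago(200),
     "last_radius_auth": days_ago(180), "last_profile_update": None, "whitelisted": False},
]


def elapsed_days(ep, now=NOW):
    """Days since the endpoint was first learned (ElapsedDays as the thread describes it)."""
    return (now - ep["first_learned"]).days


def ise_style_inactive_days(ep, now=NOW):
    """InactiveDays as the thread describes ISE's behaviour: 0 until the endpoint has
    authenticated at least once, then days since the last RADIUS auth."""
    if ep["last_radius_auth"] is None:
        return 0
    return (now - ep["last_radius_auth"]).days


def proposed_inactive_days(ep, now=NOW):
    """The change suggested in the post above: measure inactivity from the most recent
    activity of any kind, falling back to the first-learned timestamp, so the counter
    is never stuck at 0 just because the endpoint never authenticated."""
    candidates = [t for t in (ep["last_radius_auth"], ep["last_profile_update"],
                              ep["first_learned"]) if t is not None]
    return (now - max(candidates)).days


def purge_plan(endpoints, inactive_fn, inactive_threshold=90, elapsed_threshold=None,
               honor_whitelist=True, now=NOW):
    """Dry run of a purge policy. Returns {mac: reason} for every endpoint that would be
    removed. Whitelisted endpoints are exempt when honor_whitelist is set (modelling a
    do-not-purge rule); elapsed_threshold=None disables the ElapsedDays rule."""
    plan = {}
    for ep in endpoints:
        if honor_whitelist and ep["whitelisted"]:
            continue
        if inactive_fn(ep, now) >= inactive_threshold:
            plan[ep["mac"]] = "inactive"
        elif elapsed_threshold is not None and elapsed_days(ep, now) >= elapsed_threshold:
            plan[ep["mac"]] = "elapsed"
    return plan


if __name__ == "__main__":
    print("ISE-style inactive only:", purge_plan(ENDPOINTS, ise_style_inactive_days))
    print("ISE-style inactive + elapsed 365:",
          purge_plan(ENDPOINTS, ise_style_inactive_days, elapsed_threshold=365))
    print("Proposed inactive only:", purge_plan(ENDPOINTS, proposed_inactive_days))
```

Running it shows the trade-off from the thread: the ISE-style counter never purges the 640-day-old guest endpoints, adding an ElapsedDays rule removes them but also sweeps up the device that authenticated yesterday (and the whitelisted printer, if no do-not-purge rule covers it), while the proposed counter removes only the endpoints with no activity of any kind.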