Best Practices

Cisco ISE Loves The Purge

One of the first things you see when you log in to Cisco ISE is the dashboard containing the organization's Total Endpoints and Active Endpoints.

Figure 1: Cisco ISE Dashboard - Total Endpoints vs Active Endpoints

If your ISE dashboard shows more than 10X as many total endpoints in the database as active endpoints, there is a good chance you never configured ISE Endpoint Purge Rules. It is also very possible that you are seeing degraded performance as a result of the extra devices: profiling activity, RADIUS authentications (e.g. any authorization rule whose conditions match profiled endpoints), and even Context Visibility all query that oversized endpoint database.

Many organizations refresh laptops, workstations, phones, and other devices every few years. Without endpoint purge rules, ISE will never forget about those retired devices.

You can define the endpoint purge policy by configuring rules, based on identity groups and other conditions. In the Cisco ISE GUI, click the Menu icon and choose Administration > Identity Management > Settings > Endpoint Purge.

Figure 2: ISE Endpoint Purge Default Settings

The default rules will take care of deleting guest and registered devices that are older than 30 days. The purge job runs at 3:00 a.m. every day based on the time zone configured in the primary PAN. The endpoint purge schedule is enabled by default. 

The Purge of Old Endpoints

Unless you are in Higher Education (a college or university), where students are gone with their devices for X days of summer, anything that hasn't connected to the wired, wireless, or VPN networks in over 90 days is most likely not coming back. Either way, endpoint purge rules allow an organization to decide when to "age out" inactive devices.

To configure an endpoint purge rule that will delete endpoints that haven't been active in over 90 days:

  1. Add a new rule below the existing rules.
  2. Add a condition to match Any endpoint with InactiveDays greater than 90.
  3. Click Save in the bottom right of the screen.

Figure 3: Adding an Endpoint Purge Rule

Note: If a device gets purged and then returns to the network, ISE will add it back and perform AAA, Profiling, etc., just like the first time the device connected.

Additional ISE Endpoint Purge Settings

From the ISE 3.1 Admin Guide:

You can schedule an endpoint purge job.

Endpoint purge deletes over five thousand endpoints every 3 minutes.

  • InactivityDays — Number of days since last profiling activity or update on endpoint
    • This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in your deployment as they are no longer active on a network or not likely to be seen in the near future. If they do happen to connect again, then they will be rediscovered, profiled, registered, etc. as needed.
    • When there are updates from an endpoint, InactivityDays will be reset to 0 only if profiling is enabled. 
  • ElapsedDays — Number of days since the object was created.
    • This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered. 
  • PurgeDate — Date to purge the endpoint.
    • This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at the same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for a specific week or month rather than an absolute day, week, or month. 
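To see how these three conditions interact before changing a production deployment, here is an added example (not Cisco's code and not from the original post) that evaluates a rule set like the one built above, the 90-day inactivity rule alongside the default 30-day guest rule and a PurgeDate rule, against constructed endpoint records; the Endpoint and PurgeRule classes, their field names and the sample MACs and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class Endpoint:           # constructed record, not an ISE export
    mac: str
    group: str
    created: date         # drives ElapsedDays
    last_update: date     # last profiling update; drives InactivityDays
@dataclass
class PurgeRule:          # group None means "Any"; unset conditions are skipped
    name: str
    group: Optional[str] = None
    inactivity_days_gt: Optional[int] = None
    elapsed_days_gt: Optional[int] = None
    purge_date: Optional[date] = None   # absolute date on/after which the rule fires

def rule_matches(rule, ep, today):
    if rule.group is not None and ep.group != rule.group:
        return False
    checks = []
    if rule.inactivity_days_gt is not None:
        checks.append((today - ep.last_update).days > rule.inactivity_days_gt)
    if rule.elapsed_days_gt is not None:
        checks.append((today - ep.created).days > rule.elapsed_days_gt)
    if rule.purge_date is not None:
        checks.append(today >= rule.purge_date)
    return bool(checks) and all(checks)   # a rule with no condition deletes nothing

def plan_purge(endpoints, rules, today):
    """Map each MAC to the first rule that would delete it; unmatched MACs stay."""
    plan = {}
    for ep in endpoints:
        for rule in rules:
            if rule_matches(rule, ep, today):
                plan[ep.mac] = rule.name
                break
    return plan

TODAY = date(2024, 6, 1)  # fixed "today" so the constructed sample is reproducible
ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "Workstation", date(2021, 1, 10), date(2021, 2, 1)),  # retired
    Endpoint("00:11:22:33:44:02", "Workstation", date(2024, 1, 5), date(2024, 5, 30)),  # active
    Endpoint("00:11:22:33:44:03", "GuestEndpoints", date(2024, 4, 1), date(2024, 5, 31)),
    Endpoint("00:11:22:33:44:04", "TradeShow", date(2024, 5, 20), date(2024, 5, 22)),
]
RULES = [
    PurgeRule("Guests older than 30 days", group="GuestEndpoints", elapsed_days_gt=30),
    PurgeRule("Trade show cleanup", group="TradeShow", purge_date=date(2024, 5, 25)),
    PurgeRule("Inactive over 90 days", inactivity_days_gt=90),  # the rule added above
]
```

Running `plan_purge(ENDPOINTS, RULES, TODAY)` reports the retired workstation, the 61-day-old guest and the trade show device as purge candidates while the active workstation is kept, which is the dry run worth doing on an endpoint export before the 3:00 a.m. job deletes anything.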

ModernCyber's Cisco ISE Health Check Assessment

Along with checking endpoint purge settings, ModernCyber's Health Check Assessment of the Cisco Identity Services Engine (ISE) deployed within the customer's IT organization gives you an independent review of your deployment. In short, the health check service provides a comprehensive review of the overall health, stability, and scalability of the Cisco ISE deployment's configuration and architecture. The intent is to identify areas for improvement or possible challenges, whether they exist today or may arise in the future, and to document the areas that could be improved and the gaps that need to be addressed. Ideally, the results of the health check provide data points and tasks that aid in developing a road map to strengthen, optimize, and/or remediate the Cisco ISE deployment within the customer's enterprise network.

Schedule some time to speak with one of our ISE experts.
