Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Cluster-Wide Parameters - Cleanup Interval

  • 1.  Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Apr 26, 2018 09:35 AM

    Hi there,


    I'm trying to understand the configuration we need to apply from the 'Cluster-Wide Parameters' section of ClearPass to keep our Endpoint database in check so we automatically purge nodes on a regular basis.


    We currently offer BYOD Wireless connectivity for all internal employees, limiting their allowed devices to a maximum of 2. As time has progressed and people's Wireless devices are naturally upgraded/replaced, we've found that users are unable to connect to the SSID due to their device limit being reached. Obviously I can manually delete entries, but this is quite a cumbersome process. Going forward I believe I can modify the parameters in the Cleanup Intervals tab to remove devices that have previously connected but have shown no activity in the last 60 days, but I'm just seeking a little clarification on the configuration that is available:


    Maximum inactive time for an endpoint - Currently set to 0 days - Enable and set to 60 days - Do I need to enable any other options in line with this? Also, if I set this value, I'm assuming it works from the 'Updated At' date of the endpoint?


    Known endpoints cleanup interval - Currently set to 0 days - Do I need to set this to a value, or if I do, will it remove accounts irrespective of their activity timelines, so it has the potential to remove devices that are still being used?


    Profiled Known endpoints cleanup option - Currently Disabled - Set to Enable - Do I need to enable this to work with the inactive time interval specified above?


    Thanks,


    Daniel



  • 2.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    EMPLOYEE
    Posted Apr 26, 2018 10:02 AM
    Once their certificates expire, they will no longer be valid. You can also change the retention values for the CA.


  • 3.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Apr 26, 2018 10:14 AM

    This is just for the endpoint entry - so the MAC and associated attributes. There is no certificate information included as far as I'm aware.



  • 4.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted May 01, 2018 10:29 AM

    I am also curious about these settings. If I just have the "Maximum inactive time for an endpoint" set to 30 days, devices that haven't been on the network for over 2 years are still in the endpoints repository. If I set a number (7) for the "Known endpoints cleanup interval", it wipes out all devices, not just those that have been inactive for 30 days. That's a problem for us since we have a lot of endpoints added with specific attributes that are not replaced when they reconnect to the network on their own.



  • 5.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Aug 06, 2018 09:31 AM

    Have you ever resolved this? 


    I as well have the Maximum inactive time for an endpoint defined at 31 days and have inactive known/unknown guest endpoints sitting out there several months past their expiry point.


    I would think this setting should take precedence over the other cleanup intervals, but that doesn't seem to be the case?


    Thanks,



  • 6.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    EMPLOYEE
    Posted Aug 06, 2018 10:52 AM

    [screenshot: communitry.PNG]

    If you want to delete only inactive endpoints, use the "Maximum inactive time for an endpoint" option and set the other cleanup intervals to zero; ClearPass will then delete only inactive endpoints.




  • 7.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Aug 06, 2018 11:22 AM

    I guess I am not sure I understand the other endpoints you're suggesting. This is how it is set, and as you can see I have also included an endpoint which is several months old, has not been active, and should have been removed.

    [screenshots: Capture.JPG, Untitled.png]
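As an added illustration, not code from this thread or from HPE, the script below applies the two cleanup rules the thread discusses (posts 4 and 6) to a constructed endpoint export before anyone touches the cluster-wide parameters. It assumes, as the original poster does, that inactivity is measured from the endpoint's 'Updated At' timestamp, and it models the 'Known endpoints cleanup interval' the way post 4 reports it behaving: every Known endpoint older than the interval is removed, active or not. The export format, MAC addresses and timestamps are all constructed for the example.

```python
"""Dry-run two ClearPass endpoint cleanup settings against an exported list.

Added example; not HPE code. Assumptions (labelled, not from documentation):
  * "Maximum inactive time for an endpoint" removes endpoints whose
    'Updated At' is older than N days (N = 0 disables it).
  * "Known endpoints cleanup interval" removes every Known endpoint older
    than the interval regardless of activity, as post 4 in the thread reports.
"""
import csv
import io
from datetime import datetime

# Constructed sample export (not real data). Columns mirror the fields the
# thread talks about: MAC, endpoint status, and the 'Updated At' timestamp.
SAMPLE_EXPORT = """\
mac_address,status,updated_at
00-11-22-33-44-AA,Known,2018-08-01 09:15:00
00-11-22-33-44-BB,Known,2018-05-01 17:40:00
00-11-22-33-44-CC,Unknown,2018-03-01 12:00:00
00-11-22-33-44-DD,Known,2018-07-20 08:05:00
"""

# Fixed reference time so the dry run is reproducible (constructed).
NOW = datetime(2018, 8, 6, 10, 0, 0)


def parse_export(text):
    """Turn the CSV export into dicts with a parsed 'updated_at' datetime."""
    endpoints = []
    for row in csv.DictReader(io.StringIO(text)):
        endpoints.append({
            "mac": row["mac_address"].lower(),
            "status": row["status"],
            "updated_at": datetime.strptime(row["updated_at"], "%Y-%m-%d %H:%M:%S"),
        })
    return endpoints


def days_inactive(endpoint, now=NOW):
    """Whole days since the endpoint record was last updated."""
    return (now - endpoint["updated_at"]).days


def inactive_endpoints(endpoints, max_inactive_days, now=NOW):
    """MACs the inactivity purge would remove; 0 disables the setting."""
    if max_inactive_days <= 0:
        return []
    return sorted(e["mac"] for e in endpoints
                  if days_inactive(e, now) > max_inactive_days)


def known_cleanup_endpoints(endpoints, cleanup_interval_days, now=NOW):
    """MACs the known-endpoints interval would remove under the reported
    behaviour: any Known endpoint older than the interval; 0 disables it."""
    if cleanup_interval_days <= 0:
        return []
    return sorted(e["mac"] for e in endpoints
                  if e["status"] == "Known"
                  and days_inactive(e, now) > cleanup_interval_days)


def purge_plan(endpoints, max_inactive_days, known_cleanup_days, now=NOW):
    """Combine both rules and flag collateral removals: endpoints the
    inactivity rule would keep but the interval rule would still delete."""
    inactive = set(inactive_endpoints(endpoints, max_inactive_days, now))
    known = set(known_cleanup_endpoints(endpoints, known_cleanup_days, now))
    return {
        "removed": sorted(inactive | known),
        "still_active_but_removed": sorted(known - inactive),
    }


if __name__ == "__main__":
    eps = parse_export(SAMPLE_EXPORT)
    print("Inactivity 60 days, interval 0 (post 6 advice):",
          purge_plan(eps, 60, 0))
    print("Inactivity 60 days, interval 7 (post 4 setup):  ",
          purge_plan(eps, 60, 7))
```

Running it on the constructed data shows the difference the thread is about: with only the 60-day inactivity rule enabled, the two stale records are removed and the recently updated ones stay, while adding a 7-day known-endpoints interval also deletes a Known endpoint that was updated 17 days ago and is still in use. Run the same dry run on a real export (the 'Updated At' column of the Endpoints repository) to see what each setting would purge before enabling it.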