Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Delete endpoints not updated in the last 14 days

  • 1.  Delete endpoints not updated in the last 14 days

    Posted Nov 04, 2013 05:37 AM

    Hi,

    We'd like to delete endpoints that are not updated in the last 14 days from the Policy Manager Endpoint Database.

    Can this be managed by setting the "Known endpoints cleanup interval" and "Unknown endpoints cleanup interval" settings to 14 days?

    The documentation does not explain if endpoints are deleted every 14 days or if only endpoints not updated for 14 days are deleted. Is this done daily, weekly or only at every configured amount of days?

    (On ClearPass Policy Manager 6.2.2)

    Regards,

    Erik



  • 2.  RE: Delete endpoints not updated in the last 14 days



  • 3.  RE: Delete endpoints not updated in the last 14 days

    Posted Nov 04, 2013 08:30 AM

    Sorry, no, that doesn't give a clue.

    My question was regarding the Policy Manager Endpoint database. Once a guest has authenticated on the guest captive portal an entry will be created in the Policy Manager Endpoint database. These entries stay there forever. When we limit a user to only use 2 devices and that user brings in another device, 6 months later, access is denied because of the device limit.

    We only allow MAC authentication for guests for 1 day, so after 1 day the endpoint entry could already be removed.

    So my question was: how can I configure Policy Manager to delete entries from the Endpoint database that have not been used for 14 days (or so)?

    Regards,

    Erik



  • 4.  RE: Delete endpoints not updated in the last 14 days

    EMPLOYEE
    Posted Nov 04, 2013 08:50 AM

    Can you paste your enforcement policy for the Guest with MAC caching service?



  • 5.  RE: Delete endpoints not updated in the last 14 days

    Posted Nov 04, 2013 09:04 AM

    Hi,

    Yes, this is what we output when authenticating:

    Bandwidth-Check:Allowed-Limit         = 0
    Bandwidth-Check:Check-Type            = Today
    Bandwidth-Check:Limit-Units           = MB
    Endpoint:Guest Role ID                = 2
    Endpoint:Username                     = ....@.....com
    Expire-Time-Update:GuestUser          = 0
    Expiry-Check:Expiry-Action            = 4
    Post-Auth-Check:Action                = Disconnect
    Radius:IETF:Session-Timeout           = 1200599
    Session-Check:Active-Session-Count    = 2
    Status-Update:Endpoint                = Known

     

    And this is the enforcement policy:

    Enforcement Policy Details
    Description:                Limits guests to maximum n device for MAC caching purposes
    Default Profile:            [Allow Access Profile]
    Rules Evaluation Algorithm: first-applicable

    Rule 1
      Condition:            Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 2
      Enforcement Profiles: [Deny Access Profile]
    Rule 2
      Condition:            Date:Day-of-Week BELONGS_TO Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday
      Enforcement Profiles: Wireless Guest Session Timeout, Wireless Guest Bandwidth Limit, Wireless Guest Session Limit, Wireless Guest MAC Caching, [Update Endpoint Known], Wireless Guest Do Expire, Wireless Guest Expire Post Login
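As an added illustration (not code from the thread or from HPE Aruba), here is a small Python model of the behaviour described in posts 3 and 5: a table of guest endpoints, an age-based cleanup that deletes only rows not updated for N days (the reading of the cleanup interval the original poster is asking about), and a first-applicable evaluation of the two rules in the quoted enforcement policy. The model assumes that Unique-Device-Count includes the device currently authenticating and that [Update Endpoint Known] stamps the row's last-update time; the MAC addresses, username and dates are constructed. It shows why stale rows from six months ago trip the device limit and how a 14-day age-based cleanup changes the outcome.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Endpoint:
    """One row of the (modelled) Policy Manager Endpoint database."""
    mac: str
    username: str
    last_updated: datetime  # when [Update Endpoint Known] last touched this row


def cleanup_stale(endpoints, now, max_age_days):
    """Keep only endpoints updated within the last max_age_days.

    This is the "entries not used for N days" semantics the poster wants:
    each row is judged on its own last update; nothing is wiped on a schedule.
    A row updated exactly max_age_days ago is still kept.
    """
    cutoff = now - timedelta(days=max_age_days)
    return [e for e in endpoints if e.last_updated >= cutoff]


def unique_device_count(endpoints, username, mac):
    """Distinct MACs known for `username`, including the device authenticating now.

    Assumption of this model: the current MAC counts toward the total.
    """
    macs = {e.mac for e in endpoints if e.username == username}
    macs.add(mac)
    return len(macs)


def evaluate_policy(endpoints, username, mac, max_devices=2):
    """First-applicable evaluation of the two rules quoted in the thread."""
    # Rule 1: Unique-Device-Count GREATER_THAN 2 -> deny
    if unique_device_count(endpoints, username, mac) > max_devices:
        return "[Deny Access Profile]"
    # Rule 2: Day-of-Week BELONGS_TO every day of the week -> always matches
    return "Wireless Guest MAC Caching, [Update Endpoint Known]"


def update_endpoint_known(endpoints, username, mac, now):
    """Model [Update Endpoint Known]: (re)record this MAC for the user, stamped `now`."""
    for e in endpoints:
        if e.mac == mac:
            e.username = username
            e.last_updated = now
            return endpoints
    endpoints.append(Endpoint(mac, username, now))
    return endpoints


def demo():
    """Replay the scenario from post 3 with constructed data."""
    now = datetime(2013, 11, 4, 8, 30)
    six_months_ago = now - timedelta(days=180)
    table = [  # two devices the guest used half a year ago, never cleaned up
        Endpoint("00:11:22:33:44:01", "guest1", six_months_ago),
        Endpoint("00:11:22:33:44:02", "guest1", six_months_ago),
    ]
    new_mac = "00:11:22:33:44:03"
    # Without cleanup the old rows still count: 3 devices > 2 -> denied
    without_cleanup = evaluate_policy(table, "guest1", new_mac)
    # With "delete rows not updated in 14 days" the old rows are gone -> allowed
    cleaned = cleanup_stale(table, now, 14)
    with_cleanup = evaluate_policy(cleaned, "guest1", new_mac)
    # A successful login then re-creates one fresh, known row
    update_endpoint_known(cleaned, "guest1", new_mac, now)
    return {
        "without_cleanup": without_cleanup,
        "with_cleanup": with_cleanup,
        "rows_after_cleanup_and_login": len(cleaned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two cleanup readings in post 1 differ in `cleanup_stale`: a scheduled purge would drop every row on the interval regardless of age, whereas the age-based version above removes only rows whose own last update is older than the limit, so a guest who logs in daily never loses a known device.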


  • 6.  RE: Delete endpoints not updated in the last 14 days