New Contributor
Posts: 3
Registered: ‎11-04-2013

Delete endpoints not updated in the last 14 days

Hi,

 

We'd like to delete endpoints that are not updated in the last 14 days from the Policy Manager Endpoint Database.

Can this be managed by setting the "Known endpoints cleanup interval" and "Unknown endpoints cleanup interval" settings to 14 days?

 

The documentation does not explain if endpoints are deleted every 14 days or if only endpoints not updated for 14 days are deleted. Is this done daily, weekly or only at every configured amount of days?

 

(On ClearPass Policy Manager 6.2.2)

 

Regards,

Erik

MVP
Posts: 1,382
Registered: ‎05-28-2008

Re: Delete endpoints not updated in the last 14 days

This might give you a clue:

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-Set-Account-Expiration-to-End-of-Day/m-p/116001#M7597

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
New Contributor
Posts: 3
Registered: ‎11-04-2013

Re: Delete endpoints not updated in the last 14 days

Sorry, no, that doesn't give a clue.

 

My question was regarding the Policy Manager Endpoint database. Once a guest has authenticated on the guest captive portal, an entry will be created in the Policy Manager Endpoint database. These entries stay there forever. When we limit a user to only use 2 devices and that user brings in another device 6 months later, access is denied because of the device limit.

We only allow MAC authentication for guests for 1 day, so after 1 day the endpoint entry could already be removed. 

 

So my question was: how can I configure Policy Manager to delete entries from the Endpoint database that have not been used for 14 days (or so)?

 

Regards,

Erik

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Delete endpoints not updated in the last 14 days

Can you paste your enforcement policy for the Guest with MAC caching service?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
New Contributor
Posts: 3
Registered: ‎11-04-2013

Re: Delete endpoints not updated in the last 14 days

Hi,

 

Yes, this is what we output when we authenticate:

 

Bandwidth-Check:Allowed-Limit         0
Bandwidth-Check:Check-Type            Today
Bandwidth-Check:Limit-Units           MB
Endpoint:Guest Role ID                2
Endpoint:Username                     ....@.....com
Expire-Time-Update:GuestUser          0
Expiry-Check:Expiry-Action            4
Post-Auth-Check:Action                Disconnect
Radius:IETF:Session-Timeout           1200599
Session-Check:Active-Session-Count    2
Status-Update:Endpoint                Known

 

And this is the enforcement policy:

Enforcement Policy Details
Description: Limits guests to maximum n device for MAC caching purposes
Default Profile: [Allow Access Profile]
Rules Evaluation Algorithm: first-applicable

Rules:
1. Conditions: (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 2)
   Enforcement Profiles: [Deny Access Profile]
2. Conditions: (Date:Day-of-Week BELONGS_TO Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday)
   Enforcement Profiles: Wireless Guest Session Timeout, Wireless Guest Bandwidth Limit, Wireless Guest Session Limit, Wireless Guest MAC Caching, [Update Endpoint Known], Wireless Guest Do Expire, Wireless Guest Expire Post Login
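
A small Python model of the situation described in this thread, added here as an illustration; it is not part of any post and is not ClearPass code. It evaluates the two rules above first-applicable against a toy endpoint store and compares the outcome for a third device 6 months later with and without removing entries not updated for 14 days. The record layout, function names, sample user and MACs are constructed, and counting the connecting device in Unique-Device-Count is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DEVICE_LIMIT = 2                      # rule 1: Unique-Device-Count GREATER_THAN 2
DENY = "[Deny Access Profile]"
ALLOW = "rule 2 profiles"             # stands in for the profile list of rule 2

@dataclass
class Endpoint:                       # hypothetical record, not the ClearPass schema
    mac: str
    username: str
    last_updated: datetime

def evaluate(db, username, mac, now):
    """First-applicable evaluation of the two rules in the posted policy."""
    # Assumption: the connecting device is counted together with stored ones.
    macs = {e.mac for e in db if e.username == username} | {mac}
    if len(macs) > DEVICE_LIMIT:
        return DENY                   # rule 1 matched, evaluation stops here
    # Rule 2 matches on every weekday; [Update Endpoint Known] is modelled
    # as inserting or refreshing the endpoint entry.
    db[:] = [e for e in db if e.mac != mac] + [Endpoint(mac, username, now)]
    return ALLOW

def purge_stale(db, now, max_age_days=14):
    """Keep only entries updated within the last max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return [e for e in db if e.last_updated >= cutoff]

def simulate(purge):
    """Two devices on day 0, a third device 180 days later (constructed data)."""
    user = "guest@example.com"
    day0 = datetime(2013, 11, 4)
    later = day0 + timedelta(days=180)
    db = []
    results = [
        evaluate(db, user, "02:00:00:00:00:01", day0),
        evaluate(db, user, "02:00:00:00:00:02", day0),
    ]
    if purge:
        db = purge_stale(db, later)   # age-based cleanup before the next login
    results.append(evaluate(db, user, "02:00:00:00:00:03", later))
    return results

if __name__ == "__main__":
    print("entries kept forever:", simulate(purge=False))
    print("14-day purge:        ", simulate(purge=True))
```
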
MVP
Posts: 1,382
Registered: ‎05-28-2008

Re: Delete endpoints not updated in the last 14 days

I asked a similar question here:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/why-guest-account-dosent-delete-even-with-do-exprie-4/m-p/117335#M7758

 

and here - read it well, this is the same thing that you would like to achieve:

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/in-cppm-guest-i-would-like-limit-guest-to-use-1-device-per-e/td-p/113115

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************