Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Question - Remove attributes in endpoints database

  • 1.  Question - Remove attributes in endpoints database

    Posted Oct 28, 2013 10:48 PM
    Is it possible to remove an endpoint attribute using an enforcement policy?


  • 2.  RE: Question - Remove attributes in endpoints database

    EMPLOYEE
    Posted Oct 29, 2013 12:09 AM

    It depends on what attribute you want to remove. You should be able to add an enforcement and leave the attribute empty. I haven't tried it, so you will need to do a quick test to see if you will get the results you are looking for.

     

     


     

     



  • 3.  RE: Question - Remove attributes in endpoints database

    EMPLOYEE
    Posted Oct 29, 2013 12:50 AM
    I will have to take that back. Just tested and it will not let you leave it blank.

    Before I take this to engineering, what exactly are you trying to do? There might be some other options.


  • 4.  RE: Question - Remove attributes in endpoints database

    Posted Oct 29, 2013 12:25 PM

    I should be able to just use one of my other attributes that I use later in my authentication. I was just looking to create this attribute, restart authentication, perform one CLI enforcement to delete the user from the user-table, then delete the attribute. Just to keep the endpoint database clean. This would be for devices that join the network the very first time so I can get them from entering the initial role set on the controller. COAs don't seem to do much for devices that are in this Initial Role.

     

    The bigger picture is that if I COA a user that is in the initial role assigned from the AAA/VAP profile, it doesn't actually disconnect them, so instead I need to perform a CLI enforcement profile on the device to delete them from the user-table. I am not sure if you have any tips on doing CLI enforcement policy, but I have one created; I just need to troubleshoot to see where the CLI enforcement profile is failing. I think it's because I don't have a successful authentication source. Still need to test.