Security

last person joined: 13 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass - Cluster-Wide Parameters - Cleanup Interval

  • 1.  Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Apr 26, 2018 09:35 AM

    Hi there,

     

    I'm trying to understand the configuration we need to apply from the 'Custer-Wide parameters' section of Clearpass to keep our Endpoint database in check so we automatically purge nodes on a regular basis.

     

    We currently offer BYOD Wireless connectivity for all internal employees, limiting their allowed devices to a maximum of 2. As time has progressed and people's Wireless devices are naturally upgraded/replaced we've found that users are unable to connect to the SSID due to their device limit being reached. Obviously I can manually delete entries, but this is quite a cumbersome process, going forward I believe I can modify the parameters in the Cleanup Intervals tab to remove devices that have previously connected, but have shown no activity in the last 60 days, but I'm just seeking a little clarification on the configuration that is available:

     

    Maximum inactive time for an endpoint - Currently set to 0 days - Enable and set to 60 days - Do I need to enable any other options in line with this? Also, if I set this value, I'm assuming it works from the 'Updated At' date of the endpoint?

     

    Known endpoints cleanup interval - Currently set to 0 days - Do I need to set this to a value or if I do, will it remove accounts irrespective of their activity timelines, so has the potential to remove devices that are still being used?

     

    Profiled Known endpoints cleanup option - Currently Disabled - Set to Enable - Do I need to enable this to work with the inactive time interval specified above?

     

    Thanks,

     

    Daniel



  • 2.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Apr 26, 2018 10:02 AM
    Once their certificates expire, they will no longer be valid. You can also change the retention values for the CA.


  • 3.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Apr 26, 2018 10:14 AM

    This is just for the endpoint entry - So mac and associated attibutes. There is no certificate information included as far as I'm aware.



  • 4.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted May 01, 2018 10:29 AM

    I am also curious about these settings. If I just have the "Maximum inactive time for an endpoint" set to 30 days, devices that haven't been on the network for over 2 years are still in the endpoints repository. If I set a number (7) for the "Known endpoints cleanup interval", it wipes out all devices, not just those that have been inactive for 30 days. That's a problem for us since we have a lot of endpoints added with specific attributes that are not replaced when they reconnect to the network on their own.



  • 5.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Aug 06, 2018 09:31 AM

    Have you ever resolved this? 

     

    I aswell have the Maximum inactive time for an endpoint defined at 31 days and have inactive known/unknown guest endpoints sitting out there several months past their expiry point.

     

    I would think this setting should take precidence over the other cleanup intervals but that doesn't seem to be the case?

     

    Thanks,



  • 6.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Aug 06, 2018 10:52 AM

    communitry.PNGIf you want to delete only inactive endpoints then use Maximum inactive time for an endpoint option and set other cleanup interval to zero, clearpass will delete only inactive endpoints.

     

     



  • 7.  RE: Clearpass - Cluster-Wide Parameters - Cleanup Interval

    Posted Aug 06, 2018 11:22 AM

    I guess I am not sure I understand the other endpoints your suggesting. This is how it is set and as you can see I have also included an endpoint which is several months old and has not been active and should have been removed.Capture.JPGUntitled.png