Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Database Maintenance and Guest Account Retention

  • 1.  Database Maintenance and Guest Account Retention

    Posted Jul 31, 2013 09:03 AM

    I'm currently migrating from Amigopod/ClearPass 3.9.X to CPPM w/CPGuest 6.2. Mostly things are going great, but I'm having an issue that I can't seem to pin down to an exact cause or location to fix it. Please note, I did a direct import of my settings from my old instance and all other items are working correctly except for this one issue.

     

    On Amigopod/ClearPass 3.9.X, I had it configured to delete the guest accounts immediately on expiry, without issues. With CP 6.2 I'm seeing those accounts retained but placed in an "Expired" state. I have "Data Retention" enabled and configured on the CPGuest to run at 3AM. I also found, this morning I might add, the section in the main CPPM server to set the "Cluster-Wide Parameter" for the "Expired Guest Accounts Cleanup Interval", which I changed from the default of 365 down to 1.

     

    Reading through the documentation on Data Retention says "For a data retention policy to take effect, you must schedule and enable database maintenance. To do so, refer to the ClearPass Policy Manager documentation."  I can't find this section in the CPPM Documentation anywhere. 

     

    So my questions are these:

     

    1.  Are the settings I changed going to fix the account retention issue I am having?  If not, what am I missing and can someone point me in the right direction?

     

    2.  Does anyone know where in the documentation, or on the CPPM server, the "Database maintenance" section is to configure this to work properly?

     

    Thank you all for any help you can provide.



  • 2.  RE: Database Maintenance and Guest Account Retention

    EMPLOYEE
    Posted Jul 31, 2013 10:46 AM

    Do you have the “Do Expire” enforcement profile as part of the Service for Guests? This post-auth profile deletes the account. I am checking on the actual mechanism in the background doing this... just making sure that profile is tied to the service for now.



  • 3.  RE: Database Maintenance and Guest Account Retention

    Posted Jul 31, 2013 12:07 PM

    Thanks for the response. I made the service using the given templates. I did check and there is a "Do Expire" enforcement profile that was created for my service (along with several other profiles), but within the service itself, I do not see where that is listed anywhere. So I am unsure if it is actually part of my Service or not. The only Enforcement profile I see in my Service is my guest access policy.

     

    Does that help at all? The accounts are getting "Expired"; they just aren't being deleted like they were previously with Amigopod/CP 3.9.X.



  • 4.  RE: Database Maintenance and Guest Account Retention

    Posted Jul 31, 2013 12:13 PM

    Ok, I apologize, I found in the service where it lists the profiles attached to the enforcement policy. I can confirm that the Do Expire profile is attached to my service. Sorry for the confusion there.



  • 5.  RE: Database Maintenance and Guest Account Retention

    Posted Jul 31, 2013 01:57 PM

    The "Expired Guest Accounts Cleanup Interval" is the scheduled database maintenance for guests that you are looking for.

     

    Try waiting a day and see if this cleans up the stale guest accounts; if you just changed the value this morning, it will probably take effect overnight (I believe the scheduled task runs sometime in the early morning).

     

    Thanks for the feedback about the documentation; I will raise a bug report to ensure that this documentation issue is corrected.