Automatic purging old records in Control (formerly - Identity and Access) in Netsight

  • Question
  • Updated 1 year ago
  • Answered
Hello, everybody!

I've detected hundreds of devices using the Identity Management feature on Summits and brought this data into Netsight.

The state of some devices is Disconnected, others are Accept.

My question is: will the disconnected devices be removed automatically in a period of time?

They really saturate the table...

How long does Netsight keep information for End-Systems?

Many thanks in advance,

Ilya
Ilya Semenov

Posted 1 year ago

Yacobucci, Ryan, Multi-Tier Technical Support Engineer
Hello,

By default EMC will age out end systems after 90 days of inactivity.

In NAC Manager click Tools --> Options --> Data Persistence.

This will give you options to modify this scope.

Inactivity means that the end system has not seen accounting, DHCP, or any other event that has updated the end system's "last seen" timestamp.

Thanks
-Ryan
Ilya Semenov
Thank you, Ryan!

I am thinking...

I've got a user on a certain port by Kerberos. The question is: what if tomorrow I get another user on the same port?

Will Netsight store both users or clear the earlier one? What will happen?

Thank you!
Yacobucci, Ryan, Multi-Tier Technical Support Engineer
It would depend on whether the user logged into the same end system, or if they both had different end systems.

The "hinge" in NAC is always the end system. The way the system works is that EMC tracks end systems, and receives updates from potentially multiple sources (mainly EAC) that update the end system. There is an "end system" record, and then there are "end system events".

When events come in, they are shown historically by event to give you an idea of when certain information was populated at what time, or what happened to the end system over time. These events are used to update the "end system" to display all the currently known information on an end system in the "end systems" table.

If these are two different end systems, then you'll see there was an event that was populated by either Kerberos snooping or identity management, that snooped the username and will populate it as the username for both users. EMC will not make the assumption that the user has logged off because there was another authentication event on the same port. EMC will only show the user as disconnected if the switch sends the appropriate information that indicates that the session was disconnected.

If two different users log into the same end system on the same switch port, then you'll see two different end system events with two different usernames, and the username that logged in last will be displayed as the username for the end system.

Thanks
-Ryan