Author: greenlingo

Purging ISE endpoint DB


“Could you please check whether do you have PLUS or not ? if don’t have PLUS license ,then check profile service option is enabled from GUI or not ?

If it is enabled ,then disable it and try to delete to it ,then it will work fine .”

I’d suggest using the Context Visibility > Endpoints menu for the two issues you are having. It was revamped in ISE 2.1 and is a great one stop location for ascertaining and modifying endpoint attributes.


“Last Modified

Aug 24, 2017

Products (1)

  • Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases

2.0(0.901) 2.0(0.902) 2.0(0.903) 2.1(0.474) 2.2(0.902)

Description (partial)


Unable to remove endpoint from endpoint group (using endpoint group tab).



For endpoint with Static Group Assignment equal True removing is only changing value to false.


For endpoint with Static Group Assignment equal removing option is disabled.


Endpoint purge”



“I believe the issue is related to a difference in what is stored in Context Visibility as opposed to what is stored in the ISE endpoint database.  This could be related to CSCvf22318 or simply the fact that you learned endpoints which are displayed in Redis but not persisted in ISE endpoint database due to lack of Plus license with Profiling support.  To see what is in the Endpoint DB, you can run the “Get All Endpoints” command from “application configure ise” menu, or else leverage the Endpoint Analysis Tool available at (be sure to register with company email, not personal — the email is not used for marketing, but to verify valid customer).


Unknown and Profiled are placeholder ID groups for endpoints which have not been assigned an explicit Endpoint Identity Group.

Endpoint analysis tool.










NTLM Authentication

Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.

The Microsoft Kerberos security package adds greater security than NTLM to systems on a network. Although Microsoft Kerberos is the protocol of choice, NTLM is still supported. NTLM must also be used for logon authentication on stand-alone systems. For more information about Kerberos, see Microsoft Kerberos.

The following steps present an outline of NTLM noninteractive authentication. The first step provides the user’s NTLM credentials and occurs only as part of the interactive authentication (logon) process.

  1. (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
  2. The client sends the user name to the server (in plaintext).
  3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
  4. The client encrypts this challenge with the hash of the user’s password and returns the result to the server. This is called the response.
  5. The server sends the following three items to the domain controller:
    • User name
    • Challenge sent to the client
    • Response received from the client
  6. The domain controller uses the user name to retrieve the hash of the user’s password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
  7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful

IPV6 DHCPv6 Guard


Key points

-Define Northbound and Southbound traffic.

-Drop DHCP traffic from Southbound


configure terminal
ipv6 access-list acl1
 permit host FE80::A8BB:CCFF:FE01:F700 any
ipv6 prefix-list abc permit 2001:0DB8::/64 le 128	
ipv6 dhcp guard policy pol1
 device-role server
 match server access-list acl1
 match reply prefix-list abc
 preference min 0
 preference max 255
interface GigabitEthernet 0/2/0
 ipv6 dhcp guard attach-policy pol1 vlan add 1
 vlan 1
  ipv6 dhcp guard attach-policy pol1
show ipv6 dhcp guard policy pol1

IPV6 security RAguard config Key points

IPV6 RAguard – router advertisement guard


Key points

-Need the link local address that RA is coming from

-Need the payload prefix that it will be advertising

Configure interface role  – monitor | router | switch

Configuring the IPv6 RA Guard Policy on the Device


  1.    enable
  2.    configure terminal
  3.    ipv6 nd raguard policy policy-name
  4.    device-role {host | router}
  5.    hop-limit {maximum | minimum limit}
  6.   managed-config-flag {on | off}
  7.    match ipv6 access-list ipv6-access-list-name
  8.    match ra prefix-list ipv6-prefix-list-name
  9.   other-config-flag {on | off}
  10.    router-preference maximum {high | low | medium}
  11.   trusted-port

12.   exit

Example: IPv6 RA Guard Configuration

Device(config)# interface fastethernet 3/13
Device(config-if)# ipv6 nd raguard attach-policy
Device# show running-config interface fastethernet 3/13
Building configuration... 
Current configuration : 129 bytes 
interface FastEthernet3/13 
 switchport access vlan 222 
 switchport mode access 
 access-group mode prefer port 
 ipv6 nd raguard 


Device# show ipv6 snooping capture-policy interface ethernet 0/0

Hardware policy registered on Ethernet 0/0 
Protocol     Protocol value   Message   Value     Action    Feature 
ICMP         58               RS        85        punt      RA Guard 
                                                  punt      ND Inspection 
ICMP         58               RA        86        drop      RA guard 
                                                  punt      ND Inspection 
ICMP         58               NS        87        punt      ND Inspection 
ICM          58               NA        88        punt      ND Inspection 
ICMP         58               REDIR     89        drop      RA Guard 
                                                  punt      ND Inspection