Here is how I usually configure NEW-Guest-Endpoints purge policy and options we have.
Administration > Identity Management > Settings > Endpoint Purge
ElapsedDays—Number of days since the object is created.
For every day purge:
"Elapsed Days less than 1": This should work for brand new endpoints, but what if you implement this purge rule after ISE has already learned the MAC addresses for a few days? Now they will never get purged.
"Elapsed Days less than 9999": All MAC addresses in the ISE are less than 9,999 days old. If the MAC address is in the NEW-Guest-Endpoints group it will get purged. This one is good if ISE already learned MAC addresses and they are already in the system.
For after 48 hours purge:
"Elapsed Days EQUALS 2": The timer starts when the endpoint is first learned by ISE.
- Example 1
Day 0 - 9 am - an endpoint is learned - elapsed days = 0
Day 1 - 3 am - scheduled purge
Day 1 - 9 am - elapsed days = 1
Day 2 - 3 am - scheduled purge
Day 2 - 9 am - elapsed days = 2
Day 3 - 3 am - scheduled purge - the endpoint is removed
Total: 66 hours
- Example 2
Day 0 - 2:30 am - an endpoint is learned - elapsed days = 0
Day 0 - 3 am - scheduled purge
Day 1 - 2:30 am - elapsed days = 1
Day 1 - 3 am - scheduled purge
Day 2 - 2:30 am - elapsed days = 2
Day 2 - 3 am - scheduled purge - the endpoint is removed
Total: 48.5 hours
How to make it more accurate
Another way to force user for AUP is LastAUPAcceptanceHours attribute in the AuthZ rule:
In this case we still would prefer to purge Guest MAC addresses, but it is more accurate in terms of timing. Are there any cons?