https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485532#M496257 <HTML><HEAD></HEAD><BODY><P>Sorry, I did not elaborate enough...... this is for Static assigned IP printers, that ISE uses NMAP, to gather SNMP info from...</P><P><STRONG>go to Administration&gt;System&gt;Settings&gt;Profiling</STRONG></P><P></P><P><SPAN style="color: #545454; font-family: Tahoma; font-size: 14px; font-weight: bold;">Profiler Configuration:</SPAN></P><TABLE class="cpmLocalTableSpacing" style="font-size: 12px; color: #000000; font-family: Arial, Helvetica, sans-serif;"><TBODY><TR><TD style="font-family: Arial;"><P class="dijit dijitReadOnly xwtValidationTextBox xwtValidationTextBoxReadOnly dijitInlineTable dijitTextBox dijitLeft dijitTextBoxReadOnly dijitReset" style="margin: 0 5px 0 0; padding: 2px 5px; font-style: inherit; font-weight: bold; font-family: Tahoma, sans-serif; color: #222222; background-position: inherit;"></P></TD><TD align="right" nowrap="nowrap" style="font-family: Arial;"><LABEL style="margin-bottom: 5px; color: #222222;">Current custom SNMP community strings:</LABEL></TD><TD style="font-family: Arial;"><P class="dijit dijitReadOnly xwtValidationTextBox xwtValidationTextBoxReadOnly dijitInlineTable dijitTextBox dijitLeft dijitTextBoxReadOnly dijitReset" style="margin: 0 5px 0 0; padding: 2px 5px; font-style: inherit; font-weight: bold; font-family: Tahoma, sans-serif; color: #222222; background-position: inherit;"></P><DIV><DIV class="dijitReset dijitValidationIcon" style="background-position: initial;">&lt;v2c sting&gt;<BR /><P></P></DIV></DIV></TD></TR></TBODY></TABLE><P>thanks for any info......</P></BODY></HTML> Wed, 11 Jul 2018 21:28:03 GMT Kevin S Hatch 2018-07-11T21:28:03Z https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485530#M496255 <HTML><HEAD></HEAD><BODY><P>When will the Profiler configuration in ISE be able to use SNMPv3.&nbsp; I work in the financial/banking industry and our security department is telling that we can't use SNMPv1 or v2c.&nbsp; Is there a work around that will work?</P><P></P><P>thanks,</P><P></P><P><A class="jive-link-email-small" href="mailto:khatch@open-techs.com">khatch@open-techs.com</A></P></BODY></HTML> Wed, 11 Jul 2018 16:51:43 GMT https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485530#M496255 Kevin S Hatch 2018-07-11T16:51:43Z https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485531#M496256 <HTML><HEAD></HEAD><BODY><P>We support SNMPv3. Please see: <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0100011.html#reference_4D603ADC9DCF45F88982448A99D8EA89" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0100011.html#reference_4D603ADC9DCF45F88982448A99D8EA89">https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_010…</A></P></BODY></HTML> Wed, 11 Jul 2018 19:14:58 GMT https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485531#M496256 howon 2018-07-11T19:14:58Z https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485532#M496257 <HTML><HEAD></HEAD><BODY><P>Sorry, I did not elaborate enough...... this is for Static assigned IP printers, that ISE uses NMAP, to gather SNMP info from...</P><P><STRONG>go to Administration&gt;System&gt;Settings&gt;Profiling</STRONG></P><P></P><P><SPAN style="color: #545454; font-family: Tahoma; font-size: 14px; font-weight: bold;">Profiler Configuration:</SPAN></P><TABLE class="cpmLocalTableSpacing" style="font-size: 12px; color: #000000; font-family: Arial, Helvetica, sans-serif;"><TBODY><TR><TD style="font-family: Arial;"><P class="dijit dijitReadOnly xwtValidationTextBox xwtValidationTextBoxReadOnly dijitInlineTable dijitTextBox dijitLeft dijitTextBoxReadOnly dijitReset" style="margin: 0 5px 0 0; padding: 2px 5px; font-style: inherit; font-weight: bold; font-family: Tahoma, sans-serif; color: #222222; background-position: inherit;"></P></TD><TD align="right" nowrap="nowrap" style="font-family: Arial;"><LABEL style="margin-bottom: 5px; color: #222222;">Current custom SNMP community strings:</LABEL></TD><TD style="font-family: Arial;"><P class="dijit dijitReadOnly xwtValidationTextBox xwtValidationTextBoxReadOnly dijitInlineTable dijitTextBox dijitLeft dijitTextBoxReadOnly dijitReset" style="margin: 0 5px 0 0; padding: 2px 5px; font-style: inherit; font-weight: bold; font-family: Tahoma, sans-serif; color: #222222; background-position: inherit;"></P><DIV><DIV class="dijitReset dijitValidationIcon" style="background-position: initial;">&lt;v2c sting&gt;<BR /><P></P></DIV></DIV></TD></TR></TBODY></TABLE><P>thanks for any info......</P></BODY></HTML> Wed, 11 Jul 2018 21:28:03 GMT https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485532#M496257 Kevin S Hatch 2018-07-11T21:28:03Z https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485533#M496258 <HTML><HEAD></HEAD><BODY><P>Not currently. Just curious about the SNMPv3 though. Are the printers enabled with v3 out of the box or is v3 enabled by the admins? Typically NMAP SNMP scan is to provide profiling attributes for endpoints configured with default SNMP string.</P><P></P><P>In terms of the static IP on printers, are they manually configured through printer interface or are they setup as DHCP/BOOTP but the MAC is reserved on the DHCP server. If latter then you can still get it profiled via DHCP.</P></BODY></HTML> Wed, 11 Jul 2018 23:15:08 GMT https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485533#M496258 howon 2018-07-11T23:15:08Z https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485534#M496259 <HTML><HEAD></HEAD><BODY><P>V3 would have to be enabled on the printer (specifically HP printers, I don’t seem to have an issue with any other Printer/MFP manufacturer). The “public”/ default community string; sets of alerts at every security audit and we have been told that we cannot use it ever.</P><P></P><P>They have been set as Static. I have asked them to extend the DHCP range and create DHCP reservation, but they are resistant to change. (ie.. “we have done it this way for the last 20 years, so we don’t want to have to change the way we do everything.”)</P><P></P><P>You can use that custom string with a non “default” v2c string, I have tested this and it does work. But our security team keeps telling us to use only v3 with Auth and Priv options, only.</P><P></P><P>Could ISE be modified to use the v3 strings that are set for network devices to do the NMAP scan, as well? Just an idea….</P></BODY></HTML> Thu, 12 Jul 2018 14:49:29 GMT https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485534#M496259 Kevin S Hatch 2018-07-12T14:49:29Z https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485535#M496260 <HTML><HEAD></HEAD><BODY><P>In this case I would configure 802.1X on the printers to authenticate instead of doing profiling + MAB (MAC Authentication Bypass). In general profiling is done for devices that cannot do 802.1X and admin prefer not to touch them. If you are already touching them to configure SNMPv3, I would suggest configuring 802.1X on the printers instead.</P><P></P><P>If you still want us to consider SNMPv3 for the endpoints, please contact the product management team through your local Cisco contact or you can provide feedback through ISE GUI.</P></BODY></HTML> Thu, 12 Jul 2018 16:59:06 GMT https://community.cisco.com/t5/network-access-control/ise-profiler-configuration-snmpv3/m-p/3485535#M496260 howon 2018-07-12T16:59:06Z