Beginner

ISE Profiler Configuration: SNMPv3

When will the Profiler configuration in ISE be able to use SNMPv3? I work in the financial/banking industry and our security department is telling us that we can't use SNMPv1 or v2c. Is there a workaround that will work?

thanks,

khatch@open-techs.com

5 REPLIES
Cisco Employee

Re: ISE Profiler Configuration: SNMPv3
Beginner

Re: ISE Profiler Configuration: SNMPv3

Sorry, I did not elaborate enough... This is for printers with statically assigned IPs, which ISE uses NMAP to gather SNMP info from.

Go to Administration > System > Settings > Profiling

Profiler Configuration:

<v2c string>

Thanks for any info...

Cisco Employee

Re: ISE Profiler Configuration: SNMPv3

Not currently. Just curious about the SNMPv3 though. Are the printers enabled with v3 out of the box, or is v3 enabled by the admins? Typically the NMAP SNMP scan is to provide profiling attributes for endpoints configured with the default SNMP string.

In terms of the static IP on printers, are they manually configured through the printer interface, or are they set up as DHCP/BOOTP with the MAC reserved on the DHCP server? If the latter, then you can still get it profiled via DHCP.

Beginner

Re: ISE Profiler Configuration: SNMPv3

V3 would have to be enabled on the printer (specifically HP printers; I don’t seem to have an issue with any other printer/MFP manufacturer). The “public”/default community string sets off alerts at every security audit, and we have been told that we cannot use it ever.

They have been set as static. I have asked them to extend the DHCP range and create DHCP reservations, but they are resistant to change (i.e., “we have done it this way for the last 20 years, so we don’t want to have to change the way we do everything”).

You can use that custom string with a non-“default” v2c string; I have tested this and it does work. But our security team keeps telling us to use only v3 with Auth and Priv options.

Could ISE be modified to use the v3 strings that are set for network devices to do the NMAP scan, as well? Just an idea….

Cisco Employee

Re: ISE Profiler Configuration: SNMPv3

In this case I would configure 802.1X on the printers to authenticate instead of doing profiling + MAB (MAC Authentication Bypass). In general, profiling is done for devices that cannot do 802.1X and that admins prefer not to touch. If you are already touching them to configure SNMPv3, I would suggest configuring 802.1X on the printers instead.

If you still want us to consider SNMPv3 for the endpoints, please contact the product management team through your local Cisco contact, or you can provide feedback through the ISE GUI.
