Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1007
Views
5
Helpful
3
Replies

SNMP Control plane

Go to solution
rovargas
Cisco Employee
Cisco Employee

‎07-16-2017 07:54 AM

In a Forescout and OpenNac large competitive deal, customer is asking us to provide technical reasons to avoid using SNMP.

Both Forescout and OpenNac support SNMP trap session creation and SNMP based authorisation (similar to what we used to have with CCA).

The main technical objection we have traditionally used is that SNMP based authorisation changes the switch configuration and this might break network management tools.

Knowing that we have been there (CCA), is there anything else we might argue? Maybe NAD impact?

1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee

‎07-17-2017 12:57 PM

A couple of things come to mind...

1) RADIUS is the world standard for session-based network access control (AAA).

2) SNMP based authorization means setting VLANs which are not very granular compared to dACLs

3) changing VLANs (SNMP or RADIUS) may inadvertently orphan an endpoint in a new VLAN with an old IP address because they didnt detect the VLAN change and know they were supposed to re-DHCP. We don't recommend VLAN changes as a best practice even with RADIUS.

4) SNMP does not inherently support Accounting for later audits

View solution in original post

3 Replies 3

Go to solution
thomas
Cisco Employee
Cisco Employee

‎07-17-2017 12:57 PM

A couple of things come to mind...

1) RADIUS is the world standard for session-based network access control (AAA).

2) SNMP based authorization means setting VLANs which are not very granular compared to dACLs

3) changing VLANs (SNMP or RADIUS) may inadvertently orphan an endpoint in a new VLAN with an old IP address because they didnt detect the VLAN change and know they were supposed to re-DHCP. We don't recommend VLAN changes as a best practice even with RADIUS.

4) SNMP does not inherently support Accounting for later audits

Go to solution
hariholla
Cisco Employee
Cisco Employee
In response to thomas

‎07-17-2017 01:59 PM

Also, SNMP based port-control breaks daisy-chained endpoints, like a PC behind a phone. Or in other terms, one endpoint can create a DOS for all other endpoints on the same port. 802.1X based sessions on the other hand, can be granular, which specific endpoints subject to specific authorization(s).

Just in case, if the customer does not want to do RADIUS at all, then even ISE can support SNMP based access control, make sure you educate them on the limitations listed above before they decide to go either way.

Go to solution
Ping Zhou
Level 8
Level 8
In response to hariholla

‎07-17-2017 02:33 PM

Could you share some docs for ISE SNMP-based access control?

Enabling dot1x on the access switches and ensuring all wired endpoints 802.1x take time, so in the meanwhile, I would like to look into the SNMP based approach. tks.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents