Cisco Employee

SNMP Control plane

In a Forescout and OpenNac large competitive deal, the customer is asking us to provide technical reasons to avoid using SNMP.

Both Forescout and OpenNac support SNMP trap session creation and SNMP based authorisation (similar to what we used to have with CCA).

The main technical objection we have traditionally used is that SNMP based authorisation changes the switch configuration and this might break network management tools.

Knowing that we have been there (CCA), is there anything else we might argue? Maybe NAD impact?

Accepted Solution
Cisco Employee

Re: SNMP Control plane

A couple of things come to mind...

1) RADIUS is the world standard for session-based network access control (AAA).

2) SNMP based authorization means setting VLANs which are not very granular compared to dACLs

3) changing VLANs (SNMP or RADIUS) may inadvertently orphan an endpoint in a new VLAN with an old IP address because they didn't detect the VLAN change and know they were supposed to re-DHCP. We don't recommend VLAN changes as a best practice even with RADIUS.

4) SNMP does not inherently support Accounting for later audits
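Point 4 above is about audit trail: with RADIUS, every session produces Accounting-Request records (RFC 2866) that are tied to a specific endpoint and session and are integrity-checked with the shared secret, which is what makes them usable as evidence later. The following is an added illustration written for this thread, not code from ISE or from any poster; it builds Acct-Start and Acct-Stop packets for one constructed session, verifies the Request Authenticator on the receiving side, and turns the records into a per-session audit trail. The shared secret, MAC address and session id are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS Accounting-Request (RFC 2866): code, identifier, length,
# 16-byte Request Authenticator, then type/length/value attributes.
ACCOUNTING_REQUEST = 4
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Calling-Station-Id": 31,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44, "Acct-Session-Time": 46}
ATTR_NAME = {code: name for name, code in ATTR.items()}
INTEGER_ATTRS = {"NAS-Port", "Acct-Status-Type", "Acct-Session-Time"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _encode_attr(name, value):
    """Encode one attribute as type, length (incl. header), value."""
    if name == "NAS-IP-Address":
        raw = ipaddress.IPv4Address(value).packed
    elif name in INTEGER_ATTRS:
        raw = struct.pack("!I", value)
    else:
        raw = value.encode()
    if len(raw) > 253:
        raise ValueError(f"{name} value too long for one attribute")
    return bytes([ATTR[name], 2 + len(raw)]) + raw


def build_accounting_request(identifier, attrs, secret):
    """NAS side: build an Accounting-Request from a list of (name, value)."""
    body = b"".join(_encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator = MD5(code + id + length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator; a wrong secret or edited body fails."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Decode the attribute TLVs into a dict keyed by attribute name."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        raw = packet[pos + 2:pos + length]
        name = ATTR_NAME.get(code, f"Attr-{code}")
        if name == "NAS-IP-Address":
            attrs[name] = str(ipaddress.IPv4Address(raw))
        elif name in INTEGER_ATTRS:
            attrs[name] = struct.unpack("!I", raw)[0]
        else:
            attrs[name] = raw.decode(errors="replace")
        pos += length
    return attrs


def audit_trail(packets, secret):
    """One (status, session id, endpoint MAC, seconds) entry per verified record."""
    trail = []
    for pkt in packets:
        if not verify_accounting_request(pkt, secret):
            trail.append(("REJECTED", None, None, None))
            continue
        a = parse_attributes(pkt)
        trail.append((ACCT_STATUS.get(a.get("Acct-Status-Type"), "Unknown"),
                      a.get("Acct-Session-Id"), a.get("Calling-Station-Id"),
                      a.get("Acct-Session-Time", 0)))
    return trail


# Constructed sample: one endpoint session on one NAS port, Start then Stop.
SECRET = b"example-shared-secret"  # constructed placeholder
SESSION = [("User-Name", "pc-0123"), ("NAS-IP-Address", "10.0.0.2"), ("NAS-Port", 12),
           ("Calling-Station-Id", "00-11-22-33-44-55"), ("Acct-Session-Id", "0000001A")]
SAMPLE_PACKETS = [
    build_accounting_request(7, SESSION + [("Acct-Status-Type", 1)], SECRET),
    build_accounting_request(8, SESSION + [("Acct-Status-Type", 2),
                                           ("Acct-Session-Time", 3600)], SECRET),
]

if __name__ == "__main__":
    for entry in audit_trail(SAMPLE_PACKETS, SECRET):
        print(entry)
```

The trail is keyed by Acct-Session-Id and Calling-Station-Id, so each endpoint on a port gets its own Start/Stop pair with a duration; a record whose authenticator does not match the secret is rejected rather than logged. That per-session, integrity-checked record is what a port-level SNMP set of a VLAN does not give you.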

3 Replies
Cisco Employee

Re: SNMP Control plane

Also, SNMP based port-control breaks daisy-chained endpoints, like a PC behind a phone. Or in other terms, one endpoint can create a DoS for all other endpoints on the same port. 802.1X based sessions, on the other hand, can be granular, with specific endpoints subject to specific authorization(s).

Just in case: if the customer does not want to do RADIUS at all, then even ISE can support SNMP based access control; make sure you educate them on the limitations listed above before they decide to go either way.

Collaborator

Re: SNMP Control plane

Could you share some docs for ISE SNMP-based access control?

Enabling dot1x on the access switches and ensuring all wired endpoints do 802.1X takes time, so in the meanwhile, I would like to look into the SNMP based approach. tks.