
SNMP v3 Polling Configuration with ISE v2.4 P7

Waldis
Level 1

Hey

I'm trying to set up SNMP v3 polling for ISE from my switches.

I have got SNMP v3 to work with Cisco Prime, but the same settings don't seem to apply to Cisco ISE.

 

Under "Administration-System-Deployment-Nodes-Profiling Configuration" I have activated SNMPQUERY and SNMPTRAP for each node.

Under each NAD I have configured SNMPv3, user, auth, priv.

 

Each switch is configured with SNMPv3

view- group ISO included

group - read, write, notify and context vlan- match prefix

user - user group version auth priv.

Then snmp-server host <IP> version 3 priv <user>

Enable all traps.

mac address-table notification change

mac address-table notification mac-move

 

Since it works with Prime it should work with ISE.

 

In ISE if I go to Context Visibility - Network Devices, and try to poll a "port config status" I only get error

Opening the report it says under status "Device IP address is not reachable".

But since the switch is added and works with ISE I think it's reachable... ;)

 

Have I forgotten any commands or settings in ISE?

How do I do an SNMPv3 connectivity check in ISE?

 

Accepted Solutions

Parag Mahajan
Cisco Employee

SNMPv3 is not supported for Port config status report / Network device session report. The same has been called out in the admin guide.


https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01.html#id_27044

Also, there is a defect filed for this:

CSCvj72980 : Port Config Status SNMP Query for Network Device in Context Visibilty not working SNMPv3
 

I request you to open a TAC case and reference this defect; that will give weightage to this defect to resolve it early.

 

If you would like to test SNMPv3, then connect an endpoint and check if attributes (ifIndex, etc.) are populated in Context Visibility.

SNMPv3 does work for ISE 2.4 for profiling. Earlier there was a defect related to v3 which got resolved in patch 2.4 P2.

Some reference for SNMPv3 config.

 

https://community.cisco.com/t5/identity-services-engine-ise/ise-test-snmp-access-to-a-node/m-p/3514626#286681


paul
Level 10

Good luck to you.  I have spent hours trying to get SNMPv3 working at multiple customers and never got it working correctly.  I am convinced it never really worked.  I just tell customers to use SNMPv2 read-only community string.

 

If you get it working post your config.


franklinb
Level 1
I'm not sure the answer provided is related to your problem. I have a basic issue with polling ISE nodes via SNMPv3 auth/priv sha/aes that was working in patch 6 and broke in patch 9. The polling data stopped immediately after rebooting from applying the patch.

If I try an SNMPWalk from the NMS I use it reports auth failure.

If something broke please report immediately to the TAC so they can get it to engineering to resolve

TAC resolved it for me - we recreated the v3 user and it started working again. Perhaps the hash is not ported correctly after update. 

 

Also of note is that there is no option to specify priv and auth methods - SHA and AES 128 are default. 

Hi,

Can you share the configuration for SNMP v3? You can hide sensitive info.

 

Alternatively, do you know any URL reference for such configuration? 

 

Thank you very much....

The CLI configuration is quite simple and is explained in the CLI Reference Guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/cli_guide/b_ise_CLIReferenceGuide_27/b_ise_CLIReferenceGuide_27_chapter_011.html#wp1067793462

 

ise/admin(config)# snmp-server user testuser v3 hash authpassword privpassword
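
Added example, not part of the thread or of Cisco's documentation: a shell helper for the NMS-side SNMPv3 check mentioned above (an snmpwalk reporting auth failure), using net-snmp's `snmpget` with the SHA / AES 128 settings the thread says ISE uses. The function names, the `SNMP_AUTH` / `SNMP_PRIV` environment variables and the `--probe` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): probe an SNMPv3 authPriv agent with
# net-snmp and turn the client's error text into a diagnosis, so that an
# unreachable agent is not confused with a credential mismatch.

# classify_snmp_result EXIT_CODE OUTPUT -> prints one diagnosis keyword
classify_snmp_result() {
    rc=$1; out=$2
    if [ "$rc" -eq 0 ]; then echo ok; return 0; fi
    case $out in
        *"Authentication failure"*)     echo auth-mismatch ;;  # wrong auth passphrase or hash type
        *"Unknown user name"*)          echo unknown-user ;;   # user not defined on the agent
        *"Decryption error"*)           echo priv-mismatch ;;  # wrong priv passphrase or cipher
        *"Unsupported security level"*) echo level-mismatch ;; # agent user is not authPriv
        *"Timeout"*)                    echo no-response ;;    # ACL, firewall, agent down, wrong IP
        *)                              echo other ;;
    esac
}

# probe_snmpv3 HOST USER -- passphrases are read from SNMP_AUTH and SNMP_PRIV
# and written to a private snmp.conf instead of being passed as -A/-X, which
# would expose them in the process list.
probe_snmpv3() {
    host=$1; user=$2
    conf=$(mktemp -d) || return 2
    ( umask 077
      printf '%s\n' "defSecurityName $user" "defSecurityLevel authPriv" \
          "defAuthType SHA" "defAuthPassphrase $SNMP_AUTH" \
          "defPrivType AES" "defPrivPassphrase $SNMP_PRIV" > "$conf/snmp.conf" )
    # sysDescr.0 by numeric OID, so no MIB files are needed
    out=$(SNMPCONFPATH=$conf snmpget -v3 -t 2 -r 1 "$host" 1.3.6.1.2.1.1.1.0 2>&1)
    rc=$?
    rm -rf "$conf"
    classify_snmp_result "$rc" "$out"
}

# Run as: SNMP_AUTH=... SNMP_PRIV=... sh script.sh --probe HOST USER
if [ "${1:-}" = "--probe" ]; then
    probe_snmpv3 "$2" "$3"
fi
```

A `no-response` result only says that no SNMP reply came back; check the agent's access lists and that the SNMP service is enabled before concluding the address is unreachable.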

 
