
Does ISE support SNMPv3 polling?

raghchan
Cisco Employee

I have checked the documentation and SNMPv3 traps are supported. But is SNMPv3 polling also supported?

11 Replies

paul
Level 10

SNMPv3 polling is supported to network devices, but I don't believe it is supported to endpoints. For endpoint profiling I only see options to enter SNMP v2 community strings.

Has anyone been able to use ISE 2.3 to poll NADs (such as Cisco 2960S and 3560 switches) using SNMPv3? I have upgraded to the suggested IOS software on the switches. I believe my configs are correct, as I was able to get information back using the Paessler SNMP Tester. I have read about the AES256 issue but have only used AES128 encryption. How does ISE use the polled information on the NADs? Where is it recorded?

I spent quite a bit of time trying to get it to work correctly at a customer. The customer also spent a fair amount of time trying to get it to work. We never could get it to work and punted to V2 read-only community string with ACL restrictions.

Thanks for your input as I’m starting to think there is still a bug in this ISE 2.3 release.

I spent a lot of time also on this but have not been able to get it working. It comes back with:

SNMP request times out, or SNMP community/user auth data is incorrect.

I hope we hear from a Cisco TAC on this issue.

This is not Cisco TAC. If you need support, please reach out to them to troubleshoot and open bugs.

Henry's inquiry is actually not related to what was asked in the original question, which is about how to use SNMPv3 to monitor ISE.

penncro1: In the future, please start your own thread. If you post your TAC case number and if time permits, I can take a quick look. If not already done, please try using some SNMP tool (e.g. snmpwalk or snmpget from Net-SNMP) to verify the SNMP configuration on your NADs.

Thanks for all the feedback. Sorry about posting in the wrong thread, but I thought it was all related to SNMPv3 on ISE. I did open a case with TAC (684244782) but have not heard back regarding the ability for ISE 2.3 to poll NADs using SNMPv3. I have used SNMP test software and verified that the config on the NAD is correct. In addition, I also have Prime Infrastructure polling these devices using SNMPv3.

The assigned TAC engineer is currently out of office but he did notify you and provided you an alternative contact.

Meanwhile, I would suggest turning DEBUG on for the profiler and also on the switch. Check profiler.log while recreating the issue and provide the debug log file to TAC. Also, it seems possible to perform a wired capture of the SNMP exchanges and decode it using Wireshark. There are some instructions on the net for that, so I would suggest you try that as well, to better understand what might have gone wrong.

hslai
Cisco Employee

To monitor ISE via SNMP, ISE 2.0 adds SNMPv3 support for both agents and traps. See the CLI guide for configuration commands, such as snmp-server user.

Below is an example of the configuration:

    myISE/admin# configure
    Enter configuration commands, one per line.  End with CNTL/Z.
    myISE/admin(config)# snmp-server host 1.1.1.1 ?
      version  SNMP version to use for notification messages
    myISE/admin(config)# snmp-server host 1.1.1.1 version ?
      1   Use SNMPv1
      2c  Use SNMPv2c
      3   Use SNMPv3
    myISE/admin(config)# snmp-server host 1.1.1.1 version 3 ?
      <WORD>  Remote UserName (Max Size - 31)
    myISE/admin(config)# snmp-server host 1.1.1.1 version 3 username ?
      <WORD>  Remote EngineID (Max Size - 40)
    myISE/admin(config)# snmp-server host 1.1.1.1 version 3 username 0x80001f8880aa72ce403792785600000000 ?
      hash   Hash Passwords
      plain  Plain Passwords
    myISE/admin(config)# snmp-server host 1.1.1.1 version 3 username 0x80001f8880aa72ce403792785600000000 plain ?
      <WORD>  Auth Password (Max Size - 40)
    myISE/admin(config)# snmp-server host 1.1.1.1 version 3 username 0x80001f8880aa72ce403792785600000000 plain lab123123 ?
      <WORD>  Priv Password (Max Size - 40)
    myISE/admin(config)# snmp-server host 1.1.1.1 version 3 username 0x80001f8880aa72ce403792785600000000 plain lab123123 lab123123
    myISE/admin(config)# snmp-server host 1.1.1.1 version 3 testuser 0x80001f8880aa72ce403792785600000000 plain lab123123 lab123123
    myISE/admin(config)# snmp-server user usertestname v3 plain lab123123 lab123123

    myISE/admin# sh run | inc snmp
    snmp-server enable
    snmp-server host 1.1.1.1 version 3 testuser 0x80001f8880aa72ce403792785600000000 hash 20A4FEA5635C18EBD115CF8884EBDC99717FAB14 20A4FEA5635C18EBD115CF8884EBDC99
    snmp-server engineID OFPEIMID9J1
    snmp-server user usertestname v3 hash 0xcddaf9a603a1f5af20d3b5cfda37e31a134b4a09 0xcddaf9a603a1f5af20d3b5cfda37e31a
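
Added example, not part of the original post and not ISE's own code: the `sh run` output above shows passwords entered as `plain` stored as a 40-hex-digit auth value and a 32-hex-digit priv value. Assuming those are RFC 3414 SHA-1 localized keys (the thread does not say how ISE derives them), this sketch shows how such keys depend on both the password and the engine ID. Function names are illustrative, and the sample input is the RFC 3414 A.3.2 test vector rather than values from the thread.

```python
import hashlib

PRIV_KEY_LEN = 16  # 128-bit privacy key material -> 32 hex digits


def parse_engine_id(text: str) -> bytes:
    """Accept an engine ID written as hex, with or without a 0x prefix."""
    text = text.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def password_to_key_sha1(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over the password repeated to 1,048,576 bytes."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(1048576, len(password))
    return hashlib.sha1(password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 2.6: bind the user key Ku to one authoritative engine."""
    return hashlib.sha1(ku + engine_id + ku).digest()


def derive_v3_keys(auth_pw: str, priv_pw: str, engine_id_hex: str):
    """Return (auth_key_hex, priv_key_hex) for a SHA-1 user with a 128-bit priv key."""
    eid = parse_engine_id(engine_id_hex)
    auth = localize_key(password_to_key_sha1(auth_pw.encode()), eid)
    priv = localize_key(password_to_key_sha1(priv_pw.encode()), eid)
    # The privacy key is the leading 16 bytes of its localized key.
    return auth.hex(), priv[:PRIV_KEY_LEN].hex()


if __name__ == "__main__":
    # Sample input: RFC 3414 A.3.2 test vector (password and engine ID).
    auth, priv = derive_v3_keys("maplesyrup", "maplesyrup",
                                "0x000000000000000000000002")
    print("auth:", auth)
    print("priv:", priv)
    # Same password, different engine ID: the localized keys no longer match,
    # which is why a wrong engine ID looks like an authentication failure.
    print(derive_v3_keys("maplesyrup", "maplesyrup",
                         "0x000000000000000000000003"))
```

With identical auth and priv passwords, the priv key is the first 32 hex digits of the auth key, the same relationship visible between the two values on each `hash` line in the output above.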

Parag Mahajan
Cisco Employee

FYI -- The defect below is resolved in 2.2P3, if you are planning to use AES256 for SNMPv3:

CSCvd03239    SNMPv3 with AES256 encryption for SNMP profiling probe does not work in ISE 1.1.x/1.x/2.x.