ISE Profiler Configuration: SNMPv3

Kevin S Hatch
Level 1

When will the Profiler configuration in ISE be able to use SNMPv3? I work in the financial/banking industry and our security department is telling us that we can't use SNMPv1 or v2c. Is there a workaround that will work?

thanks,

khatch@open-techs.com

1 Accepted Solution

In this case I would configure 802.1X on the printers to authenticate instead of doing profiling + MAB (MAC Authentication Bypass). In general, profiling is done for devices that cannot do 802.1X and that admins prefer not to touch. If you are already touching them to configure SNMPv3, I would suggest configuring 802.1X on the printers instead.

If you still want us to consider SNMPv3 for the endpoints, please contact the product management team through your local Cisco contact, or you can provide feedback through the ISE GUI.

5 Replies

Kevin S Hatch
Level 1

Sorry, I did not elaborate enough... this is for static assigned IP printers that ISE uses NMAP to gather SNMP info from...

Go to Administration > System > Settings > Profiling

Profiler Configuration:

<v2c string>

Thanks for any info...

Not currently. Just curious about the SNMPv3 though. Are the printers enabled with v3 out of the box or is v3 enabled by the admins? Typically NMAP SNMP scan is to provide profiling attributes for endpoints configured with default SNMP string.

In terms of the static IP on printers, are they manually configured through the printer interface, or are they set up as DHCP/BOOTP but the MAC is reserved on the DHCP server? If the latter, then you can still get it profiled via DHCP.

V3 would have to be enabled on the printer (specifically HP printers; I don’t seem to have an issue with any other printer/MFP manufacturer). The “public”/default community string sets off alerts at every security audit and we have been told that we cannot use it ever.

They have been set as static. I have asked them to extend the DHCP range and create DHCP reservations, but they are resistant to change (i.e., “we have done it this way for the last 20 years, so we don’t want to have to change the way we do everything”).

You can use that custom string with a non-“default” v2c string; I have tested this and it does work. But our security team keeps telling us to use only v3 with Auth and Priv options.

Could ISE be modified to use the v3 strings that are set for network devices to do the NMAP scan, as well? Just an idea….
