07-11-2018 09:51 AM
When will the Profiler configuration in ISE be able to use SNMPv3? I work in the financial/banking industry and our security department is telling us that we can't use SNMPv1 or v2c. Is there a workaround that will work?
thanks,
07-11-2018 12:14 PM
We support SNMPv3. Please see: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_010…
07-11-2018 02:28 PM
Sorry, I did not elaborate enough... This is for printers with statically assigned IPs that ISE uses NMAP to gather SNMP info from.
Go to Administration > System > Settings > Profiling
Profiler Configuration:
<v2c string>
Thanks for any info.
07-11-2018 04:15 PM
Not currently. Just curious about the SNMPv3 though. Are the printers enabled with v3 out of the box or is v3 enabled by the admins? Typically the NMAP SNMP scan is to provide profiling attributes for endpoints configured with the default SNMP string.
In terms of the static IP on printers, are they manually configured through the printer interface, or are they set up as DHCP/BOOTP with the MAC reserved on the DHCP server? If the latter, then you can still get it profiled via DHCP.
07-12-2018 07:49 AM
V3 would have to be enabled on the printer (specifically HP printers; I don’t seem to have an issue with any other printer/MFP manufacturer). The “public”/default community string sets off alerts at every security audit, and we have been told that we cannot use it ever.
They have been set as static. I have asked them to extend the DHCP range and create DHCP reservations, but they are resistant to change (i.e., “we have done it this way for the last 20 years, so we don’t want to have to change the way we do everything”).
You can use that custom string with a non-“default” v2c string; I have tested this and it does work. But our security team keeps telling us to use only v3 with Auth and Priv options.
Could ISE be modified to use the v3 strings that are set for network devices to do the NMAP scan, as well? Just an idea….
07-12-2018 09:59 AM
In this case I would configure 802.1X on the printers to authenticate instead of doing profiling + MAB (MAC Authentication Bypass). In general, profiling is done for devices that cannot do 802.1X and that admins prefer not to touch. If you are already touching them to configure SNMPv3, I would suggest configuring 802.1X on the printers instead.
If you still want us to consider SNMPv3 for the endpoints, please contact the product management team through your local Cisco contact, or you can provide feedback through the ISE GUI.