ISE profiler using wrong SNMP v3 USM

christensen
Level 1

I have ISE 2.3 and a Cisco router. ISE has the router network device configuration set to use SNMPv3 with auth/priv. The router is set up with auth/priv and is able to communicate with the NMS just fine using SNMPv3.

When ISE sends an SNMP get, the router debug shows it is set with noauth and fails with wrong USM. I have checked the configurations several times, but have not been able to figure out what is wrong. Any ideas? I get an alarm stating the profiling failed due to SNMP timeout or something.

Accepted Solutions

RichardAtkin
Level 3
The profiler doesn't use the SNMP info you enter when you define the NAD in ISE.

The profiler only uses SNMP v2 and you configure the strings it can use as shown below. As it's profiling (as opposed to properly communicating), most people just use their own default strings, ones they know are installed by default on the kit they use, and generic ones like 'public', 'private', etc...
https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010100.html#ID481
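
An added example, not part of the original thread or any Cisco tooling: because the reply describes profiling with SNMP v2 community strings such as 'public' and 'private', this Python script audits a router configuration for `snmp-server community` lines that use a well-known string, grant write access, or have no ACL. The sample configuration, the `WELL_KNOWN` list and the function name are assumptions made for the example.

```python
import re

# Illustrative list of well-known community strings (assumption, not exhaustive).
WELL_KNOWN = {"public", "private", "cisco", "community", "snmp"}

# IOS form: snmp-server community <string> [view <name>] [ro|rw] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+(\S+)(.*)$", re.IGNORECASE)

def audit_snmp_communities(config_text):
    """Return {community: [issues]} for every community line with a finding."""
    findings = {}
    for line in config_text.splitlines():
        match = COMMUNITY_RE.match(line.strip())
        if not match:
            continue
        community, tokens = match.group(1), match.group(2).split()
        if tokens and tokens[0].lower() == "view":
            tokens = tokens[2:]            # skip "view <name>"
        access = "ro"                      # IOS defaults to read-only
        if tokens and tokens[0].lower() in ("ro", "rw"):
            access = tokens.pop(0).lower()
        issues = []
        if community.lower() in WELL_KNOWN:
            issues.append("well-known string")
        if access == "rw":
            issues.append("read-write access")
        if not tokens:                     # anything left is an ACL reference
            issues.append("no ACL restricting source addresses")
        if issues:
            findings[community] = issues
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
snmp-server group NMSGRP v3 priv
snmp-server community public RO
snmp-server community Pr0f-7c2e91 RO 99
snmp-server community private view SYSONLY RW
"""

if __name__ == "__main__":
    for name, issues in audit_snmp_communities(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(issues)}")
```
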
