SNMP for WLC network device

eglinsky2012
Level 3

I have inherited responsibility for an ISE deployment and have a lot to learn. We're getting alarms like the following for our newer wireless controllers that use ISE for RADIUS authentication. These 9800 controllers were added after our initial ISE deployment, which originally only dealt with 8540 WLCs.

I realized the particular SNMP V3 user that the controller (network device) is configured for in ISE is not configured in the new 9800 controllers, but it is in the old 8540 controllers. Before I add the user to the WLC so ISE can communicate with it by SNMP, I want to understand why this is necessary. I gather it's for device profiling, so ISE can log information about the device type that the WLC is learning? What kind of access does ISE need, read-only? Is there any documentation of this situation I should refer to? TIA.

Alarm Name: Profiler SNMP Request Failure

Details: Profiler SNMP Request Failure : Server= ise-psn-xxx; NAD Address=x.x.x.x; Error Message=Unknown user name.

Description: SNMP request times out, or SNMP community/user auth data is incorrect.

Severity: Warning

Suggested Actions: Please ensure if SNMP is running on the NAD and verify that SNMP configuration on ISE matches on NAD
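The alarm above carries everything needed to tell the "user not defined on the NAD" case apart from a plain timeout, and to find which controllers still lack the SNMPv3 user that the ISE network-device entry expects. The following Python is an added example written for this thread, not Cisco ISE or WLC code; every PSN name, NAD address, device name and user name in it is constructed sample data, and the "Request timed out." message is a constructed stand-in for the timeout case the alarm description mentions.

```python
"""Triage helper for ISE "Profiler SNMP Request Failure" alarms.

Added example for this thread; not Cisco ISE or WLC code. All device names,
addresses, PSN names and SNMPv3 user names below are constructed sample data.
"""
import re

# The alarm's Details string is "<alarm> : key=value; key=value; ..."
_PAIR_RE = re.compile(r"\s*([^=;]+?)\s*=\s*([^;]*?)\s*(?:;|$)")


def parse_alarm_details(details: str) -> dict:
    """Split an ISE alarm Details line into its fields (keys kept as ISE writes them)."""
    alarm, sep, rest = details.partition(" : ")
    if not sep:
        raise ValueError("not an ISE alarm Details line: %r" % details)
    fields = {"alarm": alarm.strip()}
    for key, value in _PAIR_RE.findall(rest):
        fields[key] = value
    return fields


def classify_failure(error_message: str) -> str:
    """Map the alarm's Error Message to a likely cause on the NAD side."""
    msg = error_message.lower()
    if "unknown user name" in msg:
        # SNMPv3 USM user named in ISE's network-device entry is not defined on the NAD
        return "snmpv3-user-missing"
    if "time" in msg and "out" in msg:
        # SNMP not running on the NAD, or the PSN is blocked by an ACL/firewall
        return "timeout"
    return "other"


def find_snmp_user_mismatches(ise_nads: dict, nad_snmp_users: dict) -> list:
    """Return NAD names whose ISE profiler SNMPv3 user is absent from the NAD's user list."""
    missing = []
    for name, nad in ise_nads.items():
        if nad.get("snmp_version") != "3":
            continue
        if nad["snmp_user"] not in nad_snmp_users.get(name, set()):
            missing.append(name)
    return sorted(missing)


def triage_alarms(alarm_lines: list, ise_nads: dict) -> list:
    """Resolve each alarm's NAD address to the ISE device name and classify the cause."""
    by_ip = {nad["ip"]: name for name, nad in ise_nads.items()}
    results = []
    for line in alarm_lines:
        f = parse_alarm_details(line)
        ip = f.get("NAD Address", "")
        results.append({
            "psn": f.get("Server", ""),
            "nad_ip": ip,
            "nad_name": by_ip.get(ip, "<not in ISE>"),
            "cause": classify_failure(f.get("Error Message", "")),
        })
    return results


# Constructed: profiler SNMP settings of three ISE network-device entries.
SAMPLE_ISE_NADS = {
    "wlc-8540-1": {"ip": "10.0.0.4", "snmp_version": "3", "snmp_user": "ise-profiler"},
    "wlc-9800-1": {"ip": "10.0.0.5", "snmp_version": "3", "snmp_user": "ise-profiler"},
    "wlc-9800-2": {"ip": "10.0.0.6", "snmp_version": "3", "snmp_user": "ise-profiler"},
}
# Constructed: SNMPv3 users present in each controller's running configuration.
SAMPLE_NAD_SNMP_USERS = {
    "wlc-8540-1": {"ise-profiler", "netmon"},
    "wlc-9800-1": {"netmon"},
    "wlc-9800-2": set(),
}
# Constructed alarm Details lines in the same shape as the one in the question.
SAMPLE_ALARMS = [
    "Profiler SNMP Request Failure : Server= ise-psn-01; NAD Address=10.0.0.5; Error Message=Unknown user name.",
    "Profiler SNMP Request Failure : Server= ise-psn-01; NAD Address=10.0.0.6; Error Message=Unknown user name.",
    "Profiler SNMP Request Failure : Server= ise-psn-02; NAD Address=10.0.0.4; Error Message=Request timed out.",
]

if __name__ == "__main__":
    for r in triage_alarms(SAMPLE_ALARMS, SAMPLE_ISE_NADS):
        print("%-12s %-10s %-22s from %s" % (r["nad_name"], r["nad_ip"], r["cause"], r["psn"]))
    print("NADs missing the ISE SNMPv3 user:",
          find_snmp_user_mismatches(SAMPLE_ISE_NADS, SAMPLE_NAD_SNMP_USERS))
```

In practice the per-controller user sets would be filled from the output of `show snmp user` on each WLC rather than typed in, and the alarm lines would come from an ISE alarm export. The profiler side only reads from the device (the reply below describes it learning MAC addresses), so whatever user is eventually added for it needs nothing beyond a read-only view.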

1 Reply

Arne Bier
VIP

Hello @eglinsky2012 

ISE can have quite a steep learning curve, but luckily there is an excellent Community effort behind this and you can find most answers here. The index page https://cs.co/ise-guides is a great place to start.

SNMP and ISE. Why does ISE need to poll a NAD device using SNMP? Well, to be honest, I don't use this feature at all because in the world of Cisco network devices (switches and WLCs) there is no need to do that. As far as I know, it's used mainly for learning MAC addresses. At least on IOS and IOS-XE switches, ISE can learn about ALL the endpoints (MAC addresses) that are present in the switch AT THE TIME of polling it. Imagine you wanted to learn what MAC addresses have been learned (are in the address table) by a switch at any point in time, and simply add those into the ISE database. For discovery purposes. You don't get a lot of data other than the MAC addresses. Then you can look through your ISE Context Visibility to see what you're dealing with (IOT, Windows, Linux, cameras, printers, etc.) - it's a method of discovery.

But it's not required IMHO because when an endpoint connects to the switch/WLC, the MAC address is learned by ISE because the NAD sends a RADIUS Access-Request to ISE. In that Access-Request is the MAC address, and loads of other data anyway. And with device-tracking and Device-Sensor, you'll enrich the IOS device with even more data (IP address, DHCP, CDP, LLDP) if this is obtainable.

Long story short: unless you know exactly WHY your ISE deployment is periodically polling those IOS devices with SNMP, I'd disable that feature for those NAD devices in ISE.

In years gone by, it was also fashionable to send IOS device SYSLOGS to the ISE MNT for processing (to inform ISE of certain events on that NAD). But that is also no longer the case - ISE does nothing with those SYSLOGS. ISE is not a management platform.