
SNMPv3 on ISE v3 cannot work with Zabbix Monitoring

oumodom
Level 1

Dear Cisco ISE lover, 

I have one lab with an issue on ISE v3 P8 utilizing visibility with Zabbix.

Along the ways, we test with SNMPwalk on Zabbix server as below: 
=> snmpwalk -v3 -u name -l authPriv -A name -a SHA -x AES -X name 10.6.1X.X

And the result is: SNMPwalk Authentication Failure (Incorrect password, community or key).

As validated on the Cisco ISE CLI, we follow the above credentials, and Zabbix doesn't have a Remote EngineID.
Please help, or if you have experience fixing this, please share.

Thanks

1 Accepted Solution

Accepted Solutions

Hi

Regarding the question "I meant how to know .1.3.6.1.2.1.1.1.0 or sysDescr in cisco ISE CLI ?": you don't have any control over the OID structure in ISE, because Cisco has implemented the standard MIB-II SNMP agent in Linux. You should run an snmpwalk against an ISE node, capture the results to a text file and analyse them. The resulting dump will contain ALL the data that this SNMP agent provides, and I think most of it can be decoded by your snmpwalk application(s) using the standard MIBs that you can download from the internet, or that are already installed in Zabbix/Net-SNMP etc. To my knowledge, Cisco has not made any vendor-specific additions to the ISE SNMP agent. You will find nothing interesting there, apart from the usual MIB-II stuff like CPU stats, disks, network interfaces etc. That's just Linux information.

"And Do you think sysDescr is the baseline for SNMP polling? " - no. Not at all. That was just an example. Run an snmpwalk against an ISE node to see the root OID, and then all the recursive entries thereafter. You can walk any part of that tree.

You don't specify the EngineID of Zabbix (or any SNMP trap receiver) in ISE.  The word "remote EngineID" is a bit misleading - it actually refers to the EngineID of the sender - in this case, the ISE node!

What format should the EngineID take? It depends on the user - the most common is the MAC address of the sending interface, because that data is already in hex. Typically EngineIDs are represented as hex characters - ISE only accepts hex, with a leading 0x.

There are RFC standards that govern how EngineIDs are encoded - if you want to encode an IP address (in hex), or a MAC address (in hex) or a user-defined string (as ASCII hex) then you can do so. The EngineID in ISE is the serial number (alphabetic characters) - you can get the serial number from the command

show udi

So now comes the fun part - how do you take the alphabetic characters, and encode them in RFC compliant format?

12 octets

First 4 octets are the IANA vendor assigned code, with the MSB (most significant bit) set to 1. Via web search, I found a Cisco IANA code of D1B3.

Fifth byte, I chose '04' to represent text data, with up to 26 trailing characters allowed

EngineID of 'CF9IKLJO79H' in ASCII hex is 43 46 39 49 4B 4C 4A 4F 37 39 48

EngineID = 0x8000D1B304434639494B4C4A4F373948

Configure that in ISE

snmp-server host 172.22.128.120 version 3 BOBv3 0x8000D1B304434639494B4C4A4F373948 sha256 plain 634jghTyrcytrCJHRytetyteyevjhvTRVTTtryt 634jghTyrcytrCJHRytetyteyevjhvTRVTTtryt

Why did I choose 40 character length auth/priv password?  Because with any other length, I was unable to decode the auth/priv data in Wireshark. Must be a bug in ISE.

Here is what Wireshark has decoded (you must add the SNMPv3 user data into Wireshark under the menu below):

Edit -> Preferences -> Protocols -> SNMP -> Users table

[screenshot: ArneBier_0-1732750553519.png]

 

But I had to stop here because only the first trap was decoded - after that one, ISE sends others, but must have messed up the privacy encoding, because Wireshark cannot decrypt it. The Authentication is always correctly decoded for all SNMPv3 traps though.

I have to say that all this effort is a great waste of time - mostly because ISE only sends one useful trap (Disk threshold), and also because most vendors don't do a good job of this. If you have time to waste, open a TAC case on this and let us know how you get on.

The only vendor product I have experienced that does a 100% good job in this SNMPv3 stuff is Aruba Wireless Controllers - they implement SNMP Informs (which are acknowledged traps) and it works exactly as expected. I have tested Aruba, Cisco switches, ISE, HP switches, Clearpass .... and always use Wireshark to prove the results.
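The EngineID derivation in the accepted solution above (enterprise number with the top bit set, one format octet, then the payload) is the SnmpEngineID layout from RFC 3411. The following is an added example written for this thread; it is not code from the post, from Cisco ISE or from Net-SNMP. It encodes and decodes EngineIDs in that layout and checks the length rules the RFC attaches to each format octet. The enterprise value 0xD1B3 and the serial 'CF9IKLJO79H' are taken from the post as sample input so the result can be compared with the value configured there; the MAC form uses enterprise number 9, which is the number IANA registers for Cisco. All function and variable names are this example's own.

```python
"""RFC 3411 SnmpEngineID encoder/decoder (added example, not from the forum post)."""
from __future__ import annotations

# Format octet values from the SnmpEngineID textual convention (RFC 3411, section 5)
FORMAT_IPV4 = 1     # payload: 4 octets
FORMAT_IPV6 = 2     # payload: 16 octets
FORMAT_MAC = 3      # payload: 6 octets
FORMAT_TEXT = 4     # payload: 1..27 octets, administratively assigned text
FORMAT_OCTETS = 5   # payload: 1..27 arbitrary octets

_FIXED_PAYLOAD = {FORMAT_IPV4: 4, FORMAT_IPV6: 16, FORMAT_MAC: 6}
_MAX_VARIABLE_PAYLOAD = 27
MIN_LEN, MAX_LEN = 5, 32  # SnmpEngineID is OCTET STRING (SIZE(5..32))


def _check_payload(fmt: int, payload: bytes) -> None:
    """Reject payloads whose length does not match the format octet."""
    if fmt in _FIXED_PAYLOAD:
        if len(payload) != _FIXED_PAYLOAD[fmt]:
            raise ValueError(f"format {fmt} needs exactly {_FIXED_PAYLOAD[fmt]} octets")
    elif fmt in (FORMAT_TEXT, FORMAT_OCTETS):
        if not 1 <= len(payload) <= _MAX_VARIABLE_PAYLOAD:
            raise ValueError(f"format {fmt} needs 1..{_MAX_VARIABLE_PAYLOAD} octets")
    elif fmt < 128:
        raise ValueError(f"format {fmt} is reserved")
    # 128..255 are enterprise-specific; only the overall 5..32 octet limit applies


def encode_engine_id(enterprise: int, fmt: int, payload: bytes) -> str:
    """Return the EngineID as the '0x...' upper-case hex string ISE accepts."""
    if not 0 <= enterprise < 2**31:
        raise ValueError("enterprise number must fit in 31 bits")
    if not 0 <= fmt <= 255:
        raise ValueError("format octet out of range")
    _check_payload(fmt, payload)
    head = (0x80000000 | enterprise).to_bytes(4, "big")  # top bit set = RFC 3411 layout
    engine_id = head + bytes([fmt]) + payload
    if not MIN_LEN <= len(engine_id) <= MAX_LEN:
        raise ValueError("EngineID must be 5..32 octets")
    return "0x" + engine_id.hex().upper()


def engine_id_from_text(enterprise: int, text: str) -> str:
    """Format 4: encode an ASCII string such as a device serial number."""
    return encode_engine_id(enterprise, FORMAT_TEXT, text.encode("ascii"))


def engine_id_from_mac(enterprise: int, mac: str) -> str:
    """Format 3: encode a MAC address written as aa:bb:cc:dd:ee:ff."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    return encode_engine_id(enterprise, FORMAT_MAC, octets)


def decode_engine_id(text: str) -> dict:
    """Split a hex EngineID back into enterprise number, format octet and payload."""
    hexpart = text[2:] if text[:2].lower() == "0x" else text
    raw = bytes.fromhex(hexpart)
    if not MIN_LEN <= len(raw) <= MAX_LEN:
        raise ValueError("EngineID must be 5..32 octets")
    if not raw[0] & 0x80:
        # Top bit clear: the older RFC 1910 layout, always 12 octets, no format octet
        return {"layout": "rfc1910", "raw": raw}
    enterprise = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    fmt, payload = raw[4], raw[5:]
    _check_payload(fmt, payload)
    result = {"layout": "rfc3411", "enterprise": enterprise, "format": fmt, "payload": payload}
    if fmt == FORMAT_TEXT:
        result["text"] = payload.decode("ascii")
    elif fmt == FORMAT_MAC:
        result["mac"] = ":".join(f"{b:02x}" for b in payload)
    return result


if __name__ == "__main__":
    # Sample input: the enterprise value and ISE serial used in the post above
    eid = engine_id_from_text(0xD1B3, "CF9IKLJO79H")
    print(eid)                      # 0x8000D1B304434639494B4C4A4F373948
    print(decode_engine_id(eid))
```

Run it as a script and the text form reproduces the 0x8000D1B3... value from the post. The decoder is the useful direction when comparing what a trap receiver logs against what the sender was configured with: a mismatch in the enterprise field or a payload that fails the length check usually means the EngineID was typed or copied incorrectly.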


9 Replies

Arne Bier
VIP

I am using ISE 3.4

 

conf t
snmp-server enable
snmp-server user BOBv3 v3 sha256 plain Bob123456 Bob123456

Then verify in ISE - the engineID is generated by ISE

rnolabise01/admin#show snmp-server user
User: BOBv3
  EngineID: CF9IKLJO79H
  Auth Protocol: sha256
  Priv Protocol: aes-128

On my Ubuntu server I run snmpwalk

abier@rnolabubu-01:~$ snmpwalk -v3 -u BOBv3 -l authPriv -A Bob123456 -a SHA-256 -x AES-128 -X Bob123456 rnolabise01 sysDescr
MIB search path: /var/lib/mibs/iana:/var/lib/mibs/ietf
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Identity Services Engine
abier@rnolabubu-01:~$

The username is case sensitive.

AES-128 is the only encryption algorithm available in ISE.

I arbitrarily chose SHA-256 when I created the SNMPv3 username

The engineID is not required when an SNMP server makes a request to an SNMP agent (e.g. ISE) - EngineID is usually required when SNMPv3 traps are sent to a server - if SNMPv2 or v3 Informs are sent to a server, then EngineID is not required either (the Inform Report will get the EngineID of the SNMP server during reporting phase)

Hi @Arne Bier 
I don't see the IP of the agent, and also what is "rnolabise01 sysDescr" in your Ubuntu server?

IP and DNS entries are supported in snmpwalk.  I didn't use the IP address - I am using the DNS entry 'rnolabise01' for the ISE node.

sysDescr refers to one OID of the MIB agent - it's a standard OID that should contain the system description 

@Arne Bier "sysDescr refers to one OID of the MIB agent"

So for all ISE nodes can we use sysDescr, or how do we check the OID in Cisco ISE?

Arne Bier
VIP

sysDescr is just short-hand for the OID .1.3.6.1.2.1.1.1.0

You can display the OID in numerical format using the -O n option - e.g.

snmpwalk -v3 -O n -u BOBv3 -l authPriv -A Bob123456 -a SHA-256 -x AES-128 -X Bob123456 rnolabise01 sysDescr

That will display

.1.3.6.1.2.1.1.1.0 = STRING: Cisco Identity Services Engine

If you want to walk the entire MIB tree, then remove the "sysDescr" from the snmpwalk command - I only did that to show you that I can read one of the OIDs - an entire MIB tree has thousands of lines of output

I should also mention that if you know the OID, then you can of course specify it directly - but I can't remember OIDs, and I don't memorise IP addresses either (that's why I use DNS and things like sysDescr)

snmpwalk -v3 -O n -u BOBv3 -l authPriv -A Bob123456 -a SHA-256 -x AES-128 -X Bob123456 rnolabise01 .1.3.6.1.2.1.1.1.0
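The accepted solution recommends walking the whole ISE tree, capturing the output to a text file and analysing it, and the reply above shows the two shapes that output takes (symbolic and, with -O n, numeric OIDs). Below is an added example of a small parser for that captured Net-SNMP output; it is not code from the thread, from Net-SNMP or from Cisco ISE. The sample dumps are constructed to look like the lines shown in this thread plus a few other value types Net-SNMP prints; they are not real captures, and the function names are this example's own.

```python
"""Parse captured snmpwalk/snmpget output into typed records (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# "<oid> = <TYPE>: <value>"  or  "<oid> = <value>" (Net-SNMP prints "" with no type label)
_LINE = re.compile(r"^(?P<oid>\S+) = (?:(?P<type>[A-Za-z0-9-]+): )?(?P<value>.*)$")
_TIMETICKS = re.compile(r"^\((\d+)\)")          # "(123456) 0:20:34.56"
_INT_TYPES = {"INTEGER", "Counter32", "Counter64", "Gauge32", "Unsigned32"}

# Constructed sample of a symbolic walk, modelled on the lines in this thread
SAMPLE_WALK = """\
MIB search path: /var/lib/mibs/iana:/var/lib/mibs/ietf
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Identity Services Engine
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
SNMPv2-MIB::sysUpTime.0 = Timeticks: (123456) 0:20:34.56
SNMPv2-MIB::sysName.0 = STRING: rnolabise01
IF-MIB::ifNumber.0 = INTEGER: 2
IF-MIB::ifDescr.1 = STRING: lo
IF-MIB::ifOperStatus.1 = INTEGER: up(1)
IF-MIB::ifPhysAddress.2 = Hex-STRING: 00 11 22 33 44 55 
IF-MIB::ifInOctets.2 = Counter32: 987654
SNMPv2-MIB::sysLocation.0 = ""
"""

# Constructed sample of the same data walked with -O n (numeric OIDs)
SAMPLE_WALK_NUMERIC = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco Identity Services Engine
.1.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
"""


@dataclass
class Varbind:
    oid: str       # as printed: symbolic (IF-MIB::ifDescr.1) or numeric (.1.3.6...)
    type: str      # Net-SNMP type label, "" when none was printed
    value: object  # decoded Python value
    raw: str       # the line exactly as captured


def _decode(type_: str, value: str) -> object:
    """Turn the printed value into a Python value where the type is well known."""
    if type_ in _INT_TYPES:
        m = re.fullmatch(r"(?:\w+\()?(-?\d+)\)?", value)  # plain "2" or enumerated "up(1)"
        return int(m.group(1)) if m else value
    if type_ == "Timeticks":
        m = _TIMETICKS.match(value)
        return int(m.group(1)) if m else value
    if type_ == "Hex-STRING":
        return bytes.fromhex(value.replace(" ", ""))
    if type_ in ("STRING", ""):
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        return value[1:-1] if quoted else value
    return value  # OID, IpAddress, error texts such as "No Such Object ..." kept as text


def parse_walk(text: str) -> list[Varbind]:
    """Parse a captured walk. Preamble lines (e.g. 'MIB search path:') are skipped.

    Limitation: STRING and Hex-STRING values that Net-SNMP wraps over several
    lines are not reassembled; only the first line is kept.
    """
    out: list[Varbind] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        type_ = m.group("type") or ""
        out.append(Varbind(m.group("oid"), type_, _decode(type_, m.group("value")), line))
    return out


def value_of(varbinds: list[Varbind], oid: str) -> object:
    """Return the decoded value of one OID, or None if the walk did not contain it."""
    for v in varbinds:
        if v.oid == oid:
            return v.value
    return None


def summarize(varbinds: list[Varbind]) -> dict[str, int]:
    """Count varbinds per MIB module (symbolic walk) or per MIB-II group (numeric walk)."""
    counts: dict[str, int] = {}
    for v in varbinds:
        if "::" in v.oid:
            key = v.oid.split("::", 1)[0]
        else:
            arcs = v.oid.strip(".").split(".")
            key = "." + ".".join(arcs[:7])  # .1.3.6.1.2.1.<group>
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    vb = parse_walk(SAMPLE_WALK)
    print(value_of(vb, "SNMPv2-MIB::sysDescr.0"))  # Cisco Identity Services Engine
    print(summarize(vb))                           # {'SNMPv2-MIB': 5, 'IF-MIB': 5}
```

Pointing parse_walk at a file captured with "snmpwalk ... > ise-walk.txt" gives a list you can filter, which is the quickest way to see which MIB modules the agent actually serves and whether anything beyond the standard MIB-II groups is present, which is the question the accepted solution answers in the negative for ISE.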

So good @Arne Bier 

I meant how to know .1.3.6.1.2.1.1.1.0 or sysDescr in Cisco ISE CLI?

And do you think @Arne Bier sysDescr is the baseline for SNMP polling?
Currently, we need both methods, and what we can't understand is: we need SNMP TRAP, as our ISE doesn't know how to get the Remote EngineID from Zabbix?


I would share my working snmpwalk setup: it doesn't require an OID, and specifies the exact SHA and AES variants.
snmpget -v3 -u name -l authPriv -a SHA-256 -A name -x AES-128 -X name 10.X.X.X

Then we can get the SNMPv2-MIB.