Solved: What SHA ciphers are used for network device SNMP?

SMD28316 · ‎11-17-2021

I want to disabled SHA1 Ciphers on ISE, but I have configured SNMP for multiple switches for SNMP CoA, the SNMP authentication protocol is set to SHA, will SNMP CoA fail then? I am worried about the impact for this, I am not sure if SHA1 will be used or not,

Arne Bier · ‎11-23-2021

Hello @SMD28316

Using ISE 3.0 and snmpwalk, I tested and the SNMPv3 agent in ISE still responds even if you disabled SHA1 in the GUI. It seems that this SHA1 disabling has nothing to do with the SNMP agent in ISE.

The Net-SNMP command below allows you to test with SHA1 (which is what I am using) and also SHA-256 etc - I tested them all - only SHA1 works with ISE.

snmpwalk -v 3 -x AES -u arne -X cisco123123 -a SHA -A cisco123123 172.16.0.10 -l authPriv

CiscoISE/admin# show snmp-server user
User: arne
  EngineID: 9HMXXXXXXE7M
  Auth Protocol: sha
  Priv Protocol: aes-128

View solution in original post

Arne Bier · ‎11-23-2021

Hello @SMD28316

Using ISE 3.0 and snmpwalk, I tested and the SNMPv3 agent in ISE still responds even if you disabled SHA1 in the GUI. It seems that this SHA1 disabling has nothing to do with the SNMP agent in ISE.

The Net-SNMP command below allows you to test with SHA1 (which is what I am using) and also SHA-256 etc - I tested them all - only SHA1 works with ISE.

snmpwalk -v 3 -x AES -u arne -X cisco123123 -a SHA -A cisco123123 172.16.0.10 -l authPriv

CiscoISE/admin# show snmp-server user
User: arne
  EngineID: 9HMXXXXXXE7M
  Auth Protocol: sha
  Priv Protocol: aes-128

Mark Potter · ‎12-08-2022

Great answer!

Have been looking at updating our priv & auth options.