ISE and SNMP v3


Author: Emmanuel Cano - Security Consulting Engineer

SNMP Traps on Identity Services Engine

Cisco ISE supports SNMPv1, SNMPv2c, and SNMPv3.

Cisco ISE sends the following generic system traps if you configure the SNMP host from
the CLI:

• Cold start—When the device reboots

• Linkup—When an Ethernet interface comes up

• Linkdown—When an Ethernet interface goes down

• Authentication failure—When a received message fails authentication: the community string does not match (SNMPv1/v2c) or the SNMPv3 user credentials do not verify

The following generic SNMP traps are generated by default in Cisco ISE:

Configuration steps

SNMP Configuration on ISE:

snmp-server enable

# snmp-server user <username> v3 plain <auth-password> <priv-password>
snmp-server user USER123 v3 plain authpassword superpassword

# snmp-server host <x.x.x.x> version 3 <username> <engineID in hexadecimal>* plain <auth-password> <priv-password>
snmp-server host 10.207.195.178 version 3 USER123 0x446172742E506F776572534E4D50 plain authpassword superpassword

Note: The EngineID is the SNMP manager's authoritative engine ID (PowerSNMP Free Manager in this
example) and must be entered exactly as the manager reports it. To copy and paste the EngineID go to
Tools->Configuration->Configure Authoritative Engine.
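Why the EngineID has to match byte for byte: SNMPv3 USM never puts the passwords from the snmp-server user line on the wire. Each password is stretched and hashed into a key Ku, and that key is then localized with the authoritative engine's ID (RFC 3414, Appendix A.2); the trap is authenticated with the localized key Kul, so a manager holding a different EngineID derives a different Kul and discards the message as an authentication failure. The following Python is an added example, not code from the original page or from Cisco ISE. It reuses the user, the placeholder passwords and the EngineID shown in the configuration steps (the EngineID decodes to the ASCII string "Dart.PowerSNMP", which is how PowerSNMP identifies its engine), validates the hex string against the RFC 3411 length limits, and derives Ku and Kul. The hash algorithm is a parameter because the page does not state which authentication and privacy protocols ISE uses; the RFC 3414 test vectors are checked for both MD5 and SHA-1.

```python
"""USM key derivation (RFC 3414 A.2) for the SNMPv3 user configured on ISE.

Added example, not from the original page or from Cisco ISE. The hash
algorithm is an assumption passed in by the caller; the page does not say
which auth/priv protocols ISE applies.
"""
import hashlib

# Values taken from the page's configuration steps. The passwords are the
# page's placeholder values, not real credentials.
ISE_USER = "USER123"
AUTH_PASSWORD = "authpassword"
PRIV_PASSWORD = "superpassword"
MANAGER_ENGINE_ID_HEX = "0x446172742E506F776572534E4D50"


def parse_engine_id(text):
    """Turn the hex string the ISE CLI expects into the raw engineID bytes.

    RFC 3411 limits an SnmpEngineID to 5..32 octets, so a truncated or
    over-long paste is rejected here. Only the length is checked; the
    value is treated as opaque octets, which is all key localization needs.
    """
    hex_digits = text[2:] if text.lower().startswith("0x") else text
    if len(hex_digits) % 2:
        raise ValueError("engineID hex string has an odd number of digits")
    engine_id = bytes.fromhex(hex_digits)
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engineID must be 5..32 octets, got %d" % len(engine_id))
    return engine_id


def engine_id_as_text(engine_id):
    """Render an engineID for eyeballing: ASCII when printable, else hex.

    The PowerSNMP engineID on the page is an ASCII string, so decoding it
    is a quick check that the paste into the ISE CLI was not mangled.
    """
    if all(0x20 <= b < 0x7F for b in engine_id):
        return engine_id.decode("ascii")
    return engine_id.hex()


def password_to_ku(password, hashname):
    """RFC 3414 A.2 step 1: hash the password repeated out to 1 MiB.

    The RFC feeds 64-byte blocks of the cyclically repeated password into
    the hash until 1048576 bytes have been consumed; since 1048576 is a
    multiple of 64 this equals hashing the first 1 MiB of the repetition.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hashname, stretched).digest()


def localize_key(ku, engine_id, hashname):
    """RFC 3414 A.2 step 2: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def usm_keys(password, engine_id_hex, hashname="sha1"):
    """Return (Ku, Kul) for one USM password against one engineID."""
    engine_id = parse_engine_id(engine_id_hex)
    ku = password_to_ku(password, hashname)
    return ku, localize_key(ku, engine_id, hashname)


if __name__ == "__main__":
    eid = parse_engine_id(MANAGER_ENGINE_ID_HEX)
    print("engineID:", eid.hex(), "->", engine_id_as_text(eid))
    for label, pw in (("auth", AUTH_PASSWORD), ("priv", PRIV_PASSWORD)):
        ku, kul = usm_keys(pw, MANAGER_ENGINE_ID_HEX, "sha1")
        print(f"{ISE_USER} {label}: Ku={ku.hex()} Kul={kul.hex()}")
    # Same user and password, engineID differing in its last octet:
    # the localized key is entirely different, so the trap would not verify.
    _, other = usm_keys(AUTH_PASSWORD, "0x446172742E506F776572534E4D51", "sha1")
    print("auth Kul with a different engineID:", other.hex())
```

The manager-side equivalent with net-snmp would be a createUser line in snmptrapd.conf carrying the same engineID and passwords; the protocol names in that line have to be whatever ISE actually uses, which this page leaves unstated, so check the ISE CLI reference for your release before relying on a particular SHA/AES or MD5/DES pairing.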

General SNMP Configuration options:

Enhancement Request CSCvr25325: ISE should allow configuring custom Auth and
Priv protocols for SNMPv3

Validation Commands

show snmp-server user

show run | in snmp



SNMP Configuration on SNMP Server (PowerSNMP Free Manager)

Go to Tools->Configuration->Configure Authoritative Engine, right click on the
white field and click on Add. Enter the SNMPv3 credentials exactly as configured on ISE:

• Username configured on ISE (USER123)

• Auth Password configured on ISE

• Priv Password configured on ISE

Configure a new SNMP Client

Click on SNMP Agents and click on Add Agent, then add ISE as the agent.

Validation Options

Once ISE is added to the SNMP server you can poll one of the default MIBs to verify that
SNMP information is being retrieved from ISE.

NOTES:

When an ISE process is manually stopped by an admin, Monit for the process is also
stopped and no traps are sent to the SNMP manager. A process stop SNMP trap is sent
to the SNMP manager only when a process accidentally shuts down and is not
automatically revived.

ISE does not have a MIB for process status or disk utilization. Cisco ISE uses the OID
HOST-RESOURCES-MIB::hrSWRunName when sending the SNMP trap. You cannot use
snmpwalk or snmpget to query process status or disk utilization.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011001.html#id_17078
