
Configuring Cisco ISE for SNMPv3

  • Post last modified:11/04/2019

In this article I would like to cover how to configure SNMPv3 for Cisco Identity Services Engine (ISE).

In a few deployments I’ve done, I’ve come across the need to configure ISE to send SNMPv3 traps to a Network Management System (NMS). SNMPv3 provides authentication and encryption of SNMP traffic, something that earlier SNMP versions cannot do.

Now, one would assume that we could just go ahead and configure ISE for SNMP via the GUI. Unfortunately, that’s not the case. To configure ISE to send traps to an NMS, we need to configure the settings via the CLI.

The demonstration in the article is performed using a standalone ISE. This demonstration also assumes that you have connectivity between your NMS platform and ISE.

To see a live demonstration with testing, refer to the video that accompanies this article.

Configuration Steps

Enable SNMP

So that we can configure the required SNMPv3 settings for ISE, SNMP needs to be enabled.

iselab/admin(config)# snmp-server enable 

Configure ISE SNMP User

From the ISE CLI, enter global configuration mode and configure an SNMP user. You cannot set the authentication or encryption protocol; however, both are visible once the user has been configured. ISE uses SHA for authentication and AES-128 for encryption.

iselab/admin(config)# snmp-server user SNMPv3USER v3 plain authpassword privpassword 

Change any of the following fields to match the requirements of your deployment.

SNMPv3USER = Username

authpassword = Authentication Password

privpassword = Encryption Password

Configure SNMP Host

Configure the SNMP host. This is the NMS, and the settings on both sides should match. The remote EngineID needs to match the one configured on the NMS and must be entered in hex.

iselab/admin(config)# snmp-server host 192.168.50.5 version 3 SNMPv3USER 0x446172742E506F776572534E4D50 authpassword privpassword 

SNMPv3USER = Username


0x446172742E506F776572534E4D50 = Remote Engine ID

authpassword = Authentication Password

privpassword = Encryption Password
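
Why the remote EngineID has to match the NMS exactly, shown as an added example (not code from the original post or from Cisco): in the SNMPv3 user security model, passwords are turned into keys that are bound to an engine ID, so a different ID yields different keys. It assumes ISE follows the standard RFC 3414 SHA-1 key localization and RFC 3826 AES-128 key truncation; the function names are illustrative.

```python
import hashlib

def engine_id_to_hex(text: str) -> str:
    """Text engine ID -> 0x-prefixed hex, the form used in 'snmp-server host'."""
    return "0x" + text.encode("ascii").hex().upper()

def engine_id_from_hex(value: str) -> bytes:
    """0x-prefixed hex engine ID -> raw bytes."""
    return bytes.fromhex(value[2:] if value[:2].lower() == "0x" else value)

def password_to_key(password: str) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over 1,048,576 bytes of the repeated password."""
    pw = password.encode()
    if len(pw) < 8:
        raise ValueError("USM passwords must be at least 8 characters")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.sha1(pw * reps + pw[:rem]).digest()

def localize(ku: bytes, engine_id: bytes) -> bytes:
    """Localized key Kul = SHA1(Ku || engineID || Ku), bound to one engine."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def usm_keys(auth_pw: str, priv_pw: str, engine_id: bytes):
    """Return (20-byte SHA auth key, 16-byte AES-128 priv key) for one engine."""
    auth = localize(password_to_key(auth_pw), engine_id)
    priv = localize(password_to_key(priv_pw), engine_id)[:16]  # RFC 3826: first 128 bits
    return auth, priv

def keys_match(engine_a: bytes, engine_b: bytes, auth_pw: str, priv_pw: str) -> bool:
    """True only if both sides derive identical keys from the same passwords."""
    return usm_keys(auth_pw, priv_pw, engine_a) == usm_keys(auth_pw, priv_pw, engine_b)

if __name__ == "__main__":
    # Engine ID value taken from the post; passwords are the post's placeholders.
    nms = engine_id_from_hex("0x446172742E506F776572534E4D50")
    print("engine ID bytes :", nms)
    auth, priv = usm_keys("authpassword", "privpassword", nms)
    print("auth key (SHA)  :", auth.hex())
    print("priv key (AES)  :", priv.hex())
    # Constructed mismatch: one wrong byte in the engine ID configured on one side.
    wrong = nms[:-1] + b"Q"
    print("keys match with wrong engine ID:",
          keys_match(nms, wrong, "authpassword", "privpassword"))
```

With correct passwords but a single wrong byte in the engine ID, the derived keys differ, so the NMS cannot authenticate or decrypt the traps.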

Verify SNMP Configuration

You can verify the auth and priv protocols used by ISE by issuing the following command.

iselab/admin# show snmp-server user 
User: SNMPv3USER
  EngineID: IMKKQSHIGMB
  Auth Protocol: sha
  Priv Protocol: aes-128

Issue a show run to view the complete SNMPv3 configuration.

iselab/admin# show run
Generating configuration...
!!!Output Omitted!!!
snmp-server enable
snmp-server host 192.168.50.5 version 3 SNMPv3USER 0x446172742E506F776572534E4D5
0 hash 0CA52B11FA1BFB8F2B163635CB401999429018B0 36160FE3BDA1C80CF74071F0107415A7
snmp-server engineID IMKKQSHIGMB
snmp-server user SNMPv3USER v3 hash 0x5eba2e35a45a9569b48316fcf2c2b14db041038a 0
x45947b10ef5ad484d77d2d322844c08a

That completes the configuration for ISE. You will now need to ensure that the matching configuration is applied on your NMS platform. The video below walks through the configuration and testing of the SNMPv3 configuration.

iwiizkiid

Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelor's and Master's degree in both Computer Networks and Cyber Security.

This Post Has 2 Comments

  1. Subrun

    Hi,

    For ISE 2.6 Patch 3, should it support AES256?

    1. iwiizkiid

      I’ve not tested it but as far as I’m aware you cannot modify it.
