Configuring Cisco ISE for SNMPv3

In this article I would like to cover how to configure SNMPv3 for Cisco Identity Services Engine (ISE).

In a few deployments I’ve done, I’ve come across the need to configure ISE to send SNMPv3 traps to a Network Management System (NMS). SNMPv3 is perfect for ensuring the authentication and encryption of SNMP traffic, something that can’t be done with inferior SNMP versions.

Now, one would assume that we could just go ahead and configure ISE for SNMP via the GUI; unfortunately, that is not the case. To configure ISE to send traps to an NMS, the settings have to be configured via the CLI.

The demonstration in the article is performed using a standalone ISE. This demonstration also assumes that you have connectivity between your NMS platform and ISE.

To see a live demonstration with testing, refer to the video that accompanies this article.

Configuration Steps

Enable SNMP

So that we can configure the required SNMPv3 settings for ISE, SNMP needs to be enabled.

iselab/admin(config)# snmp-server enable 

Configure ISE SNMP User

From the ISE CLI, enter global configuration mode and configure an SNMP user. You cannot choose the authentication or encryption protocol, but both are visible once the user has been configured: ISE uses SHA for authentication and AES-128 for encryption.

iselab/admin(config)# snmp-server user SNMPv3USER v3 plain authpassword privpassword 

Change any of the following fields to match the requirements of your deployment.

SNMPv3USER = Username

authpassword = Authentication Password

privpassword = Encryption Password

Configure SNMP Host

Configure the SNMP host, which is the NMS; every setting here must match the NMS configuration. The remote EngineID must match the one used by the NMS and is entered as a hex string.

iselab/admin(config)# snmp-server host version 3 SNMPv3USER 0x446172742E506F776572534E4D50 authpassword privpassword 

SNMPv3USER = Username

0x446172742E506F776572534E4D50 = Remote Engine ID

authpassword = Authentication Password

privpassword = Encryption Password
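To show why the remote engine ID has to match the NMS, here is an added example (not code from the article or from Cisco ISE) of the RFC 3414 password-to-key routine with SHA-1 and the engine-ID localization step: the same passphrase localized against two different engine IDs yields two different keys, so a mistyped engine ID means the NMS can never authenticate the traps. The engine ID is the one from the article's command; the passphrase "authpassword" is the article's placeholder, and the second engine ID is constructed for comparison.

```python
import hashlib

# Added example, not part of the article or of Cisco ISE: the RFC 3414 (A.2.2)
# password-to-key routine with SHA-1, followed by the engine-ID localization
# step. Because the localized key depends on the engine ID, a wrong remote
# engine ID in "snmp-server host" produces a key the NMS will never accept.

ONE_MIB = 1024 * 1024          # the algorithm hashes exactly 1 MiB of passphrase
USM_MIN_PASSPHRASE = 8         # minimum passphrase length the USM accepts


def password_to_key_sha1(password: str) -> bytes:
    """Ku: SHA-1 over the passphrase repeated (and truncated) to 1 MiB."""
    if len(password) < USM_MIN_PASSPHRASE:
        raise ValueError("SNMPv3 passphrase must be at least 8 characters")
    pw = password.encode()
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.sha1(stream).digest()


def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Kul = SHA-1(Ku || engineID || Ku): binds the key to one SNMP engine."""
    return hashlib.sha1(ku + engine_id + ku).digest()


def parse_engine_id(hex_id: str) -> bytes:
    """Accept the 0x-prefixed hex the ISE CLI takes; enforce the RFC 3411 size (5..32 bytes)."""
    s = hex_id[2:] if hex_id.lower().startswith("0x") else hex_id
    if len(s) % 2 or not 10 <= len(s) <= 64:
        raise ValueError("engine ID must be 5 to 32 bytes of hex")
    return bytes.fromhex(s)       # raises ValueError on non-hex characters


def localized_auth_key(password: str, engine_hex: str) -> str:
    """Hex of the SHA-1 authentication key this passphrase yields for engine_hex."""
    return localize_key(password_to_key_sha1(password), parse_engine_id(engine_hex)).hex()


if __name__ == "__main__":
    # Engine ID from the article's command; "authpassword" is its placeholder passphrase.
    nms_engine = "0x446172742E506F776572534E4D50"
    wrong_engine = "0x446172742E506F776572534E4D51"   # constructed: last byte differs
    print("engine ID decodes to:", parse_engine_id(nms_engine))
    print("key for NMS engine  :", localized_auth_key("authpassword", nms_engine))
    print("key for wrong engine:", localized_auth_key("authpassword", wrong_engine))
```

The article's engine ID decodes to the ASCII string "Dart.PowerSNMP", which is a quick sanity check that the hex was copied correctly from the NMS.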

Verify SNMP Configuration

You can verify the auth and priv protocols used by ISE by issuing the following command.

iselab/admin# show snmp-server user 
  Auth Protocol: sha
  Priv Protocol: aes-128

Issue a show run to view the full SNMPv3 output.

iselab/admin# show run
Generating configuration...
!!!Output Omitted!!!
snmp-server enable
snmp-server host version 3 SNMPv3USER 0x446172742E506F776572534E4D50 hash 0CA52B11FA1BFB8F2B163635CB401999429018B0 36160FE3BDA1C80CF74071F0107415A7
snmp-server engineID IMKKQSHIGMB
snmp-server user SNMPv3USER v3 hash 0x5eba2e35a45a9569b48316fcf2c2b14db041038a 0

That completes the ISE configuration; you will now need to apply the matching configuration on your NMS platform. The video below walks through the configuration and testing of the SNMPv3 setup.
