UCF STIG Viewer Logo

The Cisco ISE must be configured to prohibit the use of all unnecessary and/or nonsecure functions, ports, protocols, and/or services.


Finding ID Version Rule ID IA Controls Severity
V-242640 CSCO-NM-000350 SV-242640r714230_rule High
Changes to any software components of the network device can have significant effects on the overall security of the network. Therefore, only qualified and authorized individuals should be allowed administrative access to the network device for implementing any changes or upgrades. If the network device were to enable non-authorized users to make changes to software libraries, those changes could be implemented without undergoing testing, validation, and approval.
Cisco ISE NDM Security Technical Implementation Guide 2021-09-27


Check Text ( C-45915r714228_chk )
If an SNMP stanza does not exist, this is not a finding.

1. Use the command line interface to view the current SNMP configuration.
show startup-config
2. Search for the keyword SNMP.

If versions earlier than SNMPv3 are enabled, this is a finding.

If SNMPv3 is not configured to meet DoD requirements, this is a finding.
Fix Text (F-45872r714229_fix)
If SNMP is used by the organization, then SNMP is configured at the command line interface.

To disable SNMPv1 and SNMPv2c if enabled type the remove the group with the following command.

no snmp-server group v1

To enable the SNMPv3 server on Cisco ISE, use the snmp-server enable command in global configuration mode.

1. snmp-server enable
2. snmp-server user v3 hash
3. snmp-server host {ip-address | hostname} trap version 3 username engine_ID hash