Prevent Read-only users from viewing Read-Write/Admin SNMP Credentials

  • Updated 5 years ago
Article ID: 5898 

Protocols/Features
SNMP 

Goal
Prevent Read-only users from viewing Read-Write or Admin SNMP credentials 

Symptoms
Read-only (RO) users can see read-write (RW) / admin SNMP credentials in the MIBs.

Cause
When setting up SNMPv1/2/3 configurations, it is not unusual to allow each user an unrestricted view of the entire MIB Tree. 

Doing this for read-only groups (and thus read-only users) unfortunately lets them view the branch containing the SNMP configuration parameters, which could then provide sufficient credentials to obtain read-write or admin-level SNMP access.

Solution
FAD (Functions as Designed) 

The following command sequence creates an SNMP view (5610) permitting full MIB access except for the 'snmpV2=1.3.6.1.6' branch:

set snmp view viewname RO subtree 1
set snmp view viewname RO subtree 0.0
set snmp view viewname RO subtree 1.3.6.1.6 excluded

For any SNMP version, this (case-sensitive) 'RO' view may then be referenced in place of the default 'All' view in the 'set snmp access' commands for read-only groups (5245).
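
The effect of the 'RO' view can be checked offline with a small model of view evaluation. This is an added example, not part of the original article or the vendor's code; it assumes the switch resolves views with the standard VACM rule (RFC 3415: the longest matching subtree decides, masks omitted), and the unrestricted view and the sample OIDs are constructed for illustration.

```python
# Added example: model of SNMP view evaluation (RFC 3415 rule, no masks).
# Assumption: the switch resolves 'set snmp view' entries the standard VACM way.

def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

# The 'RO' view built by the three commands in the article.
RO_VIEW = [("1", "included"), ("0.0", "included"), ("1.3.6.1.6", "excluded")]
# Constructed stand-in for an unrestricted view (the situation under "Cause").
UNRESTRICTED_VIEW = [("1", "included"), ("0.0", "included")]

# Standard MIB tables under 1.3.6.1.6 that hold SNMP access configuration.
SENSITIVE = {
    "snmpCommunityTable (RFC 3584)": "1.3.6.1.6.3.18.1.1",
    "usmUserTable (RFC 3414)": "1.3.6.1.6.3.15.1.2.2",
    "vacmAccessTable (RFC 3415)": "1.3.6.1.6.3.16.1.4",
}

def in_view(view, oid_text):
    """Return True if the OID is readable under the view."""
    oid = parse_oid(oid_text)
    best = None  # ((subtree length, subtree), type) of the winning entry
    for subtree_text, kind in view:
        subtree = parse_oid(subtree_text)
        if oid[:len(subtree)] != subtree:
            continue  # entry does not cover this OID
        key = (len(subtree), subtree)
        if best is None or key > best[0]:
            best = (key, kind)  # longer subtree wins, ties go to the larger OID
    return best is not None and best[1] == "included"

def exposed(view):
    """Names of the sensitive tables that remain readable under the view."""
    return sorted(name for name, oid in SENSITIVE.items() if in_view(view, oid))

if __name__ == "__main__":
    for label, view in (("unrestricted", UNRESTRICTED_VIEW), ("RO", RO_VIEW)):
        print(label, "exposes:", exposed(view) or "nothing sensitive")
    print("sysDescr.0 readable under RO:", in_view(RO_VIEW, "1.3.6.1.2.1.1.1.0"))
```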

FAQ User, Official Rep


Posted 5 years ago
