Article ID: 5898
Prevent Read-only users from viewing Read-Write or Admin SNMP credentials
Read-only (RO) users can see read-write (RW) or admin SNMP credentials in the MIBs
When setting up SNMPv1/2/3 configurations, it is not unusual to allow each user an unrestricted view of the entire MIB Tree.
Doing this for read-only groups (and thus read-only users) unfortunately lets them view the branch containing the SNMP configuration parameters, which could then yield sufficient credentials to obtain read-write or admin-level SNMP access.
FAD (Functions as Designed)
The following command sequence creates an SNMP view (5610) permitting full MIB access except for the 'snmpV2=1.3.6.1.6' branch:
[code]
set snmp view viewname RO subtree 1
set snmp view viewname RO subtree 0.0
set snmp view viewname RO subtree 1.3.6.1.6 excluded
[/code]
For any SNMP version this (case-sensitive) 'RO' view may then be referenced instead of the default 'All' view, in the 'set snmp access' commands for read-only groups (5245
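
The effect of the three view entries can be checked offline before the view is assigned to a read-only group. The Python sketch below is an added example, not vendor code: it evaluates a view the way RFC 3415 (VACM) describes, with the longest matching subtree deciding and no family masks, using the snmpV2 branch (1.3.6.1.6). The class and function names are hypothetical, the 'All' view is assumed to include only subtrees 1 and 0.0, and the probed OIDs are the standard sysDescr.0, snmpCommunityTable, usmUserTable and vacmAccessTable.

```python
def parse_oid(text):
    """Turn '1.3.6.1.6' into a tuple of integers."""
    return tuple(int(part) for part in text.strip(".").split("."))

class View:
    """One named SNMP view: a list of included/excluded subtrees (no masks)."""
    def __init__(self, name):
        self.name = name
        self.families = []                      # (subtree tuple, included flag)

    def add(self, subtree, included=True):
        self.families.append((parse_oid(subtree), included))

    def allows(self, oid):
        """True if oid is in the view; the longest matching subtree decides."""
        target = parse_oid(oid)
        matches = [(len(sub), sub, inc) for sub, inc in self.families
                   if target[:len(sub)] == sub]
        if not matches:
            return False                        # no subtree covers this OID
        return max(matches)[2]                  # most specific entry wins

def build_ro_view():
    """The 'RO' view from the three 'set snmp view' commands in the article."""
    view = View("RO")
    view.add("1")
    view.add("0.0")
    view.add("1.3.6.1.6", included=False)       # snmpV2 branch
    return view

def build_unrestricted_view():
    """Assumed stand-in for the default 'All' view (whole tree included)."""
    view = View("All")
    view.add("1")
    view.add("0.0")
    return view

# Standard OIDs used as probes (constructed test set).
PROBES = {
    "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    "snmpCommunityTable": "1.3.6.1.6.3.18.1.1",
    "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
    "vacmAccessTable": "1.3.6.1.6.3.16.1.4",
}

def audit(view):
    """Map each probe name to whether the view exposes it."""
    return {name: view.allows(oid) for name, oid in PROBES.items()}

if __name__ == "__main__":
    for v in (build_unrestricted_view(), build_ro_view()):
        print(v.name, audit(v))
```

Under the unrestricted view every probe is visible; under 'RO' only sysDescr.0 remains, so the community, USM user and VACM access tables are no longer readable by read-only groups.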