Extreme Networks

Prevent Read-only users from viewing Read-Write/Admin SNMP Credentials


Article ID: 5898

Protocols/Features
SNMP

Goal
Prevent Read-only users from viewing Read-Write or Admin SNMP credentials

Symptoms
Read-only (RO) users can see read-write (RW) and admin SNMP credentials in the MIBs.

Cause
When setting up SNMPv1/2/3 configurations, it is not unusual to allow each user an unrestricted view of the entire MIB Tree.

Doing this for read-only groups (and thus, read-only users) unfortunately allows them the possibility of viewing the branch containing the SNMP configuration parameters, which could then be used to provide sufficient credentials to obtain read-write or admin level SNMP access.

Solution
FAD (Functions as Designed)

The following command sequence creates an SNMP view (5610) permitting full MIB access except for the 'snmpV2=1.3.6.1.6' branch:
set snmp view viewname RO subtree 1
set snmp view viewname RO subtree 0.0
set snmp view viewname RO subtree 1.3.6.1.6 excluded

For any SNMP version, this (case-sensitive) 'RO' view may then be referenced instead of the default 'All' view in the 'set snmp access' commands for read-only groups (5245).
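
To check what a view actually exposes before assigning it to a read-only group, the following added example (not Extreme Networks code) parses 'set snmp view' lines and applies the standard VACM rule from RFC 3415 that the longest matching subtree decides, without subtree masks. The definition of the 'All' view and the list of sensitive OIDs are assumptions made for the illustration.

```python
# Added example (not vendor code): VACM view membership per RFC 3415, no masks.
def parse_oid(text):
    return tuple(int(p) for p in text.strip(".").split("."))

def parse_view(config, viewname):
    """Return (subtree, included) pairs from 'set snmp view' lines for one view."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:4] != ["set", "snmp", "view", "viewname"]:
            continue
        if tok[4] != viewname or tok[5] != "subtree":  # view names are case-sensitive
            continue
        entries.append((parse_oid(tok[6]), "excluded" not in tok[7:]))
    return entries

def in_view(entries, oid):
    """Longest matching subtree decides; no matching subtree means not in view."""
    oid = parse_oid(oid)
    matches = [(sub, inc) for sub, inc in entries if oid[:len(sub)] == sub]
    if not matches:
        return False
    return max(matches, key=lambda e: (len(e[0]), e[0]))[1]

# Constructed input: the RO view from the article, plus an ASSUMED definition
# of the default 'All' view (the article does not show it).
CONFIG = """\
set snmp view viewname All subtree 1
set snmp view viewname RO subtree 1
set snmp view viewname RO subtree 0.0
set snmp view viewname RO subtree 1.3.6.1.6 excluded
"""

# Standard OIDs under 1.3.6.1.6 that hold SNMP access configuration.
SENSITIVE = {
    "snmpCommunityName": "1.3.6.1.6.3.18.1.1.1.2",
    "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
    "vacmAccessTable": "1.3.6.1.6.3.16.1.4",
}

def exposed(viewname):
    """Names of SNMP-configuration objects still readable through the view."""
    entries = parse_view(CONFIG, viewname)
    return sorted(n for n, oid in SENSITIVE.items() if in_view(entries, oid))

if __name__ == "__main__":
    for view in ("All", "RO"):
        print(view, "exposes:", exposed(view) or "nothing sensitive")
```

OIDs are compared per sub-identifier, so 1.3.6.1.60 is not treated as part of the excluded 1.3.6.1.6 branch.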
