Configuring SNMP Authentication and Access Control
You configure SNMP authentication and access control on the SNMP ACLs page.
The features on this page apply to SNMPv1, v2c, and v3 unless noted otherwise:
•  Security Names - Specify an individual user (v1 or v2c only).
•  Groups - Pair a security model with a security name and refer to the pairing by a group name.
•  Views - Create a custom view using the VACM that controls who can access which MIB objects under agent management by including or excluding specific OIDs: for example, some users have access to critical read-write control data, while other users have access only to read-only data.
•  Access Policies - Define who gets access to which type of information. An access policy is composed of a Group Name, a Security Level, and a Read View name.
To set secure usernames
1. Choose Settings > System Settings: SNMP ACLs to display the SNMP ACLs page.
2. Under Security Names, complete the configuration using the controls described in this table.
Control - Description
Add a New Security Name - Displays the controls to add a security name.
Security Name - (v1 and v2c only) Specify a name to identify a requestor allowed to issue gets and sets. The security name might make changes to the VACM security name configuration.
Note: This control does not apply to SNMPv3 queries. To restrict v3 USM users from polling from a particular subnet, use the ACL feature, located on the Settings > System Settings: SNMP ACLs page.
Note: Traps for v1 and v2c are independent of the security name.
Community String - Specify the password-like community string to control access. Use a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the Core.
Community strings do not allow printable 7-bit ASCII characters, except for white spaces. Also, community strings cannot begin with '#' or '-'. If you specify a read-only community string (located in the SNMP Basic page under Settings > System Settings), it takes precedence over this community name and allows users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string.
To create multiple SNMP community strings on a Core, leave the default public community string and then create a second read-only community string with a different security name. Or, you can delete the default public string and create two new SNMP ACLs with unique names.
Note: If you specify a read-only community string (located on the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and enables users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string.
Source IP Address and Mask Bits - Specify the host IP address and mask bits to which you permit access using the security name and community string.
Add - Adds the security name.
Remove Selected - Select the check box next to the name and click Remove Selected.
To set secure groups
1. Choose Settings > System Settings: SNMP ACLs to display the SNMP ACLs page.
2. Under Groups, complete the configuration using the controls described in this table.
Control - Description
Add a New Group - Displays the controls to add a new group.
Group Name - Specify a group name.
Security Model and Name Pairs - Click the + button and select a security model from the drop-down list:
•  v1 or v2c - Displays another drop-down menu; select a security name.
•  usm - Displays another drop-down menu; select a user.
To add another security model and name pair, click the + button. To remove a pair, click the - button.
Add - Adds the group name and security model and name pairs.
Remove Selected - Select the check box next to the name and click Remove Selected.
To set secure views
1. Choose Settings > System Settings: SNMP ACLs to display the SNMP ACLs page.
2. Under Views, complete the configuration using the controls described in this table.
Control - Description
Add a New View - Displays the controls to add a new view.
View Name - Specify a descriptive view name to facilitate administration.
Includes - Specify the object identifiers (OIDs) to include in the view, separated by commas: for example, .1.3.6.1.2.1.1. By default, the view excludes all OIDs.
You can specify .iso or any subtree or subtree branch.
You can specify an OID number or use its string form: for example, .iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model.
Excludes - Specify the OIDs to exclude in the view, separated by commas. By default, the view excludes all OIDs.
Add - Adds the view.
Remove Selected - Select the check box next to the name and click Remove Selected.
To add an access policy
1. Choose Settings > System Settings: SNMP ACLs to display the SNMP ACLs page.
Note: To be able to add an access policy, first you must create a new group and a view. For details, see To set secure groups and To set secure views.
2. Under Access Policies, complete the configuration using the controls described in this table.
Control - Description
Add a New Access Policy - Displays the controls to add a new access policy.
Group Name - Select a group name from the drop-down list.
Security Level - Determines whether a single atomic message exchange is authenticated. Select one of the following options from the drop-down list:
•  No Auth - Does not authenticate packets and does not use privacy. This is the default setting.
•  Auth - Authenticates packets but does not use privacy.
Note: A security level applies to a group, not to an individual user.
Read View - Select a view from the drop-down list.
Add - Adds the policy to the policy list.
Remove Selected - Select the check box next to the name and click Remove Selected.
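How the security names, groups, views, and access policies configured above combine for a v1/v2c read request, as an added Python example (not the product's own code and not part of the original page). It models standard VACM resolution with constructed names, community string, subnet, and OIDs, and assumes that the longest matching subtree decides and that an exclude wins a tie.

```python
import ipaddress

# Constructed sample configuration mirroring the four SNMP ACLs tables.
SECURITY_NAMES = [{"name": "nms-ro", "community": "Example7Str",
                   "source": "10.1.2.0/24"}]
GROUPS = {"monitoring": [("v2c", "nms-ro")]}
VIEWS = {"mib2-no-ip": {"includes": ".1.3.6.1.2.1",
                        "excludes": ".1.3.6.1.2.1.4"}}
POLICIES = [{"group": "monitoring", "level": "No Auth",
             "read_view": "mib2-no-ip"}]

def parse_oid(text):
    """Turn '.1.3.6.1.2.1.1' into a tuple of ints (numeric form only)."""
    return tuple(int(p) for p in text.strip().strip(".").split("."))

def view_allows(view, oid):
    """Longest matching subtree decides; no match means excluded."""
    best_len, allowed = -1, False
    for allow, field in ((True, "includes"), (False, "excludes")):
        for item in view[field].split(","):
            if not item.strip():
                continue
            sub = parse_oid(item)
            # '>=' with excludes scanned last: exclude wins a tie (assumption).
            if oid[:len(sub)] == sub and len(sub) >= best_len:
                best_len, allowed = len(sub), allow
    return allowed

def can_read(model, community, src_ip, oid_text):
    """Resolve security name -> group -> access policy -> read view."""
    addr, oid = ipaddress.ip_address(src_ip), parse_oid(oid_text)
    names = {s["name"] for s in SECURITY_NAMES
             if s["community"] == community
             and addr in ipaddress.ip_network(s["source"])}
    groups = {g for g, pairs in GROUPS.items()
              if any(m == model and n in names for m, n in pairs)}
    # A community-based request is unauthenticated: only No Auth policies apply.
    return any(view_allows(VIEWS[p["read_view"]], oid) for p in POLICIES
               if p["group"] in groups and p["level"] == "No Auth")

if __name__ == "__main__":
    for ip, oid in [("10.1.2.15", ".1.3.6.1.2.1.1.5.0"),
                    ("10.1.2.15", ".1.3.6.1.2.1.4.1.0"),
                    ("192.0.2.9", ".1.3.6.1.2.1.1.5.0")]:
        print(ip, oid, can_read("v2c", "Example7Str", ip, oid))
```

The model does not cover the read-only community string on the SNMP Basic page, which takes precedence over these entries and opens the entire MIB tree to any source host.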