Configuring System Administrator Settings : SNMP authentication and access control
  
SNMP authentication and access control
You set SNMP authentication and access control features under Administration > System Settings: SNMP ACLs. The features in this page apply to SNMPv1, v2c, and v3 unless noted otherwise:
Security Names—Identify an individual user (v1 or v2c only).
Secure Groups—Group one or more security names, each paired with its security model, under a group name that access policies then refer to.
Secure Views—Create a custom view using the VACM that controls who can access which MIB objects under agent management by including or excluding specific OIDs. For example, some users have access to critical read-write control data, while some users have access only to read-only data.
Security Models—A security model identifies the SNMP version associated with a user for the group in which the user resides.
Secure Access Policies—Define who gets access to which type of information. An access policy is composed of <group-name, security-model, security-level, read-view-name>.
read-view-name is a preconfigured view that applies to read requests by this security-name.
write-view-name is a preconfigured view that applies to write requests by this security-name.
notify-view-name is a preconfigured view that applies to notifications (traps and informs) sent to this security-name.
An access policy is the configurable set of rules, based on which the entity decides how to process a given request.
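As an added example (not part of the RiOS documentation), the following Python models the lookup chain described above, from security name to group to access policy to read view to OID include/exclude, so that an ACL can be reasoned about before it is deployed. All names, OIDs and policies are constructed sample data, and the rule that a request's security level must be at least the policy's level is standard VACM behaviour assumed here rather than something this page states.

```python
# Added example, not from the RiOS documentation: a model of the VACM lookup
# chain described above (security name -> group -> access policy -> view ->
# OID include/exclude). All names, OIDs and policies are constructed samples.
LEVELS = {"noauth": 0, "auth": 1, "authpriv": 2}   # No Auth < Auth < AuthPriv

def oid_tuple(oid):
    """'.1.3.6.1.4.1' -> (1, 3, 6, 1, 4, 1)"""
    return tuple(int(part) for part in oid.strip(".").split("."))

def in_view(view, oid):
    """An OID is visible if the most specific matching subtree is an Include.
    As on the SNMP ACLs page, a view excludes everything by default."""
    target = oid_tuple(oid)
    best = None                       # (matched prefix length, included?)
    for kind in ("includes", "excludes"):
        for subtree in view.get(kind, []):
            prefix = oid_tuple(subtree)
            if target[:len(prefix)] == prefix and (best is None or len(prefix) > best[0]):
                best = (len(prefix), kind == "includes")
    return bool(best and best[1])

def read_allowed(cfg, sec_name, model, level, oid):
    """Would a GET for `oid` by (sec_name, model) at `level` succeed?"""
    # 1. Secure Groups: which group does this (model, security name) pair belong to?
    group = next((g for g, pairs in cfg["groups"].items() if (model, sec_name) in pairs), None)
    if group is None:
        return False
    # 2. Secure Access Policies: match group and model; the request's level must be
    #    at least the policy's (standard VACM behaviour, assumed here, not stated on the page).
    for pol in cfg["policies"]:
        if pol["group"] == group and pol["model"] == model and LEVELS[level] >= LEVELS[pol["level"]]:
            return in_view(cfg["views"][pol["read_view"]], oid)   # 3. Read View
    return False

# Constructed sample configuration mirroring the four SNMP ACLs sections.
CFG = {
    "views": {
        # MIB-II system group, minus sysContact (.1.3.6.1.2.1.1.4)
        "sys-only": {"includes": [".1.3.6.1.2.1.1"], "excludes": [".1.3.6.1.2.1.1.4"]},
        "all": {"includes": [".1"]},
    },
    "groups": {"monitors": [("v2c", "nms-ro"), ("usm", "ops-user")],
               "admins": [("usm", "admin")]},
    "policies": [
        {"group": "monitors", "model": "v2c", "level": "noauth", "read_view": "sys-only"},
        {"group": "monitors", "model": "usm", "level": "auth", "read_view": "sys-only"},
        {"group": "admins", "model": "usm", "level": "authpriv", "read_view": "all"},
    ],
}
```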
Setting secure usernames
Setting secure groups
Setting secure views
Adding an access policy
Setting secure usernames
Under Security Names, these configuration options are available:
Add a New Security Name
Displays the controls to add a security name.
Security Name
Specifies a name to identify a requestor allowed to issue gets and sets (v1 and v2c only). The specified requestor can make changes to the view-based access-control model (VACM) security name configuration.
This control doesn’t apply to SNMPv3 queries. To restrict v3 USM users from polling a particular subnet, use the RiOS Management ACL feature, located under Administration > Security: Management ACL.
Traps for v1 and v2c are independent of the security name.
Community String
Specifies the password-like community string to control access. Use a combination of uppercase, lowercase, and numerical characters to reduce the chance of unauthorized access to the SteelHead.
Community strings can contain only printable 7-bit ASCII characters and can't contain white space. Also, a community string can't begin with a pound sign (#) or a hyphen (-).
If you specify a read-only community string (located in the SNMP Basic page under SNMP Server Settings), it takes precedence over this community name and allows users to access the entire MIB tree from any source host. If this is not desired, delete the read-only community string.
To create multiple SNMP community strings on a SteelHead, leave the default public community string and then create a second read-only community string with a different security name. Or, you can delete the default public string and create two new SNMP ACLs with unique names.
Source IP Address and Mask Bits
Specifies the host IPv4 or IPv6 address and mask bits to which you permit access using the security name and community string.
Setting secure groups
Under Groups, these configuration options are available:
Add a New Group
Displays the controls to add a new group.
Group Name
Specifies a group name.
Security Models and Name Pairs
Specifies a security model from the drop-down list. Selecting v1 or v2c displays another drop-down list from which you select a security name; selecting v3 (usm) displays another drop-down list from which you select a user.
To add another Security Model and Name pair, click the plus sign (+).
Setting secure views
Under Views, these configuration options are available:
Add a New View
Displays the controls to add a new view.
View Name
Specifies a descriptive view name to facilitate administration.
Includes
Specifies the Object Identifiers (OIDs) to include in the view, separated by commas. For example, .1.3.6.1.4.1. By default, the view excludes all OIDs.
You can specify .iso or any subtree or subtree branch.
You can specify an OID number or use its string form. For example, .iso.org.dod.internet.private.enterprises.rbt.products.steelhead.system.model.
Excludes
Specifies the OIDs to exclude from the view, separated by commas. By default, the view excludes all OIDs.
Adding an access policy
Under Access Policies, these configuration options are available:
Add a New Access Policy
Displays the controls to add a new access policy.
Group Name
Specifies a group name from the drop-down list.
Security Level
Determines whether a single atomic message exchange is authenticated. Select one of these from the drop-down list:
No Auth doesn’t authenticate packets and doesn’t use privacy. This is the default setting.
Auth authenticates packets but doesn’t use privacy.
AuthPriv authenticates packets and encrypts messages with AES or DES for privacy.
A security level applies to a group, not to an individual user.
Read View
Specifies a view from the drop-down list.