Encrypted Snmp Community Strings; Lawful Intercept Restrictions; Li Server Addresses - Cisco ASR 5500 System Administration Manual

System Security
chassis key, the standby ICSR peer can recover services if the active peer goes out of service; the standby
peer will still have access to the passwords in their decrypted form.
ICSR peers use Service Redundancy Protocol (SRP) to periodically check to see if the redundancy configuration
matches with either decrypted passwords or DES-based two-way encryption strings. Since the configuration
is generated internally to the software, users are not able to access the configuration used to check ICSR
compatibility.

Encrypted SNMP Community Strings

Simple Network Management Protocol (SNMP) uses community strings as passwords for network elements.
Although these community strings are sent in clear-text in the SNMP PDUs, the values can be encrypted in
the configuration file.
The snmp community encrypted name command enables the encryption of SNMP community strings. For
additional information, see the Global Configuration Mode Commands chapter in the Command Line Interface
Reference.

Lawful Intercept Restrictions

This section describes some of the security features associated with the provisioning of Lawful Intercept (LI).

LI Server Addresses

An external authenticating agent (such as RADIUS or Diameter) sends a list of LI server addresses as part of
access-accept. For any intercept that was already installed or will be installed for that subscriber, a security
check is performed to match the LI server address with any of the LI-addresses that were received from the
authenticating agent. Only those addresses that pass this criteria will get the intercepted information for that
subscriber.
While configuring a campon trigger, the user will not be required to enter the destination LI server addresses.
When a matching call for that campon trigger is detected, a security check is done with the list received from
the authentication agent. The LI-related information is only forwarded if a matching address is found.
When an active-only intercept is configured, if a matching call is found, a security check is made for the LI
address received from the authentication agent and the intercept configuration will be rejected.
If no information related to LI server addresses is received for that subscriber, LI server addresses will not be
restricted.
Important
Important
A maximum of five LI server addresses are supported via an authenticating agent.
The ability to restrict destination addresses for LI content and event delivery using RADIUS attributes is
supported only for PDSN and HA gateways.
Encrypted SNMP Community Strings
ASR 5500 System Administration Guide, StarOS Release 21.5
77