HP ProCurve 9304M Security Manual page 157

NOTE: If you want the software to assume that the value you enter is the clear-text form, and to encrypt display
of that form, do not enter 0 or 1. Instead, omit the encryption option and allow the software to use the default
behavior.
If you specify encryption option 1, the software assumes that you are entering the encrypted form of the
community string. In this case, the software decrypts the community string you enter before using the value for
authentication. If you accidentally enter option 1 followed by the clear-text version of the community string,
authentication will fail because the value used by the software will not match the value you intended to use.
The command in the example above adds the read-write SNMP community string "private". When you save the
new community string to the startup-config file (using the write memory command), the software adds the
following command to the file:
snmp-server community 1 <encrypted-string> rw
To add an non-encrypted community string, you must explicitly specify that you do not want the software to
encrypt the string. Here is an example:
ProCurveRS(config)# snmp-server community 0 private rw
ProCurveRS(config)# write memory
The command in this example adds the string "private" in the clear, which means the string is displayed in the
clear. When you save the new community string to the startup-config file, the software adds the following
command to the file:
snmp-server community 0 private rw
The view <viewstring> parameter is optional. It allows you to associate a view to the members of this community
string. Enter up to 32 alphanumeric characters. If no view is specified, access to the full MIB is granted. The view
that you want must exist before you can associate it to a community string. Here is an example of how to use the
view parameter in the community string command:
ProCurveRS(config)# snmp-s community myread ro view sysview
The command in this example associates the view "sysview" to the community string named "myread". The
community string has read-only access to "sysview". For information on how create views, see the section
"Defining SNMP Views" on page 10-10.
The <standard-acl-name> | <standard-acl-id> parameter is optional. It allows you to specify which ACL group will
be used to filter incoming SNMP packets. You can enter either the ACL name or its ID. Here are some examples:
ProCurveRS(config) # snmp-s community myread ro view sysview 2
ProCurveRS(config) # snmp-s community myread ro view sysview myacl
The command in the first example indicates that ACL group 2 will filter incoming SNMP packets; whereas, the
command in the second example uses the ACL group called "myacl" to filter incoming packets. See "Using ACLs
to Restrict SNMP Access" on page 2-5 for more information.
USING THE WEB MANAGEMENT INTERFACE
NOTE: To make configuration changes, including changes involving SNMP community strings, you must first
configure a read-write community string using the CLI. Alternatively, you must configure another authentication
method and log on to the CLI using a valid password for that method.
To use the Web interface to add a community string, do the following:
1. Log on to the device using a valid user name and password for read-write access.
NOTE: If you have configured the device to secure Web management access using local user accounts, you
must instead enter the user name and password of one of the user accounts. See "Setting Up Local User
Accounts" on page 2-16.
2. Click the Management link on the System configuration panel to display the Management configuration
panel.
June 2005
Securing SNMP Access
10 - 3