SNMPv3 CLI User Management and AAA Integration; CLI and SNMP User Synchronization - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual

Chapter 27
Configuring SNMP
Send documentation comments to mdsfeedback-doc@cisco.com.

SNMPv3 CLI User Management and AAA Integration

The Cisco SAN-OS software implements RFC 3414 and RFC 3415, including the user-based security model
(USM) and role-based access control. While SNMP and the CLI have common role management and
share the same credentials and access privileges, the local user database was not synchronized in earlier
releases.

SNMPv3 user management can be centralized at the AAA server level. This centralized user
management allows the SNMP agent running on the Cisco MDS switch to leverage the user
authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are
processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the
group names to apply the access/role policy that is locally available in the switch.
Note
The SNMPv3 user management with AAA servers in Cisco SAN-OS operates only with Fabric Manager
and Device Manager, not with third-party SNMP clients or applications. You cannot use one-time
password (OTP) tokens as SNMP passwords because OTP tokens are suitable only for end-entity
authentication and not for the message authentication and integrity protection that SNMP provides. An
OTP token is never a substitute for a password, especially for message authentication of SNMP protocol
data units (PDUs). Once an OTP token is used for authentication, it is not usable for anything else and
is public information, so using it later for the message authentication and integrity protection of SNMP
PDUs provides no security. Also, because Fabric Manager and Device Manager cannot distinguish a
typed-in password from an OTP, Fabric Manager and Device Manager cannot automatically block the use
of OTPs during login and for authenticating subsequent SNMP PDUs.

CLI and SNMP User Synchronization

Any configuration changes made to the user group, role, or password result in database
synchronization for both SNMP and AAA.

To create an SNMP or CLI user, use either the username or snmp-server user command.
Users are synchronized as follows:

• The auth passphrase specified in the snmp-server user command is synchronized as the password
for the CLI user.
• The password specified in the username command is synchronized as the auth and priv
passphrases for the SNMP user.
• Deleting a user using either command results in the user being deleted for both SNMP and CLI.
• User-role mapping changes are synchronized in SNMP and CLI.

Note
When the passphrase/password is specified in localized key/encrypted format, the password
is not synchronized.

Existing SNMP users continue to retain the auth and priv information without any changes.

If the management station creates an SNMP user in the usmUserTable, the corresponding CLI user is
created without any password (login is disabled) and will have the network-operator role.
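As an added example (not part of the manual or of Cisco's software), the following Python script cross-checks the username and snmp-server user entries of a constructed running-config excerpt against the synchronization rules above: SNMP-only users (as created through usmUserTable), passwordless CLI users, role drift between the two sides, and localized keys whose passphrases are not synchronized. The exact command syntax, user names and key values are assumed sample data.

```python
import re

# Constructed SAN-OS-style configuration excerpt (sample data, not from the manual).
# The command syntax below is assumed; adapt the patterns to your switch's output.
SAMPLE_CONFIG = """\
username admin password 5 $1$constructedhash$ role network-admin
username oper1 password 5 $1$constructedhash$ role network-operator
username svc-nms role network-operator
snmp-server user admin network-admin auth md5 0xC0FFEE priv 0xC0FFEE localizedkey
snmp-server user oper1 network-admin auth md5 0xC0FFEE priv 0xC0FFEE localizedkey
snmp-server user svc-nms network-operator auth md5 0xC0FFEE priv 0xC0FFEE localizedkey
snmp-server user nmsonly network-admin auth md5 ConstructedPass1 priv ConstructedPass1
"""

USERNAME_RE = re.compile(r"^username (\S+)(?: password (\S+) (\S+))?(?: role (\S+))?$")
SNMP_USER_RE = re.compile(r"^snmp-server user (\S+) (\S+)(.*)$")

def audit_user_sync(config: str) -> dict:
    """Cross-check CLI (username) and SNMPv3 (snmp-server user) entries.

    snmp_only:      SNMP users with no username line (e.g. created through
                    usmUserTable; expect a passwordless network-operator CLI user)
    cli_only:       CLI users with no SNMPv3 credentials
    login_disabled: CLI users carrying no password, so CLI login is disabled
    role_mismatch:  same name, different role on the two sides
    localized:      SNMP keys in localized form; such passphrases are not
                    synchronized to the CLI password
    """
    cli, snmp = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := USERNAME_RE.match(line):
            name, pw_type, _hash, role = m.groups()
            cli[name] = {"role": role, "has_password": pw_type is not None}
        elif m := SNMP_USER_RE.match(line):
            name, role, rest = m.groups()
            snmp[name] = {"role": role, "localized": "localizedkey" in rest.split()}
    findings = {k: [] for k in ("snmp_only", "cli_only", "login_disabled",
                                "role_mismatch", "localized")}
    for name, s in snmp.items():
        if name not in cli:
            findings["snmp_only"].append(name)
        elif cli[name]["role"] != s["role"]:
            findings["role_mismatch"].append(name)
        if s["localized"]:
            findings["localized"].append(name)
    for name, c in cli.items():
        if name not in snmp:
            findings["cli_only"].append(name)
        if not c["has_password"]:
            findings["login_disabled"].append(name)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, users in audit_user_sync(SAMPLE_CONFIG).items():
        print(f"{category:15} {', '.join(users) or '-'}")
```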
