Traditional access control
Most simple access control requirements can be specified using the directives rouser/rwuser (for SNMPv3) or rocommunity/rwcommunity (for SNMPv1 or SNMPv2c).

rouser [-s usm] USERNAME [noauth | auth | priv [OID | -V VIEW [CONTEXT]]]
rwuser [-s usm] USERNAME [noauth | auth | priv [OID | -V VIEW [CONTEXT]]]
These directives specify that an SNMPv3 user (USERNAME) will be allowed read-only or read-write access respectively.

The default (unspecified) security level is auth, which is the recommended minimum security level (see above). It is not recommended to use the usm security level noauth, where all SNMP messages are unauthenticated and any tampering with a message cannot be detected. Using noauth reduces the security of the SNMP messages to the level of SNMPv1 or SNMPv2c.

OID restricts access for that user to the subtree rooted at the given OID. VIEW restricts access for that user to the specified View-based Access Control Model (VACM) view name. An optional context can also be specified, or CONTEXT* to denote a context prefix. If no context field is specified (or the token * is used), the directive will match all possible contexts. (Contexts are a mechanism within SNMPv3 whereby an agent can support parallel versions of the same MIB objects, referring to different underlying data sets.)

A security model can be specified with -s SECMODEL; however, the default security model usm is the only security model supported in the nShield distribution of SNMP.
Example:

- Read-only user with access to the full OID tree, requiring authentication as a minimum:

rouser user1

Or

rouser -s usm user1 auth .1

- Read-only user with access to the nShield MIB, allowing unauthenticated requests:

rouser user2 noauth .1.3.6.1.4.1.7682

- Read-write user with access to the full OID tree, requiring authentication as a minimum:

rwuser user3

Or

rwuser user3 auth .iso

- Read-write user with access to the snmpVacmMIB subtree, requiring authentication and encryption:

rwuser user4 priv snmpVacmMIB

Or

rwuser user4 priv .1.3.6.1.6.3.16
rocommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
rwcommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]

These directives specify an SNMPv1 or SNMPv2c community that will be allowed read-only (GET and GETNEXT) or read-write (GET, GETNEXT and SET) access respectively. By default, this will provide access to the full OID tree for such requests, regardless of where they were sent from.

SOURCE allows access either from a particular range of source addresses, or globally (default). A restricted source can be either a specific hostname or address (for example, localhost or 127.0.0.1), or a subnet, represented as IP/MASK (for example, 10.10.10.0/255.255.255.0) or IP/BITS (for example, 10.10.10.0/24).

OID, VIEW and CONTEXT are as defined for rouser and rwuser.
Example:

- Setting up a read-only community named public that can be accessed by any user with the community name:

rocommunity public

- Setting up a read/write community named private that can only be accessed from the machine on which the agent is running:

rwcommunity private localhost
In each case, only one directive should be specified for a given SNMPv3 user or community string. It is not appropriate to specify both rouser and rwuser directives referring to the same SNMPv3 user (or equivalent community settings). The rwuser directive provides all the access of rouser (as well as allowing SET support). The same applies to rwcommunity and rocommunity.

More complex access requirements (such as access to two or more distinct OID subtrees, or different views for GET and SET requests) should use VACM configuration directives.
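The following checker is an added example, not part of this documentation or of the nShield or net-snmp distributions. It parses the four traditional access-control directives according to the syntax given above and flags the three conditions this page warns about: a user at the noauth security level, a community with no SOURCE restriction (reachable from any address), and more than one directive for the same user or community. The sample configuration embedded in the block is constructed for the example; the rule that a second community token starting with "." or equal to -V is an OID or view rather than a SOURCE is an assumption of this checker, not a statement about how snmpd itself parses the line.

```python
"""Audit the traditional access-control directives in an snmpd.conf fragment."""
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample fragment (not taken from any real deployment): the
# page's own examples plus entries chosen to trip each check.
SAMPLE_CONF = """\
# SNMPv3 users
rouser user1
rouser user2 noauth .1.3.6.1.4.1.7682
rwuser user3 auth .iso
rouser user3
rwuser user4 priv snmpVacmMIB
# SNMPv1/v2c communities
rocommunity public
rwcommunity private localhost
rocommunity ops 10.10.10.0/24 .1.3.6.1.4.1.7682
"""

USER_DIRECTIVES = {"rouser": "ro", "rwuser": "rw"}
COMMUNITY_DIRECTIVES = {"rocommunity": "ro", "rwcommunity": "rw"}
LEVELS = ("noauth", "auth", "priv")


@dataclass
class Entry:
    kind: str     # "user" (rouser/rwuser) or "community" (rocommunity/rwcommunity)
    access: str   # "ro" or "rw"
    name: str     # USERNAME or COMMUNITY
    level: str    # users: noauth/auth/priv; an unspecified level means auth
    source: str   # communities: SOURCE restriction; "default" means any address
    scope: str    # OID subtree, VACM view, or the full OID tree
    line: int


def _scope(rest):
    """Decode the optional trailing [OID | -V VIEW [CONTEXT]] part."""
    if not rest:
        return "full OID tree"
    if rest[0] == "-V" and len(rest) > 1:
        return f"view {rest[1]}"
    return f"subtree {rest[0]}"


def _parse_user(args, access, lineno):
    if len(args) >= 2 and args[0] == "-s":   # optional -s SECMODEL
        args = args[2:]
    if not args:
        raise ValueError(f"line {lineno}: missing USERNAME")
    name, rest = args[0], args[1:]
    level = "auth"                           # page: unspecified level is auth
    if rest and rest[0] in LEVELS:
        level, rest = rest[0], rest[1:]
    return Entry("user", access, name, level, "n/a", _scope(rest), lineno)


def _parse_community(args, access, lineno):
    if not args:
        raise ValueError(f"line {lineno}: missing COMMUNITY")
    name, rest = args[0], args[1:]
    source = "default"
    # Assumption of this checker: a second token that is an OID ("." prefix)
    # or the -V flag means no SOURCE was given, so access stays global.
    if rest and rest[0] != "-V" and not rest[0].startswith("."):
        source, rest = rest[0], rest[1:]
    return Entry("community", access, name, "n/a", source, _scope(rest), lineno)


def parse_conf(text):
    """Return the access-control Entry objects found in snmpd.conf text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in USER_DIRECTIVES:
            entries.append(_parse_user(args, USER_DIRECTIVES[directive], lineno))
        elif directive in COMMUNITY_DIRECTIVES:
            entries.append(_parse_community(args, COMMUNITY_DIRECTIVES[directive], lineno))
    return entries


def audit(text):
    """Flag the weak or contradictory settings the page warns about."""
    entries = parse_conf(text)
    findings = []
    for e in entries:
        if e.kind == "user" and e.level == "noauth":
            findings.append({"check": "noauth", "name": e.name, "line": e.line,
                             "detail": "messages unauthenticated; tampering undetectable"})
        if e.kind == "community" and e.source == "default":
            findings.append({"check": "global-community", "name": e.name, "line": e.line,
                             "detail": f"{e.access} access from any source address"})
    # One directive per user or community; rwuser already implies rouser.
    groups = defaultdict(list)
    for e in entries:
        groups[(e.kind, e.name)].append(e)
    for (kind, name), group in groups.items():
        if len(group) > 1:
            lines = ", ".join(str(g.line) for g in group)
            findings.append({"check": "duplicate-directive", "name": name,
                             "line": group[-1].line,
                             "detail": f"{kind} {name} defined on lines {lines}"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']}: {f['check']} {f['name']}: {f['detail']}")
```

Run against a real file with audit(open("/etc/snmp/snmpd.conf").read()); entries that use VACM directives (com2sec, group, view, access) are outside the four directives covered here and are ignored by this checker.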