Traditional access control

Most simple access control requirements can be specified using the directives rouser/rwuser (for SNMPv3) or rocommunity/rwcommunity (for SNMPv1 or SNMPv2c).

rouser [-s usm] USERNAME [noauth | auth | priv [OID | -V VIEW [CONTEXT]]]
rwuser [-s usm] USERNAME [noauth | auth | priv [OID | -V VIEW [CONTEXT]]]

These directives specify that an SNMPv3 user (USERNAME) will be allowed read-only or read-write access respectively. The default (unspecified) security level is auth, which is the recommended minimum security level (see above). It is not recommended to use the usm security level noauth, where all SNMP messages are unauthenticated and any tampering with a message cannot be detected. Using noauth reduces the security of the SNMP messages to the level of SNMPv1 or SNMPv2c.

OID restricts access for that user to the subtree rooted at the given OID.

VIEW restricts access for that user to the specified View-based Access Control Model (VACM) view name. An optional CONTEXT can also be specified, or CONTEXT* to denote a context prefix. If no context field is specified (or the token * is used), the directive will match all possible contexts. (Contexts are a mechanism within SNMPv3 whereby an agent can support parallel versions of the same MIB objects, referring to different underlying data sets.)

A security model can be specified with -s SECMODEL; however, the default security model usm is the only security model supported in the nShield distribution of SNMP.

Example:

  • Read-only user with access to the full OID tree requiring authentication as a minimum:

    rouser user1

    Or

    rouser -s usm user1 auth .1
  • Read-only user with access to the nShield MIB allowing unauthenticated requests:

    rouser user2 noauth .1.3.6.1.4.1.7682
  • Read-write user with access to the full OID tree requiring authentication as a minimum:

    rwuser user3

    Or

    rwuser user3 auth .iso
  • Read-write user with access to the snmpVacmMIB subtree requiring authentication and encryption:

    rwuser user4 priv snmpVacmMIB

    Or

    rwuser user4 priv .1.3.6.1.6.3.16

rocommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]
rwcommunity COMMUNITY [SOURCE [OID | -V VIEW [CONTEXT]]]

Specifies an SNMPv1 or SNMPv2c community that will be allowed read-only (GET and GETNEXT) or read-write (GET, GETNEXT and SET) access respectively. By default, this will provide access to the full OID tree for such requests, regardless of where they were sent from. SOURCE allows access either from a particular range of source addresses, or globally (default). A restricted source can either be a specific hostname or address (for example, localhost or 127.0.0.1), or a subnet - represented as IP/MASK (for example, 10.10.10.0/255.255.255.0), or IP/BITS (for example, 10.10.10.0/24).

OID, VIEW and CONTEXT are as defined for rouser and rwuser.

Example:

  • Setting up a read-only community named public that can be accessed by any user with the community name:

    rocommunity public
  • Setting up a read/write community named private that can only be accessed from the machine on which the agent is running:

    rwcommunity private localhost

In each case, only one directive should be specified for a given SNMPv3 user, or community string. It is not appropriate to specify both rouser and rwuser directives referring to the same SNMPv3 user (or equivalent community settings). The rwuser directive provides all the access of rouser (as well as allowing SET support). The same applies to rwcommunity and rocommunity.
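The following linter is an added example, not part of the nShield documentation or of Net-SNMP. It parses the rouser/rwuser and rocommunity/rwcommunity directives exactly as the grammar above describes them (optional -s SECMODEL, optional security level defaulting to auth, optional OID or -V VIEW [CONTEXT] scope, and for communities an optional SOURCE given as hostname, address, IP/MASK or IP/BITS) and reports the weak settings this section warns about: noauth users, community strings reachable from any source, a community with the full OID tree, a security model other than usm, and a user or community that appears in more than one directive. The sample configuration is constructed for the demonstration; the only assumption beyond the page is that the keyword `default` in the SOURCE position means global access, as it does in Net-SNMP.

```python
"""Lint the traditional (non-VACM) access-control directives of an snmpd.conf."""
import ipaddress
import re
from dataclasses import dataclass

SECURITY_LEVELS = ("noauth", "auth", "priv")
DEFAULT_LEVEL = "auth"          # unspecified level means auth
SUPPORTED_SECMODELS = ("usm",)  # usm is the only model supported by the nShield build
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


@dataclass
class Finding:
    line_no: int
    severity: str   # "error", "high", "warn" or "info"
    message: str


def parse_scope(tokens):
    """Parse the optional trailing [OID | -V VIEW [CONTEXT]]; absent means the full tree."""
    if not tokens:
        return {"kind": "full"}
    if tokens[0] == "-V":
        if len(tokens) < 2:
            raise ValueError("-V requires a VIEW name")
        return {"kind": "view", "view": tokens[1], "context": tokens[2] if len(tokens) > 2 else "*"}
    return {"kind": "oid", "oid": tokens[0]}


def parse_user_directive(tokens):
    """Tokens after rouser/rwuser: [-s SECMODEL] USERNAME [noauth|auth|priv [scope]]."""
    secmodel = "usm"
    if tokens[:1] == ["-s"]:
        if len(tokens) < 2:
            raise ValueError("-s requires a security model")
        secmodel, tokens = tokens[1], tokens[2:]
    if not tokens:
        raise ValueError("missing USERNAME")
    user, rest = tokens[0], tokens[1:]
    level = DEFAULT_LEVEL
    if rest and rest[0] in SECURITY_LEVELS:
        level, rest = rest[0], rest[1:]
    return {"user": user, "secmodel": secmodel, "level": level, "scope": parse_scope(rest)}


def source_is_global(source):
    """Validate SOURCE (hostname, address, IP/MASK or IP/BITS); True when access is global."""
    if source is None or source == "default":   # assumption: Net-SNMP's 'default' keyword
        return True
    if "/" in source:
        ipaddress.ip_network(source, strict=False)  # accepts both /24 and /255.255.255.0
        return False
    try:
        ipaddress.ip_address(source)
    except ValueError:
        if not HOSTNAME_RE.match(source):
            raise ValueError(f"invalid SOURCE {source!r}")
    return False


def parse_community_directive(tokens):
    """Tokens after rocommunity/rwcommunity: COMMUNITY [SOURCE [scope]]."""
    if not tokens:
        raise ValueError("missing COMMUNITY")
    community, rest = tokens[0], tokens[1:]
    source = None
    if rest and rest[0] != "-V":           # a leading -V means no SOURCE was given
        source, rest = rest[0], rest[1:]
    return {"community": community, "source": source,
            "global": source_is_global(source), "scope": parse_scope(rest)}


def lint(conf_text):
    """Return a list of Finding objects for the access directives in conf_text."""
    findings, seen_users, seen_comms = [], {}, {}
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        directive, *tokens = line.split()
        try:
            if directive in ("rouser", "rwuser"):
                d = parse_user_directive(tokens)
                if d["secmodel"] not in SUPPORTED_SECMODELS:
                    findings.append(Finding(line_no, "error", f"security model {d['secmodel']} unsupported; use usm"))
                if d["level"] == "noauth":
                    findings.append(Finding(line_no, "high", f"user {d['user']} accepts unauthenticated requests (SNMPv1/v2c-equivalent)"))
                if directive == "rwuser" and d["level"] != "priv":
                    findings.append(Finding(line_no, "warn", f"write access for {d['user']} without encryption (level {d['level']})"))
                if d["user"] in seen_users:
                    findings.append(Finding(line_no, "error", f"user {d['user']} already configured on line {seen_users[d['user']]}"))
                seen_users.setdefault(d["user"], line_no)
            elif directive in ("rocommunity", "rwcommunity"):
                d = parse_community_directive(tokens)
                where = "any source address" if d["global"] else d["source"]
                findings.append(Finding(line_no, "high" if d["global"] else "warn",
                                        f"{directive} {d['community']!r} reachable from {where}; community strings are unauthenticated"))
                if d["scope"]["kind"] == "full":
                    findings.append(Finding(line_no, "info", f"community {d['community']!r} has access to the full OID tree"))
                if d["community"] in seen_comms:
                    findings.append(Finding(line_no, "error", f"community {d['community']!r} already configured on line {seen_comms[d['community']]}"))
                seen_comms.setdefault(d["community"], line_no)
        except ValueError as exc:
            findings.append(Finding(line_no, "error", f"{directive}: {exc}"))
    return findings


# Constructed sample snmpd.conf fragment for the demonstration (not a real deployment).
SAMPLE_CONF = """\
rouser user1
rouser -s usm user2 noauth .1.3.6.1.4.1.7682
rwuser user3 priv snmpVacmMIB
rwuser user1 auth .iso
rocommunity public
rwcommunity private localhost
rocommunity monitor 10.10.10.0/24 .1.3.6.1.4.1.7682
rocommunity broken 10.10.10.0/33
"""

if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

Run against the sample, the linter flags user2 for noauth, user1 for appearing in both a rouser and an rwuser directive, the public community for global read access to the whole tree, and the last line for a malformed subnet; the monitor community, restricted to one subnet and to the nShield MIB, produces only the warning that community strings are unauthenticated. The parser is deliberately permissive about OID spelling (numeric, .iso, or a MIB module name are all accepted as the page's examples use them) and does not resolve view names, so VACM directives still need review by hand.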

More complex access requirements (such as access to two or more distinct OID subtrees, or different views for GET and SET requests) should use VACM configuration directives.