SNMP settings

SNMPv3 access settings for administrators

Administrators have SNMPv3 access according to their access rights
Enable this option if registered administrators should also have access via SNMPv3.

Password rules

Enforce password rules
This entry gives you the option to disable or enable the enforcement of password rules. The following rules then apply for SNMPv3 authentication and the password for SNMPv3 encryption:
  • The length of the password must be at least 16 characters.
  • The password must contain at least 3 of the 4 character classes, i.e. lowercase letters, uppercase letters, numbers, and special characters.
Important: Note that turning on this feature does not cause current passwords to be verified immediately. Only future password changes will be checked for compliance with the policy.

SNMP communities

Administrators of networks with SNMP management systems can precisely control the access rights to various access levels. SNMP of the versions v1 and v2 do this by encoding the access credentials as part of a "community". Authentication is optionally handled

.

A community collects certain SNMP hosts into groups, in part so that it is easier to manage them. On the other hand, SNMP communities offer a certain degree of security because an SNMP agent only accepts SNMP requests from participants in a community that it knows.

By default, your device answers all SNMP requests that it receives from LANmonitor or another SNMP management system with the community public. Because this represents a potential security risk, especially with external access, LANconfig gives you the option of defining your own communities.

Note: This configuration is relevant for the SNMP versions v1 and v2c only.




Entry active
Activates or deactivates this SNMP community.
Name
Enter a descriptive name for this SNMP community.
Security-Name
Here you enter the name for the access policy that specifies the access rights for all community members.
Note: The SNMP community public is set up by default, and this provides unrestricted SNMP read access.

For SNMPv1 or SNMPv2c, you force the entry of login data for SNMP read-only access by disabling the public community in the list of the SNMP communities. This setting only allows information about the state of the device, current connections, reports, etc., to be read out via SNMP after the user authenticates at the device. Authorization can be conducted either with the administrator-account access credentials or an access account created for the individual SNMP community.

Disabling the community public has no effect on accessing for other communities created here. An individual SNMP read-only community always provides an alternative access path that is not tied to an administrator account.

Note: SNMP write access is reserved exclusively for administrators with the appropriate permissions.

Users

Individual users can be granted access to the device in addition to the administrators registered on it. Here you configure the authentication and encryption settings for these users when operating SNMPv3.





Entry active
Activates or deactivates this user.
User name
Enter a descriptive name for this user.
Authentication
Specify the method that the user is required to use to authenticate at the SNMP agent. The following options are available:
None
Authentication of the user is not necessary.
HMAC-MD5
Authentication is performed using the hash algorithm HMAC-MD5-96 (hash length 128 bits).
HMAC-SHA (default)
Authentication is performed using the hash algorithm HMAC-SHA (hash length 160 bits).
HMAC-SHA224
Authentication is performed using the hash algorithm HMAC-SHA-224 (hash length 224 bits).
HMAC-SHA256
Authentication is performed using the hash algorithm HMAC-SHA-256 (hash length 256 bits).
HMAC-SHA384
Authentication is performed using the hash algorithm HMAC-SHA-384 (hash length 384 bits).
HMAC-SHA512
Authentication is performed using the hash algorithm HMAC-SHA-512 (hash length 512 bits).
Password for auth.
Enter the user password necessary for authentication here and repeat it in the box below.
Encryption
Specify which encryption method is used for encrypted communication with the user. The following options are available:
None
Communication is not encrypted.
DES
Encryption is performed with DES (key length 56 bits).
AES128
Encryption is performed with AES128 (key length 128 bits)
AES192
Encryption is performed with AES192 (key length 192 bits)
AES256 (default)
Encryption is performed with AES256 (key length 256 bits)
Password for priv.
Enter the user password required by the encryption here and repeat it in the box below.

Groups

By configuring SNMP groups, it is easy to manage and assign the authentication and access rights of multiple users. By default, the configuration is set up for SNMP access via LANmonitor.





Entry active
Activates or deactivates this group.
Group name
Enter a descriptive name for this group. You will use this name when you go on to configure the access rights.
User / security name
Here you select a security name you assigned to an SNMP community. It is also possible to specify the name of an existing configured user.
Security model
SNMPv3 introduced the principle of the "security model", so that the SNMP configuration in LCOS primarily uses the security model "SNMPv3". However, for compatibility reasons it may be necessary to also take the versions SNMPv2c or even SNMPv1 into account, and to select these as the "security model" accordingly. Select one of the following entries accordingly:
SNMPv1
Data is transmitted by SNMPv1. Users are authenticated by the community string in the SNMP message only. Communication is not encrypted. This corresponds to the security level "No authentication/No privacy".
SNMPv2
Data is transmitted by SNMPv2c. Users are authenticated by the community string in the SNMP message only. Communication is not encrypted. This corresponds to the security level "No authentication/No privacy".
SNMPv3 (USM)
Data is transmitted by SNMPv3. Security levels for the user’s authentication and communication are possible, and these levels are activated with the access rights.

Access rights

This table brings together the different configurations for access rights, security models, and views.





Entry active
Activates or deactivates this entry.
Group name
Here you select the name of a group that is to receive these assess rights.
Read-only view
Set the view of the MIB entries for which this group is to receive read rights.
Read-only view (traps)
Set the view of the MIB entries for which this group is to receive read rights for traps.
Write view
Set the view of the MIB entries for which this group is to receive write rights.
Security model
Activate the appropriate security model here.
Minimal security level
Specify the minimum security level for access and data transfer.
No authentication/No privacy
The authentication is performed by the specification and evaluation of the user name only. Data communication is not encrypted.
Authentication/No privacy
Authentication makes use of the hash algorithms set for the user. Data communication is not encrypted.
Authentication and privacy
Authentication makes use of the hash algorithms set for the user. Data communication is encrypted by DES or AES algorithms.

Views

Here you collect the different values or even entire branches of the device MIB, which each user is entitled to view or change in keeping with the corresponding access rights.





Entry active
Activates or deactivates this view.
Name
Give the view a descriptive name here.
Access to subtree
Here you decide whether the OID subtrees specified in the following are "added" or "removed" from the view.
OID subtree
Use a comma-separated list of the relevant OIDs to decide which values and actions from the MIB are included in or excluded from this view.
Note: The OIDs are taken from the device MIB, which you can download with WEBconfig under Extras > Get Device SNMP MIB.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de

LANCOM Logo