topic Re: ISE SNMPv3 deleting username design flaw in Network Access Control

ISE SNMPv3 deleting username design flaw

Arne Bier — Thu, 08 Sep 2022 03:04:26 GMT

Hello,

All versions of ISE that support SNMPv3 (including ISE 3.1) have an annoying design flaw in the implementation. I can't find a way to delete an existing SNMPv3 username on the CLI. The CLI wants to know the original auth and priv password. I don't understand why that information is required - especially if the information is not available.

Anyone know if this is a "well known bug", and if it's likely to be resolved?

ise01/admin(config)# no snmp-server user MYSNMP v3 ^ % incomplete command detected at '^' marker. ise01/admin(config)# no snmp-server user MYSNMP v3 plain ? <WORD> Auth Password (Max Size - 40)

It appears to be working as documented because the recommendation in the Release Notes provides this syntax. But deleting such an innocuous thing as an SNMP username should not require prior knowledge of the priv/auth strings.

Another annoying bug is that if the username contains an underscore (_) then the resulting username is garbled into some hex string. And that username cannot be deleted for love nor money.

ise01/admin# conf t Enter configuration commands, one per line. End with CNTL/Z. ise01/admin(config)# snmp-server user ARNE_BIER v3 plain Encryption123 Encryption123 Warning! SNMPv1/v2c is currently enabled and has known Security vulnerabilities. To disable SNMPv1/v2c, please execute "no snmp-server community <community string> ro". ise01/admin(config)# end ise01/admin# show snmp-server user User: 0x6164616d2d7633 EngineID: BGGIG9C95OI Auth Protocol: sha Priv Protocol: aes-128

And deleting it becomes impossible

ise01/admin# conf t Enter configuration commands, one per line. End with CNTL/Z. ise01/admin(config)# no snmp-server user ARNE_BIER v3 plain Encryption123 Encryption123 ise01/admin(config)# end ise01/admin# show snmp-server user User: 0x6164616d2d7633 EngineID: BGGIG9C95OI Auth Protocol: sha Priv Protocol: aes-128

SNMP just doesn't seem to get the love it deserves 😞

Re: ISE SNMPv3 deleting username design flaw

poongarg — Tue, 18 Oct 2022 07:24:31 GMT

Hi Arne,

There is a disclaimer already there in ISE 2.4, not to use special characters - or _ in usernames. This is missing in ISE 3.1 documentation. I will file documentation defect for it.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/cli_guide/b_ise_CLIReferenceGuide_24/b_ise_CLIReferenceGuide_24_chapter_011.html#wp1067793462

Re: ISE SNMPv3 deleting username design flaw

Arne Bier — Tue, 18 Oct 2022 08:11:24 GMT

thanks @poongarg

The other annoyance I have is that it's impossible to delete any SNMP v3 username from the ISE CLI, if you do not know the priv & auth passwords. In general, IOS syntax allows us to negate a command with a 'no' and then most of the remaining command's (irrelevant) arguments are not required. This is surely a bug too.

regards

Re: ISE SNMPv3 deleting username design flaw

poongarg — Wed, 26 Oct 2022 06:20:24 GMT

Hello Arne,

I have filed below defects for SNMPV3 issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd38771

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd38766

Re: ISE SNMPv3 deleting username design flaw

Arne Bier — Wed, 26 Oct 2022 20:20:58 GMT

thanks @poongarg - much appreciated.

Re: ISE SNMPv3 deleting username design flaw

Andrii Oliinyk — Thu, 09 Feb 2023 11:20:22 GMT

Hi Arne

just for curiosity did u try to use any arbitrary auth/priv passwords in "no snmp-server user ..." ?

Re: ISE SNMPv3 deleting username design flaw

Arne Bier — Thu, 09 Feb 2023 20:44:06 GMT

Yes I did - it fails.

Re: ISE SNMPv3 deleting username design flaw

poongarg — Fri, 04 Aug 2023 06:13:43 GMT

Hi Arne,

I tested on 3.0 P7 and 3.1 as well and I am able to delete the user from command line but the "sh snmp-server user" keep it in the hex format username (CSCwd38766). This defect is suppose to get fixed in the upcoming ISE 3.2 patch

ise30-poongarg/admin(config)# snmp-server user SNMPv3-p2 v3 hash cadf4fd402ad6ad38321e05602be28b3 cadf4fd402ad6ad38321e05602be28b3

ise30-poongarg/admin(config)# no snmp-server user SNMPv3-p2 v3 hash cadf4fd402ad6ad38321e05602be28b3 cadf4fd402ad6ad38321e05602be28b3

ise30-poongarg/admin# sh snmp-server user

User: 0x534e4d5076332d7032
EngineID: RO3R8KQ9DD8
Auth Protocol: sha
Priv Protocol: aes-128

Re: ISE SNMPv3 deleting username design flaw

Arne Bier — Fri, 04 Aug 2023 06:24:03 GMT

Hi @poongarg

Thanks for the feedback on the CSCwd38766.

However the CLI still has a design flaw. Why is the auth/priv password required when deleting an SNMP v3 username? What if I don't know what those passwords are? In that case, ISE refuses to delete the username. That's inconsistent with how IOS-style commands work. It should be a simple case of "no snmp-server user <username>"

And I also don't know why there is an argument of "v3" included in snmp-server user syntax - v3 should be implied, since snmp v1 and v2 don't have a concept of usernames.

Re: ISE SNMPv3 deleting username design flaw

poongarg — Fri, 04 Aug 2023 06:37:40 GMT

Hi Arne,

We are able to delete the user with encrypted password as in my previous post. So no need to have plain text password to delete the user. Just run the "sh run" command and see the username with hash password and then negate the command with "no".

I will edit the previous defect CSCwd38771 to add the workaround.

Re: ISE SNMPv3 deleting username design flaw

Arne Bier — Fri, 04 Aug 2023 07:19:16 GMT

Still ... the point of specifying any passwords, whether hashed or not, during the deletion process makes no sense. Why bother asking for a password in the first place?

When I tried it on 3.0 patch 5, the hash in the show run was 97 characters long. I pasted exactly into the "no" command and not surprisingly, the error comes back

% param string too long detected at the '^' marker.

The CLI says the hash param can be up to 80 characters long. Mine is 97. I didn't make up that hash - comes from the show run. Another reason why this is a dumb way of deleting an account.

Re: ISE SNMPv3 deleting username design flaw

poongarg — Thu, 10 Aug 2023 01:16:47 GMT

Hi Arne,

As a workaround you can use partial hash. It will also work. I just tested as below:

Config on my ISE node:

snmp-server user SNMPv3USER v3 sha1 hash 3dc04af2e4d92a9f3612c4a34e1cbcd0 72ebe5f780e4017ec686de7015ccd55e

Used partial hash to delete the user:

ise-31-poongarg/admin(config)# no snmp-server user SNMPv3USER v3 sha1 hash 3dc04af2e4 72ebe5f780e4017ec
ise-31-poongarg/admin(config)#