ISE SNMPv3 deleting username design flaw

Arne Bier
VIP

Hello,

All versions of ISE that support SNMPv3 (including ISE 3.1) have an annoying design flaw in the implementation. I can't find a way to delete an existing SNMPv3 username on the CLI.  The CLI wants to know the original auth and priv password. I don't understand why that information is required - especially if the information is not available.

Anyone know if this is a "well known bug", and if it's likely to be resolved?

ise01/admin(config)# no snmp-server user MYSNMP v3 
                                                         ^
% incomplete command detected at '^' marker.

ise01/admin(config)# no snmp-server user MYSNMP v3 plain ?
  <WORD>  Auth Password (Max Size - 40)

It appears to be working as documented because the recommendation in the Release Notes provides this syntax. But deleting such an innocuous thing as an SNMP username should not require prior knowledge of the priv/auth strings.

Another annoying bug is that if the username contains an underscore (_) then the resulting username is garbled into some hex string. And that username cannot be deleted for love nor money.

ise01/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ise01/admin(config)# snmp-server user ARNE_BIER v3 plain Encryption123 Encryption123
Warning! SNMPv1/v2c is currently enabled and has known Security vulnerabilities. To disable SNMPv1/v2c, please execute "no snmp-server  community <community string> ro".
ise01/admin(config)# end
ise01/admin# show snmp-server user
User: 0x6164616d2d7633
  EngineID: BGGIG9C95OI
  Auth Protocol: sha
  Priv Protocol: aes-128


And deleting it becomes impossible

ise01/admin# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ise01/admin(config)# no snmp-server user ARNE_BIER v3 plain Encryption123 Encryption123
ise01/admin(config)# end
ise01/admin# show snmp-server user
User: 0x6164616d2d7633
  EngineID: BGGIG9C95OI
  Auth Protocol: sha
  Priv Protocol: aes-128

SNMP just doesn't seem to get the love it deserves


poongarg
Cisco Employee

Hi Arne,

There is a disclaimer already there in ISE 2.4 not to use the special characters - or _ in usernames. This is missing in the ISE 3.1 documentation. I will file a documentation defect for it.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/cli_guide/b_ise_CLIReferenceGuide_24/b_ise_CLIReferenceGuide_24_chapter_011.html#wp1067793462

thanks @poongarg 

The other annoyance I have is that it's impossible to delete any SNMP v3 username from the ISE CLI, if you do not know the priv & auth passwords.  In general, IOS syntax allows us to negate a command with a 'no' and then most of the remaining command's (irrelevant) arguments are not required. This is surely a bug too.

regards

thanks @poongarg - much appreciated.

Hi Arne

Just out of curiosity, did you try to use any arbitrary auth/priv passwords in "no snmp-server user ..."?

Hi Arne,

I tested on 3.0 P7 and 3.1 as well, and I am able to delete the user from the command line, but "sh snmp-server user" keeps it in the hex-format username (CSCwd38766). This defect is supposed to get fixed in the upcoming ISE 3.2 patch.

ise30-poongarg/admin(config)# snmp-server user SNMPv3-p2 v3 hash cadf4fd402ad6ad38321e05602be28b3 cadf4fd402ad6ad38321e05602be28b3

ise30-poongarg/admin(config)# no snmp-server user SNMPv3-p2 v3 hash cadf4fd402ad6ad38321e05602be28b3 cadf4fd402ad6ad38321e05602be28b3

ise30-poongarg/admin# sh snmp-server user

User: 0x534e4d5076332d7032
EngineID: RO3R8KQ9DD8
Auth Protocol: sha
Priv Protocol: aes-128
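The "0x..." username that "show snmp-server user" prints in the replies above is the hex encoding of the username's bytes: 0x534e4d5076332d7032 decodes to SNMPv3-p2, with the dash being the character that triggers the hex form. The following parser is an added example, not code from the thread or from Cisco: it reads the "show snmp-server user" output, decodes hex-encoded names back to text, and flags the characters outside [A-Za-z0-9] that the ISE 2.4 CLI guide warns against. The sample output is constructed to match the format quoted in this thread; the assumption that a plain name without special characters is displayed as-is is not shown on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the "show snmp-server user" output quoted in
# this thread. The second record is an assumption: a name with only
# alphanumerics is taken to be printed unencoded.
SAMPLE_SHOW_OUTPUT = """\
User: 0x534e4d5076332d7032
  EngineID: RO3R8KQ9DD8
  Auth Protocol: sha
  Priv Protocol: aes-128
User: SNMPv3USER
  EngineID: RO3R8KQ9DD8
  Auth Protocol: sha
  Priv Protocol: aes-128
"""

# "0x" followed by an even number of hex digits, i.e. the encoded-name form.
HEX_NAME = re.compile(r"^0x(?:[0-9a-fA-F]{2})+$")


@dataclass
class SnmpV3User:
    raw_name: str        # exactly what the CLI printed
    name: str            # decoded username
    engine_id: str
    auth_protocol: str
    priv_protocol: str

    @property
    def was_hex_encoded(self) -> bool:
        return self.raw_name != self.name

    @property
    def unsafe_chars(self) -> str:
        """Characters outside [A-Za-z0-9], sorted and de-duplicated."""
        return "".join(sorted(set(re.sub(r"[A-Za-z0-9]", "", self.name))))


def decode_username(raw: str) -> str:
    """Turn a 0x-prefixed hex name back into text; pass other names through."""
    if HEX_NAME.match(raw):
        return bytes.fromhex(raw[2:]).decode("utf-8", errors="replace")
    return raw


def _to_user(fields: Dict[str, str]) -> SnmpV3User:
    raw = fields["User"]
    return SnmpV3User(
        raw_name=raw,
        name=decode_username(raw),
        engine_id=fields.get("EngineID", ""),
        auth_protocol=fields.get("Auth Protocol", ""),
        priv_protocol=fields.get("Priv Protocol", ""),
    )


def parse_show_snmp_users(text: str) -> List[SnmpV3User]:
    """Split the output into one record per 'User:' line."""
    users: List[SnmpV3User] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "User":
            if current:
                users.append(_to_user(current))
            current = {"User": value}
        elif current:
            current[key] = value
    if current:
        users.append(_to_user(current))
    return users


def report(text: str) -> List[str]:
    """One human-readable line per user, noting hex-encoded names."""
    lines = []
    for u in parse_show_snmp_users(text):
        note = ""
        if u.was_hex_encoded:
            note = (f"  (printed as {u.raw_name}; contains {u.unsafe_chars!r}, "
                    f"which the ISE 2.4 CLI guide says to avoid)")
        lines.append(f"{u.name}: auth={u.auth_protocol} priv={u.priv_protocol}{note}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SHOW_OUTPUT):
        print(line)
```

Paste real "show snmp-server user" output in place of the constructed sample; the decoded name is the one to use in the "no snmp-server user" command, since the CLI does not accept the 0x form.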

Arne Bier
VIP

Hi @poongarg 

Thanks for the feedback on the CSCwd38766.

However the CLI still has a design flaw. Why is the auth/priv password required when deleting an SNMP v3 username? What if I don't know what those passwords are?  In that case, ISE refuses to delete the username. That's inconsistent with how IOS-style commands work. It should be a simple case of "no snmp-server user <username>"

And I also don't know why there is an argument of "v3" included in snmp-server user syntax - v3 should be implied, since snmp v1 and v2 don't have a concept of usernames.

poongarg
Cisco Employee

Hi Arne,

We are able to delete the user with the encrypted password as in my previous post, so there is no need to have the plaintext password to delete the user. Just run the "sh run" command, find the username with the hashed password, and then negate the command with "no".

I will edit the previous defect CSCwd38771 to add the workaround.

Arne Bier
VIP

Still ... the point of specifying any passwords, whether hashed or not, during the deletion process makes no sense. Why bother asking for a password in the first place? 

When I tried it on 3.0 patch 5, the hash in the show run was 97 characters long.  I pasted exactly into the "no" command and not surprisingly, the error comes back   

% param string too long detected at the '^' marker.

The CLI says the hash param can be up to 80 characters long. Mine is 97.  I didn't make up that hash - comes from the show run. Another reason why this is a dumb way of deleting an account.

Hi Arne,

As a workaround you can use partial hash. It will also work. I just tested as below:

Config on my ISE node:

snmp-server user SNMPv3USER v3 sha1 hash 3dc04af2e4d92a9f3612c4a34e1cbcd0 72ebe5f780e4017ec686de7015ccd55e

Used partial hash to delete the user:

ise-31-poongarg/admin(config)# no snmp-server user SNMPv3USER v3 sha1 hash 3dc04af2e4 72ebe5f780e4017ec
ise-31-poongarg/admin(config)#
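The two workarounds in this thread combine into one procedure: take the "snmp-server user ... hash ..." line from "show running-config", prefix it with "no", and, if a hash exceeds the 80-character parameter limit the CLI reported, shorten it, since a partial hash is accepted. The script below is an added example, not code from the thread or from Cisco; it generates those "no" commands offline so they can be pasted into the ISE CLI. Assumptions not on the page: the parameter limit is taken to be exactly 80, the optional protocol token between "v3" and "hash"/"plain" is accepted as sha1, sha or md5, and the 97-character hash in the constructed sample config is made up to reproduce the "param string too long" case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The thread reports "% param string too long" for a 97-character hash and a
# CLI limit of 80; assumed here to be exactly 80 characters per parameter.
HASH_PARAM_MAX = 80

# Matches the "snmp-server user" lines seen in the thread, with or without the
# protocol token ("v3 hash ..." and "v3 sha1 hash ..."). Accepting sha/md5 is
# an assumption; the page only shows sha1.
_USER_LINE = re.compile(
    r"^\s*(?:no\s+)?snmp-server\s+user\s+(?P<name>\S+)\s+v3"
    r"(?:\s+(?P<proto>sha1|sha|md5))?"
    r"\s+(?P<mode>plain|hash)\s+(?P<auth>\S+)\s+(?P<priv>\S+)\s*$"
)

# Constructed running-config excerpt: the first line is the one quoted in the
# reply above, the second has made-up 97-character hashes, the third is noise.
_LONG_HASH = ("ab" * 48) + "c"
SAMPLE_RUNNING_CONFIG = f"""\
snmp-server user SNMPv3USER v3 sha1 hash 3dc04af2e4d92a9f3612c4a34e1cbcd0 72ebe5f780e4017ec686de7015ccd55e
snmp-server user MYSNMP v3 hash {_LONG_HASH} {_LONG_HASH}
snmp-server community public ro
"""


@dataclass
class SnmpUserLine:
    name: str
    proto: Optional[str]
    mode: str      # "plain" or "hash"
    auth: str
    priv: str


def parse_user_line(line: str) -> Optional[SnmpUserLine]:
    """Return the parsed line, or None if it is not an snmp-server user line."""
    m = _USER_LINE.match(line)
    if not m:
        return None
    return SnmpUserLine(m["name"], m["proto"], m["mode"], m["auth"], m["priv"])


def username_warning(name: str) -> Optional[str]:
    """Flag names the ISE 2.4 CLI guide warns about (non-alphanumerics)."""
    bad = "".join(sorted(set(re.sub(r"[A-Za-z0-9]", "", name))))
    return f"username {name!r} contains {bad!r}; the CLI may store it hex-encoded" if bad else None


def build_delete_command(line: str, max_param: int = HASH_PARAM_MAX) -> str:
    """Negate one running-config line, shortening hashes to fit the CLI limit.

    Plain passwords are never truncated: only the hash form is known (from the
    thread) to be accepted as a prefix.
    """
    u = parse_user_line(line)
    if u is None:
        raise ValueError(f"not an snmp-server user line: {line!r}")
    auth, priv = u.auth, u.priv
    if u.mode == "hash":
        auth, priv = auth[:max_param], priv[:max_param]
    parts = ["no", "snmp-server", "user", u.name, "v3"]
    if u.proto:
        parts.append(u.proto)
    parts += [u.mode, auth, priv]
    return " ".join(parts)


def delete_commands_from_running_config(text: str) -> List[str]:
    """All 'no snmp-server user' commands for the user lines in a config dump."""
    return [build_delete_command(ln) for ln in text.splitlines() if parse_user_line(ln)]


if __name__ == "__main__":
    for cmd in delete_commands_from_running_config(SAMPLE_RUNNING_CONFIG):
        print(cmd)
    print(username_warning("ARNE_BIER"))
```

Feed it the real "show running-config" output and paste the resulting lines into "conf t"; each hash parameter is at most 80 characters, so the "param string too long" error does not occur, and the command still matches the user because the CLI accepts a hash prefix.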
