01-23-2023 04:59 AM
How to configure SNMP v3 with read-only access on switches? While configuring Cisco Prime Infrastructure with SNMP v3, there is no option for read-only (RO) like SNMP v2c.
01-23-2023 07:36 AM
- FYI: https://itadminguide.com/configure-snmpv3-on-cisco-switch/ . Pay attention to the read-only part of that document.
M.
01-23-2023 08:32 AM
I use the below on Cat 9K switches:
snmp-server group xxxxxxxxxxxxxx_RO v3 priv access
What version of Prime?
Enter appropriate values in the snmpv3_user_name, snmpv3_auth_type, snmpv3_auth_password, snmpv3_privacy_type, and snmpv3_privacy_password columns.
01-23-2023 09:01 PM
Prime version 3.4, switch c3650 version 16.12. The config below was done.
switchc3650:
snmp-server group myprofile v3 priv
snmp-server host 192.168.100.10 snmpadmin
snmp-server user snmpadmin prime-profile v3 auth md5 xxxxxxx priv des xxxxxxxx
snmp-server enable traps
Prime infra 3.4:
profile:myprofile
snmp:v3
username:myprofile
mode:authpriv
auth:hmac-md5
auth.pwd:xxxxx
Note: it now has read/write access and I want read-only only. Where exactly do I change the access level?
01-24-2023 12:54 PM
I see your group profile does not match the profile added to the user:
snmp-server view ViewDefault iso included
snmp-server group myprofile v3 priv read ViewDefault
snmp-server user snmpadmin myprofile v3 auth md5 xxxxxxx priv des xxxxxxxx
01-25-2023 12:55 AM
I configured SNMP v3 with default parameters; from Cisco Prime I am still able to change the switch configuration.
I didn't want Cisco Prime to be allowed to change the switch configuration.
User name: snmpadmin
Engine ID: 8000000903001CDEA7D8AB81
storage-type: nonvolatile active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: prime-profile
groupname: snmpadmin security model:v1
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
groupname: snmpadmin security model:v2c
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
groupname: prime-profile security model:v3 priv
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
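An added example, not part of any post in this thread: a small Python check that parses the `show snmp group` output posted above, reports every group that has a write view (the view that permits SNMP SET), and confirms the user's group has a v3 entry. The function names are illustrative assumptions; the sample text is the output from the post, and the group name passed in comes from its `Group-name:` line.

```python
import re

# `show snmp group` output copied from the post above.
SHOW_SNMP_GROUP = """\
groupname: snmpadmin security model:v1
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
groupname: snmpadmin security model:v2c
readview : <no readview specified> writeview: <no writeview specified>
notifyview: *tv.FFFFFFFF.FFFFFFFF.FFFFFFFF.F
row status: active
groupname: prime-profile security model:v3 priv
readview : v1default writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active
"""

GROUP_RE = re.compile(r"groupname:\s*(\S+)\s+security model:\s*(.+)")
VIEWS_RE = re.compile(r"readview\s*:\s*(.+?)\s+writeview:\s*(.+)")

def _view(text):
    # "<no readview specified>" and "<no writeview specified>" mean no view is bound.
    text = text.strip()
    return None if text.startswith("<no ") else text

def parse_groups(output):
    """Return one dict per group entry: name, security model, read and write view."""
    groups, current = [], None
    for line in output.splitlines():
        line = line.strip()
        if m := GROUP_RE.match(line):
            current = {"name": m.group(1), "model": m.group(2).strip(), "read": None, "write": None}
            groups.append(current)
        elif current and (m := VIEWS_RE.match(line)):
            current["read"], current["write"] = _view(m.group(1)), _view(m.group(2))
    return groups

def audit(output, user_group):
    """List findings: groups with a write view, and a user group lacking a v3 entry."""
    groups = parse_groups(output)
    findings = [f"{g['name']} ({g['model']}): write view '{g['write']}' permits SNMP SET"
                for g in groups if g["write"]]
    # A v3 user only gets the views of a group entry defined for the v3 security model.
    if not any(g["name"] == user_group and g["model"].startswith("v3") for g in groups):
        findings.append(f"user group '{user_group}' has no v3 group entry")
    return findings
```

Calling `audit(SHOW_SNMP_GROUP, "prime-profile")` returns no findings: the `prime-profile` v3 entry has the read view `v1default` and no write view.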
01-25-2023 01:29 AM
Hello,
I have been looking around quite a lot, and what I write below might be completely unrelated, but my guess is that Prime actually does not let you set read-only access, due to the way it handles permissions and user roles. I found the below in a previous post:
--> Unfortunately, there is no way to easily create a "read-only" account in Prime Infrastructure.
This is due to the way the permissions are built. The permissions a user gets depend on the Tasks it has been provided access to, and the Tasks refer almost consistently to the menu options of the application.
What you can do, is create a user role that contains only permissions for Tasks that do not involve allowing changes.
This can be done under Administration > User Roles and AAA > User Groups. Click a desired Role name and unselect the checkboxes of tasks that refer to the ability of deploying changes, like: Delete Device Access or Configure Access Points, etc.
It is not ideal, but is the closest we can do. It will be the same in case of Local or AAA users.
01-25-2023 02:49 AM
Thank you for your support.