10-27-2017 04:49 PM - edited 03-01-2019 06:16 AM
I've been poking at this all week with little success, so it's time to ask a broader audience.
Background, I have 4 9513's, and 2 9710's. They are currently running 6.2(11e). (Awaiting FICON certification on newer major releases). They all behave swimmingly.
I have been attempting to solve the problem of how to give someone a (network-operator, plus a few extra commands) userid on the switch(s), and permit them to change their own password afterwards so that I don't know it. As far as I can tell, this is supported, but only half works:
If I create Bob:
# snmp-server user bob network-operator auth sha bobspassword priv aes-128 bobspassword
Bob works. Bob can log in via CLI, or Device Manager, or through DCNM-SAN. In the SNMP cases he uses SHA-AES.
Bob can log in, and change his password via the CLI the old fashioned way:
# username bob password bobsnewpassword
That fails, as secure password mode is indeed enabled. So instead bob does:
# change-password
Enter old password: bobspassword
Enter new password: bobsnewpassword
Confirm new password: bobsnewpassword
At this point his password has been changed, sort of. The new CLI password (stored in the user database) is changed. But his SNMP password has only been half changed: the auth password has been changed, but not the priv password.
This is fine for CLI access. This breaks Device Manager access, as DM only asks once and assumes both are the same. (Note, DM does work if the user switches from SHA-AES to just SHA, essentially dropping out of priv mode - which won't work long term since I am planning on turning enforcePriv on). DCNM-SAN can cope, because the user can update both fields independently, but that's not an answer either.
We can see in the following output exactly what has happened:
(Before)
# show run | inc bob
username bob password 5 $1$s6LTt30N$8YmKJBSCR2NklU/PiId.R. role network-operator
snmp-server user bob network-operator auth sha 0xeb80329ffca758a2a2640ba2208f6413c314ba96 priv aes-128 0xeb80329ffca758a2a2640ba2208f6413c314ba96 localizedkey
(after)
# show run | inc bob
username bob password 5 $1$zTnuJNZR$j0ASmbLrqrf.k7wblMKOv0 role network-operator
snmp-server user bob network-operator auth sha 0x800ff4e1033416f90e07bf14be48a543aa57e285 priv aes-128 0xeb80329ffca758a2a2640ba2208f6413c314ba96 localizedkey
And we can see that the priv password has indeed not changed, but the other two have successfully.
We have in the past experimented with other ideas. Both allowing the user to use the username password command with secure password mode turned off, and having the user change their password through DM, had the same effect: CLI and AUTH were updated, but PRIV was not.
What am I missing here? (am I missing something?). Short term, I can always do the "here, use my system, type your password while I look the other way" approach, but that shouldn't have to be the answer. And given six switches, more operators, and more switches to come, it doesn't scale well.
I can't help but think this should be a solvable problem, but I'm batting 0 so far...
* TACACS integration is being weighed. We already have Cisco Access Control Server running, and use it for our network switches and vpn services. But using it for the storage network is not currently on the schedule.
Any suggestions?
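As an added illustration (not part of the original post, and not a Cisco tool), the half-changed state described above can be detected directly from the "show run" lines: the auth localized key moves while the priv localized key stays on the old value. The two sample dumps below are constructed from the before/after output quoted in the post; the function names are my own.

```python
import re

# Constructed sample input: the two "show run | inc bob" outputs quoted in the post
# (prompt line dropped, one config line per string line).
SHOW_RUN_BEFORE = """\
username bob password 5 $1$s6LTt30N$8YmKJBSCR2NklU/PiId.R. role network-operator
snmp-server user bob network-operator auth sha 0xeb80329ffca758a2a2640ba2208f6413c314ba96 priv aes-128 0xeb80329ffca758a2a2640ba2208f6413c314ba96 localizedkey
"""
SHOW_RUN_AFTER = """\
username bob password 5 $1$zTnuJNZR$j0ASmbLrqrf.k7wblMKOv0 role network-operator
snmp-server user bob network-operator auth sha 0x800ff4e1033416f90e07bf14be48a543aa57e285 priv aes-128 0xeb80329ffca758a2a2640ba2208f6413c314ba96 localizedkey
"""

# Matches NX-OS SNMPv3 user lines rendered with localized keys, as on the page.
SNMP_USER_RE = re.compile(
    r"^snmp-server user (?P<user>\S+) (?P<role>\S+)"
    r" auth (?P<auth_proto>\S+) (?P<auth_key>0x[0-9a-fA-F]+)"
    r" priv (?P<priv_proto>\S+) (?P<priv_key>0x[0-9a-fA-F]+) localizedkey\s*$",
    re.MULTILINE,
)


def parse_snmp_users(show_run):
    """Map each SNMPv3 user in a 'show run' dump to its (auth_key, priv_key) pair."""
    return {m["user"]: (m["auth_key"], m["priv_key"])
            for m in SNMP_USER_RE.finditer(show_run)}


def find_half_changed(before, after):
    """Users whose auth key changed between two dumps while the priv key did not.

    This is exactly the state the post describes: CLI and SNMP auth follow the
    new password, SNMP priv still answers to the old one, so a single-password
    client such as Device Manager stops working.
    """
    old, new = parse_snmp_users(before), parse_snmp_users(after)
    return [u for u, (auth_new, priv_new) in new.items()
            if u in old and auth_new != old[u][0] and priv_new == old[u][1]]


def find_split_keys(show_run):
    """Users whose auth and priv localized keys differ within one dump.

    Heuristic: under the post's provisioning convention (same password for auth
    and priv, which yields identical localized keys as in the 'before' output),
    a split pair means the priv password was never rotated with the auth one.
    Users deliberately given two different passwords will also be listed.
    """
    return [u for u, (a, p) in parse_snmp_users(show_run).items() if a != p]
```

Run the two functions against periodic "show run" captures from each switch to spot operators who are stuck in the half-changed state before they report Device Manager failures.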
10-28-2017 09:41 AM
09-19-2018 08:32 PM
When you specify the "encrypted" keyword, you need to specify the password in an encrypted string. It doesn't look like you want this. Try:
snmp-server user myuser mygroup v3 auth sha myauthpass priv aes 128 myprivpass.
Looks like you need to specify a read or write view
Syntax for the group name :
snmp-server group [groupname {v1 | v2c | v3{auth | noauth | priv}}]
[read readview] [write writeview] [notify notifyview] [access
access-list]
snmp-server user username [groupname remote ip-address [udp-port port]
{v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56
priv password]] [access access-list]