5851 Views, 5 Helpful, 2 Replies

SNMPv3 User Password Change issues

kdmorse (Level 1)

I've been poking at this all week with little success, so it's time to ask a broader audience.

 

Background: I have four 9513s and two 9710s. They are currently running 6.2(11e) (awaiting FICON certification on newer major releases). They all behave swimmingly.

 

I have been attempting to solve the problem of how to give someone a (network-operator, plus a few extra commands) userid on the switch(es), and permit them to change their own password afterwards so that I don't know it. As far as I can tell, this is supported, but only half works:

 

If I create Bob:

# snmp-server user bob network-operator auth sha bobspassword priv aes-128 bobspassword

 

Bob works. Bob can log in via CLI, or Device Manager, or through DCNM-SAN. In the SNMP cases he uses SHA-AES.

 

Bob can log in and change his password via the CLI the old-fashioned way:

# username bob password bobsnewpassword

 

That fails, as secure password mode is indeed enabled.  So instead bob does:

# change-password
Enter old password: bobspassword
Enter new password: bobsnewpassword
Confirm new password: bobsnewpassword

 

At this point his password has been changed, sort of. The new CLI password (stored in the user database) is changed. But his SNMP password has only been half changed: the auth password has been changed, but not the priv password.

 

This is fine for CLI access. This breaks Device Manager access, as DM only asks once and assumes both are the same. (Note: DM does work if the user switches from SHA-AES to just SHA, essentially dropping out of priv mode, which won't work long term since I am planning on turning enforcePriv on.) DCNM-SAN can cope, because the user can update both fields independently, but that's not an answer either.

 

We can see in the following output exactly what has happened:

 

(Before)

# show run | inc bob
username bob password 5 $1$s6LTt30N$8YmKJBSCR2NklU/PiId.R.  role network-operator
snmp-server user bob network-operator auth sha 0xeb80329ffca758a2a2640ba2208f6413c314ba96 priv aes-128 0xeb80329ffca758a2a2640ba2208f6413c314ba96 localizedkey

 

 (after)

# show run | inc bob
username bob password 5 $1$zTnuJNZR$j0ASmbLrqrf.k7wblMKOv0  role network-operator
snmp-server user bob network-operator auth sha 0x800ff4e1033416f90e07bf14be48a543aa57e285 priv aes-128 0xeb80329ffca758a2a2640ba2208f6413c314ba96 localizedkey

 

And we can see that the priv password has indeed not changed, but the other two have been changed successfully.

 

We have in the past experimented with other ideas. Both allowing the user to use the username password command with secure password mode turned off, and having the user change their password through DM, had the same effect: CLI and AUTH were updated, but PRIV was not.

 

What am I missing here? (am I missing something?).  Short term, I can always do the "here, use my system, type your password while I look the other way" approach, but that shouldn't have to be the answer.  And given six switches, more operators, and more switches to come, it doesn't scale well.

 

I can't help but think this should be a solvable problem, but I'm batting 0 so far...

 

* TACACS integration is being weighed.  We already have Cisco Access Control Server running, and use it for our network switches and vpn services.  But using it for the storage network is not currently on the schedule.

 

Any suggestions?
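As an added example that is not part of the original post and is not Cisco code: the Python below reproduces the RFC 3414 password-to-key and key-localization steps that produce the `localizedkey` values in the `show run` output, then parses that output and flags any SNMPv3 user whose stored auth and priv keys have diverged, which is the half-changed state the post describes. The engine ID is made up (the post does not show the switches' engine IDs), the `simulate_change_password()` helper only models the behaviour the post reports rather than how NX-OS is implemented, and the two `show run` samples are copied from the post.

```python
"""Added example (not from the original post or from Cisco): RFC 3414 key
localization plus a check for SNMPv3 users whose auth and priv localized keys
no longer match.

Assumptions, labelled here: ENGINE_ID is constructed for the demonstration;
simulate_change_password() models the behaviour the post reports, not NX-OS
internals; SHOW_RUN_BEFORE / SHOW_RUN_AFTER are copied from the post.
"""
import hashlib
import re

ONE_MIB = 1_048_576  # RFC 3414 A.2: exactly 1,048,576 password bytes are hashed

# Constructed engine ID; every real switch has its own (not shown in the post).
ENGINE_ID = bytes.fromhex("800000090300001122334455")


def password_to_ku(password: str, hashname: str = "sha1") -> bytes:
    """RFC 3414 A.2.1/A.2.2: repeat the password cyclically to 1 MiB and hash it."""
    pw = password.encode()
    stream = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hashname, stream).digest()


def localize(password: str, engine_id: bytes, hashname: str = "sha1") -> bytes:
    """Kul = H(Ku || engineID || Ku).  The derivation does not depend on whether
    the key is used for auth or for priv, so one password localized on one engine
    gives one key; that is why both 'before' keys in the post are identical."""
    ku = password_to_ku(password, hashname)
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def simulate_change_password(old: str, new: str, engine_id: bytes) -> dict:
    """Model (assumption) of what the post observed: the auth key is re-localized
    from the new password while the priv key is left at the old password."""
    return {"auth_key": localize(new, engine_id), "priv_key": localize(old, engine_id)}


# One 'snmp-server user' line as NX-OS prints it; the priv algorithm keyword is optional.
USER_RE = re.compile(
    r"^snmp-server user (?P<user>\S+) \S+ auth (?P<auth_alg>md5|sha) (?P<auth_key>0x[0-9a-fA-F]+)"
    r" priv (?:(?P<priv_alg>aes-\d+) )?(?P<priv_key>0x[0-9a-fA-F]+) localizedkey",
    re.MULTILINE,
)


def parse_snmp_users(show_run: str) -> dict:
    """Map username -> algorithms and localized keys from 'show run' text."""
    return {m["user"]: {k: m[k] for k in ("auth_alg", "auth_key", "priv_alg", "priv_key")}
            for m in USER_RE.finditer(show_run)}


def divergent_keys(show_run: str) -> list:
    """Users whose auth and priv localized keys differ.  For a user created with a
    single password for both (as bob was) this means a half-applied change."""
    users = parse_snmp_users(show_run)
    return sorted(u for u, k in users.items()
                  if k["auth_key"].lower() != k["priv_key"].lower())


# Output copied from the post: before and after bob ran change-password.
SHOW_RUN_BEFORE = """\
username bob password 5 $1$s6LTt30N$8YmKJBSCR2NklU/PiId.R.  role network-operator
snmp-server user bob network-operator auth sha 0xeb80329ffca758a2a2640ba2208f6413c314ba96 priv aes-128 0xeb80329ffca758a2a2640ba2208f6413c314ba96 localizedkey
"""
SHOW_RUN_AFTER = """\
username bob password 5 $1$zTnuJNZR$j0ASmbLrqrf.k7wblMKOv0  role network-operator
snmp-server user bob network-operator auth sha 0x800ff4e1033416f90e07bf14be48a543aa57e285 priv aes-128 0xeb80329ffca758a2a2640ba2208f6413c314ba96 localizedkey
"""

if __name__ == "__main__":
    keys = simulate_change_password("bobspassword", "bobsnewpassword", ENGINE_ID)
    print("same password, same engine -> same key:",
          localize("bobspassword", ENGINE_ID) == keys["priv_key"])
    print("keys still match after modelled change-password:",
          keys["auth_key"] == keys["priv_key"])
    print("divergent users before:", divergent_keys(SHOW_RUN_BEFORE))
    print("divergent users after: ", divergent_keys(SHOW_RUN_AFTER))
```

Feeding `show run | inc snmp-server` from each switch to `divergent_keys()` gives an inventory of users who have hit this condition, so they can be fixed before Device Manager starts rejecting them; the `localize()` function is also what a DM-style client does with a single password, which is why it has no way to supply two different keys.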

2 Replies

Rick1776 (Level 5)
You are on the right track with a TACACS+ server. A TACACS+ server is the only way I know of to change the passwords/permissions across multiple devices via multiple management endpoints. When you change it locally on the MDS switch it doesn't flow through the DCNM server.

I would also migrate the ACS server to ISE (talk to your Cisco team); typically they have discounted bundles.

Please see the following:

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Existing ACS customers who don’t have ISE can order discounted bundles which include 4 SNS-3515 or SNS- 3595, 100 Base licenses, 100 Plus licenses (1 year), 100 Apex licenses (1 year) and Device Admin licenses.
A customer that wishes to place the order should contact fulfillment (acs-ise.bundle@cisco.com) for getting approval to move forward with the order. This offer is valid through November 30th 2017.

When you specify the "encrypted" keyword, you need to specify the password in an encrypted string. It doesn't look like you want this. Try:

snmp-server user myuser mygroup v3 auth sha myauthpass priv aes 128 myprivpass
Looks like you need to specify a read or write view

Syntax for the group name:

snmp-server group [groupname {v1 | v2c | v3 {auth | noauth | priv}}] [read readview] [write writeview] [notify notifyview] [access access-list]

snmp-server user username [groupname remote ip-address [udp-port port] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]] [access access-list]
