Using SNMP to view and configure switch authentication features

SNMP MIB object access is available for switch authentication configuration (hpSwitchAuth) features. This means that the switches covered by this guide allow, by default, manager-only SNMP read/write access to a subset of the authentication MIB objects for the following features:

  • number of primary and secondary login and enable attempts

  • TACACS+ server configuration and status

  • RADIUS server configuration

  • selected 802.1X settings

  • key management subsystem chain configuration

  • key management subsystem key configuration

  • local switch operator and manager usernames and passwords

With SNMP access to the hpSwitchAuth MIB enabled, a device with management access to the switch can view the configuration for the authentication features listed above (excluding usernames, passwords, and keys). Using SNMP sets, a management device can change the authentication configuration (including changes to usernames, passwords, and keys). Operator read/write access to the authentication MIB is always denied.



NOTE: Regarding Security: All usernames, passwords, and keys configured in the hpSwitchAuth MIB are not returned via SNMP, and the response to SNMP queries for such information is a null string. However, SNMP sets can be used to configure username, password, and key MIB objects.

To help prevent unauthorized access to the switch authentication MIB, HP recommends reviewing “Viewing and changing the SNMP access configuration.”

If you do not want to use SNMP access to the switch authentication configuration MIB, then use the snmp-server mib hpswitchauthmib excluded command to disable this access, as described in the next section.

If you choose to leave SNMP access to the security MIB open (the default setting), HP recommends that you configure the switch with the SNMP version 3 management and access security feature, and disable SNMP version 2c access. See “SNMP access to the authentication configuration MIB.”


Viewing and changing the SNMP access configuration

Syntax:

snmp-server mib hpswitchauthmib <excluded|included>

included

Enables manager-level SNMP read/write access to the switch authentication configuration (hpSwitchAuth) MIB.

excluded

Disables manager-level SNMP read/write access to the switch authentication configuration (hpSwitchAuth) MIB.

Default: included

Syntax:

show snmp-server

The output for this command has been enhanced to display the current access status of the switch authentication configuration MIB in the Excluded MIBs field.

Example:

To disable SNMP access to the switch authentication MIB and then display the result in the Excluded MIBs field, execute the following two commands: snmp-server mib hpswitchauthmib excluded, followed by show snmp-server.

Disabling SNMP access to the authentication MIB and displaying the result


An alternate method of determining the current Authentication MIB access state is to use the show run command.

Using the show run command to view the current authentication MIB access state
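The show run check described above can be repeated across saved configuration backups. The following is an added example, not taken from the HP documentation: it assumes the setting appears in show run output as the same line that is typed at the CLI, and the switch names and hostname lines are constructed sample data.

```python
import re

# The command as given on this page:
#   snmp-server mib hpswitchauthmib <excluded|included>
RULE = re.compile(
    r"^\s*snmp-server\s+mib\s+hpswitchauthmib\s+(excluded|included)\s*$",
    re.IGNORECASE,
)


def auth_mib_state(config_text):
    """Return 'excluded', 'included' or 'included (default)' for one saved config."""
    state = "included (default)"  # the page states "Default: included"
    for line in config_text.splitlines():
        match = RULE.match(line)
        if match:
            state = match.group(1).lower()  # a later line overrides an earlier one
    return state


def audit(configs):
    """Return (name -> state, sorted names where manager SNMP sets remain possible)."""
    states = {name: auth_mib_state(text) for name, text in configs.items()}
    exposed = sorted(name for name, s in states.items() if s != "excluded")
    return states, exposed


# Constructed sample configs (assumption: saved "show run" text, one per switch).
SAMPLES = {
    "edge-sw-01": 'hostname "edge-sw-01"\nsnmp-server mib hpswitchauthmib excluded\n',
    "edge-sw-02": 'hostname "edge-sw-02"\n',  # no line at all: default applies
    "core-sw-01": 'hostname "core-sw-01"\n   snmp-server mib hpswitchauthmib included\n',
}

if __name__ == "__main__":
    states, exposed = audit(SAMPLES)
    for name in sorted(states):
        print(f"{name}: hpSwitchAuth MIB {states[name]}")
    print("review SNMPv3 / SNMPv2c settings on:", ", ".join(exposed))
```

Switches reported as included, whether explicitly or by default, are the ones where the SNMP version 3 recommendation above applies.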
