
Author Topic: Telnet/CLI passwords and SNMP communities  (Read 592 times)


Offline jfarinha

  • Jr. Member
  • **
  • Posts: 44
Telnet/CLI passwords and SNMP communities
« on: November 03, 2011, 05:33:16 AM »
A few questions about passwords and communities...

We have a team member (one of the most experienced ones) that is leaving the team.

He obviously knows all the passwords and SNMP communities, and as he will remain in the organization (although with a very different job description not related to IT) we will have to change all passwords and communities.

With the passwords I have taken the opportunity to implement a RADIUS server and we are now preparing to implement it on all equipments.

But as all of us know, we can do just about anything (including exporting the config of a switch to a tftp server) just using SNMP.

Is there any way to circumvent this limitation? Maybe SNMPv3 could give some help, but I don't think it is possible to link SNMPv3 user with RADIUS... or is it?

Any suggestions?
 


Offline Flintstone

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 584
Re: Telnet/CLI passwords and SNMP communities
« Reply #1 on: November 03, 2011, 05:41:54 AM »
Hi jfarinha,

You could also limit the IP access to the Network devices just to the Network team?

CheerZ

Offline jfarinha

  • Jr. Member
  • **
  • Posts: 44
Re: Telnet/CLI passwords and SNMP communities
« Reply #2 on: November 03, 2011, 10:37:18 AM »
That is already one of the measures we use to protect the access to the equipments.

However, as we are a spread out organization, we also allow access to a limited "test" ip subnet in every remote location, for when we need to perform on-site interventions. And of course any of our old team members know what that ip subrange is...

Of course you could call us all paranoid, but we are facing some close attention from our security department and wouldn't want to let any loose ends.

As we are now implementing COM, I think one of the ways could be to restrict snmp access to the COM server, and every team member has to access the equipments through COM/EDM. I am still testing how that works with older equipment.

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2517
    • Michael McNamara
Re: Telnet/CLI passwords and SNMP communities
« Reply #3 on: November 04, 2011, 12:23:43 AM »
Is there any way to circumvent this limitation? Maybe SNMPv3 could give some help, but I don't think it is possible to link SNMPv3 user with RADIUS... or is it?

What switch models and what software revisions are you working with?

This is not possible with any of the stackables or even with the ERS 8300. I believe it might be available on the ERS 8600 with 7.x software.

http://support.avaya.com/css/P8/documents/100099173

Cheers!

Offline jfarinha

  • Jr. Member
  • **
  • Posts: 44
Re: Telnet/CLI passwords and SNMP communities
« Reply #4 on: November 04, 2011, 06:54:31 AM »
Thanks Michael,

We are using a dozen 8600's with 5.1.x and 100's of stackables, from 350's all the way to 55xx's.

Still investigating, maybe no other choice but to change the community string for write permission...

Offline Dominik

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 662
Re: Telnet/CLI passwords and SNMP communities
« Reply #5 on: November 06, 2011, 01:40:04 PM »
Hi jfarinha,

I think COM is the best option for your task.
But you have to configure all your ipmgr accesslist on all your switches.
With SNMPv3 you can give every user his own SNMP user account and community on your switches, which would help in the future. In COM it is a little bit uncomfortable to configure the credentials; in fact you have to add every user for a SNMPv3 credential. If you have a lot of different credentials and users this can be time-intensive work.

Good Luck

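The per-user SNMPv3 accounts Dominik describes are built on the USM key scheme from RFC 3414: a user's passphrase is hashed into a user key, and that key is then "localized" to each switch's snmpEngineID, so the credential that lives on one device is useless on another and a removed user has to be deleted (or re-keyed) on every engine. The following Python, added here as an illustration rather than code from the thread, COM, or Avaya, implements that derivation and checks it against the published RFC 3414 test vector; the two engine IDs it compares are constructed sample values.

```python
import hashlib

# RFC 3414 expands the passphrase to 1,048,576 octets before hashing it.
ONE_MEBIBYTE = 1_048_576


def password_to_key(password: str, algo: str = "sha1") -> bytes:
    """RFC 3414 A.2 password-to-key: hash 1 MiB of the passphrase repeated cyclically.

    The result is the user key Ku, which is the same for a user on every device.
    """
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty passphrase")
    repeats = ONE_MEBIBYTE // len(pw) + 1
    stream = (pw * repeats)[:ONE_MEBIBYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "sha1") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the user key to one SNMP engine.

    A switch stores only Kul, so the key configured on it cannot be replayed
    against a switch with a different engine ID.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str = "sha1") -> str:
    """Convenience wrapper: passphrase + engine ID (hex) -> localized key as hex."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, algo), engine_id, algo).hex()


def keys_differ_per_engine(password: str, engine_a_hex: str, engine_b_hex: str) -> bool:
    """True when the same passphrase yields different localized keys on two engines."""
    return localized_key_hex(password, engine_a_hex) != localized_key_hex(password, engine_b_hex)


if __name__ == "__main__":
    # Constructed sample engine IDs, not real device identifiers.
    core_a = "800007e403000000000001"
    core_b = "800007e403000000000002"
    for name, eid in (("core-a", core_a), ("core-b", core_b)):
        print(f"{name}: Kul(sha1) = {localized_key_hex('maplesyrup', eid)}")
    print("distinct per engine:", keys_differ_per_engine("maplesyrup", core_a, core_b))
```

Because only the localized key is stored on the switch, rotating a departing engineer's passphrase means touching every engine that holds a Kul for that user, which is exactly the provisioning effort Dominik points out; it is also why a central tool like COM is where that bulk re-keying is best driven from.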