Hi Dave
 
 
We created the following configuration in snmpd.conf. The engine ID is 
0x80001f8880606307655045efc8; however the below configuration is not working.
Please let us know if the engine ID used is correct? How do we verify the mask?
 
createUser deepti MD5 net-snmp

 
 #VACM Configuration
 # First, map the community name (COMMUNITY) into a security name
 # (local and mynetwork, depending on where the request is coming
 # from):

 #com2sec custom_sec 192.168.10.0/24  public

 view myVacm included .1.3.6.1.6.3.15.1.2.2
 view myVacm excluded 
.1.3.6.1.6.3.15.1.2.2.1.0.17.80001f8880606307655045efc8.0.100.101.102.97.117.108.116
 0xff:e    0:00:01:fa
 rouser deepti auth -V myVacm

 
 
 
Thanks
~Suresh
 
> Date: Tue, 4 Sep 2012 11:09:16 +0100
> Subject: Re: How to create a VACM view that blocks particular rows in a table
> From: d.t.shi...@liverpool.ac.uk
> To: skjaiswa...@hotmail.com
> CC: net-snmp-users@lists.sourceforge.net
> 
> On 4 September 2012 09:37, Suresh kumar <skjaiswa...@hotmail.com> wrote:
> > But anyone who has
> > rw/ro access to the Snmpusm table will be able to view these internal users
> > starting with “defaultXXXX” as well. We want that when any operator accesses
> > SNMPUSM table, he should be able to view users that are created ( for
> > example deepti1 in the below case) but not the internal users/default users
> > ( starting with “defaultXXXXX”).
> 
> OK - I see what you mean.
> 
> > In VACM terms, this implies creating a view
> > where particular rows belonging to a table can be accessed while some can be
> > blocked.
> 
> Exactly.
> 
> > We want a sample VACM configuration for the same.
> 
> Not tested, but try something like the following:
> 
> view myVacm included .1.3.6.1.6.3.15.1.2.2
> view myVacm excluded
> .1.3.6.1.6.3.15.1.2.2.1.0.17.{engineID}.0.100.101.102.97.117.108.116
> 0xff:ef:ff:fd:fa
> rouser {operator} auth -V myVacm
> 
> or
> 
> view myVacm included .1.3.6.1.6.3.15.1.2.2
> view myVacm excluded
> .1.3.6.1.6.3.15.1.2.2.1.0.17.{engineID}.0.100.101.102.97.117.108.116
> 0xff:e0:00:01:fa
> rouser {operator} auth -V myVacm
> 
> 
> You'll need to insert the (numeric) value of your SNMP Engine ID where
> indicated.
> Try running the same "snmpwalk" command as before but with the option '-On' to
> see the appropriate values.
> 
> Note that the mask is crafted based on a 17-octet engineID (which seems to
> be what you're using). If that's not correct, then you'll need to
> tweak the OID and mask accordingly.
> The difference between the two samples above is whether the engine ID is
> explicitly matched, or ignored. It shouldn't make any real
> difference which you use.
> But the length of the engineID *is* significant, as this affects the
> masking bits that are applied to the username.
> 
> 
> Dave
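
An added example, not part of the original thread and not Net-SNMP code: a small Python helper that derives the "view ... excluded" subtree and mask from the usmUserTable index layout (column, engine ID length and octets, user name length and characters) and checks sample rows against it. The function names and the sample user names are assumptions made for illustration; the mask is written in the 0xNN:NN form used in the quoted reply.

```python
# Added example, not from the thread: VACM view mask for usmUserTable name prefixes.
USM_USER_ENTRY = [1, 3, 6, 1, 6, 3, 15, 1, 2, 2, 1]  # usmUserTable.usmUserEntry

def engine_octets(engine_id_hex):
    """Parse an engine ID such as '0x8000...' into its octets."""
    text = engine_id_hex.lower()
    octets = bytes.fromhex(text[2:] if text.startswith("0x") else text)
    if not 5 <= len(octets) <= 32:  # SnmpEngineID size range, RFC 3411
        raise ValueError("engine ID must be 5 to 32 octets")
    return octets

def dotted(subids):
    return "." + ".".join(str(s) for s in subids)

def usm_prefix_view(engine_id_hex, name_prefix, match_engine_id=True):
    """Return (subtree, mask) for an snmpd.conf 'view NAME excluded' line."""
    engine = engine_octets(engine_id_hex)
    # (sub-identifier, mask bit); a 0 bit means "any value at this position"
    entries = [(s, 1) for s in USM_USER_ENTRY]
    entries.append((0, 0))                                # column: any
    entries.append((len(engine), int(match_engine_id)))   # engine ID length
    entries += [(b, int(match_engine_id)) for b in engine]
    entries.append((0, 0))                                # user name length: any
    entries += [(c, 1) for c in name_prefix.encode("ascii")]
    bits = [bit for _, bit in entries]
    bits += [1] * (-len(bits) % 8)                        # pad last octet with 1s
    octets = [int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8)]
    return dotted(s for s, _ in entries), "0x" + ":".join(f"{o:02x}" for o in octets)

def usm_instance(column, engine_id_hex, user):
    """OID of one usmUserTable cell: column, then both index strings with lengths."""
    engine, name = engine_octets(engine_id_hex), user.encode("ascii")
    return dotted(USM_USER_ENTRY + [column, len(engine), *engine, len(name), *name])

def in_family(subtree, mask, oid):
    """RFC 3415 view family match: compare only positions whose mask bit is 1."""
    sub = [int(x) for x in subtree.strip(".").split(".")]
    inst = [int(x) for x in oid.strip(".").split(".")]
    raw = bytes.fromhex(mask[2:].replace(":", ""))
    bits = [(byte >> (7 - i)) & 1 for byte in raw for i in range(8)]
    bits += [1] * max(0, len(sub) - len(bits))            # short masks extend with 1s
    return len(inst) >= len(sub) and all(s == o for s, o, b in zip(sub, inst, bits) if b)

if __name__ == "__main__":
    eid = "0x80001f8880606307655045efc8"  # engine ID quoted in the message above
    subtree, mask = usm_prefix_view(eid, "default")
    print("view myVacm excluded", subtree, mask)
    for user in ("default1", "deepti"):   # constructed sample user names
        print(user, in_family(subtree, mask, usm_instance(2, eid, user)))
```

The engine ID quoted in the message parses to 13 octets, so the helper emits 13 as the length sub-identifier, the engine ID as dotted decimal values, and the mask 0xff:ef:ff:df:ff.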
                                          