Monday, 1 February 2010

Configure IOS by SNMP - Password Recovery

This is useful if you ever end up without a password for a router but you do know the SNMP read-write community values or usernames. It can save you the need to reboot a device and do a full password recovery, useful if the device is a thousand miles away and running some vital service.

You can load a configuration snippet into IOS from a TFTP server, triggered over SNMP.

Warning:

This can seriously b0rk your equipment and I accept no responsibility if it doesn't work for you. If your device is thousands of miles away, running critical services and you cannot log in, then your network has bigger issues than bodging the username on this one device! Don't do this unless you understand the possible consequences of blindly applying raw config to a Cisco device.

The steps are:

  1. Create a text file containing the config snippet.

  2. Run a TFTP server, on a machine with IP 10.0.0.10 in this example.

  3. Set the value of iso.org.dod.internet.private.enterprises.cisco.local.lsystem.hostConfigSet.10.0.0.10 to a string containing the filename from #2.



The config snippet could be something like:

username cisco priv 15 password cisco


The command line for the NET-SNMP snmpset tool (the symbolic OID needs the Cisco MIBs loaded; -v2c and -c are the current net-snmp way of giving the version and community) is:

snmpset -v2c -c <community> <router> .iso.org.dod.internet.private.enterprises.cisco.local.lsystem.hostConfigSet.10.0.0.10 s <filename>


You can do a write mem via SNMP too if you want (but I wouldn't recommend it):

snmpset -v2c -c <community> <router> .iso.org.dod.internet.private.enterprises.cisco.local.lsystem.writeMem.0 i 1



If you can't log in to a device and have absolutely no idea why, it may not be as simple as adding a new local account. Depending on how standardized your network is, you may be able to guess at the extra bits that are needed (heed the warning above), e.g.

no aaa new-model
username cisco priv 15 password cisco
line vty 0 15
login local
password cisco
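The defensive side of the above, as an added example that is not from the original post: a read-write community as it is often left (before), and the same community restricted to the management/TFTP host and given a view that excludes the lsystem subtree, so hostConfigSet and writeMem cannot be set from anywhere else. The community string, ACL number and view name are placeholders I've chosen; the numeric OIDs are those of OLD-CISCO-SYS-MIB.

```cisco
! Constructed example, not the author's configuration.
!
! Before: a read-write community reachable from any host. Anyone who knows
! the string can set hostConfigSet (load config from TFTP) and writeMem.
snmp-server community private RW

! After: the same community, limited to one management host and to a view
! that excludes lsystem (1.3.6.1.4.1.9.2.1, which holds hostConfigSet .53
! and writeMem .54). SETs against those objects now fail with noSuchName.
access-list 10 permit host 10.0.0.10
access-list 10 deny any log
snmp-server view NOCFG iso included
snmp-server view NOCFG 1.3.6.1.4.1.9.2.1 excluded
snmp-server community private view NOCFG RW 10
```

A config load that does get through is visible in syslog as a %SYS-5-CONFIG_I message giving the TFTP host and "snmp" as the source, which is worth alerting on in a network where SNMP is only ever used for polling.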




Monday, 22 June 2009

SNMPv3 in CiscoWorks

A brief article on how I've got SNMPv3 working in older versions of CiscoWorks. This follows on from the SNMPv3 intro.

CiscoWorks only allows you to associate a single SNMP user account with each device. The same SNMP user account is used to poll the device and receive traps.

The new version of Device Fault Manager apparently has full SNMPv3 support. The older ones don't seem to, but they support polling devices with AuthPriv and you can use AuthNoPriv to send SNMPv3 traps to CiscoWorks.

So to get CiscoWorks to talk with an IOS device using SNMPv3 you need:
  • An AuthPriv account for SNMP polling.
  • That account configured in CiscoWorks in the device's properties.
  • Traps configured to use the same SNMP username, but with AuthNoPriv.

This may seem a bit unusual (defining an SNMPv3 user with a privacy key and then referencing the same user without it), but it seems to work. The configuration I use is:

snmp-server group <group> v3 priv
snmp-server user <user> <group> v3 auth sha MYPASSWORD priv des PRIVPASS
snmp-server host <ip> traps version 3 auth <user>

With this configuration you need to supply the privacy password when polling the device; however, when the device sends traps it doesn't encrypt the packet contents (AuthNoPriv).


This article comes with a large dose of YMMV: it works on the version of CiscoWorks I've tested it with, but it may not work on yours.


SNMPv3

Quick article on SNMP version 3, focused on Cisco kit.

Previous versions of SNMP were configured using community strings and single-line commands in IOS.

SNMPv3 management is more like user/account management and the configuration does not appear in "show run" but is instead hidden in the private config. You access SNMPv3 configuration information via "show snmp x" commands.

SNMPv3 Communication.

There are three security levels for SNMPv3 communication:
  • NoAuthNoPriv (called noauth in IOS) – username-only authentication, packet sent in cleartext.
  • AuthNoPriv (called auth in IOS) – HMAC authentication (SHA or MD5), packet sent in cleartext.
  • AuthPriv (called priv in IOS) – HMAC authentication, and the packet contents are encrypted.


SNMPv3 Groups.

Groups are configured as follows:
snmp-server group <groupname> v3 noauth|auth|priv [access X]


(access X is an ACL restricting the hosts from which accounts in the group can be used).


SNMPv3 Users.

SNMP Users are configured as follows:
snmp-server user <user> <group> v3 auth <sha|md5> <pass> priv des <privpass> [access X]

Note: The passwords should be at least 8 characters long according to the RFC.



SNMPv3 Views.

These are used to control which MIBs the users can browse or which traps are allowed to be sent. There are three types:

Read views – Values you can look at by SNMP polling the device.
Write views – Values you can set via SNMP polling.
Notify views – Values that can be sent as SNMP traps.

I don't specifically use groups so the default settings are:

If you create a new group then it is given the read view "v1default".

If you create an SNMP trap configuration then the group associated with it has a notify view automatically generated by IOS. These views have names beginning with *tv.FFF
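A complete worked configuration tying the ACL, views, group and user above together, with the trap-host line from the CiscoWorks post; this is an added example, not the author's configuration. The ACL number, view/group/user names, addresses and passphrases are placeholders I've made up, and AES-128 privacy is used where the author used DES.

```cisco
! Constructed example, not the author's configuration.
!
! 1. ACL naming the only host allowed to use the group (the "access X" option).
access-list 20 permit host 10.0.0.10
!
! 2. Read view: everything except lsystem (1.3.6.1.4.1.9.2.1), the subtree
!    holding hostConfigSet and writeMem, so the view cannot be used to read
!    or trigger config operations even if a write view were added later.
snmp-server view MONITOR iso included
snmp-server view MONITOR 1.3.6.1.4.1.9.2.1 excluded
!
! 3. Group requiring AuthPriv, bound to the read view and the ACL.
!    No write view is given, so SETs from this group are refused.
snmp-server group NMS-RO v3 priv read MONITOR access 20
!
! 4. User in that group. Both passphrases meet the RFC minimum of 8 characters.
snmp-server user nms NMS-RO v3 auth sha AUTHPASS123 priv aes 128 PRIVPASS123
!
! 5. Trap receiver using the same user at AuthNoPriv, as the CiscoWorks post
!    above requires. IOS generates the group's notify view (*tv.FFF...) itself.
snmp-server host 10.0.0.10 traps version 3 auth nms
!
! The user does not appear in "show run"; check the result with
!   show snmp user / show snmp group / show snmp view
```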


I've written a brief bit on getting older versions of CiscoWorks to support SNMPv3 here.
