Configuring SNMP for Cisco NAC Appliance Out of Band Deployments

NetCraftsmen®

SNMP is one of the key technologies used in out-of-band Cisco NAC Appliance deployments.  The NAC Manager sends SNMP GET commands to the access switches to learn about the switch port configuration.  The NAC Manager also sends SNMP SET commands to the access switches to change individual switch ports from the authentication VLAN to the access VLAN and vice versa.  The access switches send SNMP traps to the NAC Manager to tell the NAC Manager about individual switch ports that go up or down and switch ports that have new MAC addresses connected to them.  With that information, the NAC Manager can decide whether the switch port should be moved back to the authentication VLAN.

Because SNMP is such a critical component to the functioning of NAC, it is important to secure it as much as possible.  The NAC Manager supports SNMP V1, V2c, and V3.  From a security perspective, SNMP V1 and SNMP V2c are the same.  They both use a community string that is sent in the clear.  There are two methods that can be used to increase the security of SNMP V1 and SNMP V2c.  First, security can be added by limiting the IP addresses that are allowed to execute SNMP get and set commands on the switch.  On a Cisco switch, this is done by assigning a standard ACL to the snmp-server community command.  The example below shows that only the IP address 10.1.1.210 will receive SNMP responses if the community string “public” is used.  The “RO” signifies that 10.1.1.210 can only read the switch configuration.

access-list 10 permit host 10.1.1.210

snmp-server community public RO 10

Second, SNMP views can be used.  By using SNMP views, SNMP requests can be limited to certain OID subtrees.  This requires a short explanation.  SNMP uses a tree structure to locate specific MIB objects.  The tree can be expressed either by object names or by numbers.  I know that the interface VLAN is located in a MIB object named vmVlan.  I can go to the Cisco SNMP Object Navigator at http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en to look up the full OID tree for that object.

At the bottom of the Object Navigator page, the OID tree is also shown.  From it, we can see the names of the different subtrees that can be used to easily create the SNMP views.

For example, we could create a view that allowed access to the full “iso” tree.  In the example below, the name of the view is “nacview”.

snmp-server view nacview iso included

The status of this view can be checked with the “show snmp view” command.

Let’s now move on to the most secure version of SNMP, SNMP V3.  SNMP V3 can use a username and password authentication method.  This authentication is protected by MD5 or SHA-1 keyed hashes when sent across the network, so the password itself is never transmitted.  Additionally, the SNMP packets can be encrypted.  With this in mind, SNMP V3 should be used wherever possible.

Now that SNMP security has been defined, let’s see how this security can be implemented with the Cisco NAC Appliance.  Let’s first look at the NAC read settings.  These are the settings used to allow the NAC Manager to read the configuration on the switch.  For this portion of the configuration, the NAC Manager only supports SNMP V1 and SNMP V2c.  On the switch, this configuration is the same for SNMP V1 and SNMP V2c.  On the NAC Manager, either SNMP V1 or SNMP V2c can be selected.  Below is an example using SNMP V2c.

Switch configuration

access-list 10 permit host 10.1.1.210

snmp-server view nacview iso included

snmp-server community public view nacview RO 10

On the NAC Manager 4.7, the configuration can be accessed at “OOB Management > Profiles > Device”.  Edit a device profile and set the “SNMP Read Settings” to the SNMP version and community string configured on the switch.

The second portion to look at is the NAC write settings.  These are the settings used to allow the NAC Manager to change the switch port VLAN assignments.  For this portion of the configuration, the NAC Manager supports SNMP V3.  On the switch, the authentication (auth) and privacy (priv) can be defined with the associated hash and encryption schemes.  The example below shows an SNMP view of “iso” used, with SHA-1 used for the authentication hashing and 3DES used for the privacy encryption.  The view is named “nacview”, the SNMP group is named “nacgroup”, the username is “cisco”, and the password is “ciscopass”.  The same access list from the SNMP read setting is used.

Switch configuration

snmp-server view nacview iso included

access-list 10 permit host 10.1.1.210

snmp-server group nacgroup v3 auth read nacview write nacview

snmp-server user cisco nacgroup v3 auth sha ciscopass priv 3des ciscopass access 10

The last part of the configuration is the SNMP traps.  These are SNMP messages sent from the switch to the NAC Manager letting the NAC Manager know about link up/link down and MAC address changes on the individual switch ports.  On the switch, a choice must be made between authentication only and authentication plus privacy.  The switch configuration is confusing because it only shows options for authentication or privacy, which makes it appear that a choice between authentication only or privacy only must be made.  The context help shows that the priv option includes both privacy and authentication.  This is shown below.

3560(config)#snmp-server host 10.1.1.110 trap ver 3 ?
auth Use the SNMPv3 authNoPriv Security Level
noauth Use the SNMPv3 noAuthNoPriv Security Level
priv Use the SNMPv3 authPriv Security Level

The example below shows SNMP linkup, SNMP linkdown, and SNMP mac-notification traps defined.  It also sends the traps as the SNMP V3 user “cisco”, with the associated parameters defined above.

Switch Configuration

snmp-server enable traps mac-notification

snmp-server enable traps snmp linkup linkdown

mac-address-table aging-time 3600

snmp-server host 10.1.1.210 traps version 3 priv cisco udp-port 162 mac-notification snmp

The NAC Manager configuration for SNMP traps is accessed at “OOB Management > Profiles > SNMP Receiver”.

In summary, the settings below should be used when configuring SNMP for the NAC Appliance:

  1. Read configuration:  SNMP V2c
  2. Write configuration:  SNMP V3 with authentication (sha-1) and privacy (3des)
  3. Trap configuration:  SNMP V3 with authentication (sha-1) and privacy (3des)

Below is the full switch configuration used in this example.

access-list 10 permit host 10.1.1.210

snmp-server view nacview iso included

snmp-server community public view nacview RO 10

snmp-server group nacgroup v3 auth read nacview write nacview

snmp-server user cisco nacgroup v3 auth sha ciscopass priv 3des ciscopass access 10

snmp-server enable traps mac-notification

snmp-server enable traps snmp linkup linkdown

mac-address-table aging-time 3600

snmp-server host 10.1.1.210 traps version 3 priv cisco udp-port 162 mac-notification snmp
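As an added example that is not part of the original post, the Python check below applies the summary settings above to IOS SNMP configuration lines: it parses the community, v3 group and trap-host commands and flags anything that deviates from the hardened pattern (read-only community bound to an ACL and a view, v3 groups with auth or priv, trap hosts at version 3 with priv).  The sample configuration it runs on is constructed here from the post's lines plus three deliberately weak lines.

```python
# Constructed sample (not a real device): the post's hardened lines plus three weak lines to flag.
SAMPLE_CONFIG = """\
access-list 10 permit host 10.1.1.210
snmp-server view nacview iso included
snmp-server community public view nacview RO 10
snmp-server community private RW
snmp-server group nacgroup v3 auth read nacview write nacview
snmp-server group legacy v3 noauth
snmp-server host 10.1.1.210 traps version 3 priv cisco udp-port 162 mac-notification snmp
snmp-server host 10.1.1.99 traps version 2c public
"""

def parse_community(words):
    """Parse 'snmp-server community <string> [view <name>] [RO|RW] [acl]' (IOS defaults to RO)."""
    info = {"string": words[2], "view": None, "mode": "RO", "acl": None}
    rest = words[3:]
    while rest:
        tok = rest.pop(0)
        if tok.lower() == "view" and rest:
            info["view"] = rest.pop(0)
        elif tok.upper() in ("RO", "RW"):
            info["mode"] = tok.upper()
        else:
            info["acl"] = tok  # trailing token is the ACL number or name
    return info

def audit_snmp(config):
    """Return (line, finding) tuples for snmp-server lines that violate the guidance."""
    findings = []
    for words in (ln.split() for ln in config.splitlines() if ln.strip().startswith("snmp-server")):
        line = " ".join(words)
        if words[1] == "community":
            c = parse_community(words)
            if c["mode"] == "RW":
                findings.append((line, "RW community; writes should use SNMPv3 instead"))
            if c["acl"] is None:
                findings.append((line, "community not restricted by an access-list"))
            if c["view"] is None:
                findings.append((line, "community not restricted to an SNMP view"))
        elif words[1] == "group" and "v3" in words:
            level = (words[words.index("v3") + 1:] + [""])[0]
            if level not in ("auth", "priv"):
                findings.append((line, "v3 group without authentication (noauth)"))
        elif words[1] == "host" and "version" in words:
            version, level = (words[words.index("version") + 1:] + ["", ""])[:2]
            if version != "3":
                findings.append((line, "trap host uses SNMPv" + version + "; no authentication or encryption"))
            elif level != "priv":
                findings.append((line, "SNMPv3 trap host without priv (authPriv) level"))
    return findings
```

Running `audit_snmp` over a switch's `show running-config | include snmp-server` output gives a quick pre-deployment check that the read, write and trap settings match the summary above.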

References

http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_oob.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/command/reference/3560cr.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swsnmp.html

http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en
