SNMP is one of the key technologies used in out-of-band Cisco NAC Appliance deployments. The NAC Manager sends SNMP GET commands to the access switches to learn about the switch port configuration. The NAC Manager also sends SNMP SET commands to the access switches to change individual switch ports from the authentication VLAN to the access VLAN and vice versa. The access switches send SNMP traps to the NAC Manager to tell the NAC Manager about individual switch ports that go up or down and switch ports that have new MAC addresses connected to them. With that information, the NAC Manager can decide whether the switch port should be moved back to the authentication VLAN.
Because SNMP is such a critical component of NAC, it is important to secure it as much as possible. The NAC Manager supports SNMP V1, V2c, and V3. From a security perspective, SNMP V1 and SNMP V2c are the same: they both use a community string that is sent in the clear. There are two methods that can be used to increase the security of SNMP V1 and SNMP V2c. First, the IP addresses that are allowed to execute SNMP get and set commands on the switch can be limited. On a Cisco switch, this is done by assigning a standard ACL to the snmp-server community command. The example below shows that only the IP address 10.1.1.210 receives SNMP responses when the community string “public” is used. The “RO” signifies that 10.1.1.210 can only read the switch configuration.
access-list 10 permit host 10.1.1.210
snmp-server community public RO 10
Second, SNMP views can be used. With SNMP views, SNMP requests can be limited to certain OID subtrees. This requires a short explanation. SNMP uses a tree structure to locate specific MIB objects, and the tree can be viewed either by name or by number. For example, the interface VLAN is held in the MIB object named vmVlan. The Cisco SNMP Object Navigator at http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en can be used to look up the full OID tree for that object.
At the bottom of the Object Navigator page, the OID tree is also shown; from it, the names of the different subtrees can be read off and used to create SNMP views.
For example, we could create a view that allows access to the full “iso” tree. In the example below, the view is named “nacview”.
snmp-server view nacview iso included
The status of this view can be checked with the “show snmp view” command.
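As an added illustration (not code from the original post), the Python below applies the SNMP view-matching rule from RFC 3415 to decide whether an OID is reachable through a view: the entry with the longest matching subtree decides, and access is granted only if that entry is “included”. The vmVlan OID is taken from CISCO-VLAN-MEMBERSHIP-MIB and the usmUserTable OID from SNMP-USER-BASED-SM-MIB; the second view, which excludes the SNMPv3 user MIB, is a constructed variant and not part of the post.

```python
# Each view entry is (subtree, "included" | "excluded"). Per the VACM rules
# (RFC 3415), the entry with the longest subtree that prefixes the OID decides;
# if no entry matches, access is denied. IOS subtree masks (wildcards) are not
# modelled here.

def oid_tuple(oid):
    """'iso.3.6.1' or '1.3.6.1' -> (1, 3, 6, 1); 'iso' is shorthand for 1."""
    return tuple(int(x) for x in oid.replace("iso", "1").split("."))

def in_view(view, oid):
    """True if oid is accessible through the given list of view entries."""
    target, best = oid_tuple(oid), None
    for subtree, kind in view:
        sub = oid_tuple(subtree)
        if target[:len(sub)] == sub and (best is None or len(sub) > len(best[0])):
            best = (sub, kind)
    return best is not None and best[1] == "included"

# The post's view: "snmp-server view nacview iso included"
NACVIEW = [("iso", "included")]

# Constructed variant (assumption, not from the post): same view but with the
# SNMPv3 user MIB excluded, so a read-only community cannot list the v3 users.
NACVIEW_NO_USM = [("iso", "included"), ("1.3.6.1.6.3.15", "excluded")]

VM_VLAN = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"   # vmVlan, CISCO-VLAN-MEMBERSHIP-MIB
USM_USER_TABLE = "1.3.6.1.6.3.15.1.2.2"    # usmUserTable, SNMP-USER-BASED-SM-MIB

def check_views():
    """(vmVlan reachable, usmUserTable reachable) for each sample view."""
    return {
        "nacview": (in_view(NACVIEW, VM_VLAN), in_view(NACVIEW, USM_USER_TABLE)),
        "nacview_no_usm": (in_view(NACVIEW_NO_USM, VM_VLAN),
                           in_view(NACVIEW_NO_USM, USM_USER_TABLE)),
    }
```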
Let’s now move on to the most secure version of SNMP, SNMP V3. SNMP V3 can use a username and password authentication method. This authentication is protected by MD5 or SHA-1 hashes when sent across the network. Additionally, the SNMP packets can be encrypted. With this in mind, SNMP V3 should be used where possible.
Now that SNMP security has been described, let’s see how it can be implemented with the Cisco NAC Appliance. First, the NAC read settings. These are the settings that allow the NAC Manager to read the configuration on the switch. For this portion of the configuration, the NAC Manager only supports SNMP V1 and SNMP V2c. On the switch, the configuration is the same for SNMP V1 and SNMP V2c. On the NAC Manager, either SNMP V1 or SNMP V2c can be chosen. Below is an example using SNMP V2c.
Switch configuration
access-list 10 permit host 10.1.1.210
snmp-server view nacview iso included
snmp-server community public view nacview RO 10
On NAC Manager 4.7, the configuration is accessed at “OOB Management > Profiles > Device”. Edit a device profile and change the “SNMP Read Settings” to match the switch (SNMP V2c with the community string “public”).
The second portion is the NAC write settings. These are the settings that allow the NAC Manager to change the switch port VLAN assignments. For this portion of the configuration, the NAC Manager supports SNMP V3. On the switch, authentication (auth) and privacy (priv) are defined along with the associated hash and encryption schemes. The example below uses the “iso” view, with SHA-1 for the authentication hash and 3DES for the privacy encryption. The view is named “nacview”, the SNMP group is named “nacgroup”, the username is “cisco”, and the password is “ciscopass”. The same access list from the SNMP read settings is used.
Switch configuration
snmp-server view nacview iso included
access-list 10 permit host 10.1.1.210
snmp-server group nacgroup v3 auth read nacview write nacview
snmp-server user cisco nacgroup v3 auth sha ciscopass priv 3des ciscopass access 10
The last part of the configuration is the SNMP traps. These are SNMP messages sent from the switch to the NAC Manager to report link up/link down and MAC address changes on individual switch ports. On the switch, a choice must be made between authentication only and authentication plus privacy. The switch configuration is confusing because it only shows options for authentication or privacy, which makes it appear that a choice between authentication only or privacy only must be made. Looking at the context help, it can be seen that the priv option includes both privacy and authentication. This is shown below.
3560(config)#snmp-server host 10.1.1.110 trap ver 3 ?
auth Use the SNMPv3 authNoPriv Security Level
noauth Use the SNMPv3 noAuthNoPriv Security Level
priv Use the SNMPv3 authPriv Security Level
The example below enables the SNMP linkup, linkdown, and mac-notification traps. It also sends the traps to the NAC Manager using the username “cisco”, with the parameters defined above.
Switch Configuration
snmp-server enable traps mac-notification
snmp-server enable traps snmp linkup linkdown
mac-address-table aging-time 3600
snmp-server host 10.1.1.210 traps version 3 priv cisco udp-port 162 mac-notification snmp
The NAC Manager configuration for SNMP traps is accessed at “OOB Management > Profiles > SNMP Receiver”.
In summary, the settings below should be used when configuring SNMP for the NAC Appliance.
- Read configuration: SNMP V2c
- Write configuration: SNMP V3 with authentication (sha-1) and privacy (3des)
- Trap configuration: SNMP V3 with authentication (sha-1) and privacy (3des)
Below is the full switch configuration used in this example.
access-list 10 permit host 10.1.1.210
snmp-server view nacview iso included
snmp-server community public view nacview RO 10
snmp-server group nacgroup v3 auth read nacview write nacview
snmp-server user cisco nacgroup v3 auth sha ciscopass priv 3des ciscopass access 10
snmp-server enable traps mac-notification
snmp-server enable traps snmp linkup linkdown
mac-address-table aging-time 3600
snmp-server host 10.1.1.210 traps version 3 priv cisco udp-port 162 mac-notification snmp
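As an added example (not part of the post or of any Cisco tool), the Python below audits IOS snmp-server lines against the settings summarized above: communities without an access list or view, RW communities, v3 users without auth, priv or an access list, and trap hosts not configured for version 3 priv. It is run over the post's own switch configuration, embedded as a constructed sample string; the severity labels are an assumption.

```python
# Constructed sample: the full switch configuration from this post, as text.
NAC_SWITCH_CONFIG = """\
access-list 10 permit host 10.1.1.210
snmp-server view nacview iso included
snmp-server community public view nacview RO 10
snmp-server group nacgroup v3 auth read nacview write nacview
snmp-server user cisco nacgroup v3 auth sha ciscopass priv 3des ciscopass access 10
snmp-server enable traps mac-notification
snmp-server enable traps snmp linkup linkdown
mac-address-table aging-time 3600
snmp-server host 10.1.1.210 traps version 3 priv cisco udp-port 162 mac-notification snmp
"""
def audit_snmp(config):
    """Flag weak IOS snmp-server lines; returns a list of (severity, message)."""
    out = []
    for line in config.splitlines():
        w = line.split()
        low = [t.lower() for t in w]
        if low[:2] == ["snmp-server", "community"]:
            # snmp-server community <string> [view <name>] [RO|RW] [acl]
            name, rest = w[2], low[3:]
            if "view" not in rest:
                out.append(("medium", f"community {name}: no view, whole MIB exposed"))
            if "rw" in rest:
                out.append(("high", f"community {name}: RW over cleartext v1/v2c"))
            # the last token is the ACL unless it is RO/RW or the view name
            if not rest or rest[-1] in ("ro", "rw") or rest[-2:-1] == ["view"]:
                out.append(("high", f"community {name}: no access-list, any host may query"))
            if name.lower() in ("public", "private"):
                out.append(("medium", f"community {name}: well-known community string"))
        elif low[:2] == ["snmp-server", "user"] and "v3" in low:
            # snmp-server user <u> <grp> v3 [auth md5|sha <pw>] [priv des|3des|aes <pw>] [access <acl>]
            if "auth" not in low:
                out.append(("high", f"user {w[2]}: noAuthNoPriv, no authentication"))
            if "priv" not in low:
                out.append(("high", f"user {w[2]}: no privacy, SNMP payload in clear"))
            if "access" not in low:
                out.append(("medium", f"user {w[2]}: no access-list"))
        elif low[:2] == ["snmp-server", "host"]:
            # snmp-server host <ip> [traps|informs] [version 1|2c|3 [auth|noauth|priv]] <name> ...
            if "version" not in low:
                out.append(("high", f"trap host {w[2]}: defaults to v1, cleartext community"))
            else:
                i = low.index("version")
                if low[i + 1] != "3":
                    out.append(("high", f"trap host {w[2]}: version {low[i + 1]}, traps in clear"))
                elif low[i + 2] != "priv":
                    out.append(("medium", f"trap host {w[2]}: v3 {low[i + 2]}, traps not encrypted"))
    return out
```

On the post's configuration the only finding is the well-known community string “public”, which the access list and view mitigate but a site-specific string would remove.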
References
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_oob.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/command/reference/3560cr.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swsnmp.html
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en
An SNMPv3 PSIRT advisory came out on 1/29/10. Be sure to apply the appropriate updates before using SNMPv3.
http://www.cisco.com/warp/public/707/cisco-sa-20080610-snmpv3.shtml