SNMP

In the FIPS mode of operation, the device uses the existing SNMP configuration. However, MIB objects related to keys and passwords output NULL or a 0 value.

Note

SNMPv1 and SNMPv2C versions are not allowed in FIPS mode. Access is allowed only for SNMPv3 configuration with authPriv mode. Other security modes such as noAuthNoPriv and authNoPriv are not allowed.

SNMP allows peer-to-peer authentication or client-to-server authentication. To enable authentication, configure shared secret keys for SNMP with commands such as the following:

device(config)# snmp-server community extremeSNMP

SNMP notification

In the FIPS mode or CC mode of operation, the Extreme NetIron device generates only SNMPv3 notifications, and only for an SNMPv3 host configured in authPriv security mode. As a result, both authentication and privacy are configured for a given SNMP target.

Note

The device does not validate the configuration of the snmp-server host command to ensure an SNMPv3 authPriv configuration. When a notification is generated, the system goes through the configured SNMP host list and sends the notification only to those hosts that have SNMPv3 with authPriv security mode.
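
Because hosts that are not SNMPv3 authPriv are skipped at notification time rather than rejected at configuration time, a saved configuration can be checked offline for targets that will receive nothing in FIPS mode. The following Python script is an added example, not part of the Extreme documentation. It assumes host lines of the form snmp-server host <addr> version v3 priv <user>, where priv stands for authPriv (this syntax is not shown on this page), and its sample configuration is constructed.

```python
import re

# Assumed line shape (not given on the page):
#   snmp-server host <addr> version {v1|v2c <community> | v3 {auth|noauth|priv} <user>}
# Assumed keyword mapping: priv = authPriv, auth = authNoPriv, noauth = noAuthNoPriv.
HOST_RE = re.compile(
    r"^\s*snmp-server\s+host\s+(?P<addr>\S+)"
    r"(?:\s+version\s+(?P<ver>v1|v2c|v3)(?:\s+(?P<level>auth|noauth|priv)\b)?)?",
    re.IGNORECASE,
)

def audit_hosts(config_text):
    """Return (receives, skipped): hosts that get notifications in FIPS mode
    (SNMPv3 authPriv) and hosts the device passes over, with the reason."""
    receives, skipped = [], []
    for line in config_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # not an snmp-server host line
        addr = m.group("addr")
        ver = (m.group("ver") or "").lower()
        level = (m.group("level") or "").lower()
        if ver == "v3" and level == "priv":
            receives.append(addr)
        elif ver != "v3":
            skipped.append((addr, f"{ver or 'no version'}: not SNMPv3"))
        else:
            skipped.append((addr, f"v3 {level or 'no level'}: not authPriv"))
    return receives, skipped

# Constructed sample configuration (documentation addresses, made-up user name).
SAMPLE = """\
snmp-server community extremeSNMP
snmp-server host 192.0.2.10 version v3 priv nmsUser
snmp-server host 192.0.2.11 version v3 auth nmsUser
snmp-server host 192.0.2.12 version v2c public
snmp-server host 192.0.2.13 version v3 noauth nmsUser
snmp-server host 2001:db8::5 version v3 priv nmsUser port 162
"""

if __name__ == "__main__":
    ok, missed = audit_hosts(SAMPLE)
    for addr in ok:
        print(f"RECEIVES  {addr}")
    for addr, why in missed:
        print(f"SKIPPED   {addr}  ({why})")
```

Any host reported as SKIPPED is a monitoring gap in FIPS mode: the configuration is accepted, but that target gets no notifications.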

SNMP CSP objects

The following SNMP MIB objects represent the critical security parameter (CSP) entities that are restricted in FIPS mode.

Enterprise MIB objects:

Standard MIB objects: