On 26 January 2012 14:18, Frank Renwick <[email protected]> wrote:
> Using the VACM model in snmpd.conf, it is possible to restrict access to v1
> and/or v2c community strings based on source IP address of the initiating
> NMS host (the host issuing snmpwalk, snmpget, etc)

Strictly speaking - no, it's not.

The Net-SNMP implementation of access control uses a proprietary mapping between community names and security names that takes note of the source IP address. I'm not 100% sure, but I seem to remember that this isn't actually part of the "official" mechanism for mapping community-based requests into the SNMPv3-style "security name".

In any case, this is handled as part of the security model processing, rather than the Access Control Model (i.e. VACM). By the time the request is passed on to the VACM, there's no further use made of the source address.

> Is it possible to use source IP filtering for groups of SNMPv3 users?

No - not within the standard SNMP framework.

You'd have to implement an extension to handle mapping a given username/source combination into a securityName (and reject others), rather than relying on the default identity mapping. But that's not something that's ever been tried, so there's no support for it in the Net-SNMP code.

Dave

_______________________________________________
Net-snmp-users mailing list
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
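
The split described in the reply above, as an added snmpd.conf fragment that is not part of the original message or taken from the Net-SNMP project. All names, addresses, community strings and passphrases are constructed placeholders.

```conf
# Constructed snmpd.conf fragment; every name, address, community string
# and passphrase below is a placeholder.

# v1/v2c: com2sec maps (source, community) -> security name.
# This is the only place the source address is examined. A request with
# the right community from another source is not mapped to nmsRO.
#        SECNAME  SOURCE         COMMUNITY
com2sec  nmsRO    192.0.2.10/32  EXAMPLE_COMMUNITY

# v3/USM: the security name is the user name itself (identity mapping).
# createUser has no source field, so nothing ties the user to an address.
createUser exampleUser SHA "EXAMPLE_AUTH_PASSPHRASE" AES "EXAMPLE_PRIV_PASSPHRASE"

# VACM starts here: security name -> group -> view.
# None of the following directives takes a source address.
#      GROUP    MODEL  SECNAME
group  roGroup  v2c    nmsRO
group  roGroup  usm    exampleUser

#     VNAME    TYPE      OID
view  sysView  included  .1.3.6.1.2.1.1

#       GROUP    CONTEXT  MODEL  LEVEL   PREFX  READ     WRITE  NOTIFY
access  roGroup  ""       v2c    noauth  exact  sysView  none   none
access  roGroup  ""       usm    priv    exact  sysView  none   none
```

Both `group` lines feed the same VACM group, but only the v2c path has passed a source check on the way in.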
