We’re currently trying to allow a client to perform an operation using SNMP set commands on a Cisco NX-OS switch (namely a 5548).
It’s possible using SNMPv2c and community strings, but this does not generate a log message, making it completely unaccountable. SNMPv3 seems to have the answer. According to the documentation, it provides:
I’ve tested using a set operation to change a MIB using the following command:
snmpset -v 3 -u test -l authpriv -a MD5 -A Testpass01 -x DES -X Testpass01 hostname system.sysLocation.0 s TESTLOCATION
Which works fine.
However, the problem arises when trying to back off the authentication of the SNMP operation to TACACS/RADIUS. My interpretation of the documentation suggests this is possible. My Cisco SE has not denied it either. However, I reckon some changes need to be made to the authentication server. According to what I’ve read:
You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Nexus 5000 Series switch using this format:
shell:roles="roleA roleB ..."
If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.
You can also specify your SNMPv3 authentication and privacy protocol attributes as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 and DES are the default authentication protocols.
So, it looks like using an SNMPv3 set operation authenticated to TACACS/RADIUS will require additional specification of SNMPv3 authentication and privacy protocol parameters, and the corresponding role mapped to the user trying to perform the SNMPv3 operation.