Access lists

The access list is a collection of all user names, passwords, and Simple Network Management Protocol (SNMP) community strings that the server uses when accessing the configuration items in your infrastructure. You must set up this list for the configuration items that you want to discover. When you use the Stack Scan sensor for credential-less discovery, no access list is required.

User names, passwords, and community strings (where needed) are categorized by the type of device or software application, and optionally restricted by scope. For example, all user names and passwords for all computer systems are stored as one group, and all user names and passwords for all databases are stored as another group.

When accessing a device, the server sequentially uses each user name and password (or community string) in the group across a particular scope (IP address per subnet) until the device allows the server permission to access it. For example, when accessing a computer system, the server uses the first user name and password specified in the access list for computer systems. If the user name and password are incorrect for a particular computer system, the server automatically uses the next user name and password that is specified in the access list for a computer system.

Because you enter a list of user names and passwords (or community strings) for each type of configuration item, you do not need to specify a user name and password for a particular configuration item. When you specify all user names and passwords for each type of device, define the scope for each user name and password pair. The server automatically tries each user name and password until the correct combination is found. The access list that you create is used by the Discovery Management Console and is encrypted and stored in the database.

If the device you are discovering is a network device capable of being managed through the SNMP protocol, enter an SNMP community string in the Community field. If you are using SNMP for a Cisco device, you must select the SNMP network element and enter an SNMP community string in the Community field for the Cisco device.

For each Computer System entry in the access list, you can specify one of the following authentication types:
  • default
  • password
  • public key infrastructure (PKI)

If you select default authentication, SSH key-based authentication is attempted first, using the password as the key passphrase if one is required. If key-based authentication does not succeed, login name and password authentication is attempted next. If the password authentication type is selected, only password authentication is attempted. Similarly, if PKI is selected, only key-based authentication is attempted. If you know the authentication type, set it explicitly for each new access list entry. Otherwise, the default behavior can produce many invalid login attempts, which can sometimes lock the user out of the account.
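The ordered, scope-restricted credential search and the authentication-type fallback described above, as an added simulation that is not part of the product's own code: the entry model, the `candidates` and `discover` functions, and the device and access-list values are all constructed for illustration. It counts the failed attempts a target host sees, so you can compare a list of `default` entries against the same list with the type set explicitly.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    """One access list entry (hypothetical model, not the product's schema)."""
    ci_type: str                # e.g. "ComputerSystem", "Database", "NetworkElement"
    user: str
    secret: str                 # password, key passphrase, or SNMP community string
    scope: str = "0.0.0.0/0"    # CIDR block the entry is restricted to
    auth: str = "default"       # "default", "password" or "pki"

def candidates(access_list, ci_type, ip):
    """Entries for this CI type whose scope contains ip, kept in list order."""
    addr = ipaddress.ip_address(ip)
    return [e for e in access_list
            if e.ci_type == ci_type
            and addr in ipaddress.ip_network(e.scope, strict=False)]

# Which methods each authentication type tries, in order.
METHODS = {"default": ["pki", "password"], "password": ["password"], "pki": ["pki"]}

def discover(access_list, ci_type, ip, device):
    """Try candidate entries sequentially until one is accepted.
    device: {"auth": "password" | "pki" | "both", "creds": {user: secret}}
    Returns (accepted entry or None, number of failed login attempts)."""
    failures = 0
    for entry in candidates(access_list, ci_type, ip):
        for method in METHODS[entry.auth]:
            accepted = (device["auth"] in (method, "both")
                        and device["creds"].get(entry.user) == entry.secret)
            if accepted:
                return entry, failures
            failures += 1        # every rejected method counts against the account
    return None, failures

# Constructed sample data: a stale entry precedes the working one in both lists.
LIST_DEFAULT = [Entry("ComputerSystem", "svc-old", "Old#1", "10.1.0.0/16"),
                Entry("ComputerSystem", "svc-disc", "S3cret", "10.1.2.0/24")]
LIST_TYPED = [Entry("ComputerSystem", "svc-old", "Old#1", "10.1.0.0/16", "password"),
              Entry("ComputerSystem", "svc-disc", "S3cret", "10.1.2.0/24", "password")]
HOST = {"auth": "password", "creds": {"svc-disc": "S3cret"}}   # password-only SSH host

if __name__ == "__main__":
    for name, lst in (("default", LIST_DEFAULT), ("password", LIST_TYPED)):
        entry, failed = discover(lst, "ComputerSystem", "10.1.2.7", HOST)
        print(f"auth type {name}: accepted {entry.user}, {failed} failed attempts first")
    print(discover(LIST_TYPED, "ComputerSystem", "10.9.0.5", HOST))  # out of scope -> none
```

On the password-only host the `default` list costs three rejected attempts before success, the explicitly typed list only one, which is the lockout risk the text warns about; an address outside every scope yields no candidates at all.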

If your system administrator has set up SSH with the login and password authentication method, start the Discovery Management Console with the Establish a Secure (SSL) Session option enabled before you set up the access list. This option encrypts all data, including access list user names and passwords, before it is transmitted between the Discovery Management Console and the server.