Configuring device access

Specify SNMP community strings and Telnet access information to enable helpers and Network Manager polling to access devices on your network.

Note the following information about the SNMP helper and Telnet helper:
SNMP helper
You must specify SNMP community strings for the SNMP helper and polling operations to access devices on your network. You might need to enter a community string more than once. For example, once for SNMP V1, once for SNMP V2, and once for SNMP V3.
Telnet helper
Enter the relevant device prompts, login ID, and password for the Telnet helper and the discovery agents that use Telnet. You can configure Telnet-privileged access properties. The privileged access mode allows commands to be run that might change the configuration of the device. By default, when the discovery accesses the device using Telnet, access is granted in user mode. This mode allows the running of basic commands only, such as those commands that show the status of the system. This default access mode is a safety feature to prevent the discovery making any device configuration modifications without an explicit change to privileged mode.
Community strings and Telnet access data can be global, which means that the discovery tries the community string for every device it encounters, or restricted to specific subnets (that is, used only on devices within a specific subnet), or even restricted to specific devices. Specifying community strings and Telnet access data by subnet results in a more efficient and faster discovery. In general, the more specific the credentials, the faster the discovery will determine the correct credentials.
Note: Speed of discovery related to community string settings in the GUI only affects the initial discoveries. Once Network Manager has identified the correct community strings, it stores this information in the NCMONITOR relational database. Subsequent discoveries access this database for SNMP community strings and other SNMP-related device access information.
For the discovery to run, at a minimum you must specify the following parameters:
  • One seed device
  • The correct SNMP community strings for the network to be discovered.

When discovering devices using SNMPv3, the Cisco switches must have the VLAN context added to the view group for each VLAN.

To configure device access:

  1. Click the Discovery icon and select Network Discovery Configuration.
  2. From the Domain list, select the required domain.
  3. Click Passwords.
  4. To add a new SNMP community string, click New.
    The SNMP Password Properties page is displayed.
  5. Complete the fields as follows and then click OK:
    Community String
    Type a name. When you save the community string, the name is encrypted, but on the GUI, the value is always displayed unencrypted. For speed of discovery, order the SNMP strings by frequency, with the most common strings first.
    Restriction: It is best practice not to use the at symbol (@) in community strings. Using this symbol in a community string can cause problems connecting to devices at discovery time.
    Apply to
    The discovery completes more quickly if you specify the correct scope of the community strings. Select one of the following options:
    All Devices
    Select this option if the community string is global.
    IP Address
    Select this option if the community string is specific to an IP address, and type the IP address.
    Subnet
    Select this option if the community string is specific to a subnet. Type the required subnet and specify the number of netmask bits. The Netmask field is automatically updated.
    SNMP Version
    Specify the version of SNMP for this SNMP community. If you specify SNMP V3, complete the following additional fields:
    Security Name
    Type a name.
    Level
    Specify the required level of authentication and privacy.
    NoAuthNoPriv
    Select this option for SNMP communities that have no authentication or private key. In this case there is no need to specify any passwords.
    AuthNoPriv
    Select this option for SNMP communities that have an authentication key but no private key. Then specify a password in the Auth Password field.
    AuthPriv
    Select this option for SNMP communities that have both an authentication and a private key. Then specify passwords in the Auth Password and Private Password fields.
    Auth Type
    Select the type of encryption for the authentication password. The authentication types available are MD5, SHA1, SHA256, and SHA512.
    Restriction:

    The MD5 encryption option is not available if you are running a FIPS 140–2 installation of Network Manager.

    By default, the GUI does not use any cryptographic routines that are excluded from a FIPS 140-2 installation, regardless of the installation status of the core server. If you want to configure SNMP discovery options to enable MD5 and DES, set tnm.fips.mode=false in the tnm.properties file.

    Priv Type
    Specify the type of encryption for the privacy password.
    Restriction: The DES encryption option is not available if you are running a FIPS 140–2 installation of Network Manager.
    SNMP Port
    Specify the required port.
    Timeout
    Specify the time in milliseconds to wait for a reply before timing out.
    Note: The administrator can control the maximum timeout that can be set using this field, by configuring the discoconfig.oobl.passwords.snmp.timeout.max property in the discoconfig.properties file.
    Retries
    Specify how many times you want the SNMP helper and polling operations to attempt to access a device.
    Note: The administrator can control the maximum number of retries that can be set using this field, by configuring the discoconfig.oobl.passwords.snmp.retries.max property in the discoconfig.properties file.
  6. Click Move Up and Move Down to arrange the SNMP community strings. Put the most frequently used strings at the top of the list.
  7. Click Save.
  8. To add Telnet access information, click New.
    The Telnet Password Properties page is displayed.
  9. Complete the fields as follows:
    Apply to
    Select one of the following options:
    All devices
    Select this option if the data applies globally.
    IP address
    Select this option if the string is specific to a device, and type the IP address of the device.
    Subnet
    Select this option if the string is specific to a subnet. Type the required subnet and specify the number of netmask bits. The Netmask field is automatically updated.
    Username prompt
    Type the prompt that you want to be displayed at login. If you do not know the exact format of the prompt, use a regular expression.
    Username
    Type the user name.
    Password prompt
    Type the prompt that you want to be displayed when the password is required at login. If you do not know the exact format of the prompt, use a regular expression.
    Password
    Type the password.
    Console prompt
    Type the prompt that is displayed when you log in. If you do not know the exact format of the prompt, use a regular expression.
    Access port
    Specify the port on which the Telnet helper and discovery agents attempt to access devices.
    Timeout
    Specify the time in milliseconds to wait for a reply before timing out.
    Note: The administrator can control the maximum timeout that can be set using this field, by configuring the discoconfig.oobl.passwords.telnet.timeout.max property in the discoconfig.properties file.
    Use SSH
    Select this option to configure the Telnet Helper to use the Secure Shell (SSH) program.
  10. Optional: To configure Telnet-privileged access mode properties:
    1. Click Advanced.
      The Telnet Privileged Access Mode Properties page is displayed.
    2. Complete the fields as follows and then click OK:
      Command
      Type the command required to enter Telnet-privileged access mode. This command is typically enable.
      Password Prompt
      Type the prompt that you want to be displayed when the password is required at login. If you do not know the exact format of the prompt, use a regular expression.
      Password
      Type the required password for privileged mode.
      Console Prompt
      Type the prompt that is displayed when you log in. If you do not know the exact format of the prompt, use a regular expression.
      Commands requiring mode:
      Specify the commands that you want to make accessible from privileged mode. To add new commands, click New... and type the command in the Priv command field. The following commands are required to run in enable mode:
      • show run
      • show mac-address-table
      • show ip nat translation
  11. Click OK. Click Save.

When you save the Telnet password settings, the following passwords are automatically encrypted:

  • Telnet password
  • Telnet privileged mode password (if specified)

When you save the SNMP password settings, the following passwords are automatically encrypted:

  • SNMP community string
  • SNMP authentication password
  • SNMP private password
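
The scoping options and restrictions in the procedure above can be reviewed as a checklist before entries are typed into the GUI. This is an added example, not IBM code and not a Network Manager export format: the entry dictionaries, their field names (including the combined `target` field), and the sample values are hypothetical, and the AES privacy type in the sample is an assumption, since this page names only DES.

```python
import ipaddress

NON_FIPS = {"MD5", "DES"}  # not available on a FIPS 140-2 installation
REQUIRED_PRIV = {"show run", "show mac-address-table", "show ip nat translation"}

def check_scope(e):
    scope = e.get("apply_to", "All Devices")
    if scope == "All Devices":
        return ["global scope: credential is tried on every device encountered"]
    parse = ipaddress.ip_address if scope == "IP Address" else ipaddress.ip_network
    try:
        parse(e["target"])  # ip_network() rejects host bits set below the netmask
    except (KeyError, ValueError) as err:
        return [f"invalid {scope} restriction: {err}"]
    return []

def check_snmp(e, fips):
    out = []
    if "@" in e.get("community", ""):
        out.append("'@' in community string can break device connections")
    if e.get("version") != "V3":
        return out + ["SNMP V1/V2 community string is sent in cleartext"]
    level = e.get("level", "NoAuthNoPriv")
    if level != "AuthPriv":
        out.append(f"{level}: traffic is not both authenticated and encrypted")
    weak = sorted({e.get("auth_type"), e.get("priv_type")} & NON_FIPS) if fips else []
    return out + [f"{a} is excluded from FIPS 140-2 mode" for a in weak]

def check_telnet(e):
    out = [] if e.get("use_ssh") else ["Use SSH not selected: login is sent in cleartext"]
    extra = sorted(set(e.get("priv_commands", [])) - REQUIRED_PRIV)
    return out + ([f"privileged commands beyond the required set: {extra}"] if extra else [])

def audit(entries, fips=True):
    """Return {entry name: [findings]} for every entry with at least one finding."""
    checks = {"snmp": lambda e: check_snmp(e, fips), "telnet": check_telnet}
    report = {e["name"]: check_scope(e) + checks[e["kind"]](e) for e in entries}
    return {name: f for name, f in report.items() if f}

# Constructed sample entries: hypothetical field names, documentation address ranges.
SAMPLE = [
    {"name": "legacy-v2", "kind": "snmp", "community": "core@site1", "version": "V2", "apply_to": "All Devices"},
    {"name": "core-v3", "kind": "snmp", "version": "V3", "level": "AuthPriv",
     "auth_type": "SHA256", "priv_type": "AES", "apply_to": "Subnet", "target": "192.0.2.0/24"},
    {"name": "edge-v3", "kind": "snmp", "version": "V3", "level": "AuthPriv",
     "auth_type": "MD5", "priv_type": "DES", "apply_to": "IP Address", "target": "198.51.100.7"},
    {"name": "cli", "kind": "telnet", "use_ssh": False, "apply_to": "Subnet",
     "target": "192.0.2.0/24", "priv_commands": ["show run", "configure terminal"]},
]
```

Calling `audit(SAMPLE)` reports every entry except `core-v3`; with `fips=False` the MD5 and DES findings are dropped, which mirrors the effect of `tnm.fips.mode=false`.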