aaa authentication snmp-server

Configures the AAA authentication method for SNMP server access.

Syntax

aaa authentication snmp-server default method-list [ method-list ... ]
no aaa authentication snmp-server default method-list [ method-list ... ]

Command Default

The AAA authentication method list is not configured.

Parameters

default
Configures the default authentication method list.
method-list
Configures the following authentication methods.
enable
Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password command.
line
Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password command.
local
Authenticate using a local username and password you configured on the device. Local usernames and passwords are configured using the username command.
none
Does not use any authentication method. The device automatically permits access.
radius
Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command.
tacacs
Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
tacacs+
Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.

Modes

Global configuration mode

Usage Guidelines

You can specify a primary authentication method and up to six backup authentication methods. If the configured primary authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.

When this command is enabled, community string validation is not performed for incoming SNMP v1 and v2c packets. This command takes effect as long as the first varbind for SNMP packets is set to one of the following:
  • snAgGblPassword=" username password " (for AAA method local)
  • snAgGblPassword=" password " (for AAA method line, enable)
NOTE
Certain SNMP objects need additional validation. These objects include but are not limited to: snAgReload, snAgWriteNVRAM, snAgConfigFromNVRAM, snAgImgLoad, snAgCfgLoad, and snAgGblTelnetPassword.

If AAA is set up to check both the username and password, the string contains the username, followed by a space and then the password. If AAA is set up to authenticate with the current Enable or Line password, the string contains the password only. The configuration can be overridden by the no snmp-server pw-check command, which disables password checking for SNMP SET requests.

The no form of the command removes the authentication method.

Examples

The following example shows how to configure incoming SNMP SET operations to be authenticated using the locally configured usernames and passwords.

device(config)# aaa authentication snmp-server default local
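
The following added example is not part of the original documentation. It is a Python check that audits a saved configuration for the settings described on this page: a method list that contains none, method keywords not listed under Parameters, more than seven methods, and the no snmp-server pw-check override. The function name audit_snmp_aaa and the sample configuration are constructed for illustration.

```python
import re

# Method keywords listed under Parameters on this page.
VALID_METHODS = {"enable", "line", "local", "none", "radius", "tacacs", "tacacs+"}
MAX_METHODS = 7  # one primary method plus up to six backup methods

# Matches only the positive form; a line starting with "no aaa ..." is ignored.
AAA_RE = re.compile(r"^\s*aaa authentication snmp-server default\s+(.+?)\s*$")
PWCHECK_OFF_RE = re.compile(r"^\s*no snmp-server pw-check\s*$")


def audit_snmp_aaa(config_text):
    """Return (line_number, finding) tuples for a saved configuration."""
    findings = []
    for num, line in enumerate(config_text.splitlines(), start=1):
        if PWCHECK_OFF_RE.match(line):
            findings.append((num, "pw-check disabled: password checking "
                                  "for SNMP SET requests is off"))
            continue
        match = AAA_RE.match(line)
        if not match:
            continue
        methods = match.group(1).split()
        unknown = [m for m in methods if m not in VALID_METHODS]
        if unknown:
            findings.append((num, "unknown method(s): " + ", ".join(unknown)))
        if len(methods) > MAX_METHODS:
            findings.append((num, "more than %d methods listed" % MAX_METHODS))
        if "none" in methods:
            pos = methods.index("none")
            role = "primary" if pos == 0 else "backup #%d" % pos
            findings.append((num, "'none' as %s: the device permits access "
                                  "without authentication when this method "
                                  "is reached" % role))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
!
aaa authentication snmp-server default radius local none
no snmp-server pw-check
"""

if __name__ == "__main__":
    for num, finding in audit_snmp_aaa(SAMPLE_CONFIG):
        print("line %d: %s" % (num, finding))
```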