jnprsnmpd.conf File Overview
The jnprsnmpd.conf configuration file stores settings for the SNMP agent. After you install the SNMP agent for Steel-Belted Radius Carrier on a server, you can modify the jnprsnmpd.conf configuration file to reflect your network environment.
Access Control Overview and Syntax
jnprsnmpd supports the View-Based Access Control Model (VACM) described in RFC 2575. To configure access control, you must map community names to security names, map security names to groups, and specify access rights and views for groups.
Use the com2sec keyword to map each source/community pair to a security name. The com2sec entry is used to determine a security name from the traditional community string, taking into account where a request has come from.
The syntax for the com2sec keyword is:
com2sec security_name source community
- security_name identifies the security name you want to create.
- source can be a hostname, a subnet, or the word default. You can specify a subnet as an IP address and mask (nnn.nnn.nnn.nnn/nnn.nnn.nnn.nnn) or as an IP address and Classless Inter-Domain Routing (CIDR) bits (nnn.nnn.nnn.nnn/nn).
- community is an SNMP community string, which acts as a password to authenticate SNMP communications.
The first source/community combination that matches an incoming packet is selected.
For example, the following creates two security names (local and mynetwork) and maps them to two different subnet/community name pairs.
Security Names Overview and Syntax
Use the group keyword to map security names into group names. The group keyword gives general control by mapping between a security name (for a particular protocol version), and the internal name used in the access line.
The syntax for the group keyword is:
group name model security
- name is the name of an access group.
- model identifies the security model you want to use: v1 or v2c.
- security is a security name.
For example, these lines map the two security names to four group/model pairs.
Access View Overview and Syntax
Use the view keyword to specify what portions of the MIB tree a specified group can view or modify. The syntax for the view keyword is:
view name {included | excluded} subtree [mask]
- name is the identifier used for the view.
- included/excluded lets you include or exclude specific portions of the MIB tree from the view.
- subtree identifies the portion of the MIB tree that this name refers to in numeric or named form.
- mask specifies what elements of the MIB subtree are relevant. The mask argument allows you to control access to specific rows in a table. When the entire MIB can be viewed, you can omit the mask field or enter ff.
Group Access Overview and Syntax
Use the access keyword to specify who has access to part or all of the MIB tree. The syntax for the access keyword is:
access name context model level prefix read write notify
- name is the name of a group.
- context specifies the context for the view. For SNMPv1 or SNMPv2c, context is empty.
- model is the security model: any, v1, or v2c.
- level can be used to ensure that the request is authenticated or encrypted. For SNMPv1 or SNMPv2c, level is noauth.
- prefix specifies how the context setting is matched against the context of the incoming PDU. Enter exact or prefix.
- read specifies the view to be used for READ access.
- write specifies the view to be used for WRITE access.
- notify specifies the view to be used for NOTIFY access.
For example, these settings specify that the LocalGroup uses the all view for READ, WRITE, and NOTIFY access:
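Added example (not part of the original documentation or the product's code): the Python sketch below follows a request's source address, community string and model through the com2sec, group, view and access keywords described above and reports the READ and WRITE views it ends up with, applying the first-match rule for com2sec. The sample configuration, its subnets and its community strings are constructed, and hostname sources are not resolved.

```python
import ipaddress
import shlex

# Constructed sample config (names, subnets and communities are made up).
SAMPLE_CONF = '''
com2sec local      127.0.0.1/32            examplelocal
com2sec mynetwork  192.0.2.0/255.255.255.0 examplenet
com2sec anyone     default                 examplenet
group LocalGroup v1  local
group LocalGroup v2c local
group NetGroup   v2c mynetwork
group RoGroup    v2c anyone
view all included .1 ff
view sys included .1.3.6.1.2.1.1
access LocalGroup "" any noauth exact all all all
access NetGroup   "" v2c noauth exact all sys none
access RoGroup    "" any noauth exact sys none none
'''

def parse(conf):
    """Collect the four access-control keyword tables from config text."""
    t = {"com2sec": [], "group": [], "view": [], "access": []}
    for line in conf.splitlines():
        tok = shlex.split(line, comments=True)  # drops '#' comments, keeps ""
        if tok and tok[0] in t:
            t[tok[0]].append(tok[1:])
    return t

def source_matches(source, ip):
    if source == "default":
        return True
    try:  # accepts both the a.b.c.d/mask and the a.b.c.d/bits form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # hostname sources are not resolved in this offline sketch

def effective_rights(conf, ip, community, model):
    """Return (security_name, group, read_view, write_view) or None."""
    t = parse(conf)
    defined = {v[0] for v in t["view"]}
    # The first matching source/community pair wins, as the page states.
    sec = next((s for s, src, com in t["com2sec"]
                if com == community and source_matches(src, ip)), None)
    grp = next((g for g, m, s in t["group"] if s == sec and m == model), None)
    for name, _ctx, amodel, _lvl, _pfx, read, write, _notify in t["access"]:
        if name == grp and amodel in ("any", model):
            # A view name with no matching view line is treated as granting nothing.
            return (sec, grp, read if read in defined else None,
                    write if write in defined else None)
    return None
```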
System Contact Overview and Syntax
You can specify your system contact information in the jnprsnmpd.conf file or in the MIB. If you configure your system contact information in the jnprsnmpd.conf file, the objects are locked and cannot be modified by means of SNMP.
System contact information consists of the following:
- syslocation—The physical location of the managed device.
- syscontact—The person or department responsible for maintaining the managed device.
- sysname—The name of the managed device.
This information is stored in the system group of the MIB-II tree.
The syntax for specifying system contact information is:
syslocation string
syscontact string
sysname string
Traps Overview and Syntax
Traps can be used by network entities to signal abnormal conditions to management stations. Identify the NMS that receives trap messages generated by Steel-Belted Radius Carrier.
NOTE: You can configure Steel-Belted Radius Carrier to use either SNMPv1 or SNMPv2c traps. You cannot configure Steel-Belted Radius Carrier to generate both types of traps simultaneously.
- Use the trapcommunity keyword to specify the default community string to be used when sending traps.
Syntax for the trapcommunity keyword is:
trapcommunity string
The trapcommunity keyword must precede the trap2sink keyword in the jnprsnmpd.conf file.
- Use the trapsink and trap2sink keywords to specify whether you want Steel-Belted Radius Carrier to use either SNMPv1 traps or SNMPv2c traps. Do not enable both types of traps at the same time.
- The trapsink keyword specifies the host or hosts to which the Steel-Belted Radius Carrier server should send SNMPv1 trap messages. If you want to use SNMPv1 traps, uncomment the trapsink keyword and specify the host or hosts to which Steel-Belted Radius Carrier should send SNMPv1 trap messages.
Syntax for the trapsink keyword is:
trapsink host [community [port]]
- host specifies the host name or IP address of the NMS.
- community specifies the community string the NMS expects.
- port specifies the UDP port on which the NMS is listening for SNMPv1 trap messages. Default is UDP port 162.
# send v1 traps
trapsink nms.system.com secret
- The trap2sink keyword specifies the host or hosts to which you want Steel-Belted Radius Carrier server to send SNMPv2c trap (notification) messages. If you want to use SNMPv2c traps, uncomment the trap2sink keyword to specify the host or hosts to which Steel-Belted Radius Carrier should send SNMPv2c trap (notification) messages.
Syntax for the trap2sink keyword is:
trap2sink host [community [port]]
- host specifies the host name or IP address of the NMS.
- community specifies the community string the NMS expects.
- port specifies the port on which the NMS is listening for SNMPv2c trap messages.
# send v2 traps
trap2sink nms.system.com secret
SNMP Proxy Overview and Syntax
The optional proxy keyword configures the SNMP agent to forward incoming SNMP requests to another agent.
Syntax for the proxy keyword is:
proxy [SNMPCMD ARGS] HOST OID [REMOTEOID]
where: SNMPCMD keyword and arguments indicate how to authenticate the proxy SNMP.
Dump the sent and received SNMP packets in hexadecimal format.
[snmp] Overview and Syntax
The SNMP agent uses the jnprsnmpd.conf file to store static agent configuration information, such as community strings. The SNMP agent uses the persist directory to store information set during the running of the agent, which needs to be persistent from one run to the next.
The persistentDir keyword in the [snmp] section of jnprsnmpd.conf specifies the location of the persist directory. By default, the persist directory is located in the /snmp directory within radiusdir on your server.
The syntax for specifying the location of the persist directory is:
[snmp]
persistentDir radiusdir/snmp/persist
[snmpd] Overview and Syntax
By default, jnprsnmpd listens for incoming SNMP requests on UDP port 161 on all IP interfaces. You can specify a different UDP port in the jnprsnmpd.conf file. The syntax for specifying a listening port is:
[snmpd]
agentaddress port_number
NOTE: If you change the SNMP port number in jnprsnmpd.conf, you must also enter the same port number in testagent.sh.
NOTE: If you run more than one SNMP agent on your server, each agent must use a unique UDP port number.
Subagent Overview and Syntax
By default, the SNMP subagent in Steel-Belted Radius Carrier communicates with the SNMP agent on TCP port 6669. If you change the port used for subagent-agent communication, you must modify jnprsnmpd.conf to uncomment the sbr_admin_parameters keyword and specify host, port, and interval values.
Syntax for the sbr_admin_parameters keyword is:
sbr_admin_parameters host=localhost port=port tryinterval=interval
- port identifies the TCP port the Steel-Belted Radius Carrier server uses for SNMP communication. The default value is 6669.
- interval specifies the number of seconds information can remain in the SNMP subagent cache. If your SNMP management station issues queries intermittently, set the tryinterval value to a small number (1-5) to ensure timely information. If your SNMP management station polls the server periodically, set the tryinterval value to a larger number to avoid flooding the server with queries. The default is 10 seconds.
radiusdir Overview and Syntax
Use the sbr_private_directory keyword to specify the location where Steel-Belted Radius Carrier is stored on your server.
Syntax for the sbr_private_directory keyword is:
sbr_private_directory radiusdir
The Steel-Belted Radius Carrier installer overwrites radiusdir with the appropriate value for your system. We recommend that you not change this value.