With SNMP authentication, the scanning engine is able to perform trusted scanning on hosts that support the SNMP protocol. The scanning engine is able to communicate with SNMP agents on target hosts at the time of the scan to confirm potential vulnerabilities, gather additional system information and perform more in-depth vulnerability analysis.
SNMP authentication is supported for SNMPv1, SNMPv2c and SNMPv3.
Prior to creating an SNMPv1 or SNMPv2c authentication record, determine which SNMP community strings should be used for authentication.
The service will always attempt to authenticate using several common default community strings, such as public, private, system, test, admin, access, and many more. Thus, you are not required to include any community strings in the SNMP authentication record. If you do provide community strings in the record, they will be used for authentication before default community strings. For help on configuring SNMP community strings on various devices, please refer to your vendor's documentation.
Prior to creating an SNMPv3 authentication record, determine if authentication is required for communicating with the target SNMPv3 service.
If authentication is required, then provide the following authentication credentials in the authentication record: the user account to be used for authentication, the password corresponding to the user account and the algorithm to be used for authentication (MD5 or SHA1). You also have the option to provide encryption credentials if privacy (data encryption) is to be used for SNMP communication. Encryption credentials include the password for data encryption and the algorithm to be used for data encryption (DES or AES).
If authentication is not required, then no authentication or encryption credentials need to be entered in the authentication record. This corresponds to the SNMP security level "noAuthNoPriv" (without authentication and without privacy).
When applicable, provide information for additional security settings that may be configured on target hosts.
Security Engine ID -- If a security engine ID is part of the target host configuration, then it must be provided in the authentication record. If the security engine ID is not provided (and is required by the target host for all SNMP requests), then the SNMP service may not be detected on the target host and authentication will fail.
Context Engine ID and Context Name -- If an SNMP context is configured on the target host, then you must provide the context engine ID and/or context name in order for the scanning engine to retrieve context-sensitive information from the target host.
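Why the password, algorithm and engine ID in an SNMPv3 record must all match the target, shown as an added example (not code from the scanning service): under the SNMPv3 User-based Security Model (RFC 3414), the password is hashed into a key that is then localized to the authoritative engine ID. The function names are hypothetical; the password and engine ID in the first loop are the RFC 3414 A.3 test vector.

```python
import hashlib

# RFC 3414 A.2: the password is repeated to fill exactly 1 MiB before hashing.
EXPANDED_LENGTH = 1048576

# Authentication algorithms named on this page, mapped to hashlib names.
AUTH_ALGORITHMS = {"MD5": "md5", "SHA1": "sha1"}


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Derive the user key Ku from a password (RFC 3414 A.2)."""
    if algorithm not in AUTH_ALGORITHMS:
        raise ValueError(f"unsupported authentication algorithm: {algorithm}")
    if not password:
        raise ValueError("password must not be empty")
    h = hashlib.new(AUTH_ALGORITHMS[algorithm])
    repeats, remainder = divmod(EXPANDED_LENGTH, len(password))
    h.update(password * repeats + password[:remainder])
    return h.digest()


def localize_key(user_key: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    h = hashlib.new(AUTH_ALGORITHMS[algorithm])
    h.update(user_key + engine_id + user_key)
    return h.digest()


def localized_auth_key(password: str, engine_id_hex: str, algorithm: str) -> str:
    """Return the hex localized authentication key for one engine ID."""
    ku = password_to_key(password.encode(), algorithm)
    return localize_key(ku, bytes.fromhex(engine_id_hex), algorithm).hex()


if __name__ == "__main__":
    # Test vector from RFC 3414 A.3 (password and engine ID are the RFC's).
    password, engine_id = "maplesyrup", "000000000000000000000002"
    for alg in ("MD5", "SHA1"):
        print(alg, localized_auth_key(password, engine_id, alg))
    # Constructed value: same password, different engine ID, different key.
    print("MD5", localized_auth_key(password, "000000000000000000000003", "MD5"))
```

A correct password paired with the wrong engine ID or the wrong algorithm produces a different localized key, so the target rejects the request even though the password itself is right.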
Once you've determined which login credentials will be used for authentication, it's time to add an SNMP authentication record. See Creating SNMP Records for instructions.