LinuxQuestions.org


Preacherpj 07-06-2012 10:13 AM

SNMP Credentials - Unable to authenticate with provided Community Name
 
Not sure if this thread should be in here, or security or maybe even newbie.

I'm in charge of a network and we're using a program called Retina EEYE security - it's a scanning and vulnerability assessment tool that we're required to use.

When I attempt to scan my Linux machine running Cent OS 5 - I get the following error.

'SNMP Credentials - Unable to authenticate with provided community name'.

My server is running 2008 R2 and the devices are connected through a Cisco switch. I can ping to the device and I've been able to run this scan successfully before. I'm not sure what has changed.

Does anyone have any ideas what might be causing this SNMP issue?

Thanks in advance,
Ryan

kbscores 07-06-2012 10:51 AM

First check if snmpd is running:
Code:

[root] # service snmpd status

If it is not running, start it using:
Code:

[root] # service snmpd start

If it is running, then the next step would be to check the conf file:
Code:

vi /etc/snmpd/snmpd.conf

Check the community string and make sure it is correct. It should look something like this:
Code:

com2sec notConfigUser  default  myStringName

If that looks correct it might be a version discrepancy.
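
Added example, not part of the thread: a shell check for the step above that lists each com2sec entry in a config file, flags default community names and unrestricted sources, and tests whether a given community string has a matching entry. The function names, verdict labels and sample config are constructed for illustration; the path to the config file is passed in as an argument.

```shell
#!/bin/sh
# Added example (not from the thread): review com2sec entries in an snmpd.conf.
# Syntax per snmpd.conf(5): com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY

# audit_com2sec FILE -> one line per entry: "VERDICT SECNAME SOURCE COMMUNITY"
audit_com2sec() {
    awk '
        $1 != "com2sec" { next }              # skips comments and other directives
        {
            i = 2
            if ($2 == "-Cn") i = 4            # optional context argument
            if (NF < i + 2) next              # malformed line
            sec = $i; src = $(i + 1); comm = $(i + 2)
            weak = (comm == "public" || comm == "private")
            open = (src == "default")         # "default" matches any source address
            verdict = "OK"
            if (weak && open)  verdict = "DEFAULT-COMMUNITY+ANY-SOURCE"
            else if (weak)     verdict = "DEFAULT-COMMUNITY"
            else if (open)     verdict = "ANY-SOURCE"
            print verdict, sec, src, comm
        }
    ' "$1"
}

# has_community FILE NAME -> exit 0 if some com2sec entry uses community NAME
# (the string the scanner or manager is configured with must match one of them).
has_community() {
    audit_com2sec "$1" | awk -v want="$2" '$4 == want { found = 1 } END { exit !found }'
}

# Constructed sample config; the first entry is the com2sec line reported in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
# sample snmpd.conf fragment (constructed)
com2sec notConfigUser  default       public
com2sec scanUser       192.0.2.10    s3parate-Str1ng
#com2sec oldUser       default       private
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_com2sec "$sample"
has_community "$sample" myStringName || echo "myStringName: no matching com2sec entry"
rm -f "$sample"
```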

Preacherpj 07-06-2012 11:24 AM

Quote:

Originally Posted by kbscores (Post 4720915)
First check if snmpd is running:
Code:

[root] # service snmpd status

If it is not running, start it using:
Code:

[root] # service snmpd start

If it is running, then the next step would be to check the conf file:
Code:

vi /etc/snmpd/snmpd.conf

Check the community string and make sure it is correct. It should look something like this:
Code:

com2sec notConfigUser  default  myStringName

If that looks correct it might be a version discrepancy.

Using those commands - I've figured out that SNMP is running. I couldn't get the SNMP.config file to open in the terminal. It just gives me blue ~ down the left side of the terminal when I try to open it.

I browsed to the config file in /etc/snmpd/snmpd.conf

This is what it has

com2sec notConfigUser default public

I'm not sure how this helps me though. Does the community name need to match the username I'm trying to do the scan with?

Once again I appreciate the help

kbscores 07-06-2012 01:21 PM

Do you use SNMP for monitoring? If not you could try stopping the service so when Retina is run it doesn't pick up on it. Instead of doing start you would do a stop.

The information for the config file should match whatever you use as community string with the Manager Utility. I know if you use snmpV3 it would require a password, which may be where the error is coming from. But from what you have said it doesn’t sound like you are using it at all. If you are using v3 then you’d see an rouser and rwuser with privileges for both and possibly trap2sink.

kbscores 07-06-2012 01:25 PM

Also, might try looking at the audit.xml file and search for the audit id that is related to that finding and it should show you the command it is using with the regular expression. That might be a bit helpful in determining why it is flagging.

Preacherpj 07-09-2012 08:38 AM

Quote:

Originally Posted by kbscores (Post 4721004)
Do you use SNMP for monitoring? If not you could try stopping the service so when Retina is run it doesn't pick up on it. Instead of doing start you would do a stop.

The information for the config file should match whatever you use as community string with the Manager Utility. I know if you use snmpV3 it would require a password, which may be where the error is coming from. But from what you have said it doesn’t sound like you are using it at all. If you are using v3 then you’d see an rouser and rwuser with privileges for both and possibly trap2sink.

I turned SNMP off as you suggested - but I still get the error. I'm not sure what you mean when you say "The information for the config file should match whatever you use as community string with the Manager Utility". What is the manager utility? And do I need to match a SNMP password on the machine doing the scanning (Server 2008 R2) to the machine being scanned (CENT OS 5)?

Also, in my tinkering trying to get the scan working, I've made the problem worse. In addition to the SNMP credentials error, I now also get a 'NetBIOS Credentials Unable to authenticate with provided credentials' error. Turning SNMP back on doesn't get rid of the NetBIOS issue. Uuugh.

kbscores 07-09-2012 08:52 AM

Retina can be really frustrating to work with. We use it here as well...We clone boxes in VMWare and you'd think Retina would scan the same on them but it does not.

The Manager Utility is usually some sort of reporting tool that utilizes snmp. For instance EM7 is one proprietary management utility. It is what requests the snmp information.

I'll ask our security guy who frequently runs our retina scans to see if there is an authentication error he has ever run into. It might be retina is trying to get the information as a regular user but is locked out for one reason or another.

Preacherpj 07-09-2012 09:14 AM

Quote:

Originally Posted by kbscores (Post 4722943)
Retina can be really frustrating to work with. We use it here as well...We clone boxes in VMWare and you'd think Retina would scan the same on them but it does not.

The Manager Utility is usually some sort of reporting tool that utilizes snmp. For instance EM7 is one proprietary management utility. It is what requests the snmp information.

I'll ask our security guy who frequently runs our retina scans to see if there is an authentication error he has ever run into. It might be retina is trying to get the information as a regular user but is locked out for one reason or another.


Thanks man, I really appreciate the help. I agree that Retina can be very inconsistent - we've made Ghosts of XP machines and still managed to get different scan results. It'd be nice if their support forums were more helpful, but it's tough to get answers over there. I'm much more familiar with Windows machines and can usually figure out the Retina issues on that side - but I have very little experience with Linux - which combined with Retina makes for a frustrating day....haha

kbscores 07-09-2012 01:22 PM

No kidding. My personal favorite are the hits that are false because they don't include vendor information in the findings. Or when it is an openssl hit that could be one of 10 applications and they don't specify which one it hit on.

If you can post the command used in audit.xml file for that id I might be able to figure out what it is hitting on. Also since it is an authentication issue -- try checking /var/log/secure after running the scan. It might show which account it cannot authenticate against.

Preacherpj 07-09-2012 02:32 PM

Quote:

Originally Posted by kbscores (Post 4723129)
No kidding. My personal favorite are the hits that are false because they don't include vendor information in the findings. Or when it is an openssl hit that could be one of 10 applications and they don't specify which one it hit on.

If you can post the command used in audit.xml file for that id I might be able to figure out what it is hitting on. Also since it is an authentication issue -- try checking /var/log/secure after running the scan. It might show which account it cannot authenticate against.


Maybe a silly question - but where do I find the audit.xml file? I've exported my package support files before and in that package I see - queue.xml, appsettings.xml, retinajob.xml along with some bigger log files.

Preacherpj 07-11-2012 07:55 AM

Alright - so we received word that the newer version of Retina 5.16 is buggy - and we rolled back to 5.14.

Going backwards gets rid of my SNMP hit - but I still get the 'NetBios Credentials Unable to authenticate with provided credentials'

Any ideas for that one?

Thanks
Ryan

kbscores 07-11-2012 09:52 AM

Make sure the group policy for LAN Manager is using the same authentication type on both computers.
