I am trying to add the voice gateways into VNQM and it says invalid CLI credential. I can't see anywhere to set the CLI credential.
You should be able to do that via this page:
Feel free to share a screenshot where it fails.
Unfortunately that option is greyed out until I add a gateway, and I can't add a gateway without a CLI credential. A catch-22 situation.
It should be able to add the gateway and you will get the message. After it is in the list click on the box next to it to select and then you should be able to edit the CLI Creds
I'm going through this step as well, but have some serious concerns.
When I add the credentials, there is a link that says "minimum level requirements" (which is broken in 4.1 BTW).
Doing a search for Voice Gateway CLI on the linked page I find this helpful information:
You are here: VNQM Administrator Guide > Configuring VoIP and Network Quality Manager > VoIP Management > Editing CLI Credentials for Gateway Nodes
For monitoring gateway nodes, VNQM uses CLI credentials.
To edit CLI credentials:
Select Credentials: Type the name of the new credential set.
Username: Type the user name.
Password: Type the password.
Enable Level: Select the enable level to use when logging in. Note: The enable level must have privileges to execute configure terminal commands as well as be able to configure gateways. For information on configuring network devices, please see your manufacturer’s documentation.
Enable Password: Type the password associated with the enable level to use when logging in.
The part that really concerns me is this:
Note: The enable level must have privileges to execute configure terminal commands as well as be able to configure gateways.
I thought this software was designed to monitor and not configure?
Why would I allow this to configure my gateways using a static Tacacs Account designed for monitoring only - using "show" commands?
We have strict change control policies and I cannot allow this software to login with configure privileges.
Also we must use unique IDs for tracking/logging changes, so cannot allow an account like this to make changes.
Please explain the configuration changes that are being made to the voice gateways?!?
OK, I finally got around to checking why enable and configure access is required to poll the Cisco VGs using the CLI.
This makes no sense whatsoever and is a huge security risk.
Checking on my Cisco Tacacs server I see the following commands being run when gathering stats from the VGs every 5 minutes:
terminal length 0
show call active video brief
show call active fax brief
show call active voice brief
show isdn service
I logged in to this VG and ran the exact same commands in non-privileged mode.
Security best practices dictate that you not run commands with elevated privileges if not required.
There is certainly no "Configure Terminal" command required to run these show commands, so why force the Orion account to require enable & configure access to a Voice Gateway?
At the bare minimum the documentation here should be updated to reflect that an account with configure access is NOT required: SolarWinds Online Help - Note: The enable level must have privileges to execute configure terminal commands as well as be able to configure gateways
Best would be to not require enable access at all when adding VGs to VNQM.
Leave it up to the end user if they want to provide an enable password or not, similar to adding nodes to NPM where SNMP read-only access can be configured, without read-write.
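Added example, not part of the thread and not SolarWinds code: one way to audit TACACS+ command accounting for the monitoring account against the five polling commands listed in the post above, flagging any other command or any privilege level above user EXEC. The account name `orion-poll`, the addresses, and the tab-separated record layout (modelled on tac_plus accounting output) are constructed assumptions.

```python
import re

# The five commands the post above reports seeing from the poller.
EXPECTED = {
    "terminal length 0",
    "show call active video brief",
    "show call active fax brief",
    "show call active voice brief",
    "show isdn service",
}
MONITOR_USER = "orion-poll"  # hypothetical monitoring account name
MAX_PRIV = 1                 # user EXEC; anything higher is flagged

# Constructed records: time, NAS, user, port, source, event, then key=value pairs.
_PFX = "Mar  3 10:0{i}:00\t10.0.0.5\t{u}\ttty2\t10.0.9.9\tstop\ttask_id={i}\tservice=shell\t"
SAMPLE_LOG = "\n".join(
    _PFX.format(i=i, u=u) + f"priv-lvl={p}\tcmd={c} <cr>"
    for i, (u, p, c) in enumerate([
        ("orion-poll", 1, "terminal length 0"),
        ("orion-poll", 1, "show call active voice brief"),
        ("orion-poll", 15, "show isdn service"),
        ("orion-poll", 15, "configure terminal"),
        ("jsmith", 15, "configure terminal"),
    ])
)

def parse_record(line):
    """Return user, NAS, normalised command and privilege level, or None."""
    fields = line.split("\t")
    attrs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    if len(fields) < 7 or "cmd" not in attrs:
        return None
    cmd = re.sub(r"\s*<cr>\s*$", "", attrs["cmd"])
    cmd = " ".join(cmd.lower().split())
    priv = attrs.get("priv-lvl", "")
    return {"nas": fields[1], "user": fields[2], "cmd": cmd,
            "priv": int(priv) if priv.isdigit() else None}

def audit(log_text, user=MONITOR_USER):
    """List (kind, nas, cmd) findings for the monitoring account only."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["user"] != user:
            continue
        if rec["cmd"] not in EXPECTED:  # exact match: anything else is reviewed
            findings.append(("unexpected-command", rec["nas"], rec["cmd"]))
        # A missing priv-lvl is flagged too, since it cannot be shown to be <= 1.
        if rec["priv"] is None or rec["priv"] > MAX_PRIV:
            findings.append(("privilege-above-user-exec", rec["nas"], rec["cmd"]))
    return findings
```

Calling `audit(SAMPLE_LOG)` returns three findings for the constructed records and ignores the interactive `jsmith` session.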