SNMPv3 Basic Configuration

From Internetworkpro

This page or section provides device configuration instructions
Please note that the information on this page has not been checked for accuracy and is not intended as a replacement to documentation. Please ensure you understand your desired objectives before attempting to apply any examples listed.

SNMPv3 is often a confusing topic, so hopefully this clears up the basics, at least.

In this example, we will be using both SNMPv3 authNoPriv and SNMPv3 authPriv to obtain the system contact (sysContact.0) of an IOS device:

sw-kelce-cjones(config)#snmp-server contact Chris Jones x 4158


authNoPriv - Authentication with no Encryption

IOS Configuration

The syntax for user and group creation in IOS for authNoPriv is:

snmp-server group GROUPNAME v3 auth
snmp-server user USERNAME GROUPNAME v3 auth {md5|sha} AUTHPASSWORD

For our example, we will use:

sw-kelce-cjones(config)#snmp-server group ADMINS-AUTH v3 auth
sw-kelce-cjones(config)#snmp-server user CHRIS-AUTH ADMINS-AUTH v3 auth md5 AUTH-PASS

IOS Verification

SNMPv3 users do not appear in the running configuration; the only way to see them in IOS is with the show snmp user command. Therefore, it is critical that your SNMP users are securely backed up in some other fashion. At the time of writing there is no way to use RADIUS, TACACS+ or LDAP to control SNMPv3 user accounts, and no SNMP MIB contains an OID that will list the SNMPv3 users on a device.

sw-kelce-cjones#show snmp user
User name: CHRIS-AUTH
Engine ID: 800000090300000F8FF92B01
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: ADMINS-AUTH

Note the Engine ID and the Authentication Protocol are both listed as well. This Engine ID can be configured manually, but it is best to let IOS automatically generate it to ensure it is unique.
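The Engine ID matters because both IOS and NET-SNMP never use AUTH-PASS directly: RFC 3414 first hashes the passphrase into a user key (Ku) and then "localizes" it with the Engine ID, so two devices with the same Engine ID would end up with identical authentication keys. The following is an added illustration, not code from the original page; it implements the RFC 3414 Appendix A.2 password-to-key algorithm in Python using the Engine ID from the show snmp user output above, and the second Engine ID is a constructed value used only to show that the localized key changes per device.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# Engine ID reported by "show snmp user" on this page (hex string from the IOS output).
PAGE_ENGINE_ID = bytes.fromhex("800000090300000F8FF92B01")


def derive_usm_keys(password: bytes, engine_id: bytes, hash_name: str = "md5") -> Tuple[bytes, bytes]:
    """RFC 3414 Appendix A.2 password-to-key conversion.

    Returns (Ku, Kul):
      Ku  - the "user key": hash of the passphrase repeated out to 1,048,576 bytes;
            identical for every device
      Kul - the "localized key": hash(Ku || engineID || Ku); unique per Engine ID,
            and the value the agent actually stores and uses to authenticate packets
    """
    if not password:
        raise ValueError("empty passphrase")
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engine ID must be 5..32 octets (RFC 3411)")
    expanded_len = 1024 * 1024
    # The RFC loop feeds 64-byte buffers of the cyclically repeated passphrase
    # into the hash until exactly 1 MiB has been consumed; this is equivalent.
    expanded = (password * (expanded_len // len(password) + 1))[:expanded_len]
    ku = hashlib.new(hash_name, expanded).digest()
    kul = hashlib.new(hash_name, ku + engine_id + ku).digest()
    return ku, kul


def localized_auth_keys(password: bytes, engine_ids: Iterable[bytes], hash_name: str = "md5") -> Dict[str, str]:
    """Localize one passphrase against several Engine IDs; returns {engineID hex: Kul hex}."""
    return {eid.hex(): derive_usm_keys(password, eid, hash_name)[1].hex() for eid in engine_ids}


if __name__ == "__main__":
    # Constructed second Engine ID (not from the page): same passphrase, different device.
    other_engine = bytes.fromhex("800000090300AABBCCDDEEFF")
    for eid, key in localized_auth_keys(b"AUTH-PASS", [PAGE_ENGINE_ID, other_engine]).items():
        print(f"engineID {eid}: localized MD5 auth key {key}")
```

The same algorithm, run over the priv passphrase, produces the localized privacy key (the DES key is its first 8 bytes), which is why the priv passphrase is also bound to the Engine ID.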

To display the group and contact information we can simply issue a show run in IOS:

sw-kelce-cjones#sh run | i snmp
snmp-server group ADMINS-AUTH v3 auth
snmp-server contact Chris Jones x 4158

Testing in *nix

Finally, to test the SNMPv3 authNoPriv configuration, use NET-SNMP's snmpget command:

ois-cjones-mac:~ cjones$ snmpget -v3 -u CHRIS-AUTH -l authNoPriv -a md5 -A AUTH-PASS sw-kelce-cjones.cisco sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: Chris Jones x 4158

It works!

authPriv - Authentication and Encryption

IOS Configuration

The syntax for user and group creation in IOS for authPriv is:

snmp-server group GROUPNAME v3 priv
snmp-server user USERNAME GROUPNAME v3 auth {md5|sha} AUTHPASSWORD priv {des|3des|aes128|aes192|aes256} PRIVPASSWORD

For our example, we will use:

sw-kelce-cjones(config)#snmp-server group ADMINS-PRIV v3 priv
sw-kelce-cjones(config)#snmp-server user CHRIS-PRIV ADMINS-PRIV v3 auth md5 AUTH-PASS priv des PRIV-PASS

IOS Verification

Again, check your SNMPv3 users using the show snmp user IOS command:

sw-kelce-cjones#show snmp user
User name: CHRIS-AUTH
Engine ID: 800000090300000F8FF92B01
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: None
Group-name: ADMINS-AUTH

User name: CHRIS-PRIV
Engine ID: 800000090300000F8FF92B01
storage-type: nonvolatile        active
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: ADMINS-PRIV

Note that the CHRIS-PRIV user has "Privacy Protocol: DES" shown.

Again, display the group and contact information using show run in IOS:

sw-kelce-cjones#sh run | i snmp
snmp-server group ADMINS-AUTH v3 auth
snmp-server group ADMINS-PRIV v3 priv
snmp-server contact Chris Jones x 4158

Testing in *nix

To test the SNMPv3 authPriv configuration, use NET-SNMP's snmpget command:

ois-cjones-mac:~ cjones$ snmpget -v3 -u CHRIS-PRIV -l authPriv -a md5 -A AUTH-PASS -x des -X PRIV-PASS sw-kelce-cjones.cisco sysContact.0
SNMPv2-MIB::sysContact.0 = STRING: Chris Jones x 4158

It works!

Relevant SNMPv3 CLI Options

 -v 1|2c|3		specifies SNMP version to use
 -a PROTOCOL		set authentication protocol (MD5|SHA)
 -A PASSPHRASE		set authentication protocol pass phrase
 -l LEVEL		set security level (noAuthNoPriv|authNoPriv|authPriv)
 -u USER-NAME		set security name (e.g. bert)
 -x PROTOCOL		set privacy protocol (DES|AES)
 -X PASSPHRASE		set privacy protocol pass phrase

TODO

  • Add more details about the EngineID
  • Add details about how the hashing works
  • Add details about REPORT packets & the usmStatsUnknownEngineIDs counter
  • Add information about views
  • Add information about contexts

--IPv6Freely 16:29, 18 September 2009 (UTC)
