
Friday, February 20, 2015

SNMP v3 Configuration



Security model for SNMP protocol

Three security levels can be used in SNMPv3:

Model   Level          Authentication   Encryption
v3      NoAuthNoPriv   Username         None
v3      AuthNoPriv     MD5 or SHA       None
v3      AuthPriv       MD5 or SHA       DES, 3DES, AES

Note that noAuthNoPriv is essentially the same as a v2 community string.

Configuration

1. Define view
2. Setup group
3. Setup user account

Sample configuration:

snmp-server view VIEW3 1.3.6.1.4.1.9.2.2.1.1.8.* included
snmp-server group ReadGrp v3 priv read VIEW3
snmp-server user User2 ReadGrp v3 auth sha cisco priv des cisco

Define View

snmp-server view <VIEW_NAME> <MIB> [included|excluded]

<VIEW_NAME> - the name of the view set
<MIB> - the MIB/OID subtree that is included in or excluded from this view set

In order to determine what the MIB/OID for a specific device is, we can use these two freeware tools:

SNMP MIB browser from ManageEngine:

And SNMP Tester from Paessler:

The SNMP MIB browser allows us to browse a specific MIB and see the OID of each entry; for example, here is the Cisco MIB:


The whole MIB is structured as a tree from which you can select a specific leaf. So if we want to allow a specific group to read only the output bits value, we will configure the following view:

snmp-server view VIEW3 1.3.6.1.4.1.9.2.2.1.1.8.* included

Note that this tool doesn’t support SNMPv3, so in order to do a walk with it we will need to configure SNMPv2.

Setup Group

Then we will set up a group which is allowed to use this view:

snmp-server group ReadGrp v3 priv read VIEW3

The group name is ReadGrp and it uses the authentication-and-encryption security level (priv) with read privilege for view set VIEW3.

Note the asterisk wildcard in the OID.

Setup User Account

And last, set up a user account:

R1(config)#snmp-server user User2 ReadGrp v3 auth sha cisco priv des cisco

The user User2 belongs to ReadGrp, using SHA authentication and DES encryption.
Note that SNMPv3 user accounts are stored neither in the running-config nor in flash; they are stored in NVRAM.

Use ‘show snmp user’ to see those user accounts:

R1#show snmp user

User name: User2
Engine ID: 800000090300CA012AD00008
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: ReadGrp

Cisco devices support most of the protocols (MD5, SHA, DES, 3DES and AES 128/192/256), while not all NMS programs support all of them, so pay attention to which protocol you use for authentication and for encryption.

Verification

Now let’s test it using SNMP tester:


In the first part we configure the device IP (192.168.198.2) along with the SNMP version 3 account; in the second part we do an SNMP walk for the specific OID (1.3.6.1.4.1.9.2.2.1.1.8) and we can see the results in the left pane.

Trying to do the same for some other OID, which we didn’t include in the SNMP view set, will yield no result:


One final note - SNMPv3 authentication and encryption keys are generated from the associated passwords and the engine ID. If you configure or change the engine ID, you must commit the new engine ID before you configure SNMPv3 users; otherwise the keys generated from the configured passwords are based on the previous engine ID.
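As an added example (not the blog's own code), here is the RFC 3414 password-to-key and key-localization procedure in Python, which is what makes this note true: the agent never stores the password, only H(Ku || engineID || Ku), so the same password yields a different key under a different engine ID. It reuses the engine ID from the ‘show snmp user’ output and the ‘cisco’ password from the sample config; the second engine ID is a constructed placeholder, and Cisco’s ‘auth sha’ corresponds to SHA-1.

```python
import hashlib

# RFC 3414 A.2: the password is repeated until exactly 1,048,576 bytes are hashed.
ONE_MEBIBYTE = 1_048_576

# Engine ID from the 'show snmp user' output on this page.
PAGE_ENGINE_ID = bytes.fromhex("800000090300CA012AD00008")


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest over the password repeated cyclically to exactly 1 MiB."""
    if not password:
        raise ValueError("empty password")
    repeats = ONE_MEBIBYTE // len(password) + 1
    return hashlib.new(hash_name, (password * repeats)[:ONE_MEBIBYTE]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-agent key the device stores."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Password -> localized key. Cisco 'auth sha' is SHA-1, 'auth md5' is MD5."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def engine_id_change_breaks_key(password: bytes, old_id: bytes, new_id: bytes) -> bool:
    """True when the same password yields a different key under a new engine ID,
    so a user created before the engine ID change no longer authenticates."""
    return localized_key(password, old_id) != localized_key(password, new_id)


if __name__ == "__main__":
    # Constructed second engine ID (placeholder) to show the effect of a change.
    other_id = bytes.fromhex("800000090300AABBCCDDEEFF")
    print("User2 SHA key on this engine:", localized_key(b"cisco", PAGE_ENGINE_ID).hex())
    print("same password, other engine :", localized_key(b"cisco", other_id).hex())
    print("differ:", engine_id_change_breaks_key(b"cisco", PAGE_ENGINE_ID, other_id))
```

The derivation is the one an NMS performs after discovering the agent's engine ID, which is why it matches the device only when the users were created under that same engine ID.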
