Security model for SNMP protocol
Three security models can be used in SNMPv3:
Model | Level        | Authentication | Encryption
v3    | NoAuthNoPriv | Username       | None
v3    | AuthNoPriv   | MD5 or SHA     | None
v3    | AuthPriv     | MD5 or SHA     | DES, 3DES, AES
Note that noAuthNoPriv is essentially the same as a v2
community string.
Configuration
1. Define view
2. Setup group
3. Setup user account
Sample configuration:
snmp-server view VIEW3 1.3.6.1.4.1.9.2.2.1.1.8.* included
snmp-server group ReadGrp v3 priv read VIEW3
snmp-server user User2 ReadGrp v3 auth sha cisco priv des cisco
Define View
snmp-server view <VIEW_NAME> <MIB> {included | excluded}
<VIEW_NAME> - the name for the view set
<MIB> - the MIB/OID subtree which is included in or excluded from this view set
In order to determine the MIB/OID for a specific device, we can use these two freeware tools:
SNMP MIB browser from ManageEngine:
And SNMP Tester from Paessler:
The SNMP MIB browser allows us to browse a specific MIB and see the specific OID for each entry; for example, here is the Cisco MIB:
The whole MIB is structured as a tree from which you can select a specific leaf, so if we want to allow a specific group to read only the output bits value, we will configure the following view:
snmp-server view VIEW3 1.3.6.1.4.1.9.2.2.1.1.8.* included
Note that this tool doesn't support SNMPv3, so in order to do a walk with it we will need to configure SNMPv2.
Setup Group
Then we will set up a group which is allowed to use this view:
snmp-server group ReadGrp v3 priv read VIEW3
The group name is ReadGrp and it uses the authentication and encryption security level (priv) with read privilege for view set VIEW3.
Note the asterisk wildcard in the OID.
Setup User Account
And last, set up a user account:
R1(config)#snmp-server user User2 ReadGrp v3 auth sha cisco priv des cisco
The user User2 belongs to ReadGrp using SHA authentication
and DES encryption.
Note that SNMPv3 user accounts are stored neither in the running-config nor in the flash; they are stored in the NVRAM.
Use 'show snmp user' to see those user accounts:
R1#show snmp user
User name: User2
Engine ID: 800000090300CA012AD00008
storage-type: nonvolatile active
Authentication Protocol: SHA
Privacy Protocol: DES
Group-name: ReadGrp
Cisco devices support most of the protocols (MD5, SHA, DES, 3DES and AES 128/192/256), while not all NMS programs support all of them, so pay attention to which protocol you use for authentication and for encryption.
Verification
Now let's test it using SNMP Tester:
In the first part we configure the device IP (192.168.198.2) along with the SNMP version 3 account; in the second part we do an SNMP walk for the specific OID (1.3.6.1.4.9.2.2.1.1.8) and we can see the results in the left pane.
Trying the same on some other OID, which we didn't include in the SNMP view set, leads to no result:
One final note: SNMPv3 authentication and encryption keys are generated from the associated passwords and the engine ID. If you configure or change the engine ID, you must commit the new engine ID before you configure SNMPv3 users. Otherwise the keys generated from the configured passwords are based on the previous engine ID.
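To see why the engine ID matters, here is an added example (not from the post or from Cisco) that implements the RFC 3414 password-to-key and key-localization steps in Python, using the engine ID from the 'show snmp user' output above and the password "cisco" from the sample configuration. The "changed" engine ID is a constructed value; it shows that the same password yields a different localized key once the engine ID changes, which is exactly what breaks authentication if users are created before the engine ID is committed.

```python
import hashlib

# Engine ID as printed by 'show snmp user' on the page (12 bytes).
PAGE_ENGINE_ID = bytes.fromhex("800000090300CA012AD00008")
# Constructed value standing in for an engine ID changed after the user was created.
CHANGED_ENGINE_ID = bytes.fromhex("800000090300CA012AD00009")


def password_to_key(password: str, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2 step 1: hash the password repeated to exactly 1 MiB (Ku)."""
    pw = password.encode()
    stretched = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stretched).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """RFC 3414 A.2 step 2: bind Ku to one engine, Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Full derivation used for both the auth key and the priv key material."""
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name)


def keys_differ_after_engine_change(password: str) -> bool:
    """True when the localized SHA key changes with the engine ID (it always does)."""
    before = localized_key(password, PAGE_ENGINE_ID)
    after = localized_key(password, CHANGED_ENGINE_ID)
    return before != after


if __name__ == "__main__":
    # 'cisco' is the auth/priv password from the page's sample configuration.
    print("auth key (page engine ID):   ", localized_key("cisco", PAGE_ENGINE_ID).hex())
    print("auth key (changed engine ID):", localized_key("cisco", CHANGED_ENGINE_ID).hex())
    print("keys differ:", keys_differ_after_engine_change("cisco"))
```

The same derivation is what the device performs on its side, so an NMS that stores the password rather than the localized key keeps working after an engine ID change only because it re-derives the key.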