
SNMP Version 3

SNMP Configuration Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

The SNMP Version 3 feature provides secure access to devices by authenticating and encrypting data packets over the network. Simple Network Management Protocol version 3 (SNMPv3) is an interoperable, standards-based protocol defined in RFCs 3413 to 3415. This module discusses the security features provided in SNMPv3 and describes how to configure the security mechanism used to handle SNMP packets.

- Finding Feature Information
- Information About SNMP Version 3
- How to Configure SNMP Version 3
- Configuration Examples for SNMP Version 3
- Additional References for SNMP Version 3
- Feature Information for SNMP Version 3

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About SNMP Version 3

Security Features in SNMP Version 3

The security features provided in SNMPv3 are as follows:

- Message integrity: ensures that a packet has not been tampered with in transit.
- Authentication: verifies that the message comes from a valid source.
- Encryption: scrambles the content of a packet so that it cannot be read by an unauthorized party.

SNMPv3 is a security model in which an authentication strategy is set up for a user and for the group in which the user resides. The security level is the permitted level of security within a security model. The combination of a security model and a security level determines which security mechanism is used when handling an SNMP packet.

The table below describes the combinations of SNMPv3 security models and levels.

Table 1: SNMP Version 3 Security Levels

Level | Authentication | Encryption | What happens
noAuthNoPriv | Username | No | Uses a username match for authentication.
authNoPriv | Message Digest Algorithm 5 (MD5) or Secure Hash Algorithm (SHA) | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.
authPriv | MD5 or SHA | Data Encryption Standard (DES) | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms and, in addition, 56-bit DES encryption in Cipher Block Chaining mode (CBC-DES, DES-56).

Two points follow from the table. A noAuthNoPriv message carries no integrity check: the username travels in cleartext and any sender that supplies it is accepted, so this level gives no more protection than a v1/v2c community string. authPriv is the only level that protects the payload, and the DES-56 cipher listed here is weak by current standards.

SNMPv3 supports RFCs 1901 to 1908, 2104, 2206, 2213, 2214, and 2271 to 2275. For more information about SNMPv3, see RFC 2570, Introduction to Version 3 of the Internet-standard Network Management Framework (this document is not a standard).

Cisco-Specific Error Messages for SNMP Version 3

SNMPv3 provides different levels of security. If an authentication or an authorization request fails, a descriptive error message indicates what went wrong. These error messages comply with RFC 3414, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3).

Because the RFC-compliant indications distinguish an unknown user (unknownUserName) from a known user with a wrong authentication key (wrongDigests), they let an unauthenticated sender confirm which user names exist. You can use the snmp-server usm cisco command to disable the descriptive messages and so prevent malicious users from misusing the information they reveal.
The table below lists the Cisco-specific error messages shown when the snmp-server usm cisco command is configured and compares them with the corresponding RFC 3414-compliant error indications.
Table 2: Cisco-Specific Error Messages for SNMPv3

Configured security level | Security level of incoming SNMP message | RFC 3414-compliant error indication | Cisco-specific error message
noAuthNoPriv | noAuthNoPriv | No error | No error
authNoPriv | noAuthNoPriv | AUTHORIZATION ERROR | unknownUserName
authNoPriv | authNoPriv with correct authentication password | No error | No error
authNoPriv | authNoPriv with incorrect authentication password | wrongDigests | unknownUserName
authPriv | noAuthNoPriv | AUTHORIZATION ERROR | unknownUserName
authPriv | authNoPriv with correct authentication password | AUTHORIZATION ERROR | unknownUserName
authPriv | authNoPriv with incorrect authentication password | AUTHORIZATION ERROR | unknownUserName
authPriv | authPriv with correct authentication password and correct privacy password | No error | No error
authPriv | authPriv with correct authentication password and incorrect privacy password | No response | No response
authPriv | authPriv with incorrect authentication password and correct privacy password | wrongDigests | unknownUserName
authPriv | authPriv with incorrect authentication password and incorrect privacy password | wrongDigests | unknownUserName
Note: If an SNMP user belonging to an SNMP group is not configured with the password, or if the group security level is not the same as the user security level, the error shown is "AUTHORIZATION ERROR". The Cisco-specific error message for this scenario is "unknownUserName".

How to Configure SNMP Version 3

To configure the SNMPv3 security mechanism and use it to handle SNMP packets, you must configure SNMP groups and users with passwords.

Configuring the SNMP Server

To configure an SNMP server user, specify an SNMP group or a table that maps SNMP users to SNMP views. Then specify the IP address or port number of the remote SNMP agent of the device where the user resides. Before you configure remote users for a particular agent, configure the SNMP engine ID of that remote agent with the snmp-server engineID command. The engine ID of the remote agent is required to compute the authentication and privacy keys from the SNMP passwords; if the remote engine ID is not configured first, the snmp-server user command fails.

SNMP passwords are localized using the SNMP engine ID of the authoritative SNMP engine. For SNMP notifications such as inform requests, the authoritative SNMP engine is the remote agent (for traps it is the sending device). You must therefore configure the SNMP engine ID of the remote agent in the SNMP database before you can send proxy requests or inform requests to it.

Note: The SNMP user cannot be removed if the engine ID is changed after the user was configured, because the stored keys were localized with the previous engine ID. To remove the user, you must first reconfigure all the SNMP configurations.

Note: There are no default authentication or privacy algorithms, and no default passwords. The minimum length for a password is one character; at least eight characters are recommended. If you forget a password, you cannot recover it and must reconfigure the user.

You can specify either a plain-text password or a localized MD5 digest.

Perform this task to specify an SNMP server group name and to add a new user to an SNMP group.
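The localization described above is the RFC 3414 Appendix A.2 algorithm: the password is repeated to 1,048,576 octets and hashed to give Ku, and the key stored for one engine is Kul = H(Ku || snmpEngineID || Ku). The following Python is an added example, not Cisco code and not part of this guide. It reproduces that algorithm for the md5 and sha CLI keywords (sha means SHA-1), checks it against the published RFC 3414 Appendix A.3 test vector, and renders the result in the aa:bb:cc:dd form this module describes for the encrypted keyword. The engine ID 00000009020000000C025808 is copied from the show snmp user output later in this module; treating it as the 24-hex-character (12-octet) form the CLI stores is an assumption made here. A SHA-1 localized key is 20 octets, so the 16-octet rule in the note below applies to MD5 digests.

```python
"""RFC 3414 Appendix A.2 password-to-key and key localization.

Added example: not Cisco code and not from the SNMP Configuration Guide.
It mirrors what an SNMP engine does with a plain-text auth-password.
"""
import hashlib

EXPANDED_LEN = 1_048_576  # RFC 3414 A.2: the password is repeated to 1 MiB

# CLI keyword -> hashlib algorithm name (the IOS "sha" keyword is SHA-1).
CLI_HASH = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: digest of the password repeated cyclically to 1,048,576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps = EXPANDED_LEN // len(password) + 1
    expanded = (password * reps)[:EXPANDED_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key bound to one engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, cli_alg: str = "md5") -> bytes:
    """Key derived for `password` and the authoritative engine whose ID is
    given in hex, as typed after snmp-server engineID."""
    hash_name = CLI_HASH[cli_alg]
    ku = password_to_key(password.encode("utf-8"), hash_name)
    return localize_key(ku, bytes.fromhex(engine_id_hex), hash_name)


def cisco_digest_format(key: bytes) -> str:
    """aa:bb:cc:dd... rendering the module describes for the encrypted keyword."""
    return ":".join(f"{b:02x}" for b in key)


# Published test vector, RFC 3414 Appendix A.3: password "maplesyrup",
# engine ID 00 00 00 00 00 00 00 00 00 00 00 02.
RFC_PASSWORD = "maplesyrup"
RFC_ENGINE_ID = "000000000000000000000002"

# Engine ID shown by "show snmp user" in this module; assumed to be the
# 24-hex-character (12-octet) form the CLI stores.
PAGE_ENGINE_ID = "00000009020000000C025808"

if __name__ == "__main__":
    for alg in ("md5", "sha"):
        kul = localized_key(RFC_PASSWORD, RFC_ENGINE_ID, alg)
        print(f"RFC vector, {alg}: {cisco_digest_format(kul)} ({len(kul)} octets)")
    # Same password, different engine ID: a different localized key.
    k_page = localized_key("password123", PAGE_ENGINE_ID, "md5")
    k_rfc = localized_key("password123", RFC_ENGINE_ID, "md5")
    print("password123 for", PAGE_ENGINE_ID, "->", cisco_digest_format(k_page))
    print("differs from the key for the RFC engine ID:", k_page != k_rfc)
```

Two consequences are visible in the code. The same password yields a different Kul for every engine ID, which is why the remote engine ID must exist before snmp-server user is accepted and why changing the engine ID afterwards strands the stored keys. The 1 MiB expansion also makes each guess cost one hash of a megabyte, but an attacker who captures authenticated traffic can still test candidate passwords offline, so the eight-character recommendation in the note is a floor, not a target.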
SUMMARY STEPS

1. enable
2. configure terminal
3. snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]
4. snmp-server engineID {local engine-id | remote ip-address [udp-port udp-port-number] [vrf vrf-name] engine-id-string}
5. snmp-server user user-name group-name [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]
6. end

DETAILED STEPS

Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example:
    Device> enable

Step 2: configure terminal
  Purpose: Enters global configuration mode.
  Example:
    Device# configure terminal

Step 3: snmp-server group [group-name {v1 | v2c | v3 [auth | noauth | priv]}] [read read-view] [write write-view] [notify notify-view] [access access-list]
  Purpose: Configures the SNMP server group and its security level, optionally restricted to members of a named access list. In this example, the SNMP server group group1 is configured at the authNoPriv level (auth) for members of the named access list lmnop.
  Example:
    Device(config)# snmp-server group group1 v3 auth access lmnop

Step 4: snmp-server engineID {local engine-id | remote ip-address [udp-port udp-port-number] [vrf vrf-name] engine-id-string}
  Purpose: Configures the SNMP engine ID. In this example, the engine ID of the remote agent at 172.16.15.4, UDP port 120, is configured so that a remote user can be defined for it.
  Example:
    Device(config)# snmp-server engineID remote 172.16.15.4 udp-port 120 1a2833c0129a

Step 5: snmp-server user user-name group-name [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password]} [access access-list]
  Purpose: Adds a new user to an SNMPv3 group and configures a plain-text authentication password for the user.
  Note: For the auth-password argument, the minimum length is one character; the recommended length is at least eight characters, and the password should include both letters and numbers.
  Example:
    Device(config)# snmp-server user user1 group1 v3 auth md5 password123
  Note: If you have the localized MD5 or SHA digest, you can specify the digest instead of the plain-text password (with the encrypted keyword). The digest should be formatted as aa:bb:cc:dd, where aa, bb, cc, and dd are hexadecimal values, and it should be exactly 16 octets in length.

Step 6: end
  Purpose: Exits global configuration mode.
  Example:
    Device(config)# end

Verifying SNMP Version 3

Perform this task to verify the SNMPv3 configuration. The show commands can be entered in any order.

SUMMARY STEPS

1. enable
2. show snmp group
3. show snmp user [username]
4. show snmp engineID

DETAILED STEPS

Step 1: enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.
  Example:
    Device> enable

Step 2: show snmp group
  Purpose: Displays each SNMP group configured on the device, with its security model and views.
  Example:
    Device# show snmp group
    groupname: V1                       security model:v1
    readview : v1default                writeview: no writeview specified
    notifyview: no notifyview specified
    row status: active

    groupname: ILMI                     security model:v1
    readview : *ilmi                    writeview: *ilmi
    notifyview: no notifyview specified
    row status: active

    groupname: ILMI                     security model:v2c
    readview : *ilmi                    writeview: *ilmi
    notifyview: no notifyview specified
    row status: active

    groupname: group1                   security model:v1
    readview : v1default                writeview: no writeview specified
    notifyview: no notifyview specified
    row status: active

Step 3: show snmp user [username]
  Purpose: Displays the configured characteristics of an SNMP user, including the engine ID its keys were localized with and the authentication and privacy protocols in use.
  Example:
    Device# show snmp user user1
    User name: user1
    Engine ID: 00000009020000000C025808
    storage-type: nonvolatile    active    access-list: 10
    Rowstatus: active
    Authentication Protocol: MD5
    Privacy protocol: DES
    Group name: group1

Step 4: show snmp engineID
  Purpose: Displays the local SNMP engine ID and the engine IDs configured for remote agents.
  Example:
    Device# show snmp engineID
    Local SNMP engineID: 1A2836C0129A
    Remote Engine ID       IP-addr       Port
    1A2833C0129A           10.2.28.1     120

Configuration Examples for SNMP Version 3

Example: Configuring SNMP Version 3

The following example enables the SNMP agent with a community string. The configuration permits any SNMP manager that presents the community string "public" to read all objects. Note that a community string uses the SNMPv1/v2c community security model, not SNMPv3 authentication or encryption, and nothing limits which managers may use it. This configuration does not cause the device to send traps.

Device(config)# snmp-server community public

The following example shows how to configure a remote user to receive notifications (informs) at the noAuthNoPriv security level when the SNMPv3 security model is enabled. The user name in the snmp-server host command must match the configured user:

Device(config)# snmp-server group group1 v3 noauth
Device(config)# snmp-server user remoteuser1 group1 remote 10.12.8.4 v3
Device(config)# snmp-server host 10.12.8.4 informs version 3 noauth remoteuser1 config
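The security level of each configuration in this section is stated explicitly in the snmp-server group, snmp-server user and snmp-server host commands, which makes it auditable. The following Python is an added example, not Cisco code and not part of this guide: it reads snmp-server commands as typed, maps each to the level in Table 1, and reports community strings, noAuthNoPriv groups and users, MD5 and DES-56 selections, and a missing snmp-server usm cisco. The sample commands are constructed for the example, modelled on the examples in this section (including the authNoPriv and authPriv variants); the `priv des56 priv-password` form used for one user is the syntax of older IOS releases and is an assumption here. Note that a running-config does not display snmp-server user lines, so take those from show snmp user or from the commands as entered.

```python
"""Audit Cisco IOS snmp-server commands against the SNMPv3 security levels.

Added example: not Cisco code and not from the SNMP Configuration Guide.
"""
from __future__ import annotations

from dataclasses import dataclass

# Table 1 of the module, as a severity and a one-line explanation.
LEVEL_SEVERITY = {"noAuthNoPriv": "high", "authNoPriv": "medium", "authPriv": "low"}
LEVEL_MEANING = {
    "noAuthNoPriv": "username match only, no integrity or confidentiality",
    "authNoPriv": "HMAC-MD5/SHA integrity and authentication, payload in cleartext",
    "authPriv": "authentication plus CBC-DES encryption",
}


@dataclass
class Finding:
    severity: str  # high, medium, low or info
    line: str      # the offending command, or what is missing
    reason: str


def level_from(tokens: list[str]) -> str | None:
    """First security-level keyword among tokens, as a Table 1 level name."""
    names = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}
    for t in tokens:
        if t in names:
            return names[t]
    return None


def audit_snmp_config(config_text: str) -> list[Finding]:
    findings: list[Finding] = []
    usm_cisco = False
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 3 or tokens[0] != "snmp-server":
            continue
        line, kind, low = " ".join(tokens), tokens[1], [t.lower() for t in tokens]

        if kind == "community":
            # snmp-server community <string> [view <name>] [ro | rw] [<access-list>]
            rest = low[3:]
            if "view" in rest:
                i = rest.index("view")
                rest = rest[:i] + rest[i + 2:]
            rest = [t for t in rest if t not in ("ro", "rw")]
            reason = "SNMPv1/v2c community string: no authentication, no encryption, sent in cleartext"
            if not rest:
                reason += "; no access-list limits which managers may use it"
            findings.append(Finding("high", line, reason))

        elif kind == "group" and len(tokens) >= 4:
            model = low[3]
            if model in ("v1", "v2c"):
                findings.append(Finding("high", line, f"{model} group uses the community security model"))
            else:
                level = level_from(low[4:5]) or "unspecified"
                meaning = LEVEL_MEANING.get(level, "no security-level keyword")
                findings.append(Finding(LEVEL_SEVERITY.get(level, "high"), line,
                                        f"SNMPv3 group at {level}: {meaning}"))

        elif kind == "user":
            if "v3" not in low:
                findings.append(Finding("high", line, "v1/v2c user uses the community security model"))
            elif "auth" not in low:
                findings.append(Finding("high", line, "SNMPv3 user with no auth-password: usable only at noAuthNoPriv"))
            else:
                reasons, severity = [], "low"
                if "md5" in low:
                    reasons.append("HMAC-MD5 authentication (SHA is the stronger option offered)")
                if "des56" in low or "des" in low:
                    reasons.append("DES-56 CBC privacy, weak by current standards")
                    severity = "medium"
                if reasons:
                    findings.append(Finding(severity, line, "; ".join(reasons)))

        elif kind == "host" and "version" in low:
            i = low.index("version")
            version = low[i + 1] if i + 1 < len(low) else ""
            if version in ("1", "2c"):
                findings.append(Finding("high", line, f"notifications sent with an SNMPv{version} community string"))
            elif version == "3":
                level = level_from(low[i + 2:i + 3]) or "unspecified"
                findings.append(Finding(LEVEL_SEVERITY.get(level, "high"), line,
                                        f"SNMPv3 notifications at {level}"))

        elif kind == "usm" and "cisco" in low:
            usm_cisco = True

    if not usm_cisco:
        findings.append(Finding("info", "(missing) snmp-server usm cisco",
                                "RFC 3414 error indications distinguish unknownUserName from wrongDigests, "
                                "which confirms valid user names to an unauthenticated sender"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample, modelled on the configuration examples in this section.
SAMPLE_COMMANDS = """\
snmp-server community public RO
snmp-server group group1 v3 noauth
snmp-server group group2 v3 auth
snmp-server group group3 v3 priv access lmnop
snmp-server user remoteuser1 group1 remote 10.12.8.4 v3
snmp-server user AuthUser group2 remote 10.12.8.4 v3 auth md5 password1
snmp-server user PrivateUser group3 remote 10.12.8.4 v3 auth sha password1 priv des56 password2
snmp-server host 10.12.8.4 informs version 3 noauth remoteuser1 config
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_COMMANDS):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
    print(summarize(audit_snmp_config(SAMPLE_COMMANDS)))
```

Run against the sample, the audit reports four high findings (the community string, the noauth group, the user without an auth-password, and the noauth inform destination), two medium (the authNoPriv group and the DES-56 user), two low (the authPriv group and the MD5 user) and one info for the absent snmp-server usm cisco. Adding that command removes the info finding; the rest only go away by moving groups, users and hosts to authPriv.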
The following example shows how to configure a remote user to receive notifications at the authNoPriv security level when the SNMPv3 security model is enabled:

Device(config)# snmp-server group group2 v3 auth
Device(config)# snmp-server user AuthUser group2 remote 10.12.8.4 v3 auth md5 password1

The following example shows how to configure a remote user to receive notifications at the authPriv ("priv") security level when the SNMPv3 security model is enabled:

Device(config)# snmp-server group group3 v3 priv
Device(config)# snmp-server user PrivateUser group3 remote 10.12.8.4 v3 auth md5 password1 priv access des56

Additional References for SNMP Version 3

Related Documents

Related Topic | Document Title
Cisco IOS commands | Cisco IOS Master Command List, All Releases
SNMP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS SNMP Support Command Reference

Standards and RFCs

Standard/RFC | Title
RFC 2104 | HMAC: Keyed-Hashing for Message Authentication
RFC 2570 | Introduction to Version 3 of the Internet-standard Network Management Framework
RFC 2576 | Coexistence between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework
RFC 3413 | SNMPv3 Applications
RFC 3414 | User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 3415 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
MIBs

MIB | MIBs Link
SNMP-COMMUNITY-MIB | To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for SNMP Version 3

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 3: Feature Information for SNMP Version 3

Feature Name | Releases | Feature Information
SNMP Version 3 | | The SNMP Version 3 feature is used to provide secure access to devices by authenticating and encrypting data packets over the network.