Difference between revisions of "SNMP v.3"
From Zenitel Wiki
Line 94: | Line 94: | ||
To list data: | To list data: | ||
snmpwalk -v 3 -u theAuthSHAPrivDES -l authPriv -a SHA -A "the SHA Password" -x DES -X "the DES Password" <ip-address> <OID> | snmpwalk -v 3 -u theAuthSHAPrivDES -l authPriv -a SHA -A "the SHA Password" -x DES -X "the DES Password" <ip-address> <OID> | ||
+ | |||
+ | |||
+ | [[Category:Logging]] |
Revision as of 12:40, 8 January 2020
This article describes how to open for SNMPv3 on Turbine and Exigo devices. SNMPv3 Traps are not implemented.
SNMPv3 supports authentication of user/requester based on the protocols MD5 or SHA, and encryption of data (payload) based on the protocol DES.
To open for SNMPv3, the snmpd.conf file already existing on the device can be modified. If only SNMP v1/v2c are to be used, this can be changed from the web interface of the device, Advanced Network > SNMP.
For SNMPv3 one can use this file as a template to start with. If v1/v2c is to be available in parallel to v3, one can look at the snmpd.conf from Advanced Network > SNMP and select "View custom snmpd.conf" and copy/change/add what is is v1/v2c specific to the new snmpd.conf file, or select "Download custom snmpd.conf" file and add v3 specific congiguration to the file.
Link to Net-SNMPv3: http://www.net-snmp.org/wiki/index.php/TUT:SNMPv3_Options
It is possible to define multiple "usm" (User-based Security Model) parameters, below is what is considered to be a minimum. "usm" parameters are used with SNMPv3 only.
Example snmpd.conf for v3:
master agentx # # SNMPv3 specific config # # Minimum generic setup for authentication only # createUser descriptiveUserName [MD5 or SHA] "your Auth Password" # rouser descriptiveUserName # # Minimum generic setup for authentication and privacy/encryption # createUser anotherDescriptiveUserName [MD5 or SHA] "your Auth Password" DES "your Priv Password" # rouser anotherDescriptiveUserName
# # If only authentication using MD5 is wanted # createUser userAuthMD5NoPriv MD5 "authPasswordMD5" rouser userAuthMD5NoPriv
# # If only authentication using SHA is wanted # createUser userAuthSHANoPriv SHA "authPasswordSHA" rouser userAuthSHANoPriv
# # If authentication using MD5 and privacy/encryption using DES is wanted # createUser userAuthMD5PrivDE MD5 "authPasswordMD5" DES "privPasswordDES" rouser userAuthMD5PrivDES
# # If authentication using SHA and privacy/encryption using DES is wanted # createUser userAuthSHAPrivDES SHA "authPasswordSHA" DES "privPasswordDES" rouser userAuthSHAPrivDES
For a request using both authentication and encryption, the snmpwalk sequence might look like this:
snmpwalk -v 3 -u userAuthMD5PrivDES -l authPriv -a MD5 -A "authPasswordMD5" -x DES -X "privPasswordDES" 192.168.50.21 1.3.6.1.4.1.26122.3.1 iso.3.6.1.4.1.26122.3.1.1.0 = STRING: "5.1.2.5 (vsft)" iso.3.6.1.4.1.26122.3.1.2.0 = STRING: "Stentofon Exigo Amplifier ENA2" iso.3.6.1.4.1.26122.3.1.3.0 = INTEGER: 8330 iso.3.6.1.4.1.26122.3.1.4.0 = STRING: "ENA2200" iso.3.6.1.4.1.26122.3.1.5.0 = STRING: "3.10.0[st_dev]+ #1 PREEMPT Fri Jan 3 12:48:10 CET 2020" iso.3.6.1.4.1.26122.3.1.6.0 = STRING: "07" iso.3.6.1.4.1.26122.3.1.7.0 = INTEGER: 2
When using authentication only it might look like this:
snmpwalk -v 3 -u userAuthSHANoPriv -a SHA -A "authPasswordSHA" -l authNoPriv 192.168.50.21 1.3.6.1.4.1.26122.3.1 iso.3.6.1.4.1.26122.3.1.1.0 = STRING: "5.1.2.5 (vsft)" iso.3.6.1.4.1.26122.3.1.2.0 = STRING: "Stentofon Exigo Amplifier ENA2" iso.3.6.1.4.1.26122.3.1.3.0 = INTEGER: 8330 iso.3.6.1.4.1.26122.3.1.4.0 = STRING: "ENA2200" iso.3.6.1.4.1.26122.3.1.5.0 = STRING: "3.10.0[st_dev]+ #1 PREEMPT Fri Jan 3 12:48:10 CET 2020" iso.3.6.1.4.1.26122.3.1.6.0 = STRING: "07" iso.3.6.1.4.1.26122.3.1.7.0 = INTEGER: 2
-v : snmp protocol version, param: 3 -u : securityName, param: free text -l : securityLevel, param: noAuthNoPriv | authNoPriv | authPriv -a: authentcation protocol, param: MD5 | SHA -A : authentication password, param: free text -x : privacy/encryption protocol, param: DES -X : privacy/encryption password, param: free text
If the only option for SNMPv3 should be to use authentication and privacy/encryption, the snmpd.conf might look like this:
master agentx createUser theAuthSHAPrivDES SHA "the SHA Password" DES "the DES Password" rouser theAuthSHAPrivDES
To list data:
snmpwalk -v 3 -u theAuthSHAPrivDES -l authPriv -a SHA -A "the SHA Password" -x DES -X "the DES Password" <ip-address> <OID>