Difference between revisions of "SNMP v.3"

From Zenitel Wiki

(Example snmpd.conf for v3)
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
This article describes how to open for SNMPv3 on Turbine and Exigo devices. SNMPv3 Traps are not implemented.
 
This article describes how to open for SNMPv3 on Turbine and Exigo devices. SNMPv3 Traps are not implemented.
  
 +
== Software requirement==
 +
* Turbine software 5.1.3.0 or later
 +
 +
== Description ==
 
SNMPv3 supports authentication of user/requester based on the protocols MD5 or SHA, and encryption of data (payload) based on the protocol DES.  
 
SNMPv3 supports authentication of user/requester based on the protocols MD5 or SHA, and encryption of data (payload) based on the protocol DES.  
  
 
To open for SNMPv3, the snmpd.conf file already existing on the device can be modified. If only SNMP v1/v2c are to be used, this can be changed from the web interface of the device, [[SNMP_in_IP_Stations|Advanced Network > SNMP]].  
 
To open for SNMPv3, the snmpd.conf file already existing on the device can be modified. If only SNMP v1/v2c are to be used, this can be changed from the web interface of the device, [[SNMP_in_IP_Stations|Advanced Network > SNMP]].  
  
For SNMPv3 one can use this file as a template to start with. If v1/v2c is to be available in parallel to v3, one can look at the snmpd.conf from [[SNMP_in_IP_Stations|Advanced Network > SNMP]] and select "View custom snmpd.conf" and copy/change/add what is is v1/v2c specific to the new snmpd.conf file, or select "Download custom snmpd.conf" file and add v3 specific congiguration to the file.
+
For SNMPv3 one can [[Downloads#SNMP_files|download a template snmpd.conf file]] and use to start with. If v1/v2c is to be available in parallel to v3, one can look at the snmpd.conf from [[SNMP_in_IP_Stations|Advanced Network > SNMP]] and select "View custom snmpd.conf" and copy/change/add what is is v1/v2c specific to the new snmpd.conf file, or select "Download custom snmpd.conf" file and add v3 specific congiguration to the file.
  
 
Link to Net-SNMPv3: http://www.net-snmp.org/wiki/index.php/TUT:SNMPv3_Options
 
Link to Net-SNMPv3: http://www.net-snmp.org/wiki/index.php/TUT:SNMPv3_Options
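Review bot: the rewritten "+" sentence ("For SNMPv3 one can download a template snmpd.conf file and use to start with") carries over two typos from the old text, "what is is v1/v2c specific" and "congiguration", and "use to start with" is missing its object. Suggest "download a template snmpd.conf file and use it as a starting point", "what is v1/v2c specific" and "configuration" while the line is being touched anyway.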
Line 11: Line 15:
 
It is possible to define multiple "usm" (User-based Security Model) parameters, below is what is considered to be a minimum. "usm" parameters are used with SNMPv3 only.
 
It is possible to define multiple "usm" (User-based Security Model) parameters, below is what is considered to be a minimum. "usm" parameters are used with SNMPv3 only.
  
 +
==Example snmpd.conf ==
  
 
Example snmpd.conf for v3:
 
Example snmpd.conf for v3:
  
----
 
 
  master agentx
 
  master agentx
 
  #
 
  #
Line 24: Line 28:
 
  #
 
  #
 
  # Minimum generic setup for authentication and privacy/encryption
 
  # Minimum generic setup for authentication and privacy/encryption
  # createUser anotherDescriptiveUserName [MD5 or SHA] "your Auth Password" DES "your Priv Password"   
+
  # createUser anotherDescriptiveUserName [MD5 or SHA] "your Auth Password" [DES or AES] "your Priv Password"   
 
  # rouser anotherDescriptiveUserName
 
  # rouser anotherDescriptiveUserName
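Review bot: the template comment now offers "[DES or AES]" for the privacy protocol, but the Description paragraph earlier in this same diff still reads "encryption of data (payload) based on the protocol DES". Update that sentence in this revision so the description and the template agree.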
  
Line 50: Line 54:
 
  createUser        userAuthSHAPrivDES    SHA      "authPasswordSHA"      DES        "privPasswordDES"
 
  createUser        userAuthSHAPrivDES    SHA      "authPasswordSHA"      DES        "privPasswordDES"
 
  rouser                  userAuthSHAPrivDES
 
  rouser                  userAuthSHAPrivDES
 +
 +
#
 +
# If authentication using SHA and privacy/encryption using AES is wanted       
 +
#
 +
createUser        userAuthSHAPrivAES SHA "authPasswordSHA" AES "privPasswordAES"
 +
rouser                  userAuthSHAPrivAES
 +
 
----
 
----
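Review bot: the added userAuthSHAPrivAES user has no matching client-side documentation. The option list further down the page still gives "-x : privacy/encryption protocol, param: DES", and both snmpwalk examples use DES or no privacy at all. Suggest extending the -x entry to cover AES and adding an snmpwalk line for the new user, so readers who pick the AES block can verify it.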
  
Line 94: Line 105:
 
To list data:
 
To list data:
 
  snmpwalk -v 3 -u theAuthSHAPrivDES -l authPriv -a SHA -A "the SHA Password" -x DES -X "the DES Password" <ip-address> <OID>
 
  snmpwalk -v 3 -u theAuthSHAPrivDES -l authPriv -a SHA -A "the SHA Password" -x DES -X "the DES Password" <ip-address> <OID>
 +
 +
 +
[[Category:Logging]]

Latest revision as of 15:25, 4 February 2020

This article describes how to enable SNMPv3 on Turbine and Exigo devices. SNMPv3 Traps are not implemented.

Software requirement

  • Turbine software 5.1.3.0 or later

Description

SNMPv3 supports authentication of user/requester based on the protocols MD5 or SHA, and encryption of data (payload) based on the protocol DES.

To enable SNMPv3, modify the snmpd.conf file that already exists on the device. If only SNMP v1/v2c is to be used, this can be configured from the web interface of the device, Advanced Network > SNMP.

For SNMPv3 one can download a template snmpd.conf file and use it as a starting point. If v1/v2c is to be available in parallel with v3, open Advanced Network > SNMP and either select "View custom snmpd.conf" and copy the v1/v2c-specific settings into the new snmpd.conf file, or select "Download custom snmpd.conf" and add the v3-specific configuration to the downloaded file.

Link to Net-SNMPv3: http://www.net-snmp.org/wiki/index.php/TUT:SNMPv3_Options

It is possible to define multiple "usm" (User-based Security Model) parameters; the example below is what is considered to be a minimum. "usm" parameters are used with SNMPv3 only.

Example snmpd.conf

Example snmpd.conf for v3:

master agentx
#
# SNMPv3 specific config
#
# Minimum generic setup for authentication only
# createUser descriptiveUserName [MD5 or SHA] "your Auth Password"  
# rouser descriptiveUserName
#
# Minimum generic setup for authentication and privacy/encryption
# createUser anotherDescriptiveUserName [MD5 or SHA] "your Auth Password" [DES or AES] "your Priv Password"  
# rouser anotherDescriptiveUserName
#
# If only authentication using MD5 is wanted         
#
createUser         userAuthMD5NoPriv     MD5      "authPasswordMD5"
rouser                  userAuthMD5NoPriv
#
# If only authentication using SHA is wanted         
#
createUser         userAuthSHANoPriv       SHA       "authPasswordSHA"
rouser                  userAuthSHANoPriv
#
# If authentication using MD5 and privacy/encryption using DES is wanted         
#
createUser         userAuthMD5PrivDES     MD5      "authPasswordMD5"     DES        "privPasswordDES"
rouser                  userAuthMD5PrivDES
#
# If authentication using SHA and privacy/encryption using DES is wanted         
#
createUser         userAuthSHAPrivDES     SHA       "authPasswordSHA"      DES        "privPasswordDES"
rouser                  userAuthSHAPrivDES
#
# If authentication using SHA and privacy/encryption using AES is wanted         
#
createUser         userAuthSHAPrivAES SHA "authPasswordSHA" AES "privPasswordAES"
rouser                  userAuthSHAPrivAES

For a request using both authentication and encryption, the snmpwalk sequence might look like this:

snmpwalk -v 3 -u userAuthMD5PrivDES -l authPriv -a MD5 -A "authPasswordMD5" -x DES -X "privPasswordDES" 192.168.50.21 1.3.6.1.4.1.26122.3.1
iso.3.6.1.4.1.26122.3.1.1.0 = STRING: "5.1.2.5 (vsft)"
iso.3.6.1.4.1.26122.3.1.2.0 = STRING: "Stentofon Exigo Amplifier ENA2"
iso.3.6.1.4.1.26122.3.1.3.0 = INTEGER: 8330
iso.3.6.1.4.1.26122.3.1.4.0 = STRING: "ENA2200"
iso.3.6.1.4.1.26122.3.1.5.0 = STRING: "3.10.0[st_dev]+ #1 PREEMPT Fri Jan 3 12:48:10 CET 2020"
iso.3.6.1.4.1.26122.3.1.6.0 = STRING: "07"
iso.3.6.1.4.1.26122.3.1.7.0 = INTEGER: 2


When using authentication only it might look like this:

snmpwalk -v 3 -u userAuthSHANoPriv -a SHA -A "authPasswordSHA" -l authNoPriv 192.168.50.21 1.3.6.1.4.1.26122.3.1
iso.3.6.1.4.1.26122.3.1.1.0 = STRING: "5.1.2.5 (vsft)"
iso.3.6.1.4.1.26122.3.1.2.0 = STRING: "Stentofon Exigo Amplifier ENA2"
iso.3.6.1.4.1.26122.3.1.3.0 = INTEGER: 8330
iso.3.6.1.4.1.26122.3.1.4.0 = STRING: "ENA2200"
iso.3.6.1.4.1.26122.3.1.5.0 = STRING: "3.10.0[st_dev]+ #1 PREEMPT Fri Jan 3 12:48:10 CET 2020"
iso.3.6.1.4.1.26122.3.1.6.0 = STRING: "07"
iso.3.6.1.4.1.26122.3.1.7.0 = INTEGER: 2


-v : snmp protocol version, param:  3
-u : securityName, param: free text
-l : securityLevel, param: noAuthNoPriv | authNoPriv | authPriv
-a : authentication protocol, param: MD5 | SHA
-A : authentication password, param: free text
-x : privacy/encryption protocol, param: DES
-X : privacy/encryption password, param: free text


If the only option for SNMPv3 should be to use authentication and privacy/encryption, the snmpd.conf might look like this:

master agentx
createUser         theAuthSHAPrivDES       SHA       "the SHA Password"       DES        "the DES Password"
rouser                  theAuthSHAPrivDES


To list data:

snmpwalk -v 3 -u theAuthSHAPrivDES -l authPriv -a SHA -A "the SHA Password" -x DES -X "the DES Password" <ip-address> <OID>
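
A way to check an snmpd.conf of the kind shown above before loading it on a device. This is an added example, not Zenitel's or Net-SNMP's code: it pairs each createUser line with its rouser/rwuser line and reports name mismatches, MD5 or DES use, and users whose access line has no "priv" minimum level. It assumes the simple createUser form used in this article and the Net-SNMP documented default of "auth" for rouser; the function name and sample config are constructed.

```python
import shlex

# Constructed sample; user names follow the article's naming pattern.
SAMPLE = '''master agentx
createUser userAuthMD5PrivDE  MD5 "authPasswordMD5" DES "privPasswordDES"
rouser     userAuthMD5PrivDES
createUser userAuthSHAPrivAES SHA "authPasswordSHA" AES "privPasswordAES"
rouser     userAuthSHAPrivAES
createUser theAuthSHAPrivAES  SHA "the SHA Password" AES "the AES Password"
rouser     theAuthSHAPrivAES  priv
'''

def audit_snmpd_conf(text):
    """Return sorted (user, finding) pairs for the USM users in snmpd.conf text."""
    created, access, findings = {}, {}, []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # honours quotes and '#' comments
        if len(tok) < 2:
            continue
        directive, args = tok[0].lower(), tok[1:]
        if directive == "createuser":
            # Simple form only: createUser NAME AUTH "pass" [PRIV "pass"]
            auth = args[1].upper() if len(args) >= 3 else None
            priv = args[3].upper() if len(args) >= 4 else None
            created[args[0]] = (auth, priv)
        elif directive in ("rouser", "rwuser"):
            # Optional 2nd argument is the minimum level; snmpd defaults to "auth".
            access[args[0]] = args[1].lower() if len(args) > 1 else "auth"
    for user, (auth, priv) in created.items():
        if user not in access:
            findings.append((user, "created but has no rouser/rwuser line"))
        if auth == "MD5":
            findings.append((user, "MD5 authentication; SHA is available"))
        if priv is None:
            findings.append((user, "no privacy protocol; payload is not encrypted"))
        elif priv == "DES":
            findings.append((user, "DES privacy; AES is available"))
        if priv and access.get(user) in ("auth", "noauth"):
            findings.append((user, "privacy not enforced; use 'rouser USER priv'"))
    for user in access:
        if user not in created:
            findings.append((user, "access line refers to a user that is not created"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_snmpd_conf(SAMPLE):
        print(f"{user}: {finding}")
```

With a plain "rouser USER" line the agent accepts authNoPriv requests for that user even when a privacy passphrase is defined, so a configuration meant to allow only authPriv needs the "priv" keyword on the access line.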