Difference between revisions of "SNMP v.3"
From Zenitel Wiki
(→Description) |
(→Example snmpd.conf for v3) |
||
Line 19: | Line 19: | ||
Example snmpd.conf for v3: | Example snmpd.conf for v3: | ||
− | |||
master agentx | master agentx | ||
# | # |
Revision as of 15:25, 4 February 2020
This article describes how to open for SNMPv3 on Turbine and Exigo devices. SNMPv3 Traps are not implemented.
Software requirement
- Turbine software 5.1.3.0 or later
Description
SNMPv3 supports authentication of user/requester based on the protocols MD5 or SHA, and encryption of data (payload) based on the protocol DES.
To open for SNMPv3, the snmpd.conf file already existing on the device can be modified. If only SNMP v1/v2c are to be used, this can be changed from the web interface of the device, Advanced Network > SNMP.
For SNMPv3 one can download a template snmpd.conf file and use to start with. If v1/v2c is to be available in parallel to v3, one can look at the snmpd.conf from Advanced Network > SNMP and select "View custom snmpd.conf" and copy/change/add what is is v1/v2c specific to the new snmpd.conf file, or select "Download custom snmpd.conf" file and add v3 specific congiguration to the file.
Link to Net-SNMPv3: http://www.net-snmp.org/wiki/index.php/TUT:SNMPv3_Options
It is possible to define multiple "usm" (User-based Security Model) parameters, below is what is considered to be a minimum. "usm" parameters are used with SNMPv3 only.
Example snmpd.conf for v3
Example snmpd.conf for v3:
master agentx # # SNMPv3 specific config # # Minimum generic setup for authentication only # createUser descriptiveUserName [MD5 or SHA] "your Auth Password" # rouser descriptiveUserName # # Minimum generic setup for authentication and privacy/encryption # createUser anotherDescriptiveUserName [MD5 or SHA] "your Auth Password" [DES or AES] "your Priv Password" # rouser anotherDescriptiveUserName
# # If only authentication using MD5 is wanted # createUser userAuthMD5NoPriv MD5 "authPasswordMD5" rouser userAuthMD5NoPriv
# # If only authentication using SHA is wanted # createUser userAuthSHANoPriv SHA "authPasswordSHA" rouser userAuthSHANoPriv
# # If authentication using MD5 and privacy/encryption using DES is wanted # createUser userAuthMD5PrivDE MD5 "authPasswordMD5" DES "privPasswordDES" rouser userAuthMD5PrivDES
# # If authentication using SHA and privacy/encryption using DES is wanted # createUser userAuthSHAPrivDES SHA "authPasswordSHA" DES "privPasswordDES" rouser userAuthSHAPrivDES
# # If authentication using SHA and privacy/encryption using AES is wanted # createUser userAuthSHAPrivAES SHA "authPasswordSHA" AES "privPasswordAES" rouser userAuthSHAPrivAES
For a request using both authentication and encryption, the snmpwalk sequence might look like this:
snmpwalk -v 3 -u userAuthMD5PrivDES -l authPriv -a MD5 -A "authPasswordMD5" -x DES -X "privPasswordDES" 192.168.50.21 1.3.6.1.4.1.26122.3.1 iso.3.6.1.4.1.26122.3.1.1.0 = STRING: "5.1.2.5 (vsft)" iso.3.6.1.4.1.26122.3.1.2.0 = STRING: "Stentofon Exigo Amplifier ENA2" iso.3.6.1.4.1.26122.3.1.3.0 = INTEGER: 8330 iso.3.6.1.4.1.26122.3.1.4.0 = STRING: "ENA2200" iso.3.6.1.4.1.26122.3.1.5.0 = STRING: "3.10.0[st_dev]+ #1 PREEMPT Fri Jan 3 12:48:10 CET 2020" iso.3.6.1.4.1.26122.3.1.6.0 = STRING: "07" iso.3.6.1.4.1.26122.3.1.7.0 = INTEGER: 2
When using authentication only it might look like this:
snmpwalk -v 3 -u userAuthSHANoPriv -a SHA -A "authPasswordSHA" -l authNoPriv 192.168.50.21 1.3.6.1.4.1.26122.3.1 iso.3.6.1.4.1.26122.3.1.1.0 = STRING: "5.1.2.5 (vsft)" iso.3.6.1.4.1.26122.3.1.2.0 = STRING: "Stentofon Exigo Amplifier ENA2" iso.3.6.1.4.1.26122.3.1.3.0 = INTEGER: 8330 iso.3.6.1.4.1.26122.3.1.4.0 = STRING: "ENA2200" iso.3.6.1.4.1.26122.3.1.5.0 = STRING: "3.10.0[st_dev]+ #1 PREEMPT Fri Jan 3 12:48:10 CET 2020" iso.3.6.1.4.1.26122.3.1.6.0 = STRING: "07" iso.3.6.1.4.1.26122.3.1.7.0 = INTEGER: 2
-v : snmp protocol version, param: 3 -u : securityName, param: free text -l : securityLevel, param: noAuthNoPriv | authNoPriv | authPriv -a: authentcation protocol, param: MD5 | SHA -A : authentication password, param: free text -x : privacy/encryption protocol, param: DES -X : privacy/encryption password, param: free text
If the only option for SNMPv3 should be to use authentication and privacy/encryption, the snmpd.conf might look like this:
master agentx createUser theAuthSHAPrivDES SHA "the SHA Password" DES "the DES Password" rouser theAuthSHAPrivDES
To list data:
snmpwalk -v 3 -u theAuthSHAPrivDES -l authPriv -a SHA -A "the SHA Password" -x DES -X "the DES Password" <ip-address> <OID>