Actions

SNMP v.3

From Zenitel Wiki

Revision as of 15:25, 4 February 2020 by Asle (talk | contribs) (Example snmpd.conf for v3)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This article describes how to open for SNMPv3 on Turbine and Exigo devices. SNMPv3 Traps are not implemented.

Software requirement

  • Turbine software 5.1.3.0 or later

Description

SNMPv3 supports authentication of user/requester based on the protocols MD5 or SHA, and encryption of data (payload) based on the protocol DES.

To open for SNMPv3, the snmpd.conf file already existing on the device can be modified. If only SNMP v1/v2c are to be used, this can be changed from the web interface of the device, Advanced Network > SNMP.

For SNMPv3 one can download a template snmpd.conf file and use to start with. If v1/v2c is to be available in parallel to v3, one can look at the snmpd.conf from Advanced Network > SNMP and select "View custom snmpd.conf" and copy/change/add what is is v1/v2c specific to the new snmpd.conf file, or select "Download custom snmpd.conf" file and add v3 specific congiguration to the file.

Link to Net-SNMPv3: http://www.net-snmp.org/wiki/index.php/TUT:SNMPv3_Options

It is possible to define multiple "usm" (User-based Security Model) parameters, below is what is considered to be a minimum. "usm" parameters are used with SNMPv3 only.

Example snmpd.conf

Example snmpd.conf for v3:

master agentx
#
# SNMPv3 specific config
#
# Minimum generic setup for authentication only
# createUser descriptiveUserName [MD5 or SHA] "your Auth Password"  
# rouser descriptiveUserName
#
# Minimum generic setup for authentication and privacy/encryption
# createUser anotherDescriptiveUserName [MD5 or SHA] "your Auth Password" [DES or AES] "your Priv Password"  
# rouser anotherDescriptiveUserName
#
# If only authentication using MD5 is wanted         
#
createUser         userAuthMD5NoPriv     MD5      "authPasswordMD5"
rouser                  userAuthMD5NoPriv
#
# If only authentication using SHA is wanted         
#
createUser         userAuthSHANoPriv       SHA       "authPasswordSHA"
rouser                  userAuthSHANoPriv
#
# If authentication using MD5 and privacy/encryption using DES is wanted         
#
createUser         userAuthMD5PrivDE      MD5      "authPasswordMD5"     DES        "privPasswordDES"
rouser                  userAuthMD5PrivDES
#
# If authentication using SHA and privacy/encryption using DES is wanted         
#
createUser         userAuthSHAPrivDES     SHA       "authPasswordSHA"      DES        "privPasswordDES"
rouser                  userAuthSHAPrivDES
#
# If authentication using SHA and privacy/encryption using AES is wanted         
#
createUser         userAuthSHAPrivAES SHA "authPasswordSHA" AES "privPasswordAES"
rouser                  userAuthSHAPrivAES

For a request using both authentication and encryption, the snmpwalk sequence might look like this:

snmpwalk -v 3 -u userAuthMD5PrivDES -l authPriv -a MD5 -A "authPasswordMD5" -x DES -X "privPasswordDES" 192.168.50.21 1.3.6.1.4.1.26122.3.1
iso.3.6.1.4.1.26122.3.1.1.0 = STRING: "5.1.2.5 (vsft)"
iso.3.6.1.4.1.26122.3.1.2.0 = STRING: "Stentofon Exigo Amplifier ENA2"
iso.3.6.1.4.1.26122.3.1.3.0 = INTEGER: 8330
iso.3.6.1.4.1.26122.3.1.4.0 = STRING: "ENA2200"
iso.3.6.1.4.1.26122.3.1.5.0 = STRING: "3.10.0[st_dev]+ #1 PREEMPT Fri Jan 3 12:48:10 CET 2020"
iso.3.6.1.4.1.26122.3.1.6.0 = STRING: "07"
iso.3.6.1.4.1.26122.3.1.7.0 = INTEGER: 2


When using authentication only it might look like this:

snmpwalk -v 3 -u userAuthSHANoPriv -a SHA -A "authPasswordSHA" -l authNoPriv 192.168.50.21 1.3.6.1.4.1.26122.3.1
iso.3.6.1.4.1.26122.3.1.1.0 = STRING: "5.1.2.5 (vsft)"
iso.3.6.1.4.1.26122.3.1.2.0 = STRING: "Stentofon Exigo Amplifier ENA2"
iso.3.6.1.4.1.26122.3.1.3.0 = INTEGER: 8330
iso.3.6.1.4.1.26122.3.1.4.0 = STRING: "ENA2200"
iso.3.6.1.4.1.26122.3.1.5.0 = STRING: "3.10.0[st_dev]+ #1 PREEMPT Fri Jan 3 12:48:10 CET 2020"
iso.3.6.1.4.1.26122.3.1.6.0 = STRING: "07"
iso.3.6.1.4.1.26122.3.1.7.0 = INTEGER: 2


-v : snmp protocol version, param:  3
-u : securityName, param: free text
-l : securityLevel, param: noAuthNoPriv | authNoPriv | authPriv
-a: authentcation protocol, param: MD5 | SHA
-A : authentication password, param: free text
-x : privacy/encryption protocol, param: DES
-X : privacy/encryption password, param: free text


If the only option for SNMPv3 should be to use authentication and privacy/encryption, the snmpd.conf might look like this:

master agentx
createUser         theAuthSHAPrivDES       SHA       "the SHA Password"       DES        "the DES Password"
rouser                  theAuthSHAPrivDES


To list data:

snmpwalk -v 3 -u theAuthSHAPrivDES -l authPriv -a SHA -A "the SHA Password" -x DES -X "the DES Password" <ip-address> <OID>