Simple SNMP 3 question

Unanswered Question
Aug 29th, 2007

Hello,


We would like to enable SNMP 3 on our switches.


Are SNMP 3 user passwords encrypted by default in transit?


If yes, what is the encryption method?


Thank you


eastcoast5 Wed, 08/29/2007 - 20:58

Thanks,


Does this encryption work if users are authenticated with Radius?


We have MDS switches and Cisco's doc says it is possible:


QUOTE:

*******************

As of Cisco MDS SAN-OS Release 2.0, the VSA format is enhanced to optionally specify your SNMPv3 authentication and privacy protocol attributes as follows:


shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.

*******************


But what I do not understand is how to configure privacy passwords for Radius users.


Do you have any ideas?
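
Added example, not part of the original post or of Cisco's documentation: a small Python audit of `cisco-av-pair` values in the format quoted above, reporting when a user ends up with MD5 or DES either explicitly or through the documented default. Treating MD5 and DES as the weak choices, the function names, and the sample strings are assumptions of this example; it expects `shell:roles` before `snmpv3:` as in the quoted line.

```python
import re

# Defaults and allowed values as stated in the quoted Cisco MDS documentation.
DEFAULTS = {"auth": "MD5", "priv": "DES"}
ALLOWED = {"auth": {"SHA", "MD5"}, "priv": {"AES-128", "DES"}}
# Assumption of this example: MD5 and DES are the options to flag.
WEAK = {"MD5", "DES"}


def parse_av_pair(value):
    """Split a cisco-av-pair string into roles and effective SNMPv3 settings."""
    roles_match = re.search(r'shell:roles="([^"]*)"', value)
    roles = roles_match.group(1).split() if roles_match else []
    settings = dict(DEFAULTS)      # start from the documented defaults
    explicit = set()               # keys actually present in the string
    snmp_match = re.search(r"snmpv3:(.*)$", value)
    if snmp_match:
        for token in snmp_match.group(1).split():
            key, sep, val = token.partition("=")
            if not sep or key not in ALLOWED:
                raise ValueError(f"unrecognised snmpv3 token: {token!r}")
            if val not in ALLOWED[key]:
                raise ValueError(f"unsupported {key} protocol: {val!r}")
            settings[key] = val
            explicit.add(key)
    return roles, settings, explicit


def audit(value):
    """Return findings for one av-pair value; an empty list means no finding."""
    _roles, settings, explicit = parse_av_pair(value)
    findings = []
    for key in ("auth", "priv"):
        if settings[key] in WEAK:
            how = "explicit" if key in explicit else "default"
            findings.append(f"{key}={settings[key]} ({how})")
    return findings


# Constructed sample values using the role names from the quoted line.
SAMPLES = [
    'shell:roles="roleA roleB" snmpv3:auth=SHA priv=AES-128',
    'shell:roles="roleA"',                      # no snmpv3 part: defaults apply
    'shell:roles="roleA roleB" snmpv3:auth=SHA',  # priv omitted: DES by default
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit(sample) or "ok")
```
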

David Stanford Wed, 08/29/2007 - 19:47
User Badges:
  • Cisco Employee,

If you set up priv when you configure SNMP v3, it will encrypt the SNMP packet.

eastcoast5 Wed, 08/29/2007 - 20:55

Thanks davistan,


The priv option is what we are looking for.

That seems to require a "privacy password" to encrypt the communications.

However, we have a good number of switches.

So all our users authenticate with RADIUS.


In their doc, Cisco says:


SNMPv3 user management can be centralized at the AAA server level. This centralized user management allows the SNMP agent running on the Cisco MDS switch to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.


So, I am trying to figure out how to authenticate SNMP users with RADIUS.


How can we specify privacy passwords for RADIUS users?


Any ideas?

eastcoast5 Fri, 08/31/2007 - 10:47

Still unable to get them to work together.


I have also found in Cisco's documents that AES and SHA are required options when SNMPv3 users are authenticated through RADIUS.


But there is no mention as to where we need to configure privacy passwords for SNMP encryption.


Has anyone done that (SNMP+Radius) before?






