Simple SNMP 3 question

eastcoast5
Level 1

Hello,

We would like to enable SNMP 3 on our switches.

Are SNMP 3 user passwords encrypted by default in transit?

If yes, what is the encryption method?

Thank you


jreekers
Level 4

Yes, and I think you can find the best answer to this question here:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00804a8801.html

HTH,

-J

Thanks,

Does this encryption work if users are authenticated with Radius?

We have MDS switches and Cisco's doc says it is possible:

QUOTE:

*******************

As of Cisco MDS SAN-OS Release 2.0, the VSA format is enhanced to optionally specify your SNMPv3 authentication and privacy protocol attributes as follows:

shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.

*******************

But what I do not understand is how to configure privacy passwords for Radius users.

Do you have any ideas?
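
The defaulting rule in the documentation quoted above (MD5 and DES when the cisco-av-pair omits the snmpv3 attributes), as an added example that is not part of the original posts or Cisco's code: a Python check that computes the effective protocols for a RADIUS profile value and flags the weak ones. The helper name, the parsing rules and the sample values are assumptions constructed for illustration.

```python
import re

# Defaults and allowed options as stated in the quoted MDS documentation.
DEFAULT_AUTH, DEFAULT_PRIV = "MD5", "DES"
AUTH_OPTIONS = {"SHA", "MD5"}
PRIV_OPTIONS = {"AES-128", "DES"}
WEAK = {"MD5", "DES"}  # legacy algorithms an audit should flag

ROLES_RE = re.compile(r'shell:roles\s*=\s*"([^"]*)"')
SNMP_RE = re.compile(r"snmpv3:(.*)$")
OPT_RE = re.compile(r"\b(auth|priv)=(\S+)")


def effective_snmpv3(av_pair):
    """Hypothetical helper: effective SNMPv3 protocols for one cisco-av-pair value."""
    findings = []
    roles_m = ROLES_RE.search(av_pair)
    roles = roles_m.group(1).split() if roles_m else []
    if not roles:
        findings.append("no shell:roles value")
    snmp_m = SNMP_RE.search(av_pair)
    opts = {k: v.upper() for k, v in OPT_RE.findall(snmp_m.group(1))} if snmp_m else {}
    result = {"roles": roles, "findings": findings}
    for key, default, allowed in (("auth", DEFAULT_AUTH, AUTH_OPTIONS),
                                  ("priv", DEFAULT_PRIV, PRIV_OPTIONS)):
        value = opts.get(key, default)  # fall back to the documented default
        origin = "explicit" if key in opts else "default"
        if value not in allowed:
            findings.append(f"{key}={value} is not a documented option")
        elif value in WEAK:
            findings.append(f"{key}={value} ({origin}) is weak")
        result[key] = value
    return result


# Constructed sample values, not taken from a real ACS/RADIUS server.
SAMPLES = [
    'shell:roles="roleA roleB" snmpv3:auth=SHA priv=AES-128',
    'shell:roles="roleA"',
    'shell:roles="roleB" snmpv3:auth=SHA',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", effective_snmpv3(sample))
```
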

David Stanford
Cisco Employee

If you set up priv when you configure SNMPv3, it will encrypt the SNMP packet.

Thanks davistan,

The priv option is what we are looking for.

That seems to require a "privacy password" to encrypt the communications.

However, we have a good number of switches.

So all our users authenticate with RADIUS.

In their doc, Cisco says:

SNMPv3 user management can be centralized at the AAA server level. This centralized user management allows the SNMP agent running on the Cisco MDS switch to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.

So, I am trying to figure out how to authenticate SNMP users with RADIUS.

How can we specify privacy passwords for RADIUS users?

Any ideas?

Still unable to get them to work together.

I have found also in Cisco's documents that AES and SHA are required options when SNMPv3 users are authenticated thru RADIUS.

But there is no mention as to where we need to configure privacy passwords for SNMP encryption.

Has anyone done that (SNMP+Radius) before?
