08-29-2007 04:27 PM - edited 03-09-2019 06:42 PM
Hello,
We would like to enable SNMP 3 on our switches.
Are SNMP 3 user passwords encrypted by default in transit?
If yes, what is the encryption method?
Thank you
08-29-2007 05:59 PM
Yes, and I think you can find the best answer to this question here:
http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00804a8801.html
HTH,
-J
08-29-2007 08:58 PM
Thanks,
Does this encryption work if users are authenticated with Radius?
We have MDS switches and Cisco's doc says it is possible:
QUOTE:
*******************
As of Cisco MDS SAN-OS Release 2.0, the VSA format is enhanced to optionally specify your SNMPv3 authentication and privacy protocol attributes as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.
*******************
But what I do not understand is how to configure privacy passwords for Radius users.
Do you have any ideas?
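The VSA format quoted in the post above can be checked mechanically. The following is an added example, not part of the original thread or of Cisco's documentation: it parses cisco-av-pair strings in that format, applies the documented MD5/DES defaults, and reports which accounts end up on MD5 or DES and whether that was set explicitly or inherited by omission. The user names, the sample entries and the function names are assumptions made for illustration.

```python
import re

# Allowed values and defaults as stated in the documentation quoted above.
AUTH_OPTIONS = {"SHA", "MD5"}
PRIV_OPTIONS = {"AES-128", "DES"}
DEFAULTS = {"auth": "MD5", "priv": "DES"}
ROLES_RE = re.compile(r'shell:roles="([^"]*)"')
SNMP_RE = re.compile(r"snmpv3:(.*)$")


def parse_av_pair(value):
    """Parse one cisco-av-pair string; fill in the documented defaults."""
    roles = ROLES_RE.search(value)
    opts = {}
    snmp = SNMP_RE.search(value)
    if snmp:
        for token in snmp.group(1).split():
            key, sep, val = token.partition("=")
            if sep and key.lower() in DEFAULTS:
                opts[key.lower()] = val.upper()
    result = {**DEFAULTS, **opts}
    if result["auth"] not in AUTH_OPTIONS or result["priv"] not in PRIV_OPTIONS:
        raise ValueError(f"unsupported snmpv3 option in: {value!r}")
    result["roles"] = roles.group(1).split() if roles else []
    result["explicit"] = sorted(opts)
    return result


def audit(entries):
    """Return (user, attribute, value, source) for every MD5 or DES setting."""
    findings = []
    for user, value in entries.items():
        parsed = parse_av_pair(value)
        for attr, legacy in DEFAULTS.items():
            if parsed[attr] == legacy:
                source = "explicit" if attr in parsed["explicit"] else "default"
                findings.append((user, attr, legacy, source))
    return findings


# Constructed sample entries (user names and role names are made up).
SAMPLE = {
    "alice": 'shell:roles="roleA" snmpv3:auth=SHA priv=AES-128',
    "bob": 'shell:roles="roleA roleB"',
    "carol": 'shell:roles="roleB" snmpv3:auth=SHA priv=DES',
}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```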
08-29-2007 07:47 PM
If you set up priv when you configure SNMP v3, it will encrypt the SNMP packet.
08-29-2007 08:55 PM
Thanks davistan,
The priv option is what we are looking for.
That seems to require a "privacy password" to encrypt the communications.
However, we have a good number of switches.
So all our users authenticate with RADIUS.
In their doc, Cisco says:
SNMPv3 user management can be centralized at the AAA server level. This centralized user management allows the SNMP agent running on the Cisco MDS switch to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.
So, I am trying to figure out how to authenticate SNMP users with RADIUS.
How can we specify privacy passwords for RADIUS users?
Any ideas?
08-31-2007 10:47 AM
Still unable to get them to work together.
I have found also in Cisco's documents that AES and SHA are required options when SNMPv3 users are authenticated thru RADIUS.
But there is no mention as to where we need to configure privacy passwords for SNMP encryption.
Has anyone done that (SNMP+Radius) before?