Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

SNMPv3 user and group dependency?

HI,

if i create group with authpriv and user with no authnopriv, and if we add user to this group. what will be result? this user will be authenticated or not? what is the dependency between users and groups ? Which has high priority?

thanks guys

CCNP, CCNA Security
Everyone's tags (1)
2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

SNMPv3 user and group dependency?

Group has the higher priority. If an SNMP user belonging to an SNMP group is not configured with the password or if the group security level is not the same as the user security level, the error shown is "AUTHORIZATION_ERROR". The Cisco-specific error message for this scenario is "unknownUserName".

Check this:

http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/nm-snmp-snmpv3.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F

-Thanks

-Thanks Vinod **Rating Encourages contributors, and its really free. **
New Member

Re: SNMPv3 user and group dependency?

Hi. Before I found this answer and the link Vinod Arya provided, I had the same question, so I did some tests in GNS3 configuring different snmpv3 groups within a router cisco 2800 (i.e. a no-auth group, an auth group and a priv group); creating different users with different security levels  and making all the possible combinations between users and groups. After capturing with Wireshark those results (i'll put them at the end of the question) I write a "rule", the "general conclusion" of that dependency between the security level of groups and users, as follows:

- " Within the agent, the group's security level has precedence over the user's security level member of that group, if the group's security level is greater than the user's security level. This is explained with the following two scenarios. First scenario, If inside the agent, the group which the user belongs, does not have any securities (a noauth group) and the user inside of it has a security level greater, for example, authPriv; an external incoming request to the user of this agent, with authNoPriv security level, will be able to gather the information that was looking for, despite the user inside router's agent has configured both authentication and privacy protocols and keys. Second scenario, the opposite situation. When the group's security level is higher, for example authPriv and the user within the group has a lower security level (for example, a noAuthNoPriv user or a authNoPriv user)  an external incoming request to the user of this agent, with noAuthNoPriv or authNoPriv security level, will get a NULL response to the request.

That's why concordance must exist between the security level of both the group and the users members of that group.

Another important consideration is consider the interaction between user's security levels (admin and agents). The security level of the user has precedence over the request's security level of the admin console, because if the security level of the incoming request is higher than the configured for the user who it is asking to, the request won't be successfull and an error message "unsupported security level" will be sent to the admin console."  -


Please I want to know if the conclusion I reached after the analisis of the results of tests is correct, or if it's imprecise, you can help me to improve it.

In the link it doesn't say literally that the group has precedence, it mentions about the errors in the case of a missing password or inconsistence between group and user's security level. Also saying that the group's security level has precedence over the user's security level is not always true wich I think was demonstrated with the first scenario example, that's why I need to know if the explanation I wrote is good or is missing something.  Thanks in advance

Results of the tests: the image provided


5 REPLIES
Cisco Employee

SNMPv3 user and group dependency?

Group has the higher priority. If an SNMP user belonging to an SNMP group is not configured with the password or if the group security level is not the same as the user security level, the error shown is "AUTHORIZATION_ERROR". The Cisco-specific error message for this scenario is "unknownUserName".

Check this:

http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/nm-snmp-snmpv3.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F

-Thanks

-Thanks Vinod **Rating Encourages contributors, and its really free. **
New Member

Re: SNMPv3 user and group dependency?

Hi. Before I found this answer and the link Vinod Arya provided, I had the same question, so I did some tests in GNS3 configuring different snmpv3 groups within a router cisco 2800 (i.e. a no-auth group, an auth group and a priv group); creating different users with different security levels  and making all the possible combinations between users and groups. After capturing with Wireshark those results (i'll put them at the end of the question) I write a "rule", the "general conclusion" of that dependency between the security level of groups and users, as follows:

- " Within the agent, the group's security level has precedence over the user's security level member of that group, if the group's security level is greater than the user's security level. This is explained with the following two scenarios. First scenario, If inside the agent, the group which the user belongs, does not have any securities (a noauth group) and the user inside of it has a security level greater, for example, authPriv; an external incoming request to the user of this agent, with authNoPriv security level, will be able to gather the information that was looking for, despite the user inside router's agent has configured both authentication and privacy protocols and keys. Second scenario, the opposite situation. When the group's security level is higher, for example authPriv and the user within the group has a lower security level (for example, a noAuthNoPriv user or a authNoPriv user)  an external incoming request to the user of this agent, with noAuthNoPriv or authNoPriv security level, will get a NULL response to the request.

That's why concordance must exist between the security level of both the group and the users members of that group.

Another important consideration is consider the interaction between user's security levels (admin and agents). The security level of the user has precedence over the request's security level of the admin console, because if the security level of the incoming request is higher than the configured for the user who it is asking to, the request won't be successfull and an error message "unsupported security level" will be sent to the admin console."  -


Please I want to know if the conclusion I reached after the analisis of the results of tests is correct, or if it's imprecise, you can help me to improve it.

In the link it doesn't say literally that the group has precedence, it mentions about the errors in the case of a missing password or inconsistence between group and user's security level. Also saying that the group's security level has precedence over the user's security level is not always true wich I think was demonstrated with the first scenario example, that's why I need to know if the explanation I wrote is good or is missing something.  Thanks in advance

Results of the tests: the image provided


New Member

SNMPv3 user and group dependency?

Marceloz you did a good job, for being very busy i can not verify your result. after i check again i write my result here

thanks for detailed information

CCNP, CCNA Security
New Member

Re: SNMPv3 user and group dependency?

Hi Marceloz, I have tested, result is same as yours

Picture is attached

CCNP, CCNA Security
New Member

Re: SNMPv3 user and group dependency?

So Vusal, the "general rule" that I wrote is ok? Does it have something missing?

Considering that in the link:

http://www.cisco.com/en/US/docs/ios-xml/ios/snmp/configuration/xe-3se/3850/nm-snmp-snmpv3.html#GUID-DCB20ADF-1F8E-434B-AE97-54802879F34F,   it doesn't say literally that the group has precedence, it only mentions about the errors in the case of a missing password or inconsistence between group and user's security level.

The results we obtained seems to prove my theory, but in the router, when the group is priv, the user noAuthNoPriv; and the client is autnNoPriv, According to my theory should be NULL, not unsupported security level, but at the same time, that result is concordant with the definition I wrote about interaction between user's security levels.

1287
Views
0
Helpful
5
Replies
CreatePlease to create content