Cisco Support Community
New Member

Simple SNMP 3 question

Hello,

We would like to enable SNMP 3 on our switches.

Are SNMP 3 user passwords encrypted by default in transit?

If yes, what is the encryption method?

Thank you

5 REPLIES
Cisco Employee

Re: Simple SNMP 3 question

Yes, and I think you can find the best answer to this question here:

http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00804a8801.html

HTH,

-J

New Member

Re: Simple SNMP 3 question

Thanks,

Does this encryption work if users are authenticated with Radius?

We have MDS switches and Cisco's doc says it is possible:

QUOTE:

*******************

As of Cisco MDS SAN-OS Release 2.0, the VSA format is enhanced to optionally specify your SNMPv3 authentication and privacy protocol attributes as follows:

shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.

*******************

But what I do not understand is how to configure privacy passwords for Radius users.

Do you have any ideas?
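
Added example, not part of the original thread or of Cisco's documentation: a small Python audit of cisco-av-pair values in the format quoted above, which reports the effective SNMPv3 auth/priv protocols and flags entries that end up on MD5 or DES, including through the documented defaults. The function name, the case-insensitive matching of values and the sample strings are assumptions made for illustration.

```python
import re

# Options and defaults exactly as stated in the quoted MDS documentation.
ALLOWED = {"auth": ("SHA", "MD5"), "priv": ("AES-128", "DES")}
DEFAULTS = {"auth": "MD5", "priv": "DES"}
WEAK = {"MD5", "DES"}  # legacy algorithms; flagged whether explicit or defaulted

ROLES_RE = re.compile(r'shell:roles="([^"]*)"')
SNMP_RE = re.compile(r'snmpv3:(.*)$')  # assumes snmpv3: comes last, as in the quote


def audit_av_pair(value):
    """Parse one cisco-av-pair string; return effective settings and findings."""
    findings = []
    m = ROLES_RE.search(value)
    roles = m.group(1).split() if m else []
    if not roles:
        findings.append("no shell:roles value")

    given = {}
    m = SNMP_RE.search(value)
    for token in (m.group(1).split() if m else []):
        key, sep, val = token.partition("=")
        if sep and key in ALLOWED:
            given[key] = val.upper()  # assumption: compare values case-insensitively
        else:
            findings.append(f"unrecognised snmpv3 token {token!r}")

    effective = {}
    for key in ("auth", "priv"):
        val = given.get(key, DEFAULTS[key])
        effective[key] = val
        origin = "set explicitly" if key in given else "defaulted (not specified)"
        if val not in ALLOWED[key]:
            findings.append(f"{key}={val} is not a documented option")
        elif val in WEAK:
            findings.append(f"{key}={val} {origin}")
    return {"roles": roles, **effective, "findings": findings}


# Constructed sample values, not taken from any real AAA server.
SAMPLES = [
    'shell:roles="roleA" snmpv3:auth=SHA priv=AES-128',
    'shell:roles="roleA roleB"',
    'shell:roles="roleA" snmpv3:auth=SHA priv=des',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit_av_pair(s))
```

Run over an export of the av-pair values held on the AAA server, an empty `findings` list means the entry names both SHA and AES-128 explicitly.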

Cisco Employee

Re: Simple SNMP 3 question

If you set up priv when you configure SNMPv3, it will encrypt the SNMP packet.

New Member

Re: Simple SNMP 3 question

Thanks davistan,

The priv option is what we are looking for.

That seems to require a "privacy password" to encrypt the communications.

However, we have a good number of switches.

So all our users authenticate with RADIUS.

In their doc, Cisco says:

SNMPv3 user management can be centralized at the AAA server level. This centralized user management allows the SNMP agent running on the Cisco MDS switch to leverage the user authentication service of the AAA server. Once user authentication is verified, the SNMP PDUs are processed further. Additionally, the AAA server is also used to store user group names. SNMP uses the group names to apply the access/role policy that is locally available in the switch.

So, I am trying to figure out how to authenticate SNMP users with RADIUS.

How can we specify privacy passwords for RADIUS users?

Any ideas?

New Member

Re: Simple SNMP 3 question

Still unable to get them to work together.

I have also found in Cisco's documents that AES and SHA are required options when SNMPv3 users are authenticated through RADIUS.

But there is no mention as to where we need to configure privacy passwords for SNMP encryption.

Has anyone done that (SNMP+Radius) before?
