Creating SNMP Users on SNMPv3
The SNMPv3 protocol supports the creation of users and optionally allows the use of authentication and encryption. Netvisor ONE supports SHA or MD5 as authentication protocols and DES as the encryption algorithm. The default authentication protocol is SHA; you can change it to MD5 by using the CLI.
You can also create a user without providing the authentication and privilege password options. For example:
CLI (network-admin@switch) > snmp-user-create user-name name-string auth priv
To create a user by providing the authentication and privilege passwords for encryption, use the following command. You must provide a password for authentication (auth-password) and encryption (priv-password):
CLI (network-admin@switch) > snmp-user-create user-name user-name-string auth-password auth-password-string [auth|no-auth] [auth-hash md5|sha] priv-password priv-password-string [priv|no-priv]
To create the user pluribus with the authentication password m0nk3ys$ and SHA1 as the authentication hash, use the following command:
CLI (network-admin@switch) > snmp-user-create user-name pluribus auth auth-hash sha
auth password: ********
confirm password: ********
The password should have at least eight (8) characters and can be a combination of letters, numbers, and special characters. To modify the SNMP user and add privilege with the password b33h!v3#, use the following command:
CLI (network-admin@switch) > snmp-user-modify user-name pluribus auth-password auth priv-password priv
auth password: ********
confirm password: ********
priv password: ********
confirm password: ********
To display information about the SNMP user created earlier, use the following command:
CLI (network-admin@switch) > snmp-user-show user-name pluribus
user-name auth auth-hash priv
--------- ---- -------- ----
pluribus yes sha yes
Create another user with the user name pluribus2 and MD5 as the authentication hash:
CLI (network-admin@switch) > snmp-user-create user-name pluribus2 auth auth-password priv priv-password auth-hash md5
auth password:********
confirm auth password:********
priv password:********
confirm priv password:********
To display the details, use the following command:
CLI (network-admin@switch) > snmp-user-show
switch user-name auth auth-hash priv
------- ----------- ---- --------- ----
switch pluribus1 yes sha yes
switch pluribus2 yes md5 yes
To delete the SNMP user, use the snmp-user-delete command:
CLI (network-admin@switch) > snmp-user-delete user-name
After you create the SNMP user, you must grant permission to view the SNMP objects by using the View Access Control Model (VACM). To grant permission, use the command:
CLI (network-admin@switch) > snmp-vacm-create user-name snmp-user user-name user-type [rouser|rwuser] oid-restrict oid-restrict-string [auth|no-auth] [priv|no-priv]
The oid-restrict parameter is an optional argument that specifies a MIB sub-tree with a restricted view. In other words, if you specify an OID, the user can only see that OID and its descendants in the tree.
For example, the snmp-vacm-create command can restrict a particular user, snmp-user, to a specified OID. To restrict access to the sysContact OID, use the command:
CLI (network-admin@switch) > snmp-vacm-create user-name snmp-user user-type rouser oid-restrict sysContact no-auth no-priv
To modify the VACM configuration of the user from no authentication to authentication, use the following command:
CLI (network-admin@switch) > snmp-vacm-modify user-name snmp-user user-type rouser auth
To display information about the VACM configuration, use the snmp-vacm-show command:
CLI (network-admin@switch) > snmp-vacm-show
user-type user-name oid-restrict view auth priv
--------- --------- ------------ ---- ---- ----
rouser snmp-user sysContact no no
To delete the VACM of the user from the SNMP configuration, use the snmp-vacm-delete command:
CLI (network-admin@switch) > snmp-vacm-delete user-name snmp-user
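The following is an added example, not part of the original page or of Netvisor ONE: a Python check that reads saved snmp-user-show and snmp-vacm-show output and flags users without auth or priv, users on MD5, and rwuser entries with no oid-restrict. The sample tables are constructed; column-aligned output and the rwuser policy check are assumptions.

```python
import re

# Constructed sample output, laid out like the snmp-user-show and
# snmp-vacm-show tables on this page (values are illustrative).
USERS = """\
switch  user-name auth auth-hash priv
------- --------- ---- --------- ----
switch  pluribus  yes  sha       yes
switch  pluribus2 yes  md5       yes
switch  monitor   no             no
"""
VACM = """\
user-type user-name oid-restrict view auth priv
--------- --------- ------------ ---- ---- ----
rouser    snmp-user sysContact        no   no
rwuser    pluribus                    yes  yes
"""

def parse_table(text):
    """Return rows as dicts. Column starts are taken from the dashed ruler
    (assumes aligned output), so an empty cell does not shift fields."""
    lines = [l for l in text.splitlines() if l.strip()]
    i = next(n for n, l in enumerate(lines) if set(l.strip()) <= {"-", " "})
    starts = [m.start() for m in re.finditer(r"-+", lines[i])]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[i - 1][a:b].strip() for a, b in bounds]
    return [{n: l[a:b].strip() for n, (a, b) in zip(names, bounds)}
            for l in lines[i + 1:]]

def audit(text):
    """Flag rows that weaken SNMPv3: no auth, MD5 hash, no priv,
    or a read-write VACM entry with no oid-restrict (assumed policy)."""
    findings = []
    for row in parse_table(text):
        user = row["user-name"]
        if row["auth"] != "yes":
            findings.append((user, "auth disabled"))
        elif row.get("auth-hash") == "md5":
            findings.append((user, "auth-hash md5"))
        if row["priv"] != "yes":
            findings.append((user, "priv disabled"))
        if row.get("user-type") == "rwuser" and not row.get("oid-restrict"):
            findings.append((user, "rwuser without oid-restrict"))
    return findings

if __name__ == "__main__":
    for table in (USERS, VACM):
        for user, issue in audit(table):
            print(f"{user}: {issue}")
```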