Creating SNMP Users on SNMPv3


The SNMPv3 protocol supports the creation of users and optionally allows the use of authentication and encryption. Netvisor ONE supports SHA or MD5 as authentication protocols and DES as the encryption algorithm. The default authentication protocol is SHA; however, Netvisor allows you to change the authentication protocol to MD5 by using the CLI.

You can also create a user without providing the authentication and privilege password options. For example,

CLI (network-admin@switch) > snmp-user-create user-name name-string auth priv

To create a user by providing the authentication and privilege passwords for encryption, use the following command. You must provide a password for authentication (auth-password) and encryption (priv-password):


CLI (network-admin@switch) > snmp-user-create user-name user-name-string auth-password auth-password-string [auth|no-auth] [auth-hash md5|sha] priv-password priv-password-string [priv|no-priv]


To create the user pluribus with the authentication password m0nk3ys$ and SHA1 as the authentication hash, use the following command:


CLI (network-admin@switch) > snmp-user-create user-name pluribus auth auth-hash sha


auth password: ********

confirm password: ********


The password should have at least eight (8) characters and can be a combination of letters, numbers, and special characters. To modify the SNMP user and add privilege with the password, b33h!v3#, use the following command:


CLI (network-admin@switch) > snmp-user-modify user-name pluribus auth-password auth priv-password priv


auth password: ********

confirm password: ********

priv password: ********

confirm password: ********


To display information about the SNMP user created earlier, use the following command:


CLI (network-admin@switch) > snmp-user-show user-name pluribus


user-name  auth  auth-hash  priv
---------  ----  ---------  ----
pluribus   yes   sha        yes


Create another user with the user name pluribus2 and MD5 as the authentication hash:


CLI (network-admin@switch) > snmp-user-create user-name pluribus2 auth auth-password priv priv-password auth-hash md5


auth password:********

confirm auth password:********

priv password:********

confirm priv password:********


To display the details, use the following command:

CLI (network-admin@switch) > snmp-user-show


switch  user-name  auth  auth-hash  priv
------  ---------  ----  ---------  ----
switch  pluribus1  yes   sha        yes
switch  pluribus2  yes   md5        yes


To delete the SNMP user, use the snmp-user-delete command:

CLI (network-admin@switch) > snmp-user-delete user-name


After you create the SNMP user, you must grant permission to view the SNMP objects by using the View Access Control Model (VACM). To grant permission, use the command:

CLI (network-admin@switch) > snmp-vacm-create user-name snmp-user user-name user-type [rouser|rwuser] oid-restrict oid-restrict-string [auth|no-auth] [priv|no-priv]


The parameter, oid-restrict, is an optional argument and specifies a MIB sub-tree with a restricted view. In other words, if you specify an OID, you can only see that OID and the descendants in the tree.


For example, you can use the snmp-vacm-create command to restrict a particular user, snmp-user, to a specified OID. To restrict access to the sysContact OID, use the command:


CLI (network-admin@switch) > snmp-vacm-create user-name snmp-user user-type rouser oid-restrict sysContact no-auth no-priv


To modify the VACM configuration of the user and to change no authentication to authentication, use the following command:


CLI (network-admin@switch) > snmp-vacm-modify user-name snmp-user user-type rouser auth


To display information about the VACM configuration, use the snmp-vacm-show command:


CLI (network-admin@switch) > snmp-vacm-show


user-type  user-name  oid-restrict  view  auth  priv
---------  ---------  ------------  ----  ----  ----
rouser     snmp-user  sysContact          no    no


To delete the VACM of the user from the SNMP configuration, use the snmp-vacm-delete command:


CLI (network-admin@switch) > snmp-vacm-delete user-name snmp-user