Creating SNMP Users on SNMPv3
The SNMPv3 protocol supports the creation of users and optionally supports authentication and encryption. Netvisor ONE supports SHA or MD5 as authentication protocols and DES as the encryption algorithm. The default authentication protocol is SHA; however, Netvisor ONE allows you to change the authentication protocol to MD5 by using the CLI.
- You can create a user without providing the authentication and privilege password options. For example:
CLI (network-admin@switch) > snmp-user-create user-name name-string auth priv
- To create a user by providing the authentication and privilege passwords for encryption, use the following command. You must provide a password for authentication (auth-password) and encryption (priv-password):
CLI (network-admin@switch) > snmp-user-create user-name user-name-string auth-password auth-password-string [auth|no-auth] [auth-hash md5|sha] priv-password priv-password-string [priv|no-priv]
- To create the user pluribus with an authentication password and SHA1 as the authentication hash, use the following command:
CLI (network-admin@switch) > snmp-user-create user-name pluribus auth auth-hash sha
auth password: ********
confirm password: ********
The password should have at least eight (8) characters and can be a combination of letters, numbers, and special characters.
- To modify the SNMP user and add privilege with a password, use the following command:
CLI (network-admin@switch) > snmp-user-modify user-name pluribus auth-password auth priv-password priv
auth password: ********
confirm password: ********
priv password: ********
confirm password: ********
To display information about the SNMP user created earlier, use the following command:
CLI (network-admin@switch) > snmp-user-show user-name pluribus
user-name auth auth-hash priv
--------- ---- --------- ----
pluribus  yes  sha       yes
- Create another user with the user name pluribus2 and MD5 as the authentication hash:
CLI (network-admin@switch) > snmp-user-create user-name pluribus2 auth auth-password priv priv-password auth-hash md5
auth password:********
confirm auth password:********
priv password:********
confirm priv password:********
To display the details, use the following command:
CLI (network-admin@switch) > snmp-user-show
switch  user-name   auth auth-hash priv
------- ----------- ---- --------- ----
switch  pluribus1   yes  sha       yes
switch  pluribus2   yes  md5       yes
- To delete the SNMP user, use the snmp-user-delete command:
CLI (network-admin@switch) > snmp-user-delete user-name
- After you create the SNMP user, you must grant permission to view the SNMP objects by using the View Access Control Model (VACM). To grant permission, use the command:
CLI (network-admin@switch) > snmp-vacm-create user-name snmp-user user-type [rouser|rwuser] oid-restrict oid-restrict-string [auth|no-auth] [priv|no-priv]
The oid-restrict parameter is optional and specifies a MIB sub-tree with a restricted view. In other words, if you specify an OID, the user can see only that OID and its descendants in the tree.
- The snmp-vacm-create command can restrict the view of a particular user, snmp-user, to a specified OID. For example, to restrict access to the sysContact OID, use the command:
CLI (network-admin@switch) > snmp-vacm-create user-name snmp-user user-type rouser oid-restrict sysContact no-auth no-priv
- To modify the VACM configuration of the user and to change from no authentication to authentication, use the following command:
CLI (network-admin@switch) > snmp-vacm-modify user-name snmp-user user-type rouser auth
To display information about the VACM configuration, use the snmp-vacm-show command:
CLI (network-admin@switch) > snmp-vacm-show
user-type user-name oid-restrict view auth priv
--------- --------- ------------ ---- ---- ----
rouser    snmp-user sysContact        no   no
- To delete the VACM of the user from the SNMP configuration, use the snmp-vacm-delete command:
CLI (network-admin@switch) > snmp-vacm-delete user-name snmp-user
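An added example, not part of the Netvisor ONE documentation: a Python audit of saved snmp-user-show and snmp-vacm-show output that flags MD5 users, users without auth or priv, and VACM entries that permit access without auth or priv. The sample tables are constructed, the parser assumes the CLI aligns each value under the dashed ruler, and the rwuser check is this example's own policy.

```python
import re

# Constructed sample output, laid out like the snmp-user-show and
# snmp-vacm-show tables on this page (values are illustrative).
USER_SHOW = """\
switch  user-name auth auth-hash priv
------- --------- ---- --------- ----
switch  pluribus1 yes  sha       yes
switch  pluribus2 yes  md5       yes
switch  monitor   no   sha       no
"""
VACM_SHOW = """\
user-type user-name oid-restrict view auth priv
--------- --------- ------------ ---- ---- ----
rouser    snmp-user sysContact        no   no
rwuser    pluribus1                   yes  yes
"""

def parse_table(text):
    """Split rows on the column spans of the dashed ruler, so empty cells survive."""
    lines = [l for l in text.splitlines() if l.strip()]
    ruler = next(i for i, l in enumerate(lines) if set(l.strip()) <= set("- "))
    spans = [m.span() for m in re.finditer(r"-+", lines[ruler])]
    # The last column runs to end of line in case a value is wider than its ruler.
    spans[-1] = (spans[-1][0], None)
    cut = lambda line: [line[a:b].strip() for a, b in spans]
    header = cut(lines[ruler - 1])
    return [dict(zip(header, cut(l))) for l in lines[ruler + 1:]]

def audit(user_show, vacm_show):
    """Return (user-name, finding) pairs for weak SNMPv3 settings."""
    findings = []
    for u in parse_table(user_show):
        if u["auth"] != "yes":
            findings.append((u["user-name"], "user has no authentication"))
        elif u["auth-hash"] == "md5":
            findings.append((u["user-name"], "MD5 authentication hash"))
        if u["priv"] != "yes":
            findings.append((u["user-name"], "user has no encryption (priv)"))
    for v in parse_table(vacm_show):
        if v["auth"] != "yes" or v["priv"] != "yes":
            findings.append((v["user-name"], "VACM entry allows access without auth/priv"))
        if v["user-type"] == "rwuser" and not v["oid-restrict"]:
            findings.append((v["user-name"], "rwuser with no oid-restrict"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(USER_SHOW, VACM_SHOW):
        print(f"{name}: {finding}")
```

Splitting on the ruler rather than on whitespace is what keeps the empty view column from shifting the auth and priv values one column to the left.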