Creating SNMP Users on SNMPv3

The SNMPv3 protocol supports the creation of users and optionally allows the use of authentication and encryption. NetVisor OS supports SHA or MD5 as authentication protocols and DES as the encryption algorithm. The default authentication protocol is SHA; however, NetVisor allows you to change the authentication protocol to MD5 by using the CLI.

  • You can also create a user without providing the authentication and privilege password options. For example:

CLI (network-admin@switch) > snmp-user-create user-name name-string auth priv

  • To create a user by providing the authentication and privilege passwords for encryption, use the following command. You must provide a password for authentication (auth-password) and encryption (priv-password):

CLI (network-admin@switch) > snmp-user-create user-name user-name-string auth-password auth-password-string [auth|no-auth] [auth-hash md5|sha] priv-password priv-password-string [priv|no-priv]

  • To create the user, pluribus, with an authentication password and authentication hash as SHA1, use the following command:

CLI (network-admin@switch) > snmp-user-create user-name pluribus auth auth-hash sha

auth password: ********

confirm password: ********

The password should have at least eight (8) characters and can be a combination of letters, numbers, and special characters. 

  • To modify the SNMP user and add privilege with a password, use the following command:

CLI (network-admin@switch) > snmp-user-modify user-name pluribus auth-password auth priv-password priv

auth password: ********

confirm password: ********

priv password: ********

confirm password: ********

To display information about the SNMP user created earlier, use the following command:

CLI (network-admin@switch) > snmp-user-show user-name pluribus

user-name auth auth-hash priv
--------- ---- --------- ----
pluribus  yes  sha       yes

  • To create another user named pluribus2 with MD5 as the authentication hash, use the following command:

CLI (network-admin@switch) > snmp-user-create user-name pluribus2 auth auth-password priv priv-password auth-hash md5

auth password:********

confirm auth password:********

priv password:********

confirm priv password:********

To display the details, use the following command:

CLI (network-admin@switch) > snmp-user-show

switch  user-name   auth auth-hash priv
------- ----------- ---- --------- ----
switch  pluribus1   yes  sha       yes
switch  pluribus2   yes  md5       yes

  • To delete the SNMP user, use the snmp-user-delete command:

CLI (network-admin@switch) > snmp-user-delete user-name

  • After you create the SNMP user, you must grant permission to view the SNMP objects by using the View-based Access Control Model (VACM). To grant permission, use the command:

CLI (network-admin@switch) > snmp-vacm-create user-name snmp-user user-type [rouser|rwuser] oid-restrict oid-restrict-string [auth|no-auth] [priv|no-priv]

The oid-restrict parameter is optional and specifies a MIB sub-tree with a restricted view. In other words, if you specify an OID, the user can see only that OID and its descendants in the tree.

  • You can use the snmp-vacm-create command to restrict a particular user, snmp-user, to a specified OID. For example, to restrict access to the sysContact OID, use the command:

CLI (network-admin@switch) > snmp-vacm-create user-name snmp-user user-type rouser oid-restrict sysContact no-auth no-priv

Note: Create the SNMP users before enabling the SNMP traps. If the SNMP traps were already enabled before the users were created, disable the traps, create the users, and then re-enable the traps.

  • To modify the VACM configuration of the user and to change from no authentication to authentication, use the following command:

CLI (network-admin@switch) > snmp-vacm-modify user-name snmp-user user-type rouser auth

To display information about the VACM configuration, use the snmp-vacm-show command:

CLI (network-admin@switch) > snmp-vacm-show

user-type user-name oid-restrict view auth priv
--------- --------- ------------ ---- ---- ----
rouser    snmp-user sysContact        no   no

  • To delete the VACM of the user from the SNMP configuration, use the snmp-vacm-delete command:

CLI (network-admin@switch) > snmp-vacm-delete user-name snmp-user