How to Configure SNMPv3 on HP/Aruba Switches – HP Networking Series Part 6

© Mishoo | Dreamstime.com - Network Hub Photo

© Mishoo | Dreamstime.com – Network Hub Photo

Configuring SNMPv3 can be a daunting task compared to earlier questions, just from the copious amount of authentication parameters compared to earlier SNMP versions. In this short primer I’ll walk you through the steps necessary to set it up to get the same functionality as earlier SNMP versions, but with real (at least compared to SNMPv2c) security.

First, we’ll need to enable SNMPv3 from the configuration context of the switch

Switch1# config
Switch1(config)# snmpv3 enable

After this the initialisation process starts. First we need to create a dummy user called “initial” for some reason unknown to me, so don’t worry about what password you set at this point.

SNMPv3 Initialization process.

Creating user 'initial'
Authentication Protocol: MD5
Enter authentication password: 12345678
Privacy protocol is DES
Enter privacy password: 12345678

'initial' has been created

After this it’ll ask you to create a second user, but I prefer to do it manually, so we’ll answer no. Then it asks you if you want to limit earlier versions of SNMP to read only access, which is kind of the whole point of this exercise so we’ll answer yes.

Would you like to create a user that uses SHA? [y/n] n
User creation is done. 
SNMPv3 is now functional.

Would you like to restrict SNMPv1 and SNMPv2c messages to have read only access (you can set this later by the command 'snmp restrict-access'): y

By typing the following command you can see that the initial user has been created.

Switch1(config)# show snmpv3 user

Status and Counters - SNMP v3 Global Configuration Information
User Name                        Auth. Protocol   Privacy Protocol
-------------------------------- ---------------- ----------------
initial                          MD5              CBC DES

Now we can create our ‘real’ user by issuing the following command. I’ve chosen to use SHA for authentication and AES-128 for encryption, but you can use MD5 and DES respectively if you like, but do keep in mind that these are inferior encryption suites.

Switch1(config)# snmpv3 user [username] auth sha [auth password] priv aes [priv password]

By typing the following command we can see that another user has been created, in my demo a user with the name snmpv3user. Note the improved cipher suites.

Switch1(config)# show snmpv3 user

Status and Counters - SNMP v3 Global Configuration Information
User Name                        Auth. Protocol   Privacy Protocol
-------------------------------- ---------------- ----------------
initial                          MD5              CBC DES
snmpv3user                       SHA              CFB AES-128

This is where most people run into problems. One could rightfully assume that the right user has been created with the right privileges, but so far we’ve only created two users without even the most basic privilege of logging in. Finish with the following commands to add the SNMPv3 user to a privileged group and remove the unnecessary ‘initial’ user.

Switch1(config)# snmpv3 group managerpriv user [username] sec-model ver3
Switch1(config)# no snmpv3 user initial

To take the last and final step towards better security, type the following commands to disable SNMPv1/v2:

Switch1(config)# snmpv3 only
Switch1(config)# snmpv3 restricted-access

After you’re finished, remember to save your configuration if it works.

Switch1(config)# write memory

Advertisements


Categories: Networks, Tech

Tags: , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: