https://community.cisco.com/t5/network-security/snmp-v3-encryption-and-authentication/m-p/4732534#M1095633 <P>You can always choose both the hash and encryption algorithms with snmpv3.</P> <P>The "encrypted" keyword means you are providing the snmp password already encrypted (an uncommon use case). As <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1342399">@tvotna</a> noted, the snmpv3 password will be saved in secure form automatically (no matter how you provide it initially).</P> Mon, 05 Dec 2022 12:41:22 GMT Marvin Rhoads 2022-12-05T12:41:22Z https://community.cisco.com/t5/network-security/snmp-v3-encryption-and-authentication/m-p/4732446#M1095627 <P>Hi all,</P><P>I'm trying to understand the configurations of SNMP v3. From Cisco's "Software Configuration Guide" &gt; Configuring Simple Network Management Protocol &gt; Configuring SNMP Groups and Users, Step 5, in Purpose column:</P><P class="">"<EM>Enter the SNMP version number (<SPAN class=""><SPAN class="">v1</SPAN> </SPAN>, <SPAN class=""><SPAN class="">v2c</SPAN> </SPAN>, or <SPAN class=""><SPAN class="">v3</SPAN> </SPAN>). If you enter <SPAN class=""><SPAN class="">v3</SPAN> </SPAN>, you have these additional options:</EM></P><UL><LI><P class=""><EM><STRONG><SPAN class=""><SPAN class="">encrypted</SPAN> </SPAN></STRONG>specifies that the password appears in encrypted format. This keyword is available only when the <SPAN class=""><SPAN class="">v3</SPAN> </SPAN>keyword is specified.</EM></P></LI><LI><P class=""><EM><STRONG><SPAN class=""><SPAN class="">auth</SPAN> </SPAN></STRONG>is an authentication level setting session that can be either the HMAC-MD5-96 (<SPAN class=""><SPAN class="">md5</SPAN> </SPAN>) or the HMAC-SHA-96 (<SPAN class=""><SPAN class="">sha</SPAN> </SPAN>) authentication level and requires a password string <SPAN class="">auth-password </SPAN>(not to exceed 64 characters).</EM>"</P></LI></UL><P>First observation is that the <STRONG>encrypted</STRONG> parameter will encrypt the password, while the <STRONG>auth</STRONG> parameter will hash the password.</P><P>If i write <STRONG>encrypted</STRONG> i cannot choose which encryption algorithm is used. The only two choices i have is <STRONG>access</STRONG> to specify an access list and <STRONG>auth</STRONG>.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tranem_1-1670236476533.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/169889i75706CD8D6CD56A3/image-size/medium?v=v2&amp;px=400" role="button" title="tranem_1-1670236476533.png" alt="tranem_1-1670236476533.png" /></span></P><P>&nbsp;</P><P>On the other hand, if i write <STRONG>auth </STRONG>as my first parameter, i can choose the authentication (hashing) algorithm as <STRONG>md5</STRONG> or <STRONG>sha</STRONG>. My next two parameters are <STRONG>access</STRONG> again, and <STRONG>priv</STRONG> which lets me choose my encryption algorithm.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tranem_0-1670236446486.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/169888iCF525689FD5F4F76/image-size/medium?v=v2&amp;px=400" role="button" title="tranem_0-1670236446486.png" alt="tranem_0-1670236446486.png" /></span></P><P>&nbsp;Am i totally misunderstanding something or does this mean that you can only specify which encryption algorithm you want to use, if you also choose to hash it? And if you choose to hash it, you can always choose the authentication algorithm?</P><P>&nbsp;</P> Mon, 05 Dec 2022 10:36:55 GMT https://community.cisco.com/t5/network-security/snmp-v3-encryption-and-authentication/m-p/4732446#M1095627 trane.m 2022-12-05T10:36:55Z https://community.cisco.com/t5/network-security/snmp-v3-encryption-and-authentication/m-p/4732457#M1095628 <P>Don't put "encrypted" into the command line. The system will add it automatically into the running-config to hash auth and priv passwords you entered. So, just do snmp-server user &lt;user&gt; &lt;group&gt; v3 auth sha &lt;auth-password&gt; priv aes 128 &lt;encr-password&gt;</P> Mon, 05 Dec 2022 11:00:02 GMT https://community.cisco.com/t5/network-security/snmp-v3-encryption-and-authentication/m-p/4732457#M1095628 tvotna 2022-12-05T11:00:02Z https://community.cisco.com/t5/network-security/snmp-v3-encryption-and-authentication/m-p/4732534#M1095633 <P>You can always choose both the hash and encryption algorithms with snmpv3.</P> <P>The "encrypted" keyword means you are providing the snmp password already encrypted (an uncommon use case). As <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1342399">@tvotna</a> noted, the snmpv3 password will be saved in secure form automatically (no matter how you provide it initially).</P> Mon, 05 Dec 2022 12:41:22 GMT https://community.cisco.com/t5/network-security/snmp-v3-encryption-and-authentication/m-p/4732534#M1095633 Marvin Rhoads 2022-12-05T12:41:22Z