02-26-2025 10:12 AM
Hello all,
I'm trying to understand the localizedv2key option when configuring the snmp-server user command, i.e. "when" should I use it, or "how" to even use it?
From my research, a "localized key" refers to a user's password being combined with the SNMP engineID of the switch, resulting in an aptly named "local key" for each switch while still allowing the user to use a single password for every switch.
What I'm struggling with is understanding how that concept is used in the snmp-server user command with the parameter localizedv2key. When using this parameter, is one supposed to enter a password in hex format (preceded with 0x, e.g. 0xabc123)? If so, how does one generate this hex representation of your password?
My initial attempt was to create an SNMP user TEST with password testing1 using localizedv2key (also, there is no existing local TEST user on the box, so show run | i TEST returns nothing).
To create this new SNMP user TEST with the localizedv2key parameter, I converted the user's password testing1 to hex (74657374696e6731), and then very crudely tried to enter it (preceded with 0x) in my snmp-server user command for both auth and priv, but with no luck:
labnexus9ksw1(config)# snmp-server user TEST network-operator auth md5 0x74657374696e6731 priv 0x74657374696e6731 localizedv2key
decryptSalt for auth failed
warning: password for user:TEST not set. S/he may not be able to login
labnexus9ksw1(config)#
I feel like I'm missing something on what this localizedv2key parameter means, or when/how to use it? For example, how would I setup a user TEST with password testing1 using the localizedv2key parameter?
03-05-2025 01:51 AM
Hello @vv0bbLeS
The localizedv2key option in the snmp-server user command is indeed a bit tricky to understand and use. Let me break it down for you and clarify how it works, when to use it, and how to properly configure it.

What is localizedv2key?

The localizedv2key option is used when you want to directly specify the localized key (in hexadecimal format) for the SNMPv3 user instead of providing a plaintext password. Normally, when you configure an SNMPv3 user with a password, the device takes that password and combines it with the SNMP engine ID to generate a localized key. This localized key is what is actually used for authentication and encryption.

The localizedv2key option allows you to bypass the password-to-localized-key conversion process and directly provide the localized key in hexadecimal format. This is useful in scenarios where you already have the localized key (e.g., from another device or system) and want to use it directly.

When should you use localizedv2key?

You would use the localizedv2key option in the following scenarios:
- [...] localizedv2key.
- [...] localizedv2key to reapply the exact same keys.

How do you use localizedv2key?

To use the localizedv2key option, you need to:
- Use the snmp-server user command with the localizedv2key option and provide the localized key in hexadecimal format (prefixed with 0x).

Your attempt failed because you provided the plaintext password (testing1) in hexadecimal format (74657374696e6731) instead of the localized key. The localized key is not the same as the password in hexadecimal format; it is derived from the password and the SNMP engine ID.
HTH
AshSE
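The derivation the answer above describes ("derived from the password and the SNMP engine ID") is the standard SNMPv3 USM one from RFC 3414: the passphrase is stretched into a user key Ku, and Ku is then mixed with the engine ID to give the localized key Kul. The following script is an added example for this thread, not code from the poster, the answerer or Cisco. It implements that derivation for MD5 and SHA-1, checks itself against the known-answer vector printed in RFC 3414 appendix A.3, and then runs the thread's own case (password testing1) against a constructed, placeholder engine ID to show that the localized key is something quite different from 0x74657374696e6731. The engine ID used for testing1 is made up; the real one comes from show snmp engineID on the switch. Whether NX-OS accepts the raw RFC 3414 key as the 0x string after localizedv2key (as opposed to some further encoding of it) is not pinned down anywhere in this thread, so the 0x form here follows the answer's description and should be treated as an assumption.

```python
"""RFC 3414 (SNMPv3 USM) password-to-key and key localization.

Added example for this thread; not code from the forum answer or from Cisco.
It computes the localized key the answer describes: a hash of the passphrase
mixed with the engine ID, which is why the plain hex of "testing1" is not a key.
"""
import hashlib

# RFC 3414 A.2: the passphrase is repeated until exactly 1048576 bytes
# have been fed into the hash function.
RFC3414_STREAM_LEN = 1_048_576


def password_to_ku(password: bytes, hash_name: str = "md5") -> bytes:
    """Return Ku, the non-localized user key (RFC 3414 A.2.1 for MD5, A.2.2 for SHA-1)."""
    if not password:
        raise ValueError("passphrase must not be empty")
    reps = RFC3414_STREAM_LEN // len(password) + 1
    stream = (password * reps)[:RFC3414_STREAM_LEN]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """Return Kul = H(Ku || engineID || Ku), the key bound to one SNMP engine."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_key_hex(password: bytes, engine_id: bytes, hash_name: str = "md5") -> str:
    """Localized key as a 0x-prefixed hex string (the form the answer describes; assumed)."""
    kul = localize_key(password_to_ku(password, hash_name), engine_id, hash_name)
    return "0x" + kul.hex()


# Known-answer vector from RFC 3414 appendix A.3 (taken from the RFC itself).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# Constructed engine ID for the thread's "testing1" case. It is a placeholder
# in the Cisco-style layout (enterprise 9, MAC-based), not any real switch's ID;
# "show snmp engineID" prints the real value.
EXAMPLE_ENGINE_ID = bytes.fromhex("8000000903" + "0a0b0c0d0e0f")


def thread_example() -> dict:
    """Compare what the poster typed (hex of the password) with the real localized MD5 key."""
    pw = b"testing1"
    typed = "0x" + pw.hex()                       # 0x74657374696e6731, from the original post
    kul = localized_key_hex(pw, EXAMPLE_ENGINE_ID, "md5")
    return {
        "password_hex": typed,
        "localized_md5": kul,                     # 16-byte key tied to EXAMPLE_ENGINE_ID
        "same": typed == kul,                     # False: the two are different things
    }


if __name__ == "__main__":
    print("RFC 3414 MD5  Kul:", localized_key_hex(RFC_PASSWORD, RFC_ENGINE_ID, "md5"))
    print("RFC 3414 SHA1 Kul:", localized_key_hex(RFC_PASSWORD, RFC_ENGINE_ID, "sha1"))
    for name, value in thread_example().items():
        print(f"{name:14}: {value}")
```

Two practical consequences follow from the construction. Because the engine ID is hashed into Kul, the same passphrase yields a different localized key on every switch, so a key copied from one box is only valid on a box with the identical engine ID (which is what makes the "reapply the exact same keys" scenario work, and what makes a 0x value from another switch useless). And because Kul is a hash output, it cannot be turned back into the passphrase, which is why the later posts note that NX-OS does not synchronize a localized-key user into the AAA user database.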
06-04-2025 10:19 AM
A wonderful answer, thank you. As a follow-up question, if changes are made to the "auth md5 xxxx" and "priv xxxx" values, does this have any bearing on the corresponding password for an equivalent local user (and vice versa)?
The reason I'm unsure about this is that I see mention of it in the NX-OS System Management Guide v10.4:
The authentication passphrase specified in the snmp-server user command becomes the password for the CLI user
06-04-2025 11:38 AM - edited 06-04-2025 11:43 AM
@j.a.m.e.s from what I understand, by default, NXOS will sync AAA users (local users on the switch) and SNMPv3 users on the switch. So, if you create a local AAA user, NXOS by default will create an SNMPv3 user for you (with the same password as the local user). And vice versa, if you create an SNMPv3 user, NXOS by default will create a local user for you (with the same password as the SNMPv3 user).
As far as updates to the users go, per the below link, any configuration changes made to the user group, role, or password results in database synchronization for both SNMP and AAA.
However, the below link also states that when you configure a passphrase/password in localized key/encrypted format, Cisco NX-OS does not synchronize the user information (passwords, roles, and so on).
For me, this AAA-SNMPv3 user synchronization is not desirable, as we run commands to separately create our local users and snmpv3 users (which are not the same, i.e. we have users for AAA (local login) and we have separate users for doing SNMPv3). So, on my NXOS switches, I run the snmp-server disable snmp-aaa sync command to turn this AAA-SNMPv3 user synchronization off.
06-05-2025 01:45 AM - edited 06-05-2025 03:36 AM
Thank you, I had missed that nuance around the localizedkey/localizedV2key allowing separate passwords for SNMPv3 and the local AAA userDB.
Just a follow-on query about snmp-server disable snmp-aaa sync. We generally cycle local AAA passwords on a regular basis automatically, so would this command mean that we would need the password-rotation tool to be implementing an update to the snmp-server user command at the same time? Presumably this would also be the case if we use localizedkey/localizedV2key?
06-05-2025 06:22 AM
@j.a.m.e.s yes if you disable the snmp-aaa sync, you would need to update the aaa user and snmp user passwords separately.
Also, to be clear, the snmp-aaa sync happens by default, regardless of whether you use the localizedkey/localizedV2key or not.