01-26-2010 12:23 AM
Hi,
Actually, I am trying to implement SNMPv3 on Cisco routers and switches to manage and monitor these devices in a more secure manner using an NMS called Orion (NPM) Network Performance Monitor.
When I try to add the node on Orion (NPM), it shows me an error that the device does not support the interfaces MIB.
The routers' IOS version and feature set are as under:
Cisco 3800 & 2800 (IOS version 12.4(20)T2 Advance IP Services).
Configuration as under:
snmp-server DEPT_GRP V3 auth context DEPT_CTX read DEPT_VIEW
snmp-server view DEPT_VIEW iso included
snmp-server view DEPT_VIEW internet included
snmp-server view DEPT_VIEW interfaces included
snmp-server view DEPT_VIEW system included
snmp-server view DEPT_VIEW chassis included
snmp-server context DEPT_CTX
snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
snmp-server host 213.42.48.158 version 3 auth SNMPADMIN
At Orion, the parameters are given as under:
username :- SNMPADMIN
SNMPv3 context :- DEPT_CTX
SNMPv3 Authentication :- SHA1
SNMPv3 Privacy/Encryption :- DES56
Password Key :- cisco123 (all the places)
Kindly help me out and advise me where I am going wrong. Kindly check whether anything is missing in the SNMPv3 configuration above.
Rgds,
Ayaz Ali
01-26-2010 03:56 PM
First, get rid of the context. It's not needed. Leave that field blank in Orion. Second, I'd get rid of this view, as it is insecure. Instead, use the built-in "v1default" view:
snmp-server group DEPT_GRP v3 auth read v1default
snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
That config alone should allow you to poll the device.
01-26-2010 10:37 PM
Hi Joe,
Thanks for your response. As per your reply, I removed the context and views which were configured earlier on the router and followed the instructions you mentioned in your reply, but I would like to tell you one thing about the configuration that I did for SNMP v3.
Your configuration is :-
snmp-server group DEPT_GRP v3 auth read v1default
snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
My Configuration is :-
snmp-server group DEPT_GRP v3 priv read v1default
snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
In your configuration, you are using authentication (auth) for the SNMP v3 group, and if you select the auth keyword then you have to provide only an authentication method (SHA, MD5), no privacy keys for encryption (DES, AES), in the snmp user configuration; otherwise it will give you an error that the credentials do not match on the host when you try to poll the device.
In my configuration, I am using privacy (priv) for the SNMP v3 group; that's why I have given both authentication and encryption keys under the SNMP user configuration.
In short, user settings are dependent on the group settings: if you are using auth then it only supports authentication but no privacy, and if you are using priv then it allows both authentication and encryption (privacy).
Thanks for your support, it really helped me out in solving the issue. Now I am able to poll all my routers using SNMP v3.
Rgds,
Ayaz Ali
01-26-2010 10:46 PM
Yes, that was a typo. I meant to use the priv keyword for the group. Without it, the user configuration is invalid.
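An added example, not part of any post in this thread: a small Python check for the mismatch the thread settles on, where the security-level keyword on the `snmp-server group` line and the credentials on the `snmp-server user` line disagree. It takes the thread's conclusion (the two levels must match) as its rule; the function names and the sample text are constructed for illustration.

```python
import re

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3\b(.*)$")

def user_level(tokens):
    """Security level implied by the credentials on a 'snmp-server user' line."""
    if tokens[:1] == ["encrypted"]:      # keys supplied as digests
        tokens = tokens[1:]
    if tokens[:1] != ["auth"]:
        return "noauth"
    # Positional layout: auth <md5|sha> <password> [priv <algorithm...> <password>]
    # Checked by position so a password equal to "priv" is not misread.
    return "priv" if tokens[3:4] == ["priv"] else "auth"

def audit(config):
    """Return (user, group, finding) for every SNMPv3 user in the text."""
    lines = [ln.strip() for ln in config.splitlines()]
    groups = {}
    for ln in lines:
        m = GROUP_RE.match(ln)
        if m:
            groups[m.group(1)] = m.group(2)   # simplification: last level wins
    findings = []
    for ln in lines:
        m = USER_RE.match(ln)
        if not m:
            continue
        user, group = m.group(1), m.group(2)
        have = user_level(m.group(3).split())
        want = groups.get(group)
        if want is None:
            finding = "group not defined"
        elif want != have:
            finding = f"mismatch: group level {want}, user credentials {have}"
        else:
            finding = "ok"
        findings.append((user, group, finding))
    return findings

# Constructed input: the two group lines compared in the thread.
AS_FIRST_POSTED = """\
snmp-server group DEPT_GRP v3 auth read v1default
snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
"""
AS_CORRECTED = AS_FIRST_POSTED.replace("v3 auth read", "v3 priv read")

if __name__ == "__main__":
    for name, cfg in (("first posted", AS_FIRST_POSTED), ("corrected", AS_CORRECTED)):
        print(name, audit(cfg))
```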