How does SNMPv3 authentication work

In Auth mode, I understand the user's password won't be shared as plain text between the NMS and client for authentication. The password will be used to create a hash value which will then be shared with the other device for authentication. I couldn't find any good articles on how it actually performs that hashing authentication. I was curious to know more about that hashing mechanism when authenticating. Could you guide me in the right path?

Thanks

Accepted Solution

M02@rt37
VIP

Hello @Paheeradan Nagulan 

In SNMPv3 authentication mode (AuthPriv or AuthNoPriv), the authentication process ensures that the user's password is never transmitted in plaintext. Instead, a hashing mechanism is used to verify credentials securely.

This process starts with the user's password being combined with the SNMP Engine ID of the device performing authentication, ensuring uniqueness and preventing replay attacks. This combination is then hashed using HMAC-MD5 or HMAC-SHA to derive an authentication key. When an SNMP request is sent, a cryptographic hash known as the Message Authentication Code or "MAC" is generated using this authentication key, ensuring message integrity. The receiving SNMP device then derives the same key and recalculates the MAC for the received message. If the computed MAC matches the received one, authentication succeeds. 

Refer here for more details: RFC 3414

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


6 Replies


Hi M02@rt37 ,

Is that correct, the auth key is going to be unique since the SNMP Engine ID is different between devices (the auth key is generated by using the user's password and engine ID)? If so, since the auth key is different on the receiver's end, how could that create a DIGEST that will match the sender's Digest?

Hi M02@rt37, I missed the part that a request is sent from the client to the agent to get the Engine ID of the authenticator (in this case, the agent) before the client generates the auth key. It makes sense now. Cisco doesn't let me delete my own comment. Thank you so much for answering my question.
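The mechanism described in the accepted answer and the engine ID question above can be worked through end to end in a few lines. The following is an added example written for this thread, not code from the original posts or from Cisco; it implements the RFC 3414 steps directly: the password is stretched to 1 MB and hashed into Ku, Ku is localized to the authoritative engine's snmpEngineID (Kul = H(Ku || engineID || Ku)), and the message is authenticated with an HMAC truncated to 96 bits, computed with the msgAuthenticationParameters field zeroed. The engine IDs, header and payload bytes are constructed stand-ins for the BER-encoded SNMPv3 message (in a real message the MAC field sits inside msgSecurityParameters, so the header/MAC/payload split here is a simplification). The demo shows why the manager must first discover the agent's engine ID: both sides derive the same Kul independently, a different engine ID yields a different key and a failed check, and a tampered message is rejected.

```python
"""RFC 3414 (SNMPv3 USM) password-to-key, key localization and HMAC-xx-96
authentication, worked end to end. Added example for the thread above; not
code from the original posts. Engine IDs and message bytes are constructed."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576   # RFC 3414 A.2: the password is stretched to exactly 1 MB
MAC_LENGTH = 12          # HMAC-MD5-96 / HMAC-SHA-96 keep the first 96 bits


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Ku: hash of the password repeated to 1,048,576 octets (RFC 3414 A.2.1 / A.2.2).
    hash_name is "md5" for HMAC-MD5-96 or "sha1" for HMAC-SHA-96."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one authoritative engine,
    so a compromised key on one agent does not work against another."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def compute_mac(kul: bytes, hash_name: str, header: bytes, payload: bytes) -> bytes:
    """HMAC over wholeMsg with msgAuthenticationParameters set to 12 zero octets
    (RFC 3414 6.3.1 / 7.3.1), truncated to the first 12 octets."""
    whole_msg = header + bytes(MAC_LENGTH) + payload
    return hmac.new(kul, whole_msg, hash_name).digest()[:MAC_LENGTH]


def sign_message(kul: bytes, hash_name: str, header: bytes, payload: bytes) -> bytes:
    """Sender side: compute the MAC and place it where the zero octets were."""
    return header + compute_mac(kul, hash_name, header, payload) + payload


def verify_message(kul: bytes, hash_name: str, msg: bytes, header_len: int) -> bool:
    """Receiver side: pull the MAC out, recompute over the zeroed message, compare
    in constant time (RFC 3414 7.3.2)."""
    header = msg[:header_len]
    received_mac = msg[header_len:header_len + MAC_LENGTH]
    payload = msg[header_len + MAC_LENGTH:]
    expected = compute_mac(kul, hash_name, header, payload)
    return hmac.compare_digest(received_mac, expected)


def demo(hash_name: str = "sha1") -> dict:
    """Manager/agent exchange with constructed engine IDs and message bytes."""
    password = b"maplesyrup"
    agent_engine_id = bytes.fromhex("800000090300aabbccddeeff")  # constructed
    other_engine_id = bytes.fromhex("800000090300112233445566")  # constructed
    header = b"\x30\x2a\x02\x01\x03"   # constructed stand-in for the SNMPv3 header
    payload = b"get sysUpTime"         # constructed stand-in for the scoped PDU

    # Manager: Ku depends only on the password; after engine ID discovery it
    # localizes Ku to the agent's engine ID before signing.
    ku = password_to_key(password, hash_name)
    manager_kul = localize_key(ku, agent_engine_id, hash_name)
    msg = sign_message(manager_kul, hash_name, header, payload)

    # Agent: derives Kul from the same password and its own engine ID.
    # No key material ever crossed the wire.
    agent_kul = localize_key(password_to_key(password, hash_name), agent_engine_id, hash_name)
    # A different engine (or a manager that skipped discovery) ends up with another Kul.
    other_kul = localize_key(ku, other_engine_id, hash_name)

    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])   # flip one bit of the payload
    return {
        "same_key": manager_kul == agent_kul,
        "accepted_by_agent": verify_message(agent_kul, hash_name, msg, len(header)),
        "accepted_by_other_engine": verify_message(other_kul, hash_name, msg, len(header)),
        "tampered_accepted": verify_message(agent_kul, hash_name, tampered, len(header)),
    }


if __name__ == "__main__":
    print(demo("sha1"))
    print(demo("md5"))
```

Running the file prints `same_key` and `accepted_by_agent` as True and the other two as False for both algorithms. The key derivation can be checked against the RFC 3414 appendix A.3 vectors (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02). MD5 and SHA-1 are the two algorithms the original RFC defines; RFC 7860 adds the SHA-2 variants, which use the same password-to-key and localization steps but longer MAC truncation lengths, so only `MAC_LENGTH` and `hash_name` would change.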

You're so welcome @Paheeradan Nagulan 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

balaji.bandi
Hall of Fame

Sure, I agree there is no correct flow I can see from the Cisco point of view (nor have I come across one personally).

But when I was looking at the same question, I found that another vendor gives some information which can give an idea of how that works.

https://arista.my.site.com/AristaCommunity/s/article/SNMPV3-OVERVIEW-CONFIGURATION-TROUBLESHOOTING-GUIDE

(Apologies for cross-posting from other vendor docs here)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @balaji.bandi ,

That packet capture and the flow diagram on the link definitely give me a better understanding of SNMPv3. Thank you so much for sharing that link.