cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3897
Views
15
Helpful
2
Replies

SNMP v3 encryption and authentication

trane.m
Level 1
Level 1

Hi all,

I'm trying to understand the configurations of SNMP v3. From Cisco's "Software Configuration Guide" > Configuring Simple Network Management Protocol > Configuring SNMP Groups and Users, Step 5, in Purpose column:

"Enter the SNMP version number (v1 , v2c , or v3 ). If you enter v3 , you have these additional options:

  • encrypted specifies that the password appears in encrypted format. This keyword is available only when the v3 keyword is specified.

  • auth is an authentication level setting session that can be either the HMAC-MD5-96 (md5 ) or the HMAC-SHA-96 (sha ) authentication level and requires a password string auth-password (not to exceed 64 characters)."

First observation is that the encrypted parameter will encrypt the password, while the auth parameter will hash the password.

If i write encrypted i cannot choose which encryption algorithm is used. The only two choices i have is access to specify an access list and auth.

tranem_1-1670236476533.png

 

On the other hand, if i write auth as my first parameter, i can choose the authentication (hashing) algorithm as md5 or sha. My next two parameters are access again, and priv which lets me choose my encryption algorithm.

tranem_0-1670236446486.png

 Am i totally misunderstanding something or does this mean that you can only specify which encryption algorithm you want to use, if you also choose to hash it? And if you choose to hash it, you can always choose the authentication algorithm?

 

2 Accepted Solutions

Accepted Solutions

tvotna
Spotlight
Spotlight

Don't put "encrypted" into the command line. The system will add it automatically into the running-config to hash auth and priv passwords you entered. So, just do snmp-server user <user> <group> v3 auth sha <auth-password> priv aes 128 <encr-password>

View solution in original post

Marvin Rhoads
Hall of Fame
Hall of Fame

You can always choose both the hash and encryption algorithms with snmpv3.

The "encrypted" keyword means you are providing the snmp password already encrypted (an uncommon use case). As @tvotna noted, the snmpv3 password will be saved in secure form automatically (no matter how you provide it initially).

View solution in original post

2 Replies 2

tvotna
Spotlight
Spotlight

Don't put "encrypted" into the command line. The system will add it automatically into the running-config to hash auth and priv passwords you entered. So, just do snmp-server user <user> <group> v3 auth sha <auth-password> priv aes 128 <encr-password>

Marvin Rhoads
Hall of Fame
Hall of Fame

You can always choose both the hash and encryption algorithms with snmpv3.

The "encrypted" keyword means you are providing the snmp password already encrypted (an uncommon use case). As @tvotna noted, the snmpv3 password will be saved in secure form automatically (no matter how you provide it initially).

Review Cisco Networking for a $25 gift card