Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3469
Views
0
Helpful
4
Replies

SNMP User can't be deployed. Error: AES is not enabled

itguy1024
Level 1
Level 1

‎09-11-2018 10:20 AM

I am getting this fault in UCSM.

 

SNMP User can't be deployed. Error: AES is not enabled

0 Helpful
4 Replies 4

Kirk J
Cisco Employee
Cisco Employee

‎09-11-2018 10:32 AM

Greetings.

Suspect you may have FIPS and MD5 auth at play.

-Cisco UCS Manager Release 3.2(3) and later releases do not support MD5 authentication if SNMPv3 is in Federal Information Processing Standards (FIPS) mode. As a result, any existing or new SNMPv3 users with MD5 authentication will not be deployed with these releases and the following fault message will be generated: "SNMP User testuser can't be deployed. Error: MD5 auth is not supported" on UCS manager.

To deploy such a user, change the authentication type to SHA.

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/CiscoUCSManager-RN-3-2.html

 

Thanks,

Kirk...

 

0 Helpful

itguy1024
Level 1
Level 1
In response to Kirk J

‎09-13-2018 04:39 AM

@Kirk J wrote:

To deploy such a user, change the authentication type to SHA.

 

I'm not seeing that option, where is it?

0 Helpful

Kirk J
Cisco Employee
Cisco Employee
In response to itguy1024

‎09-13-2018 01:43 PM

snmp-sha.JPG

 

0 Helpful

sbhadrav@cisco.com
Level 5
Level 5

‎12-13-2018 06:50 PM

SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. The security model combines with the selected security level to determine the security mechanism applied when the SNMP message is processed.

The security level determines the privileges required to view the message associated with an SNMP trap. The privilege level determines whether the message requires protection from disclosure or whether the message is authenticated. The supported security level depends on which security model is implemented. SNMP security levels support one or more of the following privileges:

noAuthNoPriv—No authentication or encryption

authNoPriv—Authentication but no encryption

authPriv—Authentication and encryption

SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.
Cisco UCS uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms with RFC 3826.

The privacy password, or priv option, offers a choice of DES or 128-bit AES encryption for SNMP security encryption. If you enable AES-128 configuration and include a privacy password for an SNMPv3 user, Cisco UCS Manager uses the privacy password to generate a 128-bit AES key. The AES privacy password can have a minimum of eight characters. If the passphrases are specified in clear text, you can specify a maximum of 64 characters.

Cisco UCS Manager Release 3.2(3) and later releases do not support SNMPv3 users without AES encryption. Hence, any existing or newly created SNMPv3 users without AES encryption will not be deployed with these releases, and the following fault message will appear:


Major     F1036    2018-02-01T14:36:32.995     99095 SNMP User testuser can't be
deployed. Error: AES is not enabled
To deploy such a user, enable AES-128 encryption.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Review Cisco Networking for a $25 gift card