SNMP - Version 3 security levels

SNMP - Simple Network Management Protocol is used primarily to monitor and manage devices on computer networks. There are several versions, with version 3 being the most recent iteration.

SNMPv3 supports both authentication and encryption and has a new security model that works with users, groups, and three different security levels. Users will be applied to a group and access policies will be applied to a group so that you can determine what groups have read or read-write access and which MIBs (Management Information Bases) they should be able to access.

The three security levels that SNMPv3 offers are:

NoAuthNoPriv - NoAuth means no cryptographic authentication. Credentials (username and password) are still used, but there is no cryptographic mechanism to verify the authenticity of the message. NoPriv means no privacy of the contents of the SNMP messages, meaning there is no encryption of the payload.

AuthNoPriv - Auth means there is cryptographic authentication. It uses MD5 or SHA for this purpose. The authentication mechanism is actually applied to the associated user using the snmp-server user command. The NoPriv remains in this security model as described above.

AuthPriv - As in the previous model, Auth means cryptographic authentication is employed.
Priv indicates that the whole SNMP packet is encrypted, which means if the packet is intercepted, it cannot be deciphered.

The security level is specified on a Cisco IOS device using the following command:

R1(config)#snmp-server group MYGROUP v3 ? auth group using the authNoPriv Security Level noauth group using the noAuthNoPriv Security Level priv group using SNMPv3 authPriv security level

Once the v3 keyword is used, it specifies SNMPv3, so you are then given the three options of the security level to use.

Once the security level is specified, the actual authentication and/or encryption is enabled and configured on the user. For example:

R1(config)#snmp-server user MYUSER MYGROUP v3 auth md5 MYPASS123 priv aes 128 MYKEY123

The above command configures a user, using MD5 for authentication, and using AES128 for encryption.


Links to this page: