
SNMP v3 - need help with credentials

I have looked through the Admin guide and the often referenced Cisco doc on SNMP v3.  I have gone through the many posts on it as well.  So I am starting to think I am doing something uniquely dumb.

Below is my Cisco switch config, I know there is some overlap on the views but I just kept getting broader to try and fix the problem.  In NPM it says credentials fail, however when I use the SNMP Tester tool in the engineer toolset I get a more specific error.

ERROR:   SNMPv3 - Unsupported Security Level - Either the requested MIB is not readable for this username, or this username requires a higher level of authentication / encryption.

Cisco SNMP config:

snmp-server group GROUPNAME v3 auth read view_all write view_all access 6

snmp-server view view_all iso included

snmp-server view view_all internet included

snmp-server view view_all system included

snmp-server view view_all interfaces included

snmp-server view view_all chassis included

snmp-server community public RO 5

snmp-server host 10.27.28.5 public

The last 2 lines are there so I can still monitor the switch while I figure this out.

I used this to config the user:

snmp-user USERNAME GROUPNAME v3 auth md5 PASSWORD access 6

 

Help please!

 

  • RNEWMARK,

    Below is the template we use for SNMPv3.  I've listed comments below the configuration.  Enter your own information/passwords in the bracketed sections and be sure to remove the brackets.

    no snmp-server system-shutdown
    no snmp-server trap-timeout 180
    snmp-server packetsize 1400
    snmp-server queue-length 20
    !
    snmp-server contact [ENTER CONTACT NAME & PHONE # HERE]
    !
    snmp-server view MGMTview interfaces included
    snmp-server view MGMTview internet included
    snmp-server view MGMTview chassis included
    snmp-server view MGMTview system included
    snmp-server view MGMTview mib-2 included
    snmp-server ifindex persist
    !
    snmp-server group READgroup v3 auth read MGMTview
    snmp-server group WRITEgroup v3 auth write MGMTview
    !
    ! NO ENCRYPTION
    snmp-server user HQNNM READgroup v3 auth sha [ENTER READ-ONLY AUTHENTICATION PASSWORD] access 1
    snmp-server user HQMGMT WRITEgroup v3 auth sha [ENTER READ-WRITE AUTHENTICATION PASSWORD] access 2
    !
    ! DES56
    snmp-server user HQNNM READgroup v3 auth sha [ENTER READ-ONLY AUTHENTICATION PASSWORD] priv des56 [ENTER READ-ONLY ENCRYPTION PASSWORD] access 1
    snmp-server user HQMGMT WRITEgroup v3 auth sha [ENTER READ-WRITE AUTHENTICATION PASSWORD] priv des56 [ENTER READ-WRITE ENCRYPTION PASSWORD] access 2
    !
    ! AES
    snmp-server user HQNNM READgroup v3 auth sha [ENTER READ-ONLY AUTHENTICATION PASSWORD] priv aes 128 [ENTER READ-ONLY ENCRYPTION PASSWORD] access 1
    snmp-server user HQMGMT WRITEgroup v3 auth sha [ENTER READ-WRITE AUTHENTICATION PASSWORD] priv aes 128 [ENTER READ-WRITE ENCRYPTION PASSWORD] access 2
    !
    !
    no access-list 1
    access-list 1 remark "SNMP: READGroup access"
    access-list 1 permit host XXX.XXX.XXX.XXX
    access-list 1 deny any log

    no access-list 2
    access-list 2 remark "SNMP: WRITEGroup access"
    access-list 2 permit host XXX.XXX.XXX.XXX
    access-list 2 deny any log

    In this configuration the users are HQNNM or HQMGMT depending on whether they get READ or WRITE access.  In your Orion, these will be in the User Name field for SNMPv3.  We don't use context.  Our devices have 1 Authentication method which is SHA for standardization and 3 different Authentication methods depending on the IOS loaded.  Our goal is for all devices to run AES.  We use 20 character randomly generated passwords for our authentication and encryption passwords.  In the Orion credential manager, based on the configuration above we have 4 different credentials loaded.

    HQ READ DES56
    HQ WRITE DES56
    HQ READ AES128
    HQ WRITE AES128

    Before running the script above on the device, you can see what encryption the device will support by running this command in config mode: snmp-server user HQNNM READgroup v3 auth sha testpassword priv ?

    We run the complete template above so the highest supported level of encryption will be applied because many times we are not applying the template ourselves.  To troubleshoot devices that do not test out OK in Orion, use the following command in Global mode on the device:
    sh snmp user

    That command will show you how the device is configured.  All you'll need to do is select the appropriate credential.  If you have verified the credential is correct then verify your ACL.  You can do this by telnetting/sshing from your Orion server to the device and running a who on the device once you are logged in to confirm the IP.  Many times we are using NATed Orion IPs so be sure to include those in your ACL.  If the device doesn't accept any encryption, we usually use one of the 4 credentials above and blank the encryption password and set encryption to none.  You could create a separate credential for that if you wish though.  We also just created one view and use it for both READ & WRITE access.  I've also included our SNMP ACLs.  Tailor as necessary.

    Hope this helps.

    Regards,

    Rob
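
An added example, not part of Rob's post and not the code of any vendor tool: an offline check over the kinds of `snmp-server` lines posted in this thread. It flags a user whose security level is below the group's minimum, MD5/DES-family algorithms, a v1/v2c community left configured, and `access` references to ACLs missing from the supplied text. The function names, sample passwords, ACL host address and the `priv`-level group are assumptions made for the illustration.

```python
LEVEL = {"noauth": 0, "auth": 1, "priv": 2}
LEGACY = {"md5", "des", "des56"}  # algorithms this check treats as legacy

# Constructed inputs: passwords, the ACL host and the priv-level group are made up.
QUESTION_CFG = """\
snmp-server group GROUPNAME v3 auth read view_all write view_all access 6
snmp-server community public RO 5
snmp-server user USERNAME GROUPNAME v3 auth md5 EXAMPLE-AUTH-PW access 6
"""
PRIV_GROUP_CFG = """\
snmp-server group READgroup v3 priv read MGMTview access 1
snmp-server user HQNNM READgroup v3 auth sha EXAMPLE-AUTH-PW access 1
access-list 1 permit host 192.0.2.10
access-list 1 deny any log
"""

def after(tokens, word):
    """Token following keyword `word`, or None when the keyword is absent."""
    return tokens[tokens.index(word) + 1] if word in tokens[:-1] else None

def lint_snmp(config):
    """Return findings for IOS-style SNMPv3 group/user/ACL lines."""
    groups, users, acls, refs, out = {}, [], set(), [], []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:3] in (["permit"], ["deny"]):
            acls.add(t[1])
        elif t[:2] == ["snmp-server", "community"] and len(t) > 2:
            out.append(f"community {t[2]}: SNMPv1/v2c access is still configured")
        elif t[:2] == ["snmp-server", "group"] and "v3" in t[3:-1]:
            groups[t[2]] = after(t, "v3")
            refs.append((f"group {t[2]}", after(t, "access")))
        elif t[:2] == ["snmp-server", "user"] and "v3" in t[4:]:
            users.append((t[2], t[3], after(t, "auth"), after(t, "priv")))
            refs.append((f"user {t[2]}", after(t, "access")))
    for name, group, auth, priv in users:
        have = "priv" if priv else "auth" if auth else "noauth"
        if group not in groups:
            out.append(f"user {name}: group {group} is not defined")
        elif LEVEL[have] < LEVEL.get(groups[group], 0):
            out.append(f"user {name}: level {have} is below group minimum {groups[group]}")
        out += [f"user {name}: legacy algorithm {a}" for a in (auth, priv) if a in LEGACY]
    for owner, acl in refs:
        if acl and acl not in acls:
            out.append(f"{owner}: access-list {acl} is not defined in this config")
    return out
```

An ACL reported as undefined may simply live elsewhere in the running configuration; the finding is a prompt to confirm that it permits the poller's source address, including any NATed address.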

  • Hello Rob,

    When you defined your views, internet includes mib-2 which includes system, interfaces, so why did you define mib-2, system and interfaces?

    Regards,

    Lionel.
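
An added example, not written by any poster in this thread: the subtree overlap raised above, checked mechanically. It reduces each view to the included subtrees that no other entry already covers, then reports what each group's write view really spans. It assumes only `included` entries (any `excluded` line is ignored), and the function names are hypothetical.

```python
# Standard SMI / MIB-II / OLD-CISCO-CHASSIS-MIB OIDs for the names in this thread.
OIDS = {
    "iso": (1,), "internet": (1, 3, 6, 1), "mib-2": (1, 3, 6, 1, 2, 1),
    "system": (1, 3, 6, 1, 2, 1, 1), "interfaces": (1, 3, 6, 1, 2, 1, 2),
    "chassis": (1, 3, 6, 1, 4, 1, 9, 3, 6),
}
# View and group lines copied from the two configurations posted above.
THREAD_CFG = """\
snmp-server group GROUPNAME v3 auth read view_all write view_all access 6
snmp-server view view_all iso included
snmp-server view view_all internet included
snmp-server view view_all system included
snmp-server view view_all interfaces included
snmp-server view view_all chassis included
snmp-server view MGMTview interfaces included
snmp-server view MGMTview internet included
snmp-server view MGMTview chassis included
snmp-server view MGMTview system included
snmp-server view MGMTview mib-2 included
snmp-server group READgroup v3 auth read MGMTview
snmp-server group WRITEgroup v3 auth write MGMTview
"""

def covers(parent, child):
    """True when `child` lies strictly inside the subtree rooted at `parent`."""
    return len(parent) < len(child) and child[:len(parent)] == parent

def effective_roots(config):
    """Map each view to its included subtrees that no other entry already covers."""
    views = {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["snmp-server", "view"] and t[4:5] == ["included"]:
            views.setdefault(t[2], []).append(t[3])
    roots = {}
    for view, names in views.items():
        known = [OIDS[n] for n in names if n in OIDS]
        # Names missing from OIDS are kept: they cannot be proven redundant.
        roots[view] = [n for n in names
                       if n not in OIDS or not any(covers(p, OIDS[n]) for p in known)]
    return roots

def write_scope(config):
    """Map each group that has a write view to that view's effective roots."""
    roots, scope = effective_roots(config), {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["snmp-server", "group"] and "write" in t[3:-1]:
            scope[t[2]] = roots.get(t[t.index("write") + 1], [])
    return scope
```

On the thread's lines, `view_all` collapses to `iso` and `MGMTview` to `internet`, so both write-capable groups can write across that whole subtree.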
