Adding an SNMPv3 security user

SNMPv3 offers advanced security by using passphrases and encryption. You can use the command line interface (CLI) to add an SNMPv3 user at the cluster level. The SNMPv3 user can run SNMP utilities from the traphost (SNMP manager) using the authentication and privacy settings that you specify.

When you add an SNMPv3 user at the cluster level, that user can access the cluster through all the LIFs that have the mgmt firewall policy applied. To use SNMPv3, you should configure an SNMPv3 user to run the SNMP utilities from the SNMP manager.

Procedure

  1. Use the security login create command to create an SNMPv3 user, and provide the following information:
    • Engine ID: The default and recommended value is local EngineID.

    • Authentication protocol

    • Authentication password

    • Privacy protocol

    • Privacy protocol password

  2. Log in to the SNMP manager by using the user name and password, and run the SNMP utility commands. SNMPv3 includes an authentication feature that, when selected, requires users to enter their names, an authentication protocol, an authentication key, and their desired security level when invoking a command. The following table lists the SNMPv3 security parameters:
    Table 1. SNMPv3 security parameters

    | Parameter | Command-line option | Description |
    |---|---|---|
    | <engineID> (recommended) | -e EngineID | Engine ID of the SNMP agent. Default value is local EngineID. |
    | <securityName> | -u Name | User name should not exceed 31 characters. |
    | <authProtocol> | -a {MD5 \| SHA} | Authentication type can be MD5 or SHA. |
    | <authKey> | -A PASSPHRASE | Passphrase should be composed of at least eight characters. |
    | <securityLevel> | -l {authNoPriv \| AuthPriv \| noauthNoPriv} | Security level can be authentication without privacy, authentication with privacy, or no authentication and no privacy. |
    | <privProtocol> | -x {none \| des} | Privacy protocol can be none or DES (Data Encryption Standard). |
    | <privPassword> | -X password | Password should be composed of at least eight characters. |
  3. Create the SNMPv3 user with different security levels by running SNMP client-side commands (for example, snmpwalk) to query the cluster objects. For better performance, it is recommended to retrieve all objects in a table rather than a single object or a few objects from the table. You should use snmpwalk 5.3.1 or later when the authentication protocol is SHA.
    Note
    • Following is the output of creating an SNMPv3 user with the authPriv security level:

      Cluster-1::> security login create -user-or-group-name snmpv3user -application snmp \
      -authentication-method usm
      Enter the authoritative entity's EngineID [local EngineID]:
      Which authentication protocol do you want to choose (none, md5, sha, sha2-256) [none]: sha
      Enter the authentication protocol password (minimum 8 characters long):
      Enter the authentication protocol password again:
      Which privacy protocol do you want to choose (none, des, aes128) [none]: des
      Enter privacy protocol password (minimum 8 characters long):
      Enter privacy protocol password again:

    • Following is the output of creating an SNMPv3 user with the authNoPriv security level:

      Cluster-1::> security login create -user-or-group-name snmpv3user2 -application snmp \
      -authentication-method usm -role admin
      Please enter the authoritative entity's EngineID [local EngineID]:
      Please choose an authentication protocol (none, md5, sha) [none]: md5
      Please enter authentication protocol password (minimum 8 characters long):
      Please enter authentication protocol password again:
      Please choose a privacy protocol (none, des) [none]: none

    • Following is the output of creating an SNMPv3 user with the noauthNoPriv security level:

      Cluster-1::> security login create -user-or-group-name snmpv1user -application snmp \
      -authentication-method usm
      Please enter the authoritative entity's EngineID [local EngineID]:
      Please choose an authentication protocol (none, md5, sha) [none]: none
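As an added example (not NetApp's code and not from this page), a small POSIX shell helper for the SNMP manager side of steps 2 and 3: it enforces the Table 1 length limits before a command is sent and assembles the snmpwalk options for each of the three security levels. It assumes net-snmp's snmpwalk is installed; the host address 192.0.2.10, the user names and the passphrases are placeholders.

```shell
#!/bin/sh
# Added example, not NetApp's code. Assumes net-snmp's snmpwalk on the SNMP
# manager; the host, user names and passphrases are placeholders. Passphrases
# are passed as single words (no spaces), matching the -A/-X usage in Table 1.

# Apply the Table 1 constraints before a command is issued: user name at most
# 31 characters, every supplied passphrase at least 8 characters.
check_snmpv3_params() {
  user=$1; auth_key=$2; priv_key=$3
  [ "${#user}" -le 31 ] || { echo "user name exceeds 31 characters" >&2; return 1; }
  [ -z "$auth_key" ] || [ "${#auth_key}" -ge 8 ] ||
    { echo "authentication passphrase shorter than 8 characters" >&2; return 1; }
  [ -z "$priv_key" ] || [ "${#priv_key}" -ge 8 ] ||
    { echo "privacy passphrase shorter than 8 characters" >&2; return 1; }
  return 0
}

# Print the snmpwalk options for one security level. Only the options that
# level needs are emitted, so a noAuthNoPriv user never sends a key and an
# authNoPriv user never sends a privacy key.
# Usage: snmpv3_walk_args HOST USER LEVEL [AUTHPROTO AUTHKEY [PRIVPROTO PRIVKEY]]
snmpv3_walk_args() {
  host=$1; user=$2; level=$3; auth_proto=$4; auth_key=$5; priv_proto=$6; priv_key=$7
  case $level in
    noAuthNoPriv) printf '%s' "-v3 -l noAuthNoPriv -u $user $host" ;;
    authNoPriv)   printf '%s' "-v3 -l authNoPriv -u $user -a $auth_proto -A $auth_key $host" ;;
    authPriv)     printf '%s' "-v3 -l authPriv -u $user -a $auth_proto -A $auth_key -x $priv_proto -X $priv_key $host" ;;
    *) echo "unknown security level: $level" >&2; return 1 ;;
  esac
}

# Walk a whole table rather than single objects, as step 3 recommends.
# 1.3.6.1.2.1.2.2 is the standard IF-MIB ifTable. Takes the same arguments
# as snmpv3_walk_args.
walk_table() {
  check_snmpv3_params "$2" "$5" "$7" || return 1
  # word splitting of the option string is intended here
  snmpwalk $(snmpv3_walk_args "$@") 1.3.6.1.2.1.2.2
}
```

Keys given with -A and -X are visible to other local users in the process list; net-snmp can read them from snmp.conf (defAuthPassphrase, defPrivPassphrase) instead, which keeps them off the command line.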