The snmp-agent usm-user command creates an SNMPv3 user.
The undo snmp-agent usm-user command deletes an SNMPv3 user.
By default, no SNMPv3 user exists on a device.
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group group-name | acl { acl-number | acl-name } ] *
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name authentication-mode { md5 | sha | sha2-256 } [ localized-configuration cipher password | cipher password ]
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name privacy-mode { des56 | aes128 | aes192 | aes256 | 3des } [ localized-configuration cipher password | cipher password ]
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group group-name acl-ipv4 { acl-number | acl-name } [ acl-ipv6 { acl-number | acl-name } ]
snmp-agent [ remote-engineid engineid ] usm-user v3 user-name group group-name acl-ipv6 { acl-number | acl-name }
undo snmp-agent [ remote-engineid engineid ] usm-user v3 user-name [ group | acl | authentication-mode | privacy-mode ]
Parameter | Description | Value |
---|---|---|
remote-engineid engineid | Specifies the ID of the engine associated with the user. remote-engineid engineid must be set to the engine ID of the destination host that receives alarms. The engine IDs of the source and destination hosts must be different. | The value is a string of 10 to 64 hexadecimal digits. It cannot be all 0s or all Fs. |
v3 | Indicates that the SNMPv3 security model is used. | - |
user-name | Specifies the name of the SNMPv3 user. | The value is a string of 1 to 32 case-sensitive characters without spaces. When the string is enclosed in double quotation marks, spaces are allowed in it. |
group group-name | Specifies the SNMPv3 user group to which the user belongs. | The value is a string of 1 to 32 case-sensitive characters without spaces. When the string is enclosed in double quotation marks, spaces are allowed in it. |
authentication-mode | Sets the authentication mode. Authentication is the process by which the SNMP agent (or the NMS) confirms that a message was sent by an authorized NMS (or SNMP agent) and was not modified in transit. | - |
md5 \| sha \| sha2-256 | Specifies the authentication algorithm. NOTE: For higher security, specify sha2-256. | - |
privacy-mode | Specifies privacy (encryption) in addition to authentication. The NMS and the SNMP agent share the same privacy key, derived from the privacy password; the sender encrypts the scoped PDU with the selected algorithm (DES-56 and 3DES in CBC mode, AES in CFB mode) and the receiver decrypts it with the same key. As with authentication, both sides must hold the same key. | - |
des56 \| aes128 \| aes192 \| aes256 \| 3des | Specifies DES-56, AES-128, AES-192, AES-256, or 3DES as the encryption algorithm. NOTE: For higher security, DES-56 and 3DES are not recommended. If either is used, do not use a password that is a shorter string repeated, that is, of the form str*n, where str is the repeated string and n is the number of repetitions. Because the standard password-to-key derivation (RFC 3414) repeats the password to fill a fixed-length buffer before hashing it, every password consisting of str repeated any number of times yields the same key. For example, if the password is Huawei@123Huawei@123, the passwords Huawei@123, Huawei@123Huawei@123, and Huawei@123Huawei@123Huawei@123 all pass authentication. | - |
localized-configuration | Specifies that the password is stored in localized form. NOTE: When authentication and privacy passwords are configured through the MIB, this keyword appears in the commands recorded in the configuration file. When they are configured from the command line, using this keyword is not advised: once it is used, cipher-text passwords configured afterwards are stored in the localized format. Because a localized password is bound to the engine ID, copying configuration that contains this keyword from one device to another makes the password invalid on the target device. | - |
cipher password | Specifies the password. | The value is a case-insensitive string without spaces. It must be in cipher-text format and contain 32 to 108 characters. |
acl | Specifies an ACL that takes effect on both IPv4 and IPv6 networks. | - |
acl-ipv4 | Specifies an ACL that takes effect only on IPv4 networks. | - |
acl-ipv6 | Specifies an ACL that takes effect only on IPv6 networks. | - |
acl-number | Specifies the number of an ACL. | The value is an integer ranging from 2000 to 3999. |
acl-name | Specifies the name of a basic or advanced named ACL. | The value is a string of 1 to 64 case-sensitive characters without spaces. The value must start with a letter. |
Usage Scenario
Protocol version | User identification | Encryption | Authentication |
---|---|---|---|
v1 | Community name | None | None |
v2c | Community name | None | None |
v3 | User name with per-user authentication and privacy keys | Yes | Yes |
The snmp-agent group command configures the authentication, encryption, and access rights of an SNMPv3 user group and binds the group to a MIB view; the MIB view is created with the snmp-agent mib-view command (see the usage guidelines of that command). Once a group is configured, MIB-view-based access control applies to it: users in the group can access only the objects in the MIB views bound to the group.

Adding SNMPv3 users to a group gives them the same security level and access control list. When you run the snmp-agent usm-user command to add a user to a group, the user inherits the group's MIB-view-based access rights. If the group is configured with the AuthPriv access level, configure the authentication mode and privacy mode when creating the user. The authentication and privacy passwords configured on the NMS must be the same as those on the SNMP agent; otherwise, authentication fails.
To ensure that the NMS correctly receives Inform alarms sent by the switch, run the snmp-agent remote-engineid engineid usm-user v3 user-name command on the switch to specify the NMS engine ID. The switch then places the NMS engine ID in the Authoritative Engine ID field of the SNMPv3 Inform packet before sending it. On receipt, the NMS compares the engine ID carried in the packet with its own: if they match, the NMS sends a response to the switch; if they do not, it discards the packet.
When the NMS and the device are on an insecure network, for example one exposed to attacks, configure different authentication and privacy passwords to improve security.
Configuration Impact
If a remote user is configured on the SNMP agent, the engine ID is used in authentication, because the localized keys are derived from it. If the engine ID changes after the remote user is configured, the remote user becomes invalid.
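The repeated-password caveat for des56/3des and the engine-ID binding of localized passwords both follow from how SNMPv3 turns a password into a key. The following Python is an added example, not Huawei code: it implements the standard RFC 3414 (MD5, SHA-1) and RFC 7860 (SHA-2) password-to-key and key-localization steps, checks them against the RFC 3414 "maplesyrup" test vectors, shows that Huawei@123 repeated any number of times yields the same localized key, and shows that the same password localizes to a different key on a different engine ID. It assumes the device derives keys this way (the page scopes the repetition caveat to DES-56 and 3DES and does not say how AES keys are derived); the second engine ID is constructed.

```python
import hashlib

# RFC 3414 / RFC 7860 password-to-key: repeat the password to fill a 1 MiB
# buffer, hash it into Ku, then localize: Kul = H(Ku || engineID || Ku).
EXPANSION_LEN = 1_048_576
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1, "sha2-256": hashlib.sha256}


def password_to_ku(password: str, algo: str) -> bytes:
    """Hash the 1 MiB password expansion into the engine-independent key Ku."""
    pw = password.encode()
    if not pw:
        raise ValueError("password must not be empty")
    buf = (pw * (EXPANSION_LEN // len(pw) + 1))[:EXPANSION_LEN]
    return HASHES[algo](buf).digest()


def localized_key(password: str, engine_id: bytes, algo: str) -> bytes:
    """Derive the localized key Kul that the agent stores and uses."""
    ku = password_to_ku(password, algo)
    return HASHES[algo](ku + engine_id + ku).digest()


def repeated_unit(password: str):
    """Return the shortest str with password == str * n (n >= 2), else None.
    This is the str*n shape the page warns against."""
    n = len(password)
    for k in range(1, n // 2 + 1):
        if n % k == 0 and password[:k] * (n // k) == password:
            return password[:k]
    return None


def same_localized_key(p1: str, p2: str, engine_id: bytes, algo: str = "sha2-256") -> bool:
    return localized_key(p1, engine_id, algo) == localized_key(p2, engine_id, algo)


# Engine ID from the RFC 3414 A.3 test vectors, and a constructed engine ID
# standing in for a second device the configuration might be copied to.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("800007db03001122334455")


if __name__ == "__main__":
    print("maplesyrup / md5 Kul:", localized_key("maplesyrup", RFC_ENGINE_ID, "md5").hex())
    for p in ("Huawei@123", "Huawei@123Huawei@123", "Huawei@123Huawei@123Huawei@123"):
        kul = localized_key(p, RFC_ENGINE_ID, "sha2-256").hex()
        print(f"{p:32} repeated unit={repeated_unit(p)!s:12} Kul={kul}")
    moved = localized_key("Huawei@123", OTHER_ENGINE_ID, "sha2-256").hex()
    print("same password, other engine ID:  Kul=" + moved)
```

The three Huawei@123 variants print an identical Kul, which is why a device accepts any of them once one is configured; the last line prints a different Kul for the same password on another engine ID, which is why a localized password copied between devices stops working.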
Precautions
The security level of an SNMPv3 user must be higher than or equal to that of the SNMPv3 user group it belongs to. The security levels, in descending order, are AuthPriv (authentication and encryption), authNoPriv (authentication without encryption), and noAuthNoPriv (neither authentication nor encryption). A user configured with neither authentication nor encryption has only read-only access within MIB-2 (OID 1.3.6.1.2.1).
Before adding an SNMPv3 user to an SNMPv3 user group, ensure that the group exists.
If the snmp-agent usm-user command is run multiple times for the same user, only the latest configuration takes effect.
Keep the user name and plaintext password safe when creating the user; the NMS needs the plaintext password to access the device.
If a user whose privilege level is lower than that of this command runs the display this command, the configured password is displayed as asterisks (******).
To apply the same ACL on both IPv4 and IPv6 networks, use only the snmp-agent [ remote-engineid engineid ] usm-user v3 user-name acl { acl-number | acl-name } form of the command.
If the snmp-agent usm-user command is run more than once to specify an ACL for the same SNMPv3 user, the latest configuration overrides the previous one.
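The usage guidelines and precautions above amount to a checklist that can be run against an exported configuration: every user's group must exist, the user's security level must not be below the group's, the page's recommended algorithms (sha2-256, AES) should be in use, and source addresses should be restricted by an ACL. The following Python is an added example, not a Huawei tool: it parses snmp-agent group and snmp-agent usm-user lines as they appear in a configuration file and reports deviations. The sample configuration is constructed, and the cipher text is replaced by a placeholder because the audit never needs it.

```python
import re
from collections import defaultdict

# Security levels, ascending; the page lists them as AuthPriv > authNoPriv > noAuthNoPriv.
LEVEL_NAMES = {0: "noAuthNoPriv", 1: "authNoPriv", 2: "authPriv"}
GROUP_LEVELS = {"noauthentication": 0, "authentication": 1, "privacy": 2}
WEAK_AUTH = {"md5", "sha"}      # the page advises sha2-256
WEAK_PRIV = {"des56", "3des"}   # the page advises against DES-56 and 3DES

GROUP_RE = re.compile(
    r"^\s*snmp-agent group v3 (\S+) (noauthentication|authentication|privacy)(.*)$")
USER_RE = re.compile(
    r"^\s*snmp-agent (?:remote-engineid \S+ )?usm-user v3 (\S+)\s*(.*)$")

# Constructed sample of what a configuration export might contain.
SAMPLE_CONFIG = """\
 snmp-agent
 snmp-agent sys-info version v3
 snmp-agent mib-view included iso-view iso
 snmp-agent group v3 g1 privacy read-view iso-view write-view iso-view acl 2001
 snmp-agent group v3 g2 authentication read-view iso-view
 snmp-agent usm-user v3 u1 group g1
 snmp-agent usm-user v3 u1 authentication-mode sha2-256 cipher PLACEHOLDER
 snmp-agent usm-user v3 u1 privacy-mode aes128 cipher PLACEHOLDER
 snmp-agent usm-user v3 u2 group g2
 snmp-agent usm-user v3 u2 authentication-mode md5 cipher PLACEHOLDER
 snmp-agent usm-user v3 u3 group g1
 snmp-agent usm-user v3 u3 authentication-mode sha cipher PLACEHOLDER
 snmp-agent usm-user v3 u4 group g-missing acl 2001
 snmp-agent usm-user v3 u4 authentication-mode sha2-256 cipher PLACEHOLDER
 snmp-agent usm-user v3 u4 privacy-mode 3des cipher PLACEHOLDER
"""


def parse_config(text):
    """Collect groups and usm-users; one user's keywords are spread over several lines."""
    groups = {}
    users = defaultdict(lambda: {"group": None, "auth": None, "priv": None, "acl": False})
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            name, level, rest = m.groups()
            groups[name] = {"level": GROUP_LEVELS[level], "acl": "acl" in rest.split()}
            continue
        m = USER_RE.match(line)
        if not m:
            continue
        name, rest = m.groups()
        u, tok, i = users[name], rest.split(), 0
        while i < len(tok):
            key = tok[i]
            if key == "group":
                u["group"] = tok[i + 1]; i += 2
            elif key == "authentication-mode":
                u["auth"] = tok[i + 1]; i += 2
            elif key == "privacy-mode":
                u["priv"] = tok[i + 1]; i += 2
            elif key in ("acl", "acl-ipv4", "acl-ipv6"):
                u["acl"] = True; i += 2
            elif key == "cipher":
                i += 2                      # skip the cipher-text token
            else:
                i += 1                      # e.g. localized-configuration
    return groups, dict(users)


def user_level(u):
    return 2 if u["auth"] and u["priv"] else 1 if u["auth"] else 0


def audit(text):
    """Return (user, code, message) findings against the page's precautions."""
    groups, users = parse_config(text)
    findings = []
    for name, u in sorted(users.items()):
        lvl, g = user_level(u), groups.get(u["group"])
        if u["group"] is None:
            findings.append((name, "no-group", "user is not bound to any group"))
        elif g is None:
            findings.append((name, "undefined-group", f"group {u['group']} does not exist"))
        elif lvl < g["level"]:
            findings.append((name, "level-below-group",
                             f"user is {LEVEL_NAMES[lvl]} but group {u['group']} "
                             f"requires {LEVEL_NAMES[g['level']]}"))
        if u["priv"] and not u["auth"]:
            findings.append((name, "priv-without-auth", "privacy-mode without authentication-mode"))
        if lvl == 0:
            findings.append((name, "noauthnopriv", "read-only MIB-2 access with no authentication"))
        if u["auth"] in WEAK_AUTH:
            findings.append((name, "weak-auth", f"{u['auth']} authentication; prefer sha2-256"))
        if u["priv"] in WEAK_PRIV:
            findings.append((name, "weak-priv", f"{u['priv']} encryption; prefer aes128 or stronger"))
        if not u["acl"] and not (g and g["acl"]):
            findings.append((name, "no-acl", "no ACL limits which NMS addresses may use this user"))
    return findings


def finding_codes(text, user):
    return {code for (u, code, _) in audit(text) if u == user}


if __name__ == "__main__":
    for user, code, msg in audit(SAMPLE_CONFIG):
        print(f"{user}: [{code}] {msg}")
```

On the sample, u1 is clean; u2 uses md5 and has no ACL on either the user or its group; u3 is authNoPriv in a group that requires privacy, which the device itself rejects but which is easy to miss when reviewing an export; u4 references a group that does not exist and uses 3des.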
# Configure an SNMPv3 user with user name u1, group name g1, authentication mode sha2-256, authentication password 8937561bc, encryption mode aes128, and encryption password 68283asd.
<HUAWEI> system-view
[HUAWEI] snmp-agent usm-user v3 u1 group g1
[HUAWEI] snmp-agent usm-user v3 u1 authentication-mode sha2-256
Please configure the authentication password (8-64)
Enter Password:
Confirm Password:
[HUAWEI] snmp-agent usm-user v3 u1 privacy-mode aes128
Please configure the privacy password (8-64)
Enter Password:
Confirm Password:
[HUAWEI]