Configuring SNMPv3 (NSM Procedure)

You can configure SNMP version 3 (SNMPv3) for message security and access control. You can configure the entries for the user-based security model (USM) that SNMPv3 uses for message security and the view-based access control model (VACM) that SNMPv3 uses for access control. USM specifies authentication and encryption. USM uses the concept of a user for which security parameters (levels of security, authentication, privacy protocols, and keys) are configured for both the agent and the manager. VACM specifies access-control rules.

To configure the SNMPv3 options in NSM:

  1. In the navigation tree, select Device Manager > Devices.
  2. In the Devices list, double-click the device to select it.
  3. Click the Configuration tab.
  4. In the configuration tree, expand SNMP.
  5. Select V3.
  6. Enter the parameters as specified in Table 79.
  7. Click one:
    • OK—To save the changes.
    • Cancel—To cancel the modifications.
    • Apply—To apply the SNMP settings.

Note: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See the Updating Devices section in the Network and Security Manager Administration Guide for more information.

Table 79: Configuring V3 Fields

Each option below is listed with its function, followed by the action you take to configure it (the Option, Function, and Your Action columns of the table).

Comment

Specifies the comment for the SNMPv3 configuration.

Enter a comment.

Notify

Specifies the management targets for notifications as well as the type of notifications. Notifications can be either traps or informs.

  1. Expand the V3 tree and select Notify.
  2. Click the New button or select an entry and click the Edit button.
  3. Configure the following to create and define an entry:
    • Name—Specify the name for the notification.
    • Comment—Enter the comment for the notification.
    • Type—Choose the notification type:

      • trap—Unconfirmed notifications
      • inform—Confirmed notifications
    • Tag—Specify a tag. Notifications are sent to all targets configured with this tag.

Notify Filter

Lists the group of MIB objects on which access is to be defined. The notify filter limits the types of traps or informs sent to the network management system (NMS).

  1. Expand the V3 tree and select Notify Filter.
  2. Click the New button or select an entry and click the Edit button.
  3. Configure the following to create and define an entry:
    • Name—Specify the name for the notification filter.
    • Comment—Enter the comment for the notification filter.
    • OID—Specify an object identifier (OID) to represent a subtree of MIB objects. All MIB objects represented by this ID have the specified OID as a prefix. Specify the OID using either a sequence of dotted integers or a subtree name.
      • None
      • include—Include the subtree of MIB objects represented by the specified OID.
      • exclude—Exclude the subtree of MIB objects represented by the specified OID.

SNMP Community

Lists the SNMP communities authorizing the SNMPv1 or SNMPv2 clients. The access privileges associated with the configured security name define which MIB objects are available and the operations (notify, read, or write) allowed on those objects.

  1. Expand the V3 tree and select SNMP Community.
  2. Configure the following to create and define an entry:
    • Name—Specify the name for the SNMP community.
    • Comment—Enter the comment for the community.
    • Community Name—Enter the community string for the SNMPv1 or SNMPv2 community. If you do not enter a name, it is the same as the community index. Ensure that community names are unique.
    • Security Name—Enter the name you want to use for access control. This is done to associate the community string to a security name.
    • Context—Specify the context in which the community string is to be used.
    • Tag—Specify the addresses of managers that are allowed to use this community string.

Target Address

Specifies the management application’s address and parameters to be used in sending notifications.

  1. Expand the V3 tree and select Target Address.
  2. Click the New button or select an entry and click the Edit button.
  3. Configure the following to create and define an entry:
    • Name—Specify the name to be assigned to the target address.
    • Comment—Enter a comment for the target address.
    • Address—Enter the IPv4 or the IPv6 address of the device to receive traps or informs.

      Note: Specify an address, not a hostname.

    • Port—Enter the UDP port number for the SNMP target.
    • Timeout—Specify the number of seconds to wait for an inform acknowledgment. If no acknowledgment is received within the timeout period, the inform is retransmitted. The default timeout period is 15 seconds.
    • Retry Count—Specify the maximum number of times the inform is transmitted if no acknowledgment is received. If no acknowledgment is received after the inform is transmitted the maximum number of times, the inform message is discarded. The default count is 3 times.
    • Tag List—Specify an SNMP tag list to be used to define sets of target addresses.
    • Address Mask—Specify an address mask to verify the source addresses for this group of target addresses. An address mask, combined with the address, defines a range of addresses.
    • Routing Instance—Specify a routing instance for this SNMPv3 target address.
    • Logical System—On routers only, specify the logical system group for this SNMPv3 target address.
    • Target Parameters—Specify the message processing and security parameters to be used in sending notifications to a particular management target.

Target Parameters

Specifies the message processing and security parameters to be used in sending notifications to a particular management target.

  1. Expand the V3 tree and select Target Parameters.
  2. Click the New button or select an entry and click the Edit button.
  3. Configure the following to create and define an entry:
    • Name—Specify the name to be assigned to this group of target parameters.
    • Comment—Enter a comment for this group of target parameters.
    • Notify Filter—Specify the notify filter to be used by this specific set of target parameters.
    • Parameters—Configure the entries for this specific set of target parameters:

      Message Processing Model—Specify the message processing model:

      • None
      • v1—SNMPv1 message process model
      • v2c—SNMPv2c message process model
      • v3—SNMPv3 message process model

      Security Model—Specify this group’s security model:

      • None
      • usm—SNMPv3 security model
      • v1—SNMPv1 message process model
      • v2c—SNMPv2c message process model

      Security Level—Specify this group’s security level:

      • authentication—Authentication but no encryption.
      • none—No authentication and no encryption.
      • privacy—Authentication and encryption.
    • Security Name—The user name (if USM is used) or the SNMP community name (if the SNMPv1 or SNMPv2c security model is used) when generating the notification.

Usm

Specifies USM information.

  1. Expand the V3 tree and select Usm.
  2. Configure the following to create and define an entry:
    • Comment—Enter a comment for this USM set.
    • Local Engine—Specify the local-engine information for USM. Assign a user associated with an SNMPv3 group. Specify the authentication type for the SNMPv3 user as MD5 or SHA.

      Assign the encryption algorithm:

      • Advanced Encryption Standard (privacy-aes128)
      • Triple Data Encryption Standard (privacy-3des)
      • Data Encryption Standard (privacy-des)

      Configure the password used to generate the key used for encryption.

    • Remote Engine—Enter the engine ID for the SNMP agent on the remote device where the user resides for the USM. You must do this to send inform messages to an SNMPv3 user on a remote device. The engine ID is used to compute the security digest for authenticating and encrypting packets sent to a user on the remote host. Assign a user associated with an SNMPv3 group.

      Assign the authentication type:

      • MD5—Sets the message digest algorithm (MD5) as the authentication type.
      • SHA—Sets the secure hash algorithm (SHA) as the authentication type.

      Assign the encryption algorithm:

      • Advanced Encryption Standard (privacy-aes128)
      • Triple Data Encryption Standard (privacy-3des)
      • Data Encryption Standard (privacy-des)

      Configure the plain-text password used to generate the encryption key. On a device, the password must meet these requirements:

      • The password must be at least eight characters long.
      • The password can include alphabetic, numeric, and special characters, but not control characters.
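The USM key derivation that the Local Engine and Remote Engine options rely on, shown as an added example (not part of this page or of NSM): the passphrase is hashed into a master key and then localized with the engine ID, which is why an inform target on a remote device needs that device's engine ID configured. The password checks follow the rules stated above; the `usm_keys` helper name and the RFC 3414 test-vector engine ID are this example's own.

```python
"""Derive SNMPv3 USM keys as RFC 3414 does: the passphrase becomes a master key Ku,
which is then localized with the engine ID to Kul.  The remote-engine ID this page
asks for is what makes the inform target's keys differ from the local agent's."""
import hashlib

EXPANSION_LEN = 1024 * 1024                            # RFC 3414 A.2: passphrase stream is 1 MiB
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}     # the two USM authentication types


def check_password(password: str) -> None:
    """Enforce the rules stated on this page: >= 8 characters, no control characters."""
    if len(password) < 8:
        raise ValueError("password must be at least eight characters long")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        raise ValueError("password must not contain control characters")


def password_to_key(password: str, auth: str) -> bytes:
    """Ku = H(passphrase repeated and truncated to exactly 1,048,576 bytes)."""
    check_password(password)
    pw = password.encode()
    reps, rem = divmod(EXPANSION_LEN, len(pw))
    return HASHES[auth](pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): one passphrase, a different key on every engine."""
    return HASHES[auth](ku + engine_id + ku).digest()


def usm_keys(password: str, engine_id: bytes, auth: str) -> tuple:
    """Return (Ku, Kul).  A privacy key is derived the same way from the privacy
    password; DES and AES-128 then take their key from the leading bytes of Kul."""
    ku = password_to_key(password, auth)
    return ku, localize_key(ku, engine_id, auth)


if __name__ == "__main__":
    # Engine ID and passphrase from the RFC 3414 appendix A.3 test vectors
    engine = bytes.fromhex("000000000000000000000002")
    for algo in ("md5", "sha"):
        ku, kul = usm_keys("maplesyrup", engine, algo)
        print(algo, "Ku =", ku.hex(), "Kul =", kul.hex())
```

Changing the engine ID changes Kul while Ku stays the same, so a user's keys never leave the engine they were localized for.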

Vacm

Specifies the VACM information.

  1. Expand the V3 tree and select Vacm.
  2. Configure the following to create and define an entry:
    • Comment—Enter a comment for this VACM set.
    • Access—Assign the security name to a group of SNMP security names that belong to the same SNMP access policy and define the access privileges for this group. Users belonging to a particular SNMP group inherit all access privileges granted to that group. Specify a context prefix for this group or a default context prefix for all VACM entries by configuring the context security model and entering a comment for the context security model.

      Specify this group’s security model:

      • Any
      • usm—SNMPv3 security model
      • v1—SNMPv1 message process model
      • v2c—SNMPv2c message process model

      Specify this group’s security level:

      • authentication—Provides authentication but no encryption.
      • none—No authentication and no encryption.
      • privacy—Provides authentication and encryption.

      Designate the level of security view access.

      • Read View—Provides read access.
      • Write View—Provides write access.
      • Notify View—Provides notify access, in which a list of notifications is sent to each user in this group.
    • Security To Group—Configure the group to which a specific security name belongs. Assign the security name to a group of SNMP security names that belong to the same SNMP access policy and define the access privileges for this group. Users belonging to a particular SNMP group inherit all access privileges granted to that group.

      Specify this group’s security model:

      • usm—SNMPv3 security model
      • v1—SNMPv1 message process model
      • v2c—SNMPv2c message process model
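How the Security To Group, Access, and view entries above combine into an access decision, and how the include/exclude OID subtrees of a view (the same matching the Notify Filter option uses) resolve, as an added example that is not part of this page or of NSM. The `Vacm` class, the `sample_vacm` data, and the user and view names are constructed for illustration; the matching follows the RFC 3415 longest-prefix rule.

```python
"""VACM-style access decision (after RFC 3415) over the objects this page configures:
security-to-group entries, access entries and views built from include/exclude OID
subtrees.  Names and OIDs in sample_vacm() are constructed for illustration."""

LEVELS = {"none": 0, "authentication": 1, "privacy": 2}


def oid_tuple(oid: str) -> tuple:
    return tuple(int(x) for x in oid.strip(".").split("."))


def view_includes(view: list, oid: str) -> bool:
    """view = [(prefix, 'include'|'exclude')]; the longest matching prefix decides."""
    target, best = oid_tuple(oid), None
    for prefix, action in view:
        p = oid_tuple(prefix)
        if target[:len(p)] == p and (best is None or len(p) > len(best[0])):
            best = (p, action)
    return best is not None and best[1] == "include"


class Vacm:
    def __init__(self):
        self.views = {}     # view name -> [(oid prefix, action)]
        self.groups = {}    # (security model, security name) -> group
        self.access = []    # (group, model, min level, read view, write view, notify view)

    def allowed(self, sec_name, model, level, op, oid):
        """True if sec_name, under this model and level, may do op ('read'/'write'/'notify') on oid."""
        group = self.groups.get((model, sec_name))
        if group is None:
            return False
        hits = [a for a in self.access if a[0] == group and a[1] in (model, "any")
                and LEVELS[a[2]] <= LEVELS[level]]
        if not hits:
            return False
        best = max(hits, key=lambda a: (a[1] == model, LEVELS[a[2]]))  # exact model, then strictest level
        view_name = {"read": best[3], "write": best[4], "notify": best[5]}[op]
        return bool(view_name) and view_includes(self.views.get(view_name, []), oid)


def sample_vacm() -> Vacm:
    """Constructed sample: an operations group with read and notify access to everything
    except the USM user table (1.3.6.1.6.3.15), and no write view at all."""
    v = Vacm()
    v.views["ops-view"] = [("1", "include"), ("1.3.6.1.6.3.15", "exclude")]
    v.groups[("usm", "ops-user")] = "ops"
    v.access.append(("ops", "usm", "privacy", "ops-view", "", "ops-view"))
    return v
```

A request at a lower security level than the access entry requires, or from a security name with no security-to-group entry for its model, is denied before any view is consulted.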
