To enable SNMPv3 management of a device

Before you begin

If you are configuring an NE for LI, you must create a second access group. See Chapter 94, Lawful Intercept for information about creating an LI user and access group.

SROS 22.2 R1 and later NEs do not support some combinations of authentication and privacy:

  • hmac-md5-96 cannot be combined with cfb128-aes-192 or cfb128-aes-256

  • hmac-sha1-96 cannot be combined with cfb128-aes-192 or cfb128-aes-256

  • hmac-sha2-224 cannot be combined with cfb128-aes-256

Steps
 

1. Open a CLI session on the device.


2. Enter the following commands in the order shown to create a read-write-notify group for general SNMP mediation on the managed device:

configure system security snmp ↵

access group "SNMPv3_group" security-model usm security-level privacy read "iso" write "iso" notify "iso" ↵

where

SNMPv3_group is the name to assign to the new SNMP group


3. If mediation of VPRN objects is required (for a configured VPRN, or for the internal VPRN of an Ethernet satellite), enter the following command to create a read-write-notify access entry for the vprn context under the same group on the managed device:

access group "SNMPv3_group" security-model usm security-level privacy context vprn prefix read "vprn-view" write "vprn-view" notify "iso" ↵

where

SNMPv3_group is the name of the SNMP group created in Step 2


4. Enter the following command to exit the SNMP group configuration.

exit ↵


5. Enter the following command to obtain the SNMP engine ID of the device.

show system info ↵

The SNMP engine ID is displayed as SNMP Engine ID.


6. Generate an authentication key and a privacy key.

  • The authentication key is derived from the authentication password and localized to the SNMP engine ID of the device. The NE uses it to authenticate (HMAC) each SNMPv3 message for this user; it does not encrypt the password.

  • The privacy key is derived in the same way from the privacy password and is used to encrypt the SNMPv3 PDUs of this user.

Note: The authentication method determines the key length (for example, 16 bytes for MD5, 20 bytes for SHA-1, 32 bytes for SHA-256), and the privacy key is taken from a key of that same length. This is why the combinations listed under Before you begin are not supported: an MD5 or SHA-1 key is too short for AES-192 or AES-256, and a SHA-224 key is too short for AES-256.

  1. Log in to an NFM-P single-user client, client delegate server, or main server station.

    Note:

    If you log in to a RHEL main or client delegate server station, you must log in as the nsp user.

    If you log in to a single-user client station, you must log in as the user who installed the client, or as a local administrator.

  2. Open a console window.

  3. On a RHEL station, navigate to the install_directory/nms/bin directory, where install_directory is one of the following:

    • the NFM-P main server installation location, /opt/nsp/nfmp/server

    • the NFM-P single-user client or client delegate server installation location, typically /opt/nsp/client

  4. On a Windows station, navigate to the install_directory\nms\bin directory, where install_directory is the NFM-P single-user client or client delegate server installation location, typically C:\nsp\client.

  5. Enter one of the following to create an authentication key:

    • on a RHEL station:

    ./nmsclient.bash password2key method password engine_ID

    • on a Windows station:

    nmsclient.bat password2key method password engine_ID

    where

    method is the authentication method, either MD5, SHA, SHA224, SHA256, SHA384 or SHA512

    password is the authentication key password

    engine_ID is the SNMP engine ID obtained in Step 5

    Note: You must enclose a password that contains a special character in single quotation marks; for example:

    ./nmsclient.bash password2key method 'Mypa$$word' engine_ID

    Use only the authentication key from the output for this step; the privacy keys that are also listed are obtained from the privacy password in the next substep.

  6. Enter the following to create a privacy key.

    • on a RHEL station:

    ./nmsclient.bash password2key method password engine_ID

    • on a Windows station:

    nmsclient.bat password2key method password engine_ID

    where

    method is the authentication method, either MD5, SHA, SHA224, SHA256, SHA384 or SHA512; use the same method as for the authentication key, because the privacy key is derived with the authentication hash and its usable length depends on it

    password is the privacy key password

    engine_ID is the SNMP Engine ID of the SR, in hexadecimal form with 10-64 hex digits (5-32 bytes)

    Note: You must enclose a password that contains a special character in single quotation marks; for example:

    ./nmsclient.bash password2key method 'Mypa$$word' engine_ID

    The list of privacy keys for each privacy method is displayed; use the key for the privacy method that you will configure on the NE.

  7. Store the generated keys for your applicable authentication and privacy methods.


7. Using the keys generated in Step 6, create an SNMPv3 user on the managed device.

  1. Enter the following sequence of commands at the prompt:

    configure system security user SNMPv3_user ↵

    access snmp ↵

    snmp ↵

    authentication auth_method authentication_key privacy priv_method privacy_key ↵

    group SNMPv3_group ↵

    exit all ↵

    where

    SNMPv3_user is the name to assign to the new user

    SNMPv3_group is the name of the new SNMP user group created in Step 2

    auth_method is one of hmac-md5-96, hmac-sha1-96, hmac-sha2-224, hmac-sha2-256, hmac-sha2-384 or hmac-sha2-512

    authentication_key is the authentication key value generated in Step 6

    priv_method is one of cbc-des, cfb128-aes-128, cfb128-aes-192 or cfb128-aes-256; see Before you begin for the combinations of auth_method and priv_method that the NE does not support

    privacy_key is the privacy key value generated in Step 6

  2. Enter the following to save the configuration changes:

    admin save ↵

    The device is now ready for management using SNMPv3.

  3. Close the CLI session.
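The key derivation that password2key performs in Step 6, and the user command line it feeds in Step 7, as an added Python example; this is not the nmsclient tool's code or Nokia's. It implements the RFC 3414 password-to-key algorithm (RFC 7860 for the SHA-2 methods), localizes the key to the engine ID, and applies the digest-length rule that yields exactly the unsupported combinations listed under Before you begin. Assumptions, labelled in the code: the engine ID is pasted as the hex string shown by show system info; SR OS accepts the keys as hex strings; the sample password and engine ID are the RFC 3414 appendix test vector, not a real device.

```python
import hashlib

# Hash and digest length (bytes) of each authentication protocol on the page
# (HMAC-MD5-96 and HMAC-SHA-96 from RFC 3414, the SHA-2 family from RFC 7860).
AUTH_PROTOCOLS = {
    "hmac-md5-96":   ("md5", 16),
    "hmac-sha1-96":  ("sha1", 20),
    "hmac-sha2-224": ("sha224", 28),
    "hmac-sha2-256": ("sha256", 32),
    "hmac-sha2-384": ("sha384", 48),
    "hmac-sha2-512": ("sha512", 64),
}

# Bytes of localized key each privacy protocol consumes: CBC-DES takes an
# 8-byte key plus an 8-byte pre-IV (RFC 3414); CFB128-AES takes its raw key
# size (RFC 3826 for AES-128, the Blumenthal/Reeder extension for 192/256).
PRIV_PROTOCOLS = {
    "cbc-des": 16,
    "cfb128-aes-128": 16,
    "cfb128-aes-192": 24,
    "cfb128-aes-256": 32,
}


def parse_engine_id(text: str) -> bytes:
    """Turn the 'SNMP Engine ID' string from 'show system info' into bytes.
    Assumption: plain hex, optionally separated by spaces or colons.
    Enforces the 5-32 byte range given in Step 6."""
    engine_id = bytes.fromhex("".join(ch for ch in text if ch not in " :"))
    if not 5 <= len(engine_id) <= 32:
        raise ValueError(f"engine ID must be 5-32 bytes, got {len(engine_id)}")
    return engine_id


def password_to_key(password: str, engine_id: bytes, auth_method: str) -> bytes:
    """RFC 3414 A.2 password-to-key, same construction for SHA-2 (RFC 7860):
    Ku  = H(password repeated cyclically to exactly 1 MiB)
    Kul = H(Ku || engineID || Ku)   -- the key 'localized' to this engine."""
    hash_name, _ = AUTH_PROTOCOLS[auth_method]
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    ku = hashlib.new(hash_name, expanded).digest()
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def compatible(auth_method: str, priv_method: str) -> bool:
    """The privacy key is cut from a localized key of digest length, so the
    digest must be at least as long as the privacy protocol's key need."""
    return AUTH_PROTOCOLS[auth_method][1] >= PRIV_PROTOCOLS[priv_method]


def unsupported_combinations() -> list:
    """Every (auth, priv) pair the digest-length rule rejects."""
    return [(a, p) for a in AUTH_PROTOCOLS for p in PRIV_PROTOCOLS
            if not compatible(a, p)]


def privacy_key(password: str, engine_id: bytes, auth_method: str, priv_method: str) -> bytes:
    """Privacy key: localized key from the privacy password, truncated to the
    privacy protocol's key size. Refuses the unsupported combinations."""
    if not compatible(auth_method, priv_method):
        raise ValueError(f"{auth_method} cannot be combined with {priv_method}")
    return password_to_key(password, engine_id, auth_method)[:PRIV_PROTOCOLS[priv_method]]


def sros_user_commands(user, group, auth_method, auth_password,
                       priv_method, priv_password, engine_id_text):
    """Render the Step 7 command sequence with the localized keys.
    Assumption: SR OS takes the keys as hex strings, as password2key prints them."""
    engine_id = parse_engine_id(engine_id_text)
    auth_key = password_to_key(auth_password, engine_id, auth_method).hex()
    priv_key = privacy_key(priv_password, engine_id, auth_method, priv_method).hex()
    return [
        f'configure system security user "{user}"',
        "access snmp",
        "snmp",
        f"authentication {auth_method} {auth_key} privacy {priv_method} {priv_key}",
        f'group "{group}"',
        "exit all",
    ]


if __name__ == "__main__":
    # Constructed input: the RFC 3414 A.3 test password and engine ID, not a real NE.
    for line in sros_user_commands("SNMPv3_user", "SNMPv3_group",
                                   "hmac-sha2-256", "maplesyrup",
                                   "cfb128-aes-256", "maplesyrup",
                                   "00 00 00 00 00 00 00 00 00 00 00 02"):
        print(line)
    print("unsupported:", unsupported_combinations())
```

With the RFC 3414 test vector (password maplesyrup, engine ID 000000000000000000000002) the hmac-md5-96 and hmac-sha1-96 keys match the values in the RFC's appendix, which is a quick way to confirm a derivation tool before trusting it on a real engine ID. For a production NE, use the engine ID from Step 5 and treat the output of nmsclient.bash as the authoritative value for the device.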


8. Create an SNMPv3 NE user in the NFM-P.

See the section on NE user and device security in the NSP System Administrator Guide for specific information about creating and configuring NE users.

  1. Choose Administration→Security→NE User Configuration from the NFM-P main menu. The NE User Configuration form opens.

  2. Click Create. The NE User (Create) form opens.

  3. Configure the parameters as follows:

    • Enter the SNMPv3_user value from Step 7 as the User Name.

    • Enable the SNMP option of the Access parameter.

    • On the SNMPv3 tab:

      — Configure the authentication and privacy protocols to match the auth_method and priv_method configured on the NE in Step 7, and ensure that the combination is one the NEs support; see Before you begin.

      — Enter the password used to generate the authentication key in Step 6.

      — Enter the password used to generate the privacy key in Step 6.

    Note: In the mediation security policy that you create for the device, you must specify the following:

    • SNMPv3 (USM) as the Security Model value

    • the SNMPv3_user value from Step 7 as the User Name

    See To configure device mediation for specific information about creating and configuring mediation security policies.


9. If you are performing this procedure for device discovery, see Workflow for device discovery for the next steps.

End of steps