Using SNMPv3 with NMIS for Secure Network Management
NMIS supports using SNMPv3 for securing the collection of sensitive network information. This is especially important from core switches and routers which if compromised could have a considerable business impact. This configuration note does not include details about the SNMPv3 protocol, and assumes that people are wanting to use the authPriv (Authentication and Privilege) mode which is the most secure.
NOTE: From NMIS 9.5.2, SHA256 and AES256 support is enabled by the installer (if selected)
IMPORTANT NOTE ON 256 BIT ENCRYPTION PROTOCOL SUPPORT
Regarding SNMPv3 protocol support, different vendors and even different products support different combinations of authentication and privilege protocols. The above example is for an older Cisco router, newer devices support SHA256 and AES256, the combinations will depend on your device.
Configuring Cisco IOS for SNMPv3
The first step is to enable SNMPv3 on your router or switch. If using Cisco IOS, the commands are below, if using other Cisco operating systems or other vendors, the concepts are the same and the commands will likely be similar. The most important thing is that the device will support SNMPv3, it will require encryption features if you want to use full auth/priv mode.
Required Cisco IOS Configuration for SNMPv3 communication to NMIS
The following three lines of Cisco IOS commands are required to enable SNMPv3 on the Cisco IOS device. When running a show run, the configured user will not show up in the running configuration, the configured users can be viewed by running the command "show snmp user".
snmp-server view NMIS8RO iso included snmp-server group NMIS8 v3 priv match exact read NMIS8RO snmp-server user nmis8 NMIS8 v3 auth md5 nmis4242 priv des nmis4242
The commands above will create a user called nmis8, with an authorisation password of nmis4242 and a privilege password of nmis4242
View the configured SNMP users
asgard# show snmp user User name: nmis8 Engine ID: 800000090300001E13B18D00 storage-type: nonvolatile active Authentication Protocol: MD5 Privacy Protocol: DES Group-name: NMIS8
Details about Cisco IOS SNMPv3
More details about Cisco IOS SNMPv3 can be found at http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/Snmp3.html
Configuring Linux SNMP Daemon (Net-SNMP SNMPD) for SNMPv3
The first step is to enable SNMPv3 on in the /etc/snmp/snmpd.conf file, then restart the daemon.
Required Linux SNMPD Configuration for SNMPv3 communication to NMIS9
Add the following configuration to the top, edit the /etc/snmp/snmpd.conf file as the root user, e.g.
sudo vi /etc/snmp/snmpd.conf
Add the following configuration replacing the username and passwords is you require.
createUser nmis SHA banana4242 AES monkey4242 rouser nmis priv 1.3.6.1
The commands above will create a user called nmis, with an authorisation password of banana4242 and a privilege password of monkey4242
The view of 1.3.6.1, will permit access to the Standard MIB and the Enterprise MIB, essentially providing full access.
Restart the SNMP Daemon
sudo service snmpd restart
Testing your SNMPv3 Configuration with NET-SNMP
To verify that SNMPv3 is working as configured run the following command. Change the username and passwords if you have used different ones.
snmpwalk -v 3 -l authPriv -u n