Fat AP and Cloud AP V200R010C00 Command Reference

snmp-agent usm-user

Function

The snmp-agent usm-user command adds a user to an SNMP user group.

The undo snmp-agent usm-user command deletes a user from an SNMP user group.

By default, no users are added to an SNMP user group.

Format

snmp-agent usm-user version v3 user-name [ group group-name | acl acl-number ] *

snmp-agent usm-user version v3 user-name authentication-mode { md5 | sha }

snmp-agent usm-user version v3 user-name privacy-mode { aes128 | des56 }

undo snmp-agent usm-user version v3 user-name [ acl | authentication-mode | group | privacy-mode ]

Parameters

Parameter Description Value

version v3
  Indicates that the user uses the SNMPv3 user-based security model (USM).
  Value: -

user-name
  Specifies a user name.
  Value: a string of 1 to 32 case-sensitive characters without spaces.

group group-name
  Specifies the name of the SNMP group that the user belongs to. The group must already exist (see snmp-agent group).
  Value: a string of 1 to 32 case-sensitive characters without spaces.

authentication-mode
  Sets the authentication mode.
  NOTE:
  Authentication lets the receiver (the SNMP agent for requests, the NMS for responses and notifications) confirm that a message was produced by a party holding the shared authentication key and was not modified in transit. RFC 2104 defines HMAC, a keyed message authentication code built from a cryptographic hash function and a secret key; it is widely used on the Internet. SNMPv3 uses HMAC-MD5-96 (MD5 with a 128-bit authKey) and HMAC-SHA-96 (SHA-1 with a 160-bit authKey); the "96" means the HMAC output is truncated to 96 bits (12 octets) before it is placed in the message. The authKey is not the password itself: the password is converted to a key and then localized with the engine ID of the agent (RFC 3414), so the same password yields a different key on every engine.
  Value: -

md5
  Uses the HMAC-MD5-96 algorithm for user authentication. Both parties share the same authentication key. The sender computes a MAC over the message with that key; the receiver recomputes the MAC with the same key and compares it with the received one. If the two match, authentication succeeds. MD5 is considered weak; prefer sha.
  Value: -

sha
  Uses the HMAC-SHA-96 algorithm for user authentication. It works the same way as HMAC-MD5-96; the only difference is the hash function (SHA-1 instead of MD5).
  Value: -

privacy-mode
  Enables encryption in addition to authentication (the authPriv security level).
  The privacy key (privKey) is derived from the encryption password in the same way as the authentication key, using the configured authentication hash, and must be shared by the NMS and the SNMP agent. The sender encrypts the scoped PDU with that key; the receiver decrypts it with the same key. DES is used in CBC mode with a 16-octet privKey (RFC 3414); AES is used in 128-bit CFB mode (RFC 3826).
  Value: -

aes128
  Selects AES with a 128-bit key for encrypting the PDU. The sender encrypts the PDU with the user's privKey and sends the ciphertext together with the user name and a per-message salt; the receiver looks up the privKey configured locally for that user name and decrypts. The key itself is never carried in the packet.
  Value: -

des56
  Selects DES with a 56-bit key for encrypting the PDU, in the same way as aes128. DES is obsolete and its key space can be searched exhaustively; use it only where the NMS does not support AES.
  Value: -

acl acl-number
  Specifies the number of a basic ACL that restricts the NMS source addresses allowed to use this user.
  Value: an integer that ranges from 2000 to 2999.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SNMPv1 and SNMPv2c have serious security defects. Their only access check is the community name, which is transmitted in plain text, so anyone who can observe the traffic obtains it. You are not advised to use SNMPv1 or SNMPv2c on untrusted networks.

SNMPv3 addresses these defects with the user-based security model (USM), which provides two services, authentication and encryption. USM defines three security levels: noAuthNoPriv, authNoPriv and authPriv.
A noAuthPriv level does not exist: the privacy key is derived from the encryption password with the user's authentication hash and localized with the engine ID, so encryption is only defined for a user that also has authentication configured.
Unlike SNMPv1 and SNMPv2c, SNMPv3 provides access control, identity authentication and data encryption through the view-based access control model (VACM) and the user-based security model (USM), and therefore offers much higher security and confidentiality. The following table lists the differences between SNMPv1, SNMPv2c and SNMPv3:

Table 28-14  Comparison in the security of SNMP of different versions

Protocol version | Identification  | Encryption | Authentication
v1               | Community name  | None       | None
v2c              | Community name  | None       | None
v3               | User name (USM) | Yes        | Yes

The snmp-agent group command configures the security level (authentication and encryption requirements) and the access rights of an SNMP user group and binds the group to a MIB view; the MIB view itself is created with the snmp-agent mib-view command. For details, see the usage guidelines of those commands. Once a group is bound to a MIB view, users in that group can access only the objects inside that view.

Adding users to a group ensures that all of them share the same security level and the same access control list. Running snmp-agent usm-user therefore gives the user the MIB-view-based access rights of its group. If the group was configured with the authPriv level, configure both an authentication mode and a privacy mode for the user. The authentication and encryption passwords configured on the NMS must be identical to those configured on the SNMP agent; otherwise authentication (or decryption) fails.

SHA and AES128 are recommended to improve data transmission security; prefer them over MD5 and DES wherever the NMS supports them.

Configuration Impact

The keys stored for a user are localized with the SNMP engine ID (see the note under authentication-mode). If an SNMP agent is configured with a remote user, the remote engine ID is part of that derivation and is required during authentication. If the engine ID changes after the remote user is configured, the stored keys no longer match, the remote user becomes invalid, and the user must be configured again.

Precautions

The security level of a user must be higher than or equal to the security level of the SNMP user group to which the user is added.

The security levels of an SNMP user group, from highest to lowest, are:
  • Level 1: privacy (authentication and encryption)
  • Level 2: authentication (without encryption)
  • Level 3: none (neither authentication nor encryption)

For example, if the security level of an SNMP user group is level 1, a user added to the group must also be level 1; if the group is level 2, the user can be level 1 or level 2; if the group is level 3, the user can be at any level. A user whose level is lower than the group's cannot meet the group's requirement.

Before adding a user to an SNMP user group, make sure the group has already been created with the snmp-agent group command.

If you run the snmp-agent usm-user command multiple times for the same user and parameter, only the latest configuration takes effect.

Record the user name and the plain-text passwords securely when creating the user: the NMS must be configured with the same plain-text passwords to access the device.

The passwords have the following characteristics:
  • A password is a string of 8 to 64 case-sensitive characters.

  • A password must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters.

    The special characters include spaces and the following:

    `~!@#$%^&*()-_=+\|[{}];:'",<.>/?

  • A password cannot be the same as the user name or the reverse of the user name.
  • The authentication password and the encryption password cannot be the same.
  • Passwords entered in interactive mode are not displayed on the screen.

  • To improve password security, do not use passwords composed of repeated character strings, for example, abc123abc123abc123 and **123abc**123abc.
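
The following checker applies the password rules above to a candidate password before it is typed at the interactive prompt, which is useful when credentials are generated by a provisioning script. It is an added example, not Huawei code: the rule set is transcribed from this section and the device itself remains the authority.

```python
"""Pre-check an SNMPv3 password against the rules listed in this section
before typing it at the interactive prompt (useful when credentials are
generated by a provisioning script). Added example, not Huawei code: the rule
set is transcribed from the text above; the device itself is the authority."""

# Special characters accepted by the device, as listed above (space included).
SPECIAL_CHARS = set(" `~!@#$%^&*()-_=+\\|[{}];:'\",<.>/?")


def is_repeated_string(password: str) -> bool:
    """True if the password is a shorter string repeated two or more times
    (abc123abc123abc123). A string s is such a repetition exactly when s
    occurs inside (s + s) with the first and last character removed."""
    return len(password) > 1 and password in (password + password)[1:-1]


def check_password(password: str, user_name: str, other_password: str = None) -> list:
    """Return the list of rules the password violates (empty means it passes).
    other_password is the already-chosen authentication or encryption
    password, so the auth/priv pair can be checked for being different."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("must be 8 to 64 characters long")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ])
    if classes < 2:
        problems.append("must contain at least two of: upper-case, lower-case, digit, special")
    if password == user_name or password == user_name[::-1]:
        problems.append("must not equal the user name or its reverse")
    if other_password is not None and password == other_password:
        problems.append("authentication and encryption passwords must differ")
    if is_repeated_string(password):
        problems.append("is a repeated character string (weak, not recommended)")
    return problems


if __name__ == "__main__":
    # The passwords from the Example section pass the checks.
    print(check_password("8937561bc", "u1", other_password="68283asd"))   # []
    print(check_password("abc123abc123abc123", "u1"))   # repeated string
```

The repeated-string test covers both forms the page warns against (abc123abc123abc123 and **123abc**123abc); a password that merely contains a repeated fragment somewhere inside a longer unique string is not flagged, which matches the wording "composed of repeated character strings".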

Example

# Configure an SNMPv3 user with user name u1, group name g1, authentication mode md5, authentication password 8937561bc, encryption mode aes128, and encryption password 68283asd.
<Huawei> system-view
[Huawei] snmp-agent usm-user version v3 u1 group g1
[Huawei] snmp-agent usm-user version v3 u1 authentication-mode md5
Please configure the authentication password (8-64)
Enter Password:
Confirm password:
[Huawei] snmp-agent usm-user version v3 u1 privacy-mode aes128
Please configure the privacy password (8-64)
Enter Password:
Confirm password:
[Huawei]
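
The following added example (not Huawei code; standard library only) shows what the device and the NMS compute from the passwords entered above: the RFC 3414 password-to-key conversion, localization with the engine ID, and the HMAC-96 check described under authentication-mode. It makes three points from this page concrete: the privacy key is derived with the authentication hash (so a noAuthPriv level cannot exist), both keys change whenever the engine ID changes (the Configuration Impact note), and a message authenticated with a key from another engine or password fails verification. The engine IDs are assumptions (Huawei enterprise number 2011 = 0x7DB, format 3 = MAC, with made-up MAC addresses) and the message is a constructed stand-in rather than a BER-encoded SNMP packet.

```python
"""SNMPv3 USM key handling behind authentication-mode and privacy-mode:
password-to-key conversion and localization with the engine ID (RFC 3414
appendix A.2) and HMAC-96 signing/verification (RFC 3414 sections 6.3, 7.3).
Added example, not Huawei code; standard library only, runs offline."""
import hashlib
import hmac

HMAC96_LEN = 12           # msgAuthenticationParameters carries 12 octets
PRIV_KEY_LEN = 16         # AES-128 key (RFC 3826); CBC-DES also uses a 16-octet privKey
STRETCH_LEN = 1048576     # RFC 3414 A.2: hash 1 MiB of the cyclically repeated password
CLI_TO_HASHLIB = {"md5": "md5", "sha": "sha1"}   # device keyword -> hashlib name


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku = H(password repeated cyclically to 1,048,576 bytes)."""
    if not password:
        raise ValueError("empty password")
    stretched = (password * (STRETCH_LEN // len(password) + 1))[:STRETCH_LEN]
    return hashlib.new(algorithm, stretched).digest()


def localize(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores.
    The same password gives a different key on every engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_keys(auth_mode: str, auth_password: bytes, priv_password: bytes, engine_id: bytes):
    """Localized (authKey, privKey) for one user on one engine. auth_mode is the
    CLI keyword (md5 or sha). The privacy key is derived with the
    *authentication* hash, which is why a privacy-only (noAuthPriv) level
    cannot exist; a 20-byte SHA-1 result is cut to 16 bytes for AES-128."""
    alg = CLI_TO_HASHLIB[auth_mode]
    auth_key = localize(password_to_key(auth_password, alg), engine_id, alg)
    priv_key = localize(password_to_key(priv_password, alg), engine_id, alg)
    return auth_key, priv_key[:PRIV_KEY_LEN]


def hmac96(auth_key: bytes, auth_mode: str, wholemsg: bytes) -> bytes:
    """First 12 octets of HMAC(authKey, wholeMsg)."""
    return hmac.new(auth_key, wholemsg, CLI_TO_HASHLIB[auth_mode]).digest()[:HMAC96_LEN]


def _zero_field(wholemsg: bytes, offset: int) -> bytes:
    """Copy of the message with the 12-octet authParams field zero-filled."""
    return wholemsg[:offset] + bytes(HMAC96_LEN) + wholemsg[offset + HMAC96_LEN:]


def sign(auth_key: bytes, auth_mode: str, wholemsg: bytes, offset: int) -> bytes:
    """Sender (RFC 3414 6.3.1): MAC over the zero-filled message, then fill the field."""
    zeroed = _zero_field(wholemsg, offset)
    mac = hmac96(auth_key, auth_mode, zeroed)
    return zeroed[:offset] + mac + zeroed[offset + HMAC96_LEN:]


def verify(auth_key: bytes, auth_mode: str, wholemsg: bytes, offset: int) -> bool:
    """Receiver (RFC 3414 7.3.2): take the received MAC out, recompute over the
    zero-filled message and compare in constant time. A wrong key (other
    password, other engine ID) or any modified octet fails here."""
    received = wholemsg[offset:offset + HMAC96_LEN]
    expected = hmac96(auth_key, auth_mode, _zero_field(wholemsg, offset))
    return hmac.compare_digest(received, expected)


# Values from the Example section: user u1, md5, auth password 8937561bc,
# aes128, encryption password 68283asd. The engine IDs are assumptions
# (Huawei enterprise number 2011 = 0x7DB, format 3 = MAC, made-up MACs).
AUTH_PASSWORD = b"8937561bc"
PRIV_PASSWORD = b"68283asd"
ASSUMED_ENGINE_ID = bytes.fromhex("800007db03001122334455")
OTHER_ENGINE_ID = bytes.fromhex("800007db03aabbccddeeff")

if __name__ == "__main__":
    auth_key, priv_key = usm_keys("md5", AUTH_PASSWORD, PRIV_PASSWORD, ASSUMED_ENGINE_ID)
    print("authKey(u1):", auth_key.hex())
    print("privKey(u1):", priv_key.hex())
    # Same passwords, another engine ID: both keys differ. This is the
    # "engine ID changes, remote user becomes invalid" effect.
    other_auth, other_priv = usm_keys("md5", AUTH_PASSWORD, PRIV_PASSWORD, OTHER_ENGINE_ID)
    print("authKey on other engine:", other_auth.hex())
    # Constructed stand-in for a message: 12 zero octets at offset 8 play the
    # role of msgAuthenticationParameters (a real message is BER-encoded).
    msg = b"v3header" + bytes(HMAC96_LEN) + b"scoped-pdu"
    signed = sign(auth_key, "md5", msg, 8)
    print("verify with right key:", verify(auth_key, "md5", signed, 8))
    print("verify with other engine's key:", verify(other_auth, "md5", signed, 8))
```

On the NMS side, the matching net-snmp request for the example above is `snmpget -v3 -l authPriv -u u1 -a MD5 -A 8937561bc -x AES -X 68283asd <ap-address> sysName.0` (the address is a placeholder); net-snmp first discovers the agent's engine ID and then derives and localizes the keys exactly as the functions above do, which is why only the plain-text passwords, never the keys, are configured on the NMS.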
Updated: 2019-11-21

Document ID: EDOC1100064352