SNMP v3 security levels explained


SNMP v3 offers 3 different security levels:


noAuthNoPriv

authNoPriv

authPriv


In the above, auth refers to authentication, and priv refers to privacy (encryption). So, the above 3 security levels can be translated to mean:


noAuthNoPriv - no authentication and no encryption

authNoPriv   - authentication, but no encryption

authPriv     - both authentication and encryption


The following are some example Cisco configs for the above 3 security levels of SNMP v3:


No auth, no priv:

snmp-server user snmpv3noAuthNoPriv snmpv3noAuthNoPriv v3
snmp-server group snmpv3noAuthNoPriv v3 noauth read snmpv3groupread write snmpv3groupwrite
snmp-server view snmpv3groupread dod included
snmp-server view snmpv3groupwrite dod included


Auth, no priv:

snmp-server user snmpv3authNoPriv snmpv3authNoPriv v3 auth sha v3authpass
snmp-server group snmpv3authNoPriv v3 auth read snmpv3groupread write snmpv3groupwrite
snmp-server view snmpv3groupread dod included
snmp-server view snmpv3groupwrite dod included


Auth and priv:

snmp-server user snmpv3authPriv snmpv3authPriv v3 auth sha v3authpass priv aes 128 v3privpass
snmp-server group snmpv3authPriv v3 priv read snmpv3groupread write snmpv3groupwrite
snmp-server view snmpv3groupread dod included
snmp-server view snmpv3groupwrite dod included


(* note that the above are examples only and should not be used as-is. In addition to the authentication, access-lists should also be applied to limit the sources from which SNMP queries are accepted *)



With the above configuration(s) applied to a router, let's take a look at how and where this is configured in IRIS. Once logged in, navigate via the menu to Configuration -> Devices -> Manage Devices, click the + icon near the top right-hand side of the page to add a new device - you will be presented with the following device configuration modal (of course, you could also modify the configuration of an already existing device).



Start by changing the SNMP Version drop-down box to display 3, then enter the name of the SNMP v3 user from the Cisco configuration (in the example Cisco configs above, it would be one of snmpv3noAuthNoPriv, snmpv3authNoPriv, or snmpv3authPriv). The security level configuration is taken care of by the next row - Auth/Priv Settings. IRIS will deduce the correct security level from the combination of Auth and Priv settings provided. For example, to configure for noAuthNoPriv, leave both drop-downs as None and leave the text entry fields blank. To configure for authNoPriv, select either SHA or MD5 to match your router configuration and enter the auth password. In the examples above, I used SHA, with the Auth password set to v3authpass. A complete SNMP v3 config example for the authPriv security level would be:


security name snmpv3authPriv, auth protocol SHA, auth password v3authpass, priv protocol AES and priv password v3privpass:
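The deduction described above (three security levels, each determined by which of Auth and Priv are supplied) is easy to get wrong in one direction: SNMP v3's User-based Security Model has no "priv without auth" level, so Priv settings given alone are a misconfiguration rather than a fourth option. The following is an added example, not code from the original post or from IRIS, that performs that deduction for the same three users as the Cisco configs above, rejects the combinations the USM does not allow, and renders the equivalent net-snmp command-line options (-v, -u, -l, -a, -A, -x, -X are the real snmpget/snmpwalk flags). The class, function and parameter names are assumptions made for this illustration.

```python
"""Deduce the SNMPv3 security level from Auth/Priv settings and build the
matching net-snmp arguments.

Added example: not from the original post or from IRIS. SnmpV3Settings,
validate, deduce_security_level and netsnmp_args are hypothetical names
chosen for this illustration; the -v/-u/-l/-a/-A/-x/-X flags are net-snmp's.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional

AUTH_PROTOCOLS = {"MD5", "SHA"}
PRIV_PROTOCOLS = {"DES", "AES"}
MIN_PASSPHRASE = 8  # net-snmp refuses USM passphrases shorter than 8 characters


@dataclass
class SnmpV3Settings:
    """One device's SNMP v3 settings. None for a protocol means the 'None'
    drop-down value; an empty or None password means the field was left blank."""
    security_name: str
    auth_protocol: Optional[str] = None
    auth_password: Optional[str] = None
    priv_protocol: Optional[str] = None
    priv_password: Optional[str] = None


def validate(s: SnmpV3Settings) -> Optional[str]:
    """Return a human-readable problem with the settings, or None if they are
    a consistent noAuthNoPriv, authNoPriv or authPriv configuration."""
    has_auth = s.auth_protocol is not None
    has_priv = s.priv_protocol is not None

    if not s.security_name:
        return "security name (SNMP v3 user) is required"
    if has_auth and s.auth_protocol.upper() not in AUTH_PROTOCOLS:
        return f"unknown auth protocol {s.auth_protocol!r}"
    if has_priv and s.priv_protocol.upper() not in PRIV_PROTOCOLS:
        return f"unknown priv protocol {s.priv_protocol!r}"
    # A protocol without a passphrase, or a passphrase without a protocol,
    # is an inconsistent row rather than a valid level.
    if has_auth and not s.auth_password:
        return "auth protocol selected but auth password left blank"
    if not has_auth and s.auth_password:
        return "auth password given but auth protocol is None"
    if has_priv and not s.priv_password:
        return "priv protocol selected but priv password left blank"
    if not has_priv and s.priv_password:
        return "priv password given but priv protocol is None"
    # The USM defines no noAuthPriv level: encryption requires authentication.
    if has_priv and not has_auth:
        return "privacy requires authentication; there is no noAuthPriv level in SNMPv3"
    for label, pw in (("auth", s.auth_password), ("priv", s.priv_password)):
        if pw and len(pw) < MIN_PASSPHRASE:
            return f"{label} passphrase shorter than {MIN_PASSPHRASE} characters"
    return None


def deduce_security_level(s: SnmpV3Settings) -> str:
    """Map the Auth/Priv combination to its SNMPv3 security level name."""
    problem = validate(s)
    if problem:
        raise ValueError(problem)
    if s.auth_protocol is None:
        return "noAuthNoPriv"
    if s.priv_protocol is None:
        return "authNoPriv"
    return "authPriv"


def netsnmp_args(s: SnmpV3Settings) -> List[str]:
    """Render the net-snmp (snmpget/snmpwalk) options equivalent to the settings."""
    level = deduce_security_level(s)
    args = ["-v", "3", "-u", s.security_name, "-l", level]
    if level != "noAuthNoPriv":
        args += ["-a", s.auth_protocol.upper(), "-A", s.auth_password]
    if level == "authPriv":
        args += ["-x", s.priv_protocol.upper(), "-X", s.priv_password]
    return args


if __name__ == "__main__":
    # The three users from the Cisco configs above, plus one invalid row.
    examples = [
        SnmpV3Settings("snmpv3noAuthNoPriv"),
        SnmpV3Settings("snmpv3authNoPriv", "SHA", "v3authpass"),
        SnmpV3Settings("snmpv3authPriv", "SHA", "v3authpass", "AES", "v3privpass"),
        SnmpV3Settings("badPrivOnly", None, None, "AES", "v3privpass"),
    ]
    for ex in examples:
        problem = validate(ex)
        if problem:
            print(f"{ex.security_name}: rejected ({problem})")
        else:
            print(f"{ex.security_name}: {deduce_security_level(ex)} -> {' '.join(netsnmp_args(ex))}")
```

Running the block prints the level and net-snmp options for each of the three example users and reports the priv-only row as rejected; the same validate() checks are what a device-management form should run before saving a row, since a device with Priv filled in and Auth left as None will never authenticate.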