User-based security model

6

NOTE

This command is not used for SNMP version 1 and SNMP version 2. In these versions, groups and group views are created internally using community strings. (refer to “SNMP community strings” on page 156.) When a community string is created, two groups are created, based on the community string name. One group is for SNMP version 1 packets, while the other is for SNMP version 2 packets.

The group <groupname> parameter defines the name of the SNMP group to be created.

The v1, v2, or v3 parameter indicates which version of SNMP is used. In most cases, you will be using v3, since groups are automatically created in SNMP versions 1 and 2 from community strings.

The auth noauth parameter determines whether or not authentication will be required to access the supported views. If auth is selected, then only authenticated packets are allowed to access the view specified for the user group. Selecting noauth means that no authentication is required to access the specified view. Selecting priv means that an authentication password will be required from the users.

The access <standard-ACL-id>parameter is optional. It allows incoming SNMP packets to be filtered based on the standard ACL attached to the group.

The read <viewstring> write <viewstring> parameter is optional. It indicates that users who belong to this group have either read or write access to the MIB.

The <viewstring> variable is the name of the view to which the SNMP group members have access. If no view is specified, then the group has no access to the MIB.

The value of <viewstring> is defined using the snmp-server view command. The SNMP agent comes with the "all" default view, which provides access to the entire MIB; however, it must be specified when creating the group. The "all" view also allows SNMP version 3 to be backwards compatibility with SNMP version 1 and version 2.

NOTE

If you will be using a view other than the "all" view, that view must be configured before creating the user group.Refer to the section “SNMP v3 configuration examples” on page 169, especially for details on the include exclude parameters.

Defining an SNMP user account

The snmp-server user command does the following:

Creates an SNMP user.

Defines the group to which the user will be associated.

Defines the type of authentication to be used for SNMP access by this user.

Specifies one of the following encryption types used to encrypt the privacy password:

Data Encryption Standard (DES) – A symmetric-key algorithm that uses a 56-bit key.

Advanced Encryption Standard (AES) – The 128-bit encryption standard adopted by the U.S. government. This standard is a symmetric cipher algorithm chosen by the National Institute of Standards and Technology (NIST) as the replacement for DES.

Here is an example of how to create an SNMP User account.

Brocade(config)#snmp-s user bob admin v3 access 2 auth md5 bobmd5 priv des bobdes

Brocade ICX 6650 Administration Guide

161

53-1002600-01

 

Page 179
Image 179
Brocade Communications Systems 6650 manual Defining an Snmp user account