Posted on September 15, 2021 3:10 pm
 |  Asked by Mitchel Martin Timm
RESOLVED

I have an Arista 7010T switch with version 4.26.2 and am surprised that an SNMPv3 configuration with authentication and privacy does not work.
Setup of SNMPv3 works so far. Tested with v1 and v3 with snmpwalk and authNoPriv. As soon as I want to set up the user with auth or auth/priv, it asks for hex strings for the passwords, even without specifying localized. Am I running into a bug there, or how do I have to create the hex strings so that they work?

Posted by Edmund
Answered on September 16, 2021 7:39 pm

You do not need to create the hex strings. Here's an example.

To begin with, I have no SNMPv3 configuration:

switch...19:29:34#sho run section snmp
snmp-server community public ro

This is what I configure:

switch...19:29:42#conf
switch...19:29:57(config)#
switch...19:30:08(config)#snmp-server view all .1 included
switch...19:30:09(config)#snmp-server group noc v3 priv read all
switch...19:30:09(config)#snmp-server user edmund noc v3 auth sha Arista123 priv aes arista123
switch...19:30:10(config)#end

This is how it shows in the running config:

switch...19:30:15#sho run section snmp
snmp-server engineID local f5717f001c738c44d500
snmp-server view all .1 included
snmp-server community public ro
snmp-server group noc v3 priv read all
snmp-server user edmund noc v3 localized f5717f001c738c44d500 auth sha 5f94e3f71abc0dc8a3315d9176a5229d4e0816d6 priv aes 7d8a1707e1d7c4796ca73e2364bc897d
switch...19:30:21#

This is how I query the switch, and the response sent:

% snmpget  -v 3 -u edmund -a SHA -A Arista123 -x AES -X arista123 -l authPriv switch system.sysDescr.0

SNMPv2-MIB::sysDescr.0 = STRING: Arista Networks EOS version 4.26.2F running on an Arista Networks DCS-7010T-48

Answered on September 17, 2021 7:42 am

This is also the procedure that I would expect and have found on the net. However, the switch always requires a hex string when entering the password, possibly only in the version?

---snip---

access-01(config)#snmp-server user testuser si-group v3 auth sha ?
HEX_STRING authentication passphrase for user
---snip---

Answered on September 17, 2021 7:45 am

This is also the procedure that I would expect and have found on the net. However, the switch always requires a hex string when entering the password, possibly only in the version?

---snip---

access-01(config)#snmp-server user testuser si-group v3 auth sha ?
HEX_STRING authentication passphrase for user

access-01(config)#snmp-server user testuser si-group v3 auth sha TEST123 priv aes ?
HEX_STRING privacy passphrase for user
---snip---

Posted by Edmund
Answered on September 17, 2021 9:44 am

I agree the help string asking for a HEX_STRING is confusing, but you use the plain text password if you don't use the localized keyword. If you check my output above, I tested this on a 7010T running 4.26.2F.

The snmp-server user command for v3 has two forms, one that is intended for direct use by users and one that is saved in the running-config or startup-config:

  1. snmp-server user USER GROUP v3 auth A_METH A_PLAIN_KEY priv P_METH P_PLAIN_KEY — this is the form for interactive use. When this is run, the keys are localized with the system’s current engineID, and the localized keys are stored in Sysdb.
  2. snmp-server user USER GROUP v3 localized ENGINEID_HEX auth A_METH A_HEX_STRING priv P_METH P_HEX_STRING — in this form, the keys are given as hex strings that are the output of localizing with the engineID in the command.
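
The localization step described in the answer above, as an added Python example that is not part of the original answer or Arista's code. It assumes EOS follows the standard RFC 3414 password-to-key algorithm and, for AES-128 privacy, RFC 3826 (first 16 bytes of the localized key); the function names are hypothetical.

```python
import hashlib

MEGABYTE = 1048576  # RFC 3414 A.2: hash exactly 1 MiB of repeated passphrase


def password_to_key(passphrase: str, hash_name: str = "sha1") -> bytes:
    """Intermediate key Ku: digest of the passphrase repeated to 1 MiB."""
    pw = passphrase.encode()
    if not pw:
        raise ValueError("passphrase must not be empty")
    reps, rem = divmod(MEGABYTE, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(passphrase: str, engine_id_hex: str,
                 hash_name: str = "sha1") -> bytes:
    """Localized key Kul = H(Ku || engineID || Ku), bound to one engine."""
    ku = password_to_key(passphrase, hash_name)
    engine_id = bytes.fromhex(engine_id_hex)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def aes128_priv_key(passphrase: str, engine_id_hex: str,
                    hash_name: str = "sha1") -> bytes:
    """RFC 3826: AES-128 uses the first 128 bits of the localized key."""
    return localize_key(passphrase, engine_id_hex, hash_name)[:16]


if __name__ == "__main__":
    # Values taken from the running-config shown earlier in this thread.
    engine_id = "f5717f001c738c44d500"
    auth = localize_key("Arista123", engine_id, "sha1")
    priv = aes128_priv_key("arista123", engine_id, "sha1")
    # Compare these with the hex strings after "auth sha" and "priv aes"
    # on the "localized" line of the running-config.
    print("auth sha", auth.hex())
    print("priv aes", priv.hex())
```

A localized key is sufficient on its own to authenticate to the engine it was derived for, so running-config lines that contain one should be handled like the passphrase itself.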
Answered on September 17, 2021 10:16 am

Hello Edmund,

It works now. I thought I had checked it with these commands.
